Am Di., 17. März 2026 um 10:37 Uhr schrieb Harald Dunkel <[email protected]>:
>
> Hi folks,
>
> apparently the desktop user has to be member of the "sudo" group to
> install the most recent security updates on his laptop
That is incorrect - being part of the sudo group just means you will
get prompted for your password less often. Any user can install
updates, but they will have to have an admin password (root, another
user who is privileged, etc) to grant permission via PolKit.
Certain actions will still require you to enter your password even if
you are in the sudo group (e.g. any package removals or
installations).
> at least for KDE on Trixie. Looking at Debian's default in the sudoers file
>
> # Allow members of group sudo to execute any command
> %sudo ALL=(ALL:ALL) ALL
>
> I wonder if using the "sudo" group was a good choice. Using sudo
> the user can cirumvent all the policies packagekit tries to estab-
> lish.
Not really - if you are root, it is indeed true that PackageKit will
do anything without asking for further authorization. But that is
expected, as the literally highest privileged user once you used sudo,
you are expected to be able to do anything (and can do far worse
things that calling pkgcli).
Best,
Matthias
--
I welcome VSRE emails. See http://vsre.info/
