Patrice Duroux wrote: > Already possible or not, I would like to have a Debian system for > which packages can be installed either by a specific user > (root/sysadmin as usual) only or by any other (or a group of) users. > But this would also depend on the class of the requested packages: > 1. packages providing mainly commands or library facility (large > majority packages?), > 2. packages providing modifying system runtime like (root) services, > new kernel modules, ... (very few packages?). > > Any (or a specific group of) users could be able to install any > package of the first class by their own without asking a sysadmin (or > explicitly acquiring privilege of) user. > > With this goal (dream?) in mind, I tried to cluster all the packages > between the one that wouldn't change the system runtime (and therefore > even after a reboot) and whatever would be the sign of that.Those > package installation should insure a sort of system default runtime > reproducibility in fact.
If you maintain the package lists, you can do this today. Add a sudo privilege for a group of users to run apt install on your list of packages. I do not recommend this. Remember that every package installation includes an opportunity for the package to run some commands as root, even if the final package does not install any root-required executables. Remember that some packages conflict with each other in non-obvious ways. As a simple example, it is possible to have multiple webservers running at the same time, but the default configs for each of them will interfere. Solving this problem is a matter not just requiring root privileges for reconfiguration, but also of knowing what is happening and being able to sort it out. If you have multiple users who are that knowledgeable and trustworthy, perhaps they are also trustworthy with general sudo privileges. Anyone who is not trustworthy for the whole system is, perhaps, not someone you want installing packages at all. -dsr-
