Allow normal user accounts to install packages

Q I sysadmin a number of machines with various distros installed on them. For network security reasons, we tend not to give users privileged accounts (neither root nor sudo). However this can be a pain if they require a new package - they have to request that IT-support (me and my small team) install it for them. Is there a way, perhaps an option in dpkg or similar, that would allow a non-privileged user to install a package (RPM or Deb) into their local userspace tree without requiring rights elevation?

A While it is possible to tell RPM to install elsewhere by using the --prefix argument, this is not without problems. Firstly, you still need access to the RPM database, which requires root access. You could get around that by setting up a wrapper script that runs rpm --prefix=/home/user/local --otheroptions and adding an entry to /etc/sudoers to allow that script to be run with sudo. That way users can run your script but not RPM directly. However, this leads to a more serious problem, as many packages are not relocatable and have to be installed to the path that was given when they were compiled. At best, RPM will refuse to use --prefix with such packages. Similar problems arise with Debs or any package containing files that have been compiled to run from a particular location and, more importantly, look for libraries and configuration files in particular locations.

One option is for your users to build the programs they want from source. This sounds like more work than it is as you could have a installation script that handles the vast majority of cases. All it needs to do is unpack the tarball, cd to the working directory, run configure with the correct options, then run make and make install. Something like this:

#!/bin/sh
tar xf "$1"
cd $(tar tf "$1" 2>/dev/null | head -n 1)
./configure --prefix $HOME/local && make && make install

The cd line may look odd, but it's just listing the tarball to grab the first item, which is the directory the rest of the tarball unpacks into. Then it changes to this directory and runs the usual autotools commands, but with the installation prefix set to $HOME/local. All the files will be included in directories under here, so you'll need to add ~/local/bin to the users' paths. Alternatively, use --prefix=$HOME, which will install to directories like bin, lib and share in the user's home directory.

If you only allow users to install certain programs, you could create your own RPM and Deb packages, which would involve getting the source packages, changing the spec files to install to a non-privileged directory and rebuilding. Unfortunately, however you approach this, there will be some administrative and support work involved. Alternatively, if you are comfortable with users installing to the system directories, you could give them restricted sudo access - say to allow them to install software but not remove it.

Follow us on Identi.ca or Twitter

Username:   Password:
Create Account | About TuxRadar