#1131032 packagekit should not abuse the sudo group

Package:
packagekit
Source:
packagekit
Description:
Provides a package management service
Submitter:
Harald Dunkel
Date:
2026-03-18 21:47:01 UTC
Severity:
normal
#1131032#5
Date:
2026-03-17 09:29:28 UTC
From:
To:
Hi folks,

apparently the desktop user has to be a member of the "sudo" group to
install the most recent security updates on his laptop, at least
for KDE on Trixie. Looking at Debian's default in the sudoers file

	# Allow members of group sudo to execute any command
	%sudo   ALL=(ALL:ALL) ALL

I wonder if using the "sudo" group was a good choice. Using sudo
the user can circumvent all the policies packagekit tries to
establish.


Regards
Harri

#1131032#10
Date:
2026-03-17 12:18:59 UTC
From:
To:
On Tue, 17 March 2026 at 10:37, Harald Dunkel <harri@afaics.de> wrote:

That is incorrect - being part of the sudo group just means you will
get prompted for your password less often. Any user can install
updates, but they will have to have an admin password (root, another
user who is privileged, etc) to grant permission via PolKit.
Certain actions will still require you to enter your password even if
you are in the sudo group (e.g. any package removals or
installations).

Not really - if you are root, it is indeed true that PackageKit will
do anything without asking for further authorization. But that is
expected, as the literally highest privileged user once you used sudo,
you are expected to be able to do anything (and can do far worse
things than calling pkgcli).

Best,
    Matthias

#1131032#20
Date:
2026-03-18 21:37:44 UTC
From:
To:
Neither sudo nor individual admin rights are an option in my
environment. Currently the Linux laptop users can just hope for
some timer to run apt update, and then reboot. That's bad.

I would like to have some button [upgrade now] in the desktop
GUI, giving the users better control over upgrading their
laptops.

If I got this correctly the "wheel" group used in upstream's
policy files provided a similar functionality. I understand
your patch to upstream's default policies is more complex than
just replacing "wheel" by "sudo", but I wonder if these changes
went too far?

Regards
Harri
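
Added example, not part of the bug thread and not PackageKit's or Debian's shipped policy: a local polkit rule that lets members of a dedicated group refresh and apply updates without being in "sudo", leaving installs and removals on the packaged defaults. The group name "pkgupdate", the rules file path and the helper names are assumptions; the action ids are upstream PackageKit's and should be checked against the installed policy.

```javascript
// Added example, in the ES5 style polkit rules files use.
// Assumed install path: /etc/polkit-1/rules.d/50-packagekit-update.rules
// "pkgupdate" is a hypothetical group; it is not a Debian default.
var UPDATE_GROUP = "pkgupdate";

// Upstream PackageKit action ids for "refresh metadata" and "apply updates".
// Install/remove actions are deliberately left out.
var UPDATE_ACTIONS = [
  "org.freedesktop.packagekit.system-sources-refresh",
  "org.freedesktop.packagekit.system-update"
];

// Decide "yes" only for update actions requested from an active local
// session by a member of UPDATE_GROUP. null means "no opinion", so the
// packaged defaults (password prompts) stay in force.
function updateRule(action, subject) {
  if (UPDATE_ACTIONS.indexOf(action.id) === -1) { return null; }
  if (!subject.local || !subject.active) { return null; }
  if (!subject.isInGroup(UPDATE_GROUP)) { return null; }
  return "yes";
}

// polkitd provides the global "polkit"; it is absent when run under node.
if (typeof polkit !== "undefined") {
  polkit.addRule(function (action, subject) {
    return updateRule(action, subject) === "yes"
      ? polkit.Result.YES
      : polkit.Result.NOT_HANDLED;
  });
}

// Constructed stand-in for a polkit subject, for offline checks only.
function makeSubject(groups, local, active) {
  return {
    local: local,
    active: active,
    isInGroup: function (g) { return groups.indexOf(g) !== -1; }
  };
}

// Constructed cases: update by member, removal by member,
// update by non-member, update by member from a non-local session.
function evaluateSamples() {
  var pk = "org.freedesktop.packagekit.";
  return [
    updateRule({ id: pk + "system-update" }, makeSubject(["pkgupdate"], true, true)),
    updateRule({ id: pk + "package-remove" }, makeSubject(["pkgupdate"], true, true)),
    updateRule({ id: pk + "system-update" }, makeSubject(["users"], true, true)),
    updateRule({ id: pk + "system-update" }, makeSubject(["pkgupdate"], false, true))
  ];
}
```

`pkaction --verbose --action-id org.freedesktop.packagekit.system-update` shows the defaults the installed policy ships, which is what applies whenever this rule returns "not handled".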