You can set security patches to update automatically.
It is possible to set up sudo to not require a password for specified commands; I've forgotten the details but [console ] man sudoers[/console ] might get you started.


Regards, John Little

[devil's advocate]

Not everybody uses Linux on a home PC; some people (like me) also work in enterprise IT

I'd fire a sysadmin who installed patches on production hardware without testing them first; and in a properly designed enterprise IT infrastructure users don't get to patch their own machines, not even in Windows. In my own environment the week between Patch Tuesday and the third Wednesday of the month is reserved for testing patches; those monthly patches are advertised to desktop machines starting at 8pm on the third Wednesday of the month and go mandatory at 8pm on the fourth Wednesday - at that point the end user doesn't have a choice about when he gets security patches

Servers? Updates are *never* automated in production; server instances are all patched manually after testing in both dev and QA environments.

Not requiring root for security updates would be fine for a home PC, but doesn't work at all in the enterprise

[/devil's advocate]

Exactly what wizard10000 said. Even for a business (not IT), there could be tons of reasons to prevent applications from upgrading. Allowing anybody to upgrade when ever they wanted could be disastrous.

Part of the Linux security model is that root owns /bin, /sbin and the other places where most executables are stored and called from. Users can run them because they have world execute set, but the user cannot write (overwrite or modify) them without being the superuser using sudo and their password.

Security updates are installed automatically from the superuser account, if it is set to do so, which means that the superuser password is being stored by apt for that process, but non-security updates require action by the superuser. I find this mixed update process a concession to haste for security sake that makes no sense, unless the superuser's computer is on 24/7 and unattended most of the time. I used to leave my laptops on 24/7/365 but stopped doing that about a decade ago. When I first turn on my laptop it is almost impossible to not see the green shield in the system tray and take action. The first thing I do is take a PRE snapshot of / and /home (I'm using Btrfs) using snapper. Then I do the update followed by the POST snapshot. If things don't work out well I run snapper's undochange command and the delete both the PRE and POST snapshots.

Until the OP's post I had not given security updates much thought and realized while writing this post that having security updates install automatically creates a hole in my rollback model. I am going to cancel automatic updates of security patches.

This post brings up another wad of well chewed cud - using sudo and the first installed user's password as root. I've always preferred that root have a separate password. The one advantage it has is that even if a user learns of the sudo password it cannot be used if that user is not in the sudo registry. With a root password if you wanted to remove someone from having root access you would have to change the root password and not tell him the new password, but inform everyone else of the new password. Sudo is a lot easier and safer except on single user systems.

I'll see your devil's advocate and raise you one year of the desktop.

I'm not saying it should be impossible to lock down security updates, just that the default desktop behaviour ought to be to allow them as standard without UAC jumping in. Maybe for the core Canonical PPAs only, I'm open to suggestion.

I know it's possible to cludge-hack around the behaviour, it just shouldn't be necessary.

I would also expect an IT department to know how to disable it. Same as we do where I work on our Windows server estate, and for the desktop updates we check before rolling out.

Oh, and for the record: I'd probably sack any sysadmin who was running KDE on the servers.

i.e., not running a server headless

Damned right

But how else can I sync my cell phone with my server?