I want to keep my system (and all installed packages) "always" on the latest version and therefore I'm thinking about creating special user for auto-updates. This user would get a cron-job which performs sudo apt-get update -y && sudo apt-get upgrade -y once a week.
Since this should be done automatically I'd like to edit the /etc/sudoers file (with sudo visudo of course) so that this user never gets a password prompt for these two commands.
However the only solution I found so far is to disable the password prompt only for apt-get but not for specific sub commands.
Since I want to keep it as safe as possible I'd need a way to ONLY allow update & upgrade, no other sub-commands of apt-get. And yes, I'd also disable the execution of any other command via sudo, just to be on the safe side.
Is there any way to achieve this or is the only way to allow the execution of apt-get without password prompts (thus also allowing apt-get install)?
I'm using the Debian based distro Raspbian.
Thanks for any help!
Make a script wrapper for apt-get update and apt-get upgrade, something like this:
#!/bin/sh
apt-get update $@
and allow it in sudoers with NOPASSWD.
But need to say that I'm not really sure that it's impossible to execute some shell command using apt-get update or apt-get upgrade, so not sure that allowing to run them as root for a non-root user is secure enough.