Qubes sudo / su / root Hardening - Development Discussion

upgrade-nonroot is broken at time of writing when qubes-core-agent-passwordless-root is not installed. But this, I’d like to fix soon.

File /etc/sudoers.d/upgrade-passwordless:

%sudo ALL=NOPASSWD: /usr/bin/apt-get-update-plus dist-upgrade

This means currently only members of group sudo can run upgrade-nonroot to perform passwordless operating system upgrades.

When package qubes-core-agent-passwordless-root is not installed, then user user is no longer a member of group sudo. Hence, this breaks.

To fix this, to be able to perform passwordless operating system upgrades as user user, one solution is to allow members of group user [1] to run sudo upgrade-nonroot.

%user ALL=NOPASSWD: /usr/bin/upgrade-nonroot
%sudo ALL=NOPASSWD: /usr/bin/upgrade-nonroot

%user ALL=NOPASSWD: /usr/bin/apt-get-update-plus dist-upgrade
%sudo ALL=NOPASSWD: /usr/bin/apt-get-update-plus dist-upgrade

Note, changing this from group (or user) user to group (or user) admin as part of Multiple Boot Modes for Better Security: an Implementation of Untrusted Root would be future work. But for that, finding consensus first on create user `admin` by default and add user `admin` to group `sudo` by default · Issue #9519 · QubesOS/qubes-issues · GitHub would be most helpful. Otherwise the implementation for non-Qubes versus Qubes would differ, which would be a confusing usability issue.


[1] By default, only user user is a member of group user. This is inherited from Debian UserPrivateGroups.
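An added example, not part of the original post or of the project's code: a simplified Python model of how sudo matches the rules quoted above. It shows why the %sudo-only rule stops applying once user user leaves group sudo, and how argument matching differs between the two commands. The group sets and the `--example-flag` argument are assumptions for illustration.

```python
# Simplified model of sudoers matching for the rules quoted in the post.
# Not sudo's parser: only "%group HOSTS=NOPASSWD: command [args]" lines, no wildcards.
import shlex

BEFORE = """\
%sudo ALL=NOPASSWD: /usr/bin/apt-get-update-plus dist-upgrade
"""
AFTER = """\
%user ALL=NOPASSWD: /usr/bin/upgrade-nonroot
%sudo ALL=NOPASSWD: /usr/bin/upgrade-nonroot
%user ALL=NOPASSWD: /usr/bin/apt-get-update-plus dist-upgrade
%sudo ALL=NOPASSWD: /usr/bin/apt-get-update-plus dist-upgrade
"""

def parse(text):
    """Return (group, command, args) tuples; args is None when the rule lists none."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("%") or ":" not in line:
            continue  # skip blanks, comments and anything this model does not cover
        who, rest = line.split(None, 1)
        spec, cmnd = rest.split(":", 1)
        if "NOPASSWD" not in spec:
            continue
        argv = shlex.split(cmnd)
        rules.append((who[1:], argv[0], argv[1:] or None))
    return rules

def passwordless(rules, groups, argv):
    """True if a rule lets a member of `groups` run `argv` without a password."""
    for group, cmd, args in rules:
        if group not in groups or cmd != argv[0]:
            continue
        if args is None:  # rule lists no arguments: any arguments match
            return True
        wanted = [] if args == [""] else args  # "" in sudoers means "no arguments"
        if argv[1:] == wanted:  # listed arguments must match exactly
            return True
    return False

if __name__ == "__main__":
    upgrade = ["/usr/bin/apt-get-update-plus", "dist-upgrade"]
    no_pwless_root = {"user"}  # assumed groups without qubes-core-agent-passwordless-root
    print("before:", passwordless(parse(BEFORE), no_pwless_root, upgrade))
    print("after: ", passwordless(parse(AFTER), no_pwless_root, upgrade))
    # --example-flag is a made-up argument, not an upgrade-nonroot option
    flagged = ["/usr/bin/upgrade-nonroot", "--example-flag"]
    print("any args:", passwordless(parse(AFTER), no_pwless_root, flagged))
```

A rule that lists no arguments, like the upgrade-nonroot lines, accepts any arguments, so that program has to be safe to run as root with arbitrary arguments; ending the rule in `""` restricts it to the bare command.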