Finally got around to looking into an issue I saw with Ubuntu 11.10 and 12.04. These versions have PolicyKit rules that allow updating of software by users in the admin and sudo groups without asking for an administrative password. The logic is that administrative users know what they are doing, and that installing new software still requires a password. And of course, users who do not understand all this stuff are better to be effectively remotely administrated by the Ubuntu team, via what gets pushed to the repositories.

I get the rationale, but personally am not too fond of it. Perhaps this is simply due to expectations brought on by nearly 30 years of POSIX like operating systems experience. Thankfully the behavior is easily configurable, by changing the instructions used by PolicyKit.

The PolicyKit instructions for software updates and similar behaviors are found in the file /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla. Rather than change this file, copy this file to the local directory at /etc/polkit-1/localauthority/50-local.d/, giving it the same name.

sudo /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla \
    /etc/polkit-1/localauthority/50-local.d/

Next, edit the new file /etc/polkit-1/localauthority/50-local.d/com.ubuntu.desktop.pkla. Remove the entries for which you wish no change in behavior, then update those remaining as desired. In my case, with a notebook computer, I elected to require an administrative password for editing system-wide network connections, updating already installed software, using the USB creator, and performing printer administration. Say I am at a customer site and step away from my notebook computer for a moment, forgetting first to lock the screen. These changes prevent a host of unwanted changes, that might just be the kind of joke a few of my customers might want to play on me!

For reference, here is my resulting /etc/polkit-1/localauthority/50-local.d/com.ubuntu.desktop.pkla file.

[Adding or changing system-wide NetworkManager connections]
Identity=unix-group:admin;unix-group:sudo
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultActive=auth_admin

[Update already installed software]
Identity=unix-group:admin;unix-group:sudo
Action=org.debian.apt.upgrade-packages
ResultActive=auth_admin

[usb-creator]
Identity=unix-group:admin;unix-group:sudo
Action=com.ubuntu.usbcreator.mount;com.ubuntu.usbcreator.image
ResultActive=auth_admin

[Printer administration]
Identity=unix-group:lpadmin;unix-group:admin;unix-group:sudo
Action=org.opensuse.cupspkhelper.mechanism.*
ResultActive=auth_admin

The direct solution was found here. Other useful links include the PolicyKit manual configuration section and the Arch wiki page for PolicyKit.