>> * apt-get install but not remove
>
> IMO this is possible by setting whole command "apt-get options *" in
> sudoers, but i never tried this. I have on one my server this:
>
> User_Alias EJABBER = snmp, www-data
> ...
> EJABBER ALL=(ejabberd) NOPASSWD: /usr/sbin/ejabberdctl stats *
>
> by this line (i hope) only snmp and www-data can run
> "/usr/sbin/ejabberdctl stats *" command. The asterisk can be replaced by
> any other option (package name for you). But be careful with apt-get,
> because there can be more than one (install, remove, ...) command can be
> used in one line... Perhaps some shell script for this, which will accept
> only package names?