What are the potential vulnerabilities of allowing non-root users to run apt-get?

There are two ways I can think of doing this:

  1. On a system with sudo, by modifying /etc/sudoers.

  2. On a system without sudo (such as a Docker environment), by writing a program similar to the below and setting the setuid bit with chmod u+s. apt-get checks real uid, so a setuid call is necessary.

... int main(int argc, char **argv) {     char *envp[] = { ... };     setuid(0);     execve("/usr/bin/apt-get", argv, envp);     return 1; } 

I have two questions:

  1. What are the potential vulnerabilities of allowing non-root users to run apt-get?
  2. My goal is to allow people to install/remove/update packages, given that apt-get lives in a custom non-system refroot and installs from a custom curated apt repository. Are there safer ways to allow non-root users to run apt-get on a system without sudo?