Posts Tagged ‘updates’

A script to allow non-admin users to install security updates on CentOS

Thursday, September 27th, 2018

At work, I needed to come up with a script that allows non-admin users to install security updates on CentOS servers.

The only real dependency is yum-utils (because the script uses its needs-restarting binary to check the status of things), but you should also create a folder to store the script and, of course, a sudo command for the users to run.

Please also note the creative accumulation of several copied scripts to create the multiple choice menus…. I patched together some code samples found on the usual websites where coding is discussed.

HTH someone out there…

#!/bin/bash

######################################
## only root can run this (or sudo) ##
######################################

# Make sure only root can run our script
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run using sudo (\"sudo /opt/yumcleanup/restartsetupscript\") or as root. Exiting…" 1>&2
    exit 1
fi

###############
## functions ##
###############

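display_help () {
    echo "The script can be run without interaction using the following"
    echo "command line option: --non-interactive"
    echo "This will silently install security updates only and restart"
    echo "affected services."
    echo " "
    echo "Calling the script with --help will also display this help text"
    echo "as does calling the script with an unknown option."
    exit
}

set_exports () {
    export http_proxy="http://my.proxy.server.local:11111"
    export https_proxy="http://my.proxy.server.local:11111"
    export proxy="http://my.proxy.server.local:11111"
}

unset_exports () {
    unset http_proxy
    unset https_proxy
    unset proxy
}

outputs_preparation () {
    # The script runs as root, so do not write to a fixed, predictable name in
    # world-writable /tmp: remove the old file and let mktemp create a fresh
    # one (mode 600, random suffix) that is deleted when the script exits.
    rm -f "$outputs"
    outputs=$(mktemp /tmp/myoutputs.XXXXXX) || exit 1
    trap 'rm -f "$outputs" "$outputr"' EXIT
}

outputr_preparation () {
    # Same handling as above for the reboot report.
    rm -f "$outputr"
    outputr=$(mktemp /tmp/myoutputr.XXXXXX) || exit 1
    trap 'rm -f "$outputs" "$outputr"' EXIT
}

outputs_filling () {
    # needs-restarting -s lists the services that need a restart
    "$mybin" -s >> "$outputs"
}

outputr_filling () {
    # needs-restarting -r reports whether a reboot is required
    "$mybin" -r >> "$outputr"
}

services_restart () {
    while read -r line
    do
        # Restarting $line
        /bin/systemctl stop "$line"
        /bin/systemctl start "$line"
    done < "$outputs"
}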

#################
## getopt test ##
#################

getopt --test > /dev/null
if [[ $? -ne 4 ]]; then
    echo "I'm sorry, 'getopt --test' failed in this environment."
    exit 1
fi

#######################
## setting variables ##
#######################

outputs=/tmp/myoutputs
outputr=/tmp/myoutputr
mybin=/bin/needs-restarting

# no short options, only long ones
OPTIONS=""
LONGOPTIONS=non-interactive,help

PARSED=$(getopt --options="$OPTIONS" --longoptions="$LONGOPTIONS" --name "$0" -- "$@")
if [[ $? -ne 0 ]]; then
    # e.g. $? == 1
    # then getopt has complained about wrong arguments to stdout
    echo "something wrong, showing help instead in one second"
    display_help
    exit 2
fi

# echo "$PARSED"

# read getopt's output this way to handle the quoting right:
eval set -- "$PARSED"

# now enjoy the options in order and nicely split until we see --
while true; do
    case "$1" in
        --non-interactive)
            n=y
            # echo "doing silent stuff now… TODO: disable this line"
            # should do these steps: (probably better to put this in its own function)
            set_exports
            # Run yum directly: wrapped in backticks, anything yum printed
            # would be executed as a command by root.
            # --security only selects packages that the enabled repos flag
            # as security errata in their updateinfo metadata.
            yum -y -d0 --security update
            outputs_preparation
            outputs_filling
            services_restart
            unset_exports
            exit
            ;;
        --help)
            h=y
            # echo "displaying help in two seconds"
            display_help
            shift
            ;;
        --)
            #echo "instead of -- showing help in three seconds"
            #display_help
            shift
            break
            ;;
        *)
            echo "Programming error"
            echo "displaying help instead in four seconds"
            display_help
            exit 3
            ;;
    esac
done

set_exports
#export http_proxy="http://my.proxy.server.local:11111"
#export https_proxy="http://my.proxy.server.local:11111"
#export proxy="http://my.proxy.server.local:11111"

# cleanup before we do anything
#rm -f $outputs
#rm -f $outputr

# install updates, ask user which type of updating he wants to do
echo ""
echo "Please select the type of updates you want to install: "
echo ""
PS3='Enter your choice: '
options=("All updates (will most certainly require a reboot)" "Security updates only (reboot probably not required)" "All updates except kernel and kernel-related packages (reboot might be required)" "Quit (you will need to run the script again later)")
select opt in "${options[@]}"
do
    case $opt in
        #"Option 1")
        "All updates (will most certainly require a reboot)")
            echo "Installing all updates… please wait"
            yum -y -d0 update &
            # $! is the PID of the yum job just started; grepping the process
            # list could match other processes with "yum" in their name.
            PIDD=$!
            while sleep 8; do echo "still installing…" && kill -0 "$PIDD" 2>/dev/null || break; done
            break
            ;;
        #"Option 2")
        "Security updates only (reboot probably not required)")
            echo "Installing only security updates…. please wait"
            yum -y -d0 --security update &
            PIDD=$!
            while sleep 8; do echo "still installing…" && kill -0 "$PIDD" 2>/dev/null || break; done
            break
            ;;
        #"Option 3")
        "All updates except kernel and kernel-related packages (reboot might be required)")
            echo "Installing all updates except kernel and kernel-related packages… please wait"
            # quote the pattern so the shell does not expand it against files in the current directory
            yum --exclude='kernel*' -y -d0 update &
            PIDD=$!
            while sleep 8; do echo "still installing…" && kill -0 "$PIDD" 2>/dev/null || break; done
            break
            ;;
        #"Quit")
        "Quit (you will need to run the script again later)")
            echo "Quitting… bye!"
            exit
            ;;
        *) echo "invalid option $REPLY";;
    esac
done

unset_exports
#unset http_proxy
#unset https_proxy
#unset proxy

##############################
## section services restart ##
##############################

outputs_preparation
outputs_filling

# `$mybin -s >> $outputs`
# chmod 600 $outputs

if [ "$(wc -l < "$outputs")" -ge 1 ]; then
    echo ""
    echo "The following services should be restarted:"
    echo "******************************"
    cat "$outputs"
    echo "******************************"

    while true
    do
        read -p "Do you want to restart the above services? (y/N)" answer

        case $answer in
            [yY]* ) #
                echo "restarting services…."

                while read -r line
                do
                    echo "Restarting $line"
                    /bin/systemctl stop "$line"
                    /bin/systemctl start "$line"
                done < "$outputs"

                break;;

            [nN]* ) echo "exiting…" && break ;;

            * ) echo "Please enter Y or N";;
        esac
    done
else
    echo "******************************"
    echo "No services need to be restarted."
    echo "******************************"
fi

# section reboot

outputr_preparation
outputr_filling

# `$mybin -r >> $outputr`
# chmod 600 $outputr

echo ""
echo "Please check the following output and decide whether a reboot is required:"
echo "***************"
cat "$outputr"
echo "***************"

while true
do
    echo "If you need to disable some kind of monitoring before rebooting the server,"
    echo "please cancel this script (Ctrl+c) and disable the monitoring now,"
    echo "then re-run this script again."
    read -p "Do you want to reboot the server in 60 seconds? (y/N)" answer

    case $answer in
        [yY]* ) #
            echo "Scheduling reboot…."

            # +1 schedules the reboot one minute from now, matching the prompt
            shutdown -r +1

            break;;

        [nN]* ) echo "exiting…" && exit;;

        * ) echo "Please enter Y or N";;
    esac
done
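
The post says the users need a sudo command but does not show one. A possible sudoers drop-in follows, as an added example that is not the author's own configuration; the group name patchers and the file name /etc/sudoers.d/yumcleanup are assumptions, while the script path is the one from the script's error message.

```sudoers
# /etc/sudoers.d/yumcleanup  (edit with: visudo -f /etc/sudoers.d/yumcleanup)
# Assumption: the non-admin users are members of a group named "patchers".

# Only the script from the post, and only with the arguments it understands.
# The "" entry permits the call without arguments (interactive menu); a bare
# path without it would allow any argument string.
Cmnd_Alias YUMCLEANUP = /opt/yumcleanup/restartsetupscript "", \
                        /opt/yumcleanup/restartsetupscript --non-interactive, \
                        /opt/yumcleanup/restartsetupscript --help

# The script calls yum, getopt and shutdown by bare name, so give it a
# fixed PATH and a clean environment instead of the caller's.
Defaults!YUMCLEANUP env_reset, secure_path="/sbin:/bin:/usr/sbin:/usr/bin"

# Members of the group may run the alias as root and nothing else.
%patchers ALL = (root) YUMCLEANUP
```

The script and the /opt/yumcleanup folder must be owned by root and not writable by the group, otherwise whoever can edit the script can run anything as root through this rule.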

Which is more practical to keep safe – Windows or Ubuntu?

Thursday, February 25th, 2010

Please note: As with all my other blog entries, this is just my personal opinion. It’s based on experience at work or at home. The conclusions drawn may be wrong or biased but as I said, it’s personal.

I’ve come a long way with Windows, starting with the inevitable Windows 3.11, going through 95, 98, ME, 2000, XP, a short spin with Vista and finally Windows 7. Well, who hasn’t… As soon as internet connections became more common, Windows’ shortcomings in security gained immediate attention and Microsoft responded (i.e. had to respond) with Windows Updates.

IMHO, Windows Updates has also come a long way. In a certain way, it is a reflection of the increasing complexity of Windows.

In XP, Updates could be installed from the Windows Updates website. Some installed without a restart, some updates required a restart but most of the updates installed fine and the following restart didn’t take very long.

In Vista and 7 though, Updates requiring a restart execute post-installation when shutting down AND they execute post-installation configuration when starting the OS again. The effect on the user? Bewilderment and waiting time…

Not only for a common user, also for full-time IT personnel like me it’s impossible to foretell whether an update requires a reboot or not. Often, not even the description of the update is very helpful: “This update may require a reboot” mostly means it will require a reboot. Legalese phrases were never intended for humanity, only for non-humans… The reboot requirement sometimes differs depending on the server configuration – one particular update from January 2010 required no reboot on a WSUS server but required one on a DC. I’m sure there are technical reasons for that but still….

Oh, and this is just Windows and MS Office updates! Recommended updates for 3rd-party software such as .pdf readers (a particular bloatware comes to mind) also cry for reboots very often.

At least there is an alternative even on Windows… Foxit Reader. And there are others: OpenOffice, Firefox, VLC, Gimp and many more. They also need to be patched but uninstallation and installation can be completed without a reboot.

My experience with Linux and in particular Ubuntu is not that old yet but has been growing deeper ever since. I’ve toyed with Linux distros since 1996 (SuSE at that time) but often I just installed a distro, played around with it and had to revert to Windows because specific 3rd party software was not available or some devices did not work or because it was just too impractical etc. (remember, it’s my personal opinion, I’m not trying to start a flame war).

However, for two years I’ve been using Debian at work and Ubuntu at home and I’m quite happy. At work, I don’t have to worry about updates as this is taken care of by somebody else. At home, I can rely on apt-get to provide the latest updates quickly. The only updates that require a reboot are kernel upgrades (and very few others but I don’t remember what type they are – SSL-related?) and even 3rd party software upgrades are included. Not all but quite some.

Based on this experience I would rather recommend installing Ubuntu if I was asked by a novice computer user. The package is more complete, the installation of updates is easier, maintenance for the average user is easier. There is still the stigma of complexity to Linux but Ubuntu has made strides in that direction – even to the level where an average user can install and use it.

My conclusion should be quite clear: Ubuntu is easier to keep safe than any Windows version.

I would like to add the following though: Regardless of what operating system you use, if you have an internet connection it had better be a broadband connection or a lousy dial-up connection. Broadband means you can regularly install updates without waiting 3 hours for the update to download and lousy dial-up means your connection is so slow that you are not a target worth hacking. Nonetheless, you should install updates whenever you can to keep your PC safe.