Apr 14

Automating software updates on OSX

Sat, 04/14/2012 - 09:23 — peter

The Problem

OSX is fairly secure. However, nothing is impervious to attack, and by the weakest-link theory the whole system is only as secure as its least secure component. In the recent events relating to the Flashback malware, that component is NOT OSX itself but Java, as this article points out.

The Solution

At any rate, Apple has made the fix available for a while now, but unless you are on top of the news or in the habit of checking your system for updates daily, you may not have applied it yet. Fear not, this short article is here to help you automate the software update process!

Step 1: Use visudo so you can run the software update program from the command line without a password.

We start off by taking a trip to the command line, or terminal. You get there by firing up Finder, hitting cmd-shift-U, then finding and running the Terminal application. Once in the terminal, type the following command:

sudo visudo

After you enter your password, you will be presented with the sudoers file, which lists the admin commands that each user or group can run on your Mac. Please be careful here and don't mess around with any of the existing settings unless you really know what you are doing!

I use vim as my text editor of choice; yours may be different. Once inside vim, hit ":$" (that's colon, dollar sign) and then the enter key, which will place you at the very last line of that file. Type o (lower-case O) and you will be in insert mode on a new line (vim is a mode-based editor, but I won't get into this here; if you want to learn more, there are better places for that).

Here is what you need to type on that new line:

Defaults:%users !requiretty
%users    ALL=NOPASSWD: /usr/sbin/softwareupdate -i -a

Once you type that, hit the escape key, then :wq (that's colon, lower-case W, lower-case Q) and the enter key. What you've done is allow all users to run the software update program, with exactly those arguments, from the command line without requiring a password. We need this to automate the process, but you can replace %users with your own username if you want to make it more restrictive.
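To check how broad a NOPASSWD rule like the one above is, here is an added example (not part of the original post): a shell function that reads sudoers text and flags rules granted to a group or to ALL, rules that allow any command, and rules that name a command without arguments, which sudoers treats as "any arguments allowed". The function names, flag names, the user alice and the sample lines are constructed for illustration, and it assumes one command per rule.

```shell
#!/bin/sh
# Added example: audit NOPASSWD rules in sudoers text read on stdin.
# Output, one line per rule: <flags> TAB <user or group> TAB <command>

audit_nopasswd() {
  awk '
    /^[ \t]*(#|Defaults)/ { next }   # skip comments and Defaults lines
    /NOPASSWD:/ {
      who = $1                       # user, %group or ALL
      cmd = $0
      sub(/^.*NOPASSWD:[ \t]*/, "", cmd)   # keep only the command part
      sub(/[ \t]+$/, "", cmd)
      n = split(cmd, parts, /[ \t]+/)
      flags = ""
      # Rule applies to more than one account
      if (who ~ /^%/ || who == "ALL") flags = flags ",broad-principal"
      # ALL means every command; a bare path means any arguments
      if (parts[1] == "ALL")          flags = flags ",any-command"
      else if (n == 1)                flags = flags ",any-args"
      if (flags == "") flags = ",ok"
      printf "%s\t%s\t%s\n", substr(flags, 2), who, cmd
    }'
}

# Constructed sample: the rule from this article, a per-user variant,
# and two looser rules for comparison. "alice" is a made-up username.
sample_sudoers() {
  cat <<'EOF'
# constructed sudoers sample
Defaults:%users !requiretty
%users    ALL=NOPASSWD: /usr/sbin/softwareupdate -i -a
alice     ALL=NOPASSWD: /usr/sbin/softwareupdate -i -a
%admin    ALL=(ALL) NOPASSWD: ALL
alice     ALL=NOPASSWD: /usr/sbin/softwareupdate
EOF
}

sample_sudoers | audit_nopasswd
```

On a real system you would feed it the output of "sudo cat /etc/sudoers" instead of the sample.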

Step 2: Automate the process

Once you are back at the command line, issue the following command:

crontab -e

You will once again be placed into an editor, most likely vim. Hit "i" (that's lower-case I) and type the following:

0 2 * * * /usr/bin/sudo /usr/sbin/softwareupdate -i -a > /dev/null

Then hit the escape key, followed by ":wq" again (that's colon, lower-case W, lower-case Q), followed by the enter key.

That is it. This will have scheduled the software update to run every day at 2am - feel free to adjust the time to your liking. If you want more information about the crontab syntax, Wikipedia is a good start.

Alternative 1-step solution

As an alternative solution, instead of the 2 steps above, you can just type the following command:

sudo crontab -e

And then type almost the same text as before:

0 2 * * * /usr/sbin/softwareupdate -i -a > /dev/null

Followed by the escape key, followed by ":wq" again (that's colon, lower-case W, lower-case Q), followed by the enter key.

The difference is that this scheduled task will be run by the admin user (root) as opposed to your own user.

There are other things you can do, like redirecting the text output to an email of your choosing (my example suppresses normal output), but the instructions above should get you started.

That is it.

Easy Peasy!