|< Day Day Up >|
Keeping Software Updated
An important part of maintaining a functioning and secure system is staying on top of the operating system updates. With a BSD core, Tiger needs more frequent attention than the Classic Mac operating system. Critical security utilities such as SSH are revised regularly and, unless updated, might open your system to outside attack. Updates in mid-2004 fixed holes in Safari and Help Viewer that could potentially allow malicious scripts to run without warning on your system. Although it might be tempting to let Tiger coast for a few months and perform all the updates at once, doing so is not wise. A machine with a full-time Internet connection is vulnerable from the moment that a new software exploit is found and very likely will be compromised.
For example, consider my home cable-connected computer, which logs each connection attempt made:
12/27/2004 03:38:28 Host: www.allstat.com/18.104.22.168 Port: 137 UDP Blocked 12/27/2004 03:51:47 Host: 22.214.171.124/126.96.36.199 Port: 27374 TCP Blocked 12/27/2004 04:22:09 Host: 71dial170.xnet/188.8.131.52 Port: 27374 TCP Blocked 12/27/2004 07:46:43 Host: 92dial132.xnet/184.108.40.206 Port: 27374 TCP Blocked 12/27/2004 08:03:51 Host: 220.127.116.11/18.104.22.168 Port: 1433 TCP Blocked 12/27/2004 08:10:57 Host: pc172.jeleniag/22.214.171.124 Port: 22 TCP Blocked 12/27/2004 09:49:30 Host: rrcs-central-24-12/126.96.36.199 Port: 515 TCP Blocked 12/27/2004 10:35:34 Host: 64dial26.xnet.ro/188.8.131.52 Port: 27374 TCP Blocked 12/27/2004 12:53:05 Host: 184.108.40.206/220.127.116.11 Port: 111 TCP Blocked 12/27/2004 14:15:47 Host: 6535208hfc65.tampa/18.104.22.168 Port: 137 UDP Blocked 12/27/2004 15:00:20 Host: Sherbrooke-HSE/22.214.171.124 Port: 27374 TCP Blocked 12/27/2004 19:01:57 Host: 126.96.36.199/188.8.131.52 Port: 21 TCP Blocked 12/27/2004 19:51:48 Host: 67-92-203-151/184.108.40.206 Port: 1433 TCP Blocked 12/27/2004 20:26:33 Host: AC83C299.ipt.aol/220.127.116.11 Port: 23 TCP Blocked 12/27/2004 21:05:20 Host: 18.104.22.168/22.214.171.124 Port: 1433 TCP Blocked 12/27/2004 23:19:13 Host: 126.96.36.199/188.8.131.52 Port: 21 TCP Blocked 12/27/2004 23:32:48 Host: 61-220-153-179/184.108.40.206 Port: 1433 TCP Blocked
In the course of one day, there are more than 15 connection attempts. Some are innocuous simple probes for Internet sharing services such as Kazaa whereas others are attempts to connect to well-known services, such as telnet, SSH, and FTP, presumably for the purpose of exploitation. On a production computer with a real Internet connection running real services, you might experience hundreds of inappropriate connection attempts a day, and unless you want to spend your time reinstalling Tiger, you should keep your system updated and prepared to handle the threat.
Checking for Updates
Tiger automates the process of upgrading software through the use of the Software Update System preferences pane (path: /Applications/System Preferences), shown in Figure 29.1.
Figure 29.1. The Software Update pane controls automatic system updates.
Use the check box to choose whether to run the software update application automatically or invoke it manually. If you've chosen an automatic install, use the pop-up menu to select a schedule (Daily, Weekly, Monthly) for the update library to be queried. If you want the system to automatically download updates in the background so that they can be installed faster, click Download Important Updates in the Background.
To force the system to look for updates immediately, click the Check Now button or choose Software Update from the Apple menu at any time. Your computer contacts Apple and detects available software packages.
If updates are found, a system update application is launched, as shown in Figure 29.2.
Figure 29.2. Check the items that you want to install.
Click the check box in front of each package that you want to install. Packages that will require a reboot are denoted by a small arrow icon in their listing. (All updates to the base operating system require a reboot before becoming active.) When you've finished selecting packages, click Install to start the updates. You will be prompted for an administrator password before continuing.
During each installation, the system displays a status bar for the update. If a component hasn't already been downloaded in the background, it could take quite awhile for the system to download and install; you might want to take a break during this process.
For some software packages, you might see a license agreement during the installation. In addition, the installation is likely to pause for a long period of time while it optimizes your installed packages. This is completely normal, albeit slightly annoying. Just wait patiently even if the update seems to be taking an unusually long time.
Disabling Unnecessary Updates
If there are updates that don't apply to your system, select them and choose Update, Ignore Update from the menu (or press Delete). This prevents Software Update from attempting to install them in the future.
To show updates that you've previously made inactive, choose Software Update, Reset Ignored Updates.
Reviewing Installed Files
Many users, for good reason, want to keep track of what software has been installed on their system. Opening the Software Update preferences pane and clicking the Installed Updates button displays a log of installed updates. Figure 29.3 shows this listing.
Figure 29.3. The Software Update pane displays a list of installed update packages.
In some cases, packages that are partially installed might be listed even though they weren't completely installed. To make Mac OS X forget about an update so that it can be reinstalled, open the directory /Library/Receipts. This folder contains receipt files for all software installed using Apple's built-in Installer program. The receipts are named based on the updated package; for example, Security Update July 2003 has the receipt file SecurityUpd2003-07-14.pkg.
Throwing out a receipt file will usually effectively convince Mac OS X that the update was never installed.
Listing the Bill of Materials with lsbom
The receipt files, in addition to keeping track of which packages have been installed, also contain a bill of materials (BOM). The BOM tracks every file that was updated or installed. Users can access the BOM using the command-line lsbom command. You'll need to dig deep into the receipt files, accessing a directory with this pattern: <receipt package>.pkg/Contents/Resources/<receipt package>.bom. For example, to view the BOM for the Tiger Seed Update 8A323A receipt file:
brezup:jray jray $ sudo lsbom /Library/Receipts/TigerSeedUpdate8A323A.pkg/Contents/Archive.bom . 41775 0/80 ./System 40755 0/0 ./System/Library 40755 0/0 ./System/Library/CoreServices 40755 0/0 ./System/Library/CoreServices/SystemVersion.plist 100644 0/0 506 921025735 ./System/Library/Frameworks 40755 0/0 ./System/Library/Frameworks/ApplicationServices.framework 40755 0/0 ./System/Library/Frameworks/ApplicationServices.framework/Versions 40755 0/0 ./System/Library/Frameworks/ApplicationServices.framework/Versions/A 40755 0/0 ...
The lsbom command can limit its output to only specific types of files contained in the BOM, such as directories or files, by using flags such as -d and -f, respectively. The Apple lsbom documentation, contained in Table 29.1, displays many of the available options and filters for viewing BOMs as documented in the man page.
BOM files can be useful in determining what has changed on your system. If you've modified the location of system software or configuration files, a system update might modify or move these files. Viewing the BOM can tell you exactly what happened during a system update.
Updating from the Command Line
In Tiger, all the functionality of the Software Update utility can be accessed through the command-line program softwareupdate. Invoking sudo softwareupdate -l produces a list of the available updates:
brezup:jray jray $ softwareupdate -l Software Update Tool Copyright 2002-2004 Apple Software Update found the following new or updated software: * 4082 Hard Disk Update (1.0), 840K [recommended]
Each package is listed with a number (called a label) by which you can refer to the update and a flag as to whether the update is recommended.
To install an update, simply invoke softwareupdate -i followed by the label for each update. You can specify as many updates on a single line as you want, and each will be downloaded and installed in turn:
softwareupdate -i <update label> <update label> ...
brezup:jray jray $ sudo softwareupdate -i 4082 Software Update Tool Copyright 2002-2004 Apple Downloading Hard Disk Update Downloading Hard Disk Update 0..10..20..30..40..50..60..70..80..90..100 Expanding Hard Disk Update Installing Hard Disk Update 0..10..20..30..40..50..60..70..80..90..100 Done.
If an update requires a system restart to become active, you will be prompted to reboot after the installation has completed. You can reboot from the command line by typing sudo /sbin/reboot.
As we mentioned, softwareupdate can perform all the same functions as the GUI equivalent in fact, it is more flexible than the GUI. The basic syntax for softwareupdate is always softwareupdate <options> [<label> ...] . Table 29.2 contains a list of the available arguments and their use.
|< Day Day Up >|