NAME
GetApplyPatch - retrieve and apply a vendor patch
SYNOPSIS
GetApplyPatch [ -b ][ -s site ][ -u user ][ -d dir ][
patchno .. ]
DESCRIPTION
Sun Microsystems supports an anonymous ftp site where
recommended patches are found. It is a fundamental security
principle that systems which have vendor patches installed
will be more secure than those that do not. In the life of any
released operating system there will be many patches.
GetApplyPatch is a simple tool to assist in patch management
on Solaris systems. It will retrieve and install vendor
patches under user control. Patches can be listed on the
command line or on standard input -- that makes the tool
suitable for a pipeline as in:
[1:05pm wally] CheckPatches | GetApplyPatch
In "batch" mode (i.e. when run from cron(8)) patches are
applied blindly with no human intervention. In interactive
mode you have several opportunities to consider the patch:
[3:32pm xsv] CheckPatches | GetApplyPatch
***************** Recommended Patch *****************
105403-03 SunOS 5.6: ypbind/ypserv patch
Get/Examine? [y/n] y
Fetching ftp://sunsolve.sun.com/pub/patches/105403-03.tar.Z ...
Patch 105403-03 retrieved from sunsolve.sun.com; README says:
Patch-ID# 105403-03
Keywords: security ypbind ypbind.pid diskless clients lookup rpcbind
Synopsis: SunOS 5.6: ypbind/ypserv patch
Date: Apr/14/00
...etc.
Apply 105403-03? [y/n] n
Cleanup 105403-03? [y/n] y
..etc.
One should, of course, be very careful to read the README
documentation that comes with each patch. Some patches
advise that you bring the system into single user mode,
others advise that you reboot the system after applying the
patch. In interactive mode you have the opportunity to defer
the patch if you so decide after reading the patch
documentation.
If you need to back out of a patch that you have installed
you will need to use the vendor provided script:
/var/sadm/patch/nnnnnn-mm/backoutpatch
Every vendor patch will have this procedure to restore the
system to its pre-patched state.
OPTIONS
Sites with a local mirror, or sites that must use an ftp
proxy will require these options:
-b forces "batch" mode. No questions are asked
and patches are applied with minimal fuss.
This is the same behaviour as when run from
cron(8) or as an at(1) job.
-s site specifies an alternative ftp site -- the
default is "sunsolve.sun.com". This is useful
if you have a local mirror of sunsolve or
if you need to connect through an ftp proxy.
-u user specifies an alternative login id for the
anonymous ftp site -- the default is "ftp".
This is useful if you have an ftp proxy you
connect through -- e.g. "anonymous@proxy"
might be required to get through a proxy.
-d directory specifies the directory at the ftp site
where you expect to find vendor patches --
the default is "/pub/patches". This is useful
if you have a local mirror but a different
directory structure.
EXAMPLES
GetApplyPatch is designed to be used interactively in a
pipeline with CheckPatches as in:
[1:05pm wally] CheckPatches | GetApplyPatch
You can also use it to selectively apply patches as in:
[1:05pm wally] GetApplyPatch 105403-03 105552-03 108333-02
You can also use it to retrieve and apply the most recent
version of some patch as in:
[1:05pm wally] GetApplyPatch '105403-??'
Note the quoting required to escape the wild card.
On many systems (certainly not backroom mission critical
servers) you probably can get away with a cron job that
applies all outstanding patches.
BUGS/BEWARE
GetApplyPatch cannot get a patch if it isn't there. There
have been times when the Solaris patch report refers to
patches that cannot be found at their patch depot. The
vendor has also transitioned from traditional compressed tar
files to zip files, most recently on Solaris 7.
GetApplyPatch can only retrieve patches available by
anonymous ftp. Sometimes Sun will have other patches hidden
away in other support areas with different access
requirements.
GetApplyPatch assumes the vendor patches are found at a well
known site in a well known location with well known file
extensions. When that changes this tool will fail.
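The wild card form shown under EXAMPLES ('105403-??') and the
tar.Z/zip transition noted above both come down to matching a
patch spec against what the depot actually lists. The following
is an added illustration, not part of GetApplyPatch: it checks
that a spec has the nnnnnn-mm shape before it is used in any
path or fetch command, picks the newest revision for a wild
card, and falls back to the zip archive when no compressed tar
exists. The depot listing and patch numbers are constructed for
the example.

```shell
#!/bin/sh
# Constructed depot listing; a real run would take this from an ftp "ls"
# of the -d directory at the -s site.
DEPOT_LISTING='105403-02.tar.Z
105403-03.tar.Z
105552-03.zip
108333-01.tar.Z
108333-02.zip
108333-02.tar.Z'

# valid_patch_spec: accept only nnnnnn-mm, where mm may be the '??' wild
# card. Anything else (including path fragments read from stdin) is
# rejected before it can reach a file name or fetch command.
valid_patch_spec() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9]) return 0 ;;
        [0-9][0-9][0-9][0-9][0-9][0-9]-'??')       return 0 ;;
        *) return 1 ;;
    esac
}

# resolve_patch: print the archive file name matching a spec, or nothing
# (status 1) when the spec is malformed or the depot has no such patch.
# Newest revision wins; .tar.Z is preferred over .zip for the same revision.
resolve_patch() {
    spec=$1
    valid_patch_spec "$spec" || return 1
    base=${spec%-*}
    rev=${spec#*-}
    best=
    for f in $DEPOT_LISTING; do
        case "$f" in
            "$base"-[0-9][0-9].tar.Z|"$base"-[0-9][0-9].zip) ;;
            *) continue ;;
        esac
        frev=${f#*-}; frev=${frev%%.*}
        [ "$rev" = '??' ] || [ "$frev" = "$rev" ] || continue
        if [ -z "$best" ]; then best=$f; continue; fi
        brev=${best#*-}; brev=${brev%%.*}
        if [ "$frev" -gt "$brev" ]; then best=$f
        elif [ "$frev" -eq "$brev" ] && [ "${f%.tar.Z}" != "$f" ]; then best=$f
        fi
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}

# patch_url: build the fetch URL from the -s site, -d directory and file.
patch_url() {
    printf 'ftp://%s%s/%s\n' "$1" "$2" "$3"
}
```

Feeding the resolved file name to the fetch step (rather than the raw
spec) is what keeps a stray or malformed patch number out of the ftp
path and out of the later patchadd(1M) call.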
FILES
CheckPatches works in a directory /tmp/GetApplyPatch.nnnn.
When vendor patches are applied you'll discover directories
with patch number names in /var/sadm/patch. As noted
earlier, that's where you'll find a back out procedure as may
be required (seldom if ever) to restore things to a
pre-patched state. You probably ought to purge the patch
directory periodically.
Patches, when applied, update the package database at
/var/sadm/install/contents.
SEE ALSO
CheckPatches(8), ftp(1), patchadd(1M), pkginfo(1M), and Sun
Microsystems support site at http://sunsolve.Sun.COM.
AUTHOR
Reg Quinton, University of Waterloo, Information Systems and
Technology. 1999/07/09 - 2001/01/19.