These days I'm getting update notifications via email, and now applying those updates with one click.
I've had email notifications for a while, but lately I got annoyed that I'd have to log in to my server and run the `apt-get dist-upgrade` command. I noticed that I wasn't even doing it. I was just ignoring the updates, which is not good practice!
So I've turned the 5-minute job of logging in and applying the update into a 1-second job.
I have a small Python web server (using Flask) which accepts the instruction to apply the update. The Python web server is running as a user who has sudo access to run `apt-get dist-upgrade` (and only that =P). The result is then emailed back to me.
I only want myself to be able to apply the updates, but if someone else did, it's not that big a deal. I usually trust the Ubuntu package maintainers. I really just want to watch the update happen in case it breaks and my server goes down. I don't require 100% uptime, so this is an acceptable risk.
The instruction is just an HTTP GET on a hidden URL. It has a 30-character hash in it, so it's unlikely anyone is going to guess it, and if they do I'm going to get the update results email.
If I wanted to be a bit more secure about it, I could use a one-time token for each update, but that's overkill for me.
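As an added example (my own code, not the author's gist), here is a minimal version of the setup described above: a Flask endpoint on a hidden URL that checks a 30-character token in constant time, runs the one command sudo permits, emails the result back, and optionally rotates the token after every use, which is the one-time token variant mentioned just above. The user name `updater`, the `/update/<token>` path, the environment variable names and the SMTP relay on localhost are all assumptions; the sudoers line in the docstring is the one the code expects.

```python
"""
Added example, not the original post's code: a small Flask "apply updates" service.

Assumed deployment (names are hypothetical):
  * the service runs as an unprivileged user, e.g. `updater`
  * /etc/sudoers.d/updater holds exactly one rule, with the arguments pinned:
        updater ALL=(root) NOPASSWD: /usr/bin/apt-get -y dist-upgrade
    Pinning the arguments matters: sudo rights to apt-get with free arguments
    can be turned into a root shell via options such as APT::Update::Pre-Invoke.
  * UPDATE_TOKEN and MAIL_TO come from the environment; mail goes to localhost:25.
"""
import hmac
import os
import secrets
import smtplib
import subprocess
from email.message import EmailMessage
from typing import Optional, Tuple

# Exactly the command the sudoers rule allows. `-n` makes sudo fail instead of
# prompting for a password if the rule does not match.
UPDATE_COMMAND = ["sudo", "-n", "/usr/bin/apt-get", "-y", "dist-upgrade"]


def new_token(nbytes: int = 15) -> str:
    """30 hex characters (like the 30-character hash in the post) from the OS CSPRNG."""
    return secrets.token_hex(nbytes)


def token_ok(presented: str, expected: str) -> bool:
    """Constant-time comparison, so a wrong token cannot be narrowed down byte by byte."""
    return hmac.compare_digest(presented.encode(), expected.encode())


class TokenStore:
    """Holds the current token; with one_time=True it is replaced after each successful use."""

    def __init__(self, token: str, one_time: bool = False):
        self.token = token
        self.one_time = one_time

    def consume(self, presented: str) -> bool:
        """True if the token matches; rotates the token afterwards in one-time mode."""
        if not token_ok(presented, self.token):
            return False
        if self.one_time:
            self.token = new_token()
        return True


def run_update(runner=subprocess.run) -> Tuple[int, str]:
    """Run the pinned command with no tty; return (exit status, combined stdout+stderr)."""
    # DEBIAN_FRONTEND only reaches apt-get if sudoers env_keep allows it (assumption).
    env = dict(os.environ, DEBIAN_FRONTEND="noninteractive")
    result = runner(UPDATE_COMMAND, stdin=subprocess.DEVNULL,
                    capture_output=True, text=True, env=env)
    return result.returncode, result.stdout + result.stderr


def build_report(returncode: int, output: str, sender: str, recipient: str,
                 next_token: Optional[str] = None) -> EmailMessage:
    """The results email; in one-time mode it also carries the URL for the next run."""
    msg = EmailMessage()
    msg["Subject"] = f"dist-upgrade finished with status {returncode}"
    msg["From"] = sender
    msg["To"] = recipient
    body = output
    if next_token is not None:
        body += f"\n\nNext update URL path: /update/{next_token}\n"
    msg.set_content(body)
    return msg


def send_report(msg: EmailMessage, host: str = "localhost", port: int = 25) -> None:
    with smtplib.SMTP(host, port) as smtp:
        smtp.send_message(msg)


def create_app(store: TokenStore, recipient: str, sender: str = "updater@localhost",
               runner=subprocess.run, mailer=send_report):
    """Build the Flask app. Flask is imported here so the helpers above work without it."""
    from flask import Flask, abort

    app = Flask(__name__)

    @app.get("/update/<token>")
    def update(token: str):
        if not store.consume(token):
            abort(404)  # a bad token looks exactly like an unknown path
        code, output = run_update(runner)
        next_token = store.token if store.one_time else None
        mailer(build_report(code, output, sender, recipient, next_token))
        return f"update finished with status {code}\n", (200 if code == 0 else 500)

    return app


if __name__ == "__main__":
    store = TokenStore(os.environ["UPDATE_TOKEN"],
                       one_time=os.environ.get("ONE_TIME") == "1")
    create_app(store, os.environ["MAIL_TO"]).run(host="127.0.0.1", port=8080)
```

Two practical notes on this design: a token carried in a GET URL is written to the web server's access log and to browser history, so those should be readable only by the owner (or the service should sit behind a front end that does not log the path); and because the sudoers rule pins the exact arguments, any change to `UPDATE_COMMAND` has to be mirrored in sudoers or `sudo -n` will simply fail, which is the intended failure mode.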
If there were a vulnerability in the web server and someone were able to execute arbitrary code, the worst they could do is install the updates for me.
Here's the code in a gist.