Software Distributor Administration Guide for HP-UX 11i
SD-UX Security
Security on SD-UX Systems
Controlling access to data is a key concern of computer security. In
SD-UX, file owners and superusers allow or deny access to files on a
need-to-know basis by setting or manipulating the file’s permission bits
to grant or restrict access by owner, group and others. For example, the
following file listing:
-rwxr-xr-- 1 doug admin 738 Mar 26 12:25 datafile
shows that:
• File owner is user doug.
• File’s group is admin.
• Name of the file is datafile.
• Owner permissions are read, write and execute (rwx).
• Group permissions are read and execute (r-x).
• Other permissions are read only (r--).
SD-UX commands are essentially object managers that use the SD-UX
file system to store their objects. Users never need to access these
objects through the file system itself, so the file system protection
scheme is based on blocking access to the file system directories that
store these objects.
In addition to SD-UX objects, there are several administrative files (log,
configuration, and session files) that are used or managed by SD-UX.
These files are not actually SD-UX objects and are accessible via
conventional commands such as editors and printing utilities. These files
are protected by conventional file system protection modes.
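The permission model described above, as an added example in POSIX shell (not code from the HP guide): it decodes an ls -l mode string into its owner, group and other triplets, then lists directories and files under a caller-supplied path that are open to non-owners. The function names and the audit policy (no group/other access on object directories, no group/other write on administrative files) are assumptions, not SD-UX requirements stated here.

```shell
#!/bin/sh
# Added example, not from the HP guide. Function names and policy are assumptions.

# Split an ls -l mode string into owner/group/other triplets.
# Prints e.g. "owner=rwx group=r-x other=r--"; returns 2 on malformed input.
explain_mode() {
    case $1 in
        [-dlbcps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]) ;;
        *) echo "malformed mode string: $1" >&2; return 2 ;;
    esac
    perms=${1#?}                  # drop the file-type character
    owner=${perms%??????}         # first triplet
    other=${perms#??????}         # last triplet
    group=${perms#???}            # middle triplet: strip first three ...
    group=${group%???}            # ... then the last three
    echo "owner=$owner group=$group other=$other"
}

# Return 0 when group or others hold any permission in the mode string.
open_to_non_owner() {
    triplets=$(explain_mode "$1") || return 2
    case $triplets in
        *"group=--- other=---") return 1 ;;
        *) return 0 ;;
    esac
}

# List directories under DIR (DIR included) that group or others can list,
# modify or search. These are the gates that block access to stored objects.
open_dirs() {
    find "$1" -type d \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# List regular files under DIR (log, configuration, session files and the
# like) that group or others can write to.
writable_files() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) -print
}

# Stand-alone use: pass the directory to audit as the first argument.
if [ "$#" -gt 0 ]; then
    open_dirs "$1"
    writable_files "$1"
fi
```

An empty result from both functions means every directory is closed to non-owners and no file is writable by them.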
Many of the functions that SD-UX agents perform are privileged. Some
operations, such as installing files in system directories (e.g., in the /etc
and /dev directories) and customization of system files via control
scripts, require superuser privileges. For this reason, SD-UX agents
must always run as the superuser.
Any system user may run the SD-UX controller; its use is not restricted
to the superuser. In general, the controller does its work by making
Remote Procedure Calls (RPC) to target hosts, but it also occasionally
requires special privileges to access critical log, configuration, and session