Software Distributor Administration Guide for HP-UX 11i

SD-UX Security
SD-UX Internal Authentication
This section discusses the following topics:
SD-UX Credentials
Controllers Run with the User’s Credentials and Privileges
Agents Run with the System’s Identity
Security Between Hosts: The Shared Secrets File

SD-UX security does not replace DCE Security. It seeks to provide a
usable protection scheme based on the assumption that there is no
hostile, concerted effort by users to do damage.

Much of the DCE security functionality used by SD-UX comes from the
DCE Runtime Library that is included in SD-UX. This library provides
DCE RPC capability and some of the DCE Security Services required to
support ACLs.

Without full DCE Security Services, it is impossible to reliably prove the
identity of a user making an SD-UX RPC call, even if the source and
destination of the RPC call are local. The RPC identifies only the network
address of the calling client.

This means that a person who has access to a legitimate SD-UX host
system and knows the SD-UX call interface and protocol could
impersonate an SD-UX controller. This would create a significant
security risk in a hostile environment.

However, SD-UX makes it possible to run securely without these DCE
Security Services by providing its own internal method of performing
user, group, and host authentication.

SD-UX Credentials
A key to SD-UX security is determining which users are allowed to be
involved in particular operations. In SD-UX internal authentication,
your HP-UX uid, gid, and host name are used to establish your identity.
The fact that the SD-UX controller runs with an effective uid of root
(because the controller is a setuid-root program) does not affect your
identity, which is obtained from your real uid.
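
The real-versus-effective distinction described above, as an added example (not code from the guide or from SD-UX): a setuid-root program that builds the caller's uid, gid, and host name triple from the real ids. The struct, the function names, and the text format are assumptions made for illustration.

```c
/* Added illustration; all names are hypothetical, not SD-UX source. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

struct caller_cred {
    uid_t uid;        /* real uid of the invoking user */
    gid_t gid;        /* real gid of the invoking user */
    char  host[256];  /* local host name */
};

/* Fill in the caller's identity from the REAL ids. Returns 0 on success. */
int collect_caller_cred(struct caller_cred *c)
{
    c->uid = getuid();   /* not geteuid(): that is 0 in a setuid-root binary */
    c->gid = getgid();
    if (gethostname(c->host, sizeof c->host) != 0)
        return -1;
    c->host[sizeof c->host - 1] = '\0';  /* may be unterminated if truncated */
    return 0;
}

/* 1 when the process holds ids beyond the invoking user's (setuid/setgid). */
int runs_with_elevated_ids(void)
{
    return geteuid() != getuid() || getegid() != getgid();
}

/* Render the triple as text; constructed format, not the SD-UX wire format. */
int format_cred(const struct caller_cred *c, char *buf, size_t n)
{
    int w = snprintf(buf, n, "uid=%ld gid=%ld host=%s",
                     (long)c->uid, (long)c->gid, c->host);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;  /* reject truncated output */
}

int main(void)
{
    struct caller_cred c;
    char line[320];
    if (collect_caller_cred(&c) != 0 || format_cred(&c, line, sizeof line) != 0)
        return 1;
    printf("%s elevated=%d\n", line, runs_with_elevated_ids());
    return 0;
}
```

Installed setuid-root and run by an ordinary user, this program still reports that user's uid and gid, with elevated=1.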