Software Distributor Administration Guide for HP-UX 11i
SD-UX Security
Basic Security Tasks
Chapter 9
To give user mary the permission to install new software into the root
object:
swacl -l root -M user:mary:i
To let remote user allen@swelter fully manage the root file system on
swcrunch:
swacl -l root -M user:allen@swelter:a
(In the above examples, change user to group and use a group name to
add group access to the depot structures.)
NOTE: Because software installation usually involves modifying system
files during configuration, software install and configure scripts are run
as the superuser. Therefore, granting a user write permission on a root is
essentially giving that user superuser access for managing software.
Restricting Access to Depots
To restrict read access to a depot, you must first remove any_other
access from the depot, from the products contained in the depot, and
from the template controlling the products in the depot.
For example, to restrict access to depot alpine on host drgw:
swacl -l depot -D any_other @ drgw:/alpine
swacl -l product -D any_other \* @ drgw:/alpine
swacl -l global_product_template -D any_other \* \
@ drgw:/alpine
After removing any_other from the depot security, you need to add
specific users (and then hosts) with read access. The following
commands add read access for any user on hostA to the depot, the
products contained in the depot, and future products, respectively.
swacl -l depot -M other:@hostA:r @ drgw:/alpine
swacl -l product -M other:@hostA:r \* @ drgw:/alpine
swacl -l global_product_template -M other:@hostA:r \
@ drgw:/alpine
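The two steps above, generalized to several allowed hosts, as an added example that is not part of the HP guide: the hypothetical function depot_lockdown_cmds prints the swacl commands from this page for review instead of running them, so that none of the three ACL levels is missed. The character set accepted for depot and host names is an assumption made for this example.

```shell
#!/bin/sh
# Added example, not from the HP guide. depot_lockdown_cmds is a hypothetical
# helper: it only prints the swacl commands shown on this page, so they can be
# reviewed before an administrator runs them on the depot host.
# Usage: depot_lockdown_cmds <depot_host>:<depot_path> <allowed_host>...
depot_lockdown_cmds() {
    target=$1
    [ $# -ge 2 ] || { echo "usage: depot_lockdown_cmds host:/depot allowed_host..." >&2; return 2; }
    shift
    # Assumption: names use only these characters. Anything else is rejected
    # before any command is printed, since the output may be pasted into a shell.
    case $target in
        *[!A-Za-z0-9._:/-]*) echo "bad depot target: $target" >&2; return 2 ;;
        ?*:/?*) ;;
        *) echo "depot target must be host:/path" >&2; return 2 ;;
    esac
    for h in "$@"; do
        case $h in
            ''|*[!A-Za-z0-9._-]*) echo "bad host name: $h" >&2; return 2 ;;
        esac
    done
    # Step 1: remove any_other from the depot, its products, and the template
    # that seeds ACLs for future products (commands as written on this page).
    printf 'swacl -l depot -D any_other @ %s\n' "$target"
    printf 'swacl -l product -D any_other \\* @ %s\n' "$target"
    printf 'swacl -l global_product_template -D any_other \\* @ %s\n' "$target"
    # Step 2: grant read access to any user on each allowed host, again at
    # all three levels so that new products inherit the restriction.
    for h in "$@"; do
        printf 'swacl -l depot -M other:@%s:r @ %s\n' "$h" "$target"
        printf 'swacl -l product -M other:@%s:r \\* @ %s\n' "$h" "$target"
        printf 'swacl -l global_product_template -M other:@%s:r @ %s\n' "$h" "$target"
    done
}

# Reproduces the six commands of the drgw:/alpine example above.
depot_lockdown_cmds drgw:/alpine hostA
```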
In the following example, the local superuser disallows all remote users
from accessing /simple_1.depot on swelter, but allows local users to
access the depot: