Software Distributor Administration Guide HP-UX 11i v1, 11i v2, and 11i v3 (5900-2561, March 2013)

ManualsBrandsHP ManualsSoftwareHP-UX Software Distributor

151

152

153

154

155

156

157

158

159

160

swacl -l root -M user:mary:a @ mysys

To allow user mary to install software into the default root:

swacl -l root -M user:mary:ri

To give user mary the permission to open the root for reading:

swacl -l root -M user:mary:r

To give user mary the permission to install new software into the root object:

swacl -l root -M user:mary:i

To let remote user allen on host swelter fully manage the root file system:

swacl -l root -M user:allen@swelter:a

To let remote user allen at any host having hostname starting with 'sw' fully manage the root file

system:

swacl -l root -M user:allen@sw*:a

(In the above examples, change user to group and use a group name to add group access to

the depot structures.)

NOTE:

• Because software installation usually involves modification of system files during configurations,

software install and configure scripts are run as the superuser. Therefore, granting a user write

permission on a root is essentially giving them superuser access for managing software.

• "*" (for zero or more characters) and "?" (for a single character) are the wildcards allowed

in the hostname. A hostname can contain multiple wildcard characters. For example:

sw*.??.hp.com.

9.3.4 Restricting Access to Depots

To restrict read access to a depot you must first remove any_other access from the depot and

from the products contained in the depot and the template controlling the products in the depot.

You can restrict access to depot alpine on host drgw:

# swacl -l depot -D any_other @ drgw:/alpine

# swacl -l product -D any_other \* @ drgw:/alpine

# swacl -l global_product_template -D any_other \* \

@ drgw:/alpine

You will then need to add specific users (and then hosts) with read access after removing

any_other from the depot security. The following commands add read access for any user on

hostA to the depot, the products contained in the depot, and future products, respectively.

# swacl -l depot -M other:@hostA:r @ drgw:/alpine

# swacl -l product -M other:@hostA:r \* @ drgw:/alpine

# swacl -l global_product_template -M other:@hostA:r \

@ drgw:/alpine

In the following example, the local superuser disallows all remote users from accessing

/simple_1.depot on swelter, but allow local users to access the depot:

# swacl -l depot -D any_other @ /simple_1.depot

# swacl -l depot -M other:r @ /simple_1.depot

# swacl -l depot @ /simple_1.depot

# swacl Depot Access Control List

# For depot: swelter:/simple_1.depot

# Date: Thu Mar 1 16:19:57 2001

# Object Ownership: User= allen

9.3 Basic Security Tasks 151