Software Distributor Administration Guide HP-UX 11i v1, 11i v2, and 11i v3 (5900-2561, March 2013)
# Group=users
# Realm=swelter.fc.hp.com
#
# default_realm=swelter.fc.hp.com
object_owner:crwit
other:-r---
Local users can now access this depot as a result of the other ACL, but remote users are refused.
To allow only user shelly on host swcrunch to access software in a depot located on swelter,
it may appear that adding a user ACL for shelly would be sufficient:
swacl -l depot -M user:shelly@swcrunch:r @ /simple_1.depot
However, this is not enough. An attempt by shelly to access this depot would fail with a security
violation, because SD-UX also requires that the SD agent (the swagent process) that contacts
the depot server be authorized via a host ACL entry_type:
swacl -l depot -M host:swcrunch:r @ /simple_1.depot
(Note that user shelly also requires appropriate ACL permission to install software on swcrunch.)
NOTE: The r (read) permission allows the user to access the depot and products, and the t (test)
permission allows the user to list the ACLs.
9.3.5 Adding Target Hosts
For swinstall and swcopy, both the user and the target host are validated (i.e., to protect against
an unauthorized user on a remote host switching to an authorized user name). The following adds read
permission for the host named target to the default depot on the local host, to the products currently
in the depot, and to any future products added to the depot (using global_product_template).
# swacl -l depot -M host:target:r
# swacl -l product -M host:target:r \*
# swacl -l global_product_template -M host:target:r
Since the user is always validated, another alternative that makes it easier to manage large numbers
of hosts is to allow all hosts read permission:
# swacl -l depot -M host:*:r
# swacl -l product -M host:*:r \*
# swacl -l global_product_template -M host:*:r
To allow all hosts on domain fc.hp.com read permission:
# swacl -l depot -M host:*.fc.hp.com:r
# swacl -l product -M host:*.fc.hp.com:r \*
# swacl -l global_product_template -M host:*.fc.hp.com:r
NOTE: The "*" and "?" wildcards are allowed anywhere in the hostname for the host ACL entry type.
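The two checks described above (a matching user entry for the caller, plus a matching host entry for the host running swagent when the caller is remote) and the "*"/"?" hostname wildcards can be modelled in a few lines. The following is an added illustration, not code from the guide or from SD-UX itself; it is a simplified model, and it assumes that a caller on the depot host needs no host entry, that the depot owner is root, and that the listing uses only the entry lines shown on this page.

```python
import fnmatch

# Permission string positions in swacl output: c(ontrol) r(ead) w(rite) i(nsert) t(est)
PERMISSION_FLAGS = "crwit"

def parse_acl(listing):
    """Parse the entry lines of an `swacl -l depot` listing into (type, key, perms).
    Comment lines (# Group=..., # Realm=...) are skipped; 'other' and 'object_owner'
    carry no key, so key is None for them."""
    entries = []
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        etype, _, rest = line.partition(":")
        key, sep, perms = rest.rpartition(":")
        if not sep:                      # e.g. other:-r---  (no key part)
            key, perms = None, rest
        entries.append((etype, key, perms))
    return entries

def can_access(entries, user, from_host, depot_host, owner, groups=(), perm="r"):
    """Simplified model of the guide's rule: the user must match a user/group/other/
    object_owner entry AND, for a remote caller, from_host must match a host entry.
    Hostname patterns may contain * and ? (matched with fnmatch)."""
    granted = [(t, k) for t, k, p in entries if perm in p]
    user_ok = False
    for etype, key in granted:
        if etype == "object_owner" and user == owner:
            user_ok = True
        elif etype == "user":                       # user:name[@host]
            name, _, host_pat = key.partition("@")
            if name == user and (not host_pat or fnmatch.fnmatchcase(from_host, host_pat)):
                user_ok = True
        elif etype == "group" and key in groups:
            user_ok = True
        elif etype == "other":
            user_ok = True
    # Assumption: a caller on the depot host itself needs no host entry (the guide's
    # "local users can now access this depot as a result of the other ACL").
    host_ok = from_host == depot_host or any(
        etype == "host" and fnmatch.fnmatchcase(from_host, key) for etype, key in granted)
    return user_ok and host_ok

# Constructed listing, built from the ACL fragment shown on this page.
DEPOT_ACL = "# Group=users\n# Realm=swelter.fc.hp.com\nobject_owner:crwit\nother:-r---\n"

def shelly_can_read(extra_lines):
    """Evaluate shelly on swcrunch against the base ACL plus the given added entries."""
    entries = parse_acl(DEPOT_ACL + "\n".join(extra_lines))
    return can_access(entries, "shelly", "swcrunch", "swelter.fc.hp.com", owner="root")

if __name__ == "__main__":
    print(shelly_can_read(["user:shelly@swcrunch:r"]))                     # False
    print(shelly_can_read(["user:shelly@swcrunch:r", "host:swcrunch:r"]))  # True
```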
9.3.6 Temporarily Restricting Access
A simple way to deny access to everyone other than the local superuser, without modifying
ACLs, is to unregister the depot:
swreg -u -l depot [@ depot]
It can then be reregistered later:
swreg -l depot [@ depot]
9.3.7 Closing the SD-UX Network
The SD-UX secret is used as evidence of trustworthiness for the caller’s credentials. It is a password
that SD-UX uses to check the authenticity of the caller’s host. The default secret field is set by
manufacturing to match the default setting on the HP-UX controller. All secrets (i.e., controller,
targets, and depots) must be identical.
152 SD-UX Security