Software Distributor Administration Guide HP-UX 11i v1, 11i v2, and 11i v3 (5900-2561, March 2013)

NOTE: Do not change the default secret field unless you have also changed the default secret
on the HP-UX SD-UX controller. These two secrets must match.
The set of hosts that can be managed by SD-UX can be restricted by changing the default secret
on all SD-UX controller and target hosts in the network. The default secret is found in
/var/adm/sw/security/secrets.
You may change the default secret found in this file:
default new secret
For additional information, see “Security Between Hosts: The Shared Secrets File” (page 163).
9.3.8 Editing an ACL
The swacl command, when invoked without the -M, -D, or -F options, reads the specified ACL,
converts it into plain text and prints it to stdout. The output of the command can also be redirected
to a file, which can then be printed or edited. After editing, you can use the -F file option
described above to replace the entire old ACL. This procedure gives you full ACL editing capabilities.
You must have test permission within the ACL to produce the edit file (list the ACL) and control
permission to modify it with -F, -D, or -M options. All ACL entries must contain test permission.
If the replacement ACL contains no detectable errors and you have the proper permission on the
ACL, the replacement will succeed. If the replacement fails because you lack permission to make
the change, an error is generated, and the object is skipped.
You may change or delete existing entries, or you may add additional entries to the ACL.
NOTE: It is possible to edit an ACL so that you cannot access it! Caution should be used to avoid
accidentally removing your own control (c) permissions on an ACL. As a safeguard, the local
superuser may always use swacl to edit SD-UX ACLs.
Here are some examples based on the following ACL that is protecting a product (FORTRAN)
created by user rob whose local host is lehi.fc.hp.com:
# swacl Product Access Control Lists
#
# For host: lehi:/
#
# Date: Mon Nov 06 16:39:58 2001
#
# For product: FORTRAN,r=9.0,v=HP
# Object Ownership: User=root
#                   Group=sys
#                   Realm=lehi.fc.hp.com
# default_realm=lehi.fc.hp.com
object_owner:crwit
user:barb:-rt
user:ramon:-rt
group:swadm:crwit
host:alma.fc.hp.com:-rt
any_other:-rt
You can list the ACL for the product FORTRAN in depot /var/spool/sw (the default depot)
and prepare it for editing:
# swacl -l product FORTRAN >acl_tmp
This writes the above ACL to the file acl_tmp, where it is ready for editing. Edit the acl_tmp
file with any suitable text editor.
To replace all entries in the ACL for FORTRAN, type:
# swacl -l product -F acl_tmp FORTRAN
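A pre-flight check you can run on the edited file before replacing the ACL with -F, given here as an added example that is not part of the HP guide or of SD-UX. It verifies that every entry still contains test (t) permission and that the entry you rely on keeps control (c). The function names check_acl and sample_acl are hypothetical, and the check assumes permission strings are spelled out with the letters shown in the listing above (c, r, w, i, t and -).

```shell
# Added example (not part of SD-UX): validate an edited ACL file such as acl_tmp.
# Usage: check_acl FILE KEY
#   KEY is the entry you depend on for control, e.g. "group:swadm" or "object_owner".
# Returns 0 if the file is safe to load, 1 otherwise; problems go to stdout.
check_acl() {
    file=$1
    key=$2
    awk -v key="$key" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip header comments and blank lines
        {
            sub(/[ \t]+$/, "")                  # ignore trailing whitespace
            n = split($0, f, ":")
            perms = f[n]                        # last field is the permission string
            entry = substr($0, 1, length($0) - length(perms) - 1)
            if (n < 2 || perms !~ /^[-crwit]+$/) {
                printf "line %d: malformed entry: %s\n", NR, $0; bad = 1; next
            }
            if (index(perms, "t") == 0) {       # all entries must contain test
                printf "line %d: entry lacks test (t): %s\n", NR, $0; bad = 1
            }
            if (entry == key) { seen = 1; if (index(perms, "c") > 0) ctl = 1 }
        }
        END {
            if (!seen)     { printf "no entry for %s\n", key; bad = 1 }
            else if (!ctl) { printf "%s would lose control (c)\n", key; bad = 1 }
            exit bad + 0
        }' "$file"
}

# Sample input: the entries from the FORTRAN listing above, with one header line.
sample_acl() {
    cat <<'EOF'
# For product: FORTRAN,r=9.0,v=HP
object_owner:crwit
user:barb:-rt
user:ramon:-rt
group:swadm:crwit
host:alma.fc.hp.com:-rt
any_other:-rt
EOF
}
```

For example, run check_acl acl_tmp group:swadm and go on to swacl -l product -F acl_tmp FORTRAN only if it returns 0.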
To edit the default product template on a depot /var/spool/sw_dev, use: