Software Distributor Administration Guide HP-UX 11i v1, 11i v2, and 11i v3 (5900-2561, March 2013)
If the file /etc/logingroup does not exist on systems targeted as SD-UX Controllers, execute
the following command (as superuser) on each appropriate system:
ln -s /etc/group /etc/logingroup
9.9.1 Security in Remote Distributions
A common use of SD-UX remote operations capabilities is for a software administrator to push
software from a local depot out to numerous remote targets.
You can set up of this kind of configuration:
1. Establish the group swadm on the controller host as described above.
2. Edit the three host ACLs on each target system. If you used the suggested setup discussed in
“Setting Up Remote Operations” (page 124) to install the agents on the target systems, you
may edit the three host ACLs on the Targets as superuser on the system from which you
performed setup:
swacl -l host \
-M group:swadm@`hostname`:a @ remsys1. . .remsysN
swacl -l global_soc_template \
-M group:swadm@`hostname`:a @ remsys1. . .remsysN
swacl -l global_product_template \
-M group:swadm@`hostname`:a @ remsys1. . .remsysN
You may want to grant permissions to specific users to manage particular products on the primary
depot. For example, user ramon may be assigned responsibility to manage the ALLBASE product
on your depot, installing new versions and patches when they become available. To add ramon
to the ACL for ALLBASE on the local depot and grant him all permissions on that one product, run
the command:
swacl -l product -M user:ramon:a ALLBASE
At the same time, you may want to eliminate the ACL entry for group swadm for the same product:
swacl -l product -D group:swadm ALLBASE
9.9.2 Security in Local Distributions
Host administrators may grant permission to individual users or groups, trusted at the local host,
to administer software locally. Trusted local users have root ACL entries granting insert and write
permissions. At the source depot, access to all software products is allowed by unrestricted read
access to hosts, depots, and products. This is the basis of a pull model of software distribution.
9.9.2.1 Restricting Installation to Specific Target Systems by Specific Users
Managers of software source depots may leave software openly installable, as described above,
or may choose to limit distribution to specific systems. ACLs protecting source depot products may
contain entries that restrict product read access to only specified systems, allowing installation only
to those systems. This restriction applies to both the push and pull models.
Below is a sample product ACL that restricts read permission to systemA and systemB and grants
all permissions to user swadm:
user:swadm:rwict
host:systemA.loc.company.com:r
host:systemB.fc.hp.com:r
9.9.3 Security for Software Developers
Software developers iteratively package their products and test them before distribution. This
involves packaging products into depots and installing them to Roots for testing. Since it may
require several iterations to get all the customization right, it is not helpful to prevent software
developers from having free access to depots and Roots for this testing.
166 SD-UX Security