Software Distributor Administration Guide HP-UX 11i v1, 11i v2, and 11i v3 (5900-2561, March 2013)
B.2.3.2 Do Not Modify ACL Files Without swacl
Since SD-UX stores ACLs in the file system as plain text files, you may try to edit them with a
conventional editor. This can lead to unexpected corruption of the ACL. Most cases of this corruption
simply result in a message indicating the corruption, but inserting additions to the ACL file without
updating the num_entries value can result in unreported problems and cause SD-UX to deny
access. A common failure could occur, for instance, if a you inserted user entry in the ACL file.
This could push the any_otherentry down beyond the num_entries limit. The ACL manager
would never read the any_other entry, and you would have access problems. The best guard
against this situation is to always use the swacl command to manipulate ACLs.
B.2.3.3 Inter-host Secrets
The default /var/adm/sw/security/secrets file contains a single entry:
default -sdu-
If you wish to explicitly name all hosts from which controllers can be run, you must replace the
-sdu- with a different default secret, or eliminate the entire entry. See Chapter 9: “SD-UX Security
” (page 145) for a thorough discussion of the secrets file.
The controller (for swinstall, swcopy, etc.) looks up the secret for the system on which it runs
and passes it in an encrypted form to its agent. The agent receiving a request from the controller
looks up the secret for the host from which the call comes, encrypts it, and compares the encryption
to that provided by the controller. If the two secrets do not match, access is denied. If you have
problems with this mechanism, make sure that all systems have matching entries. You can also
revert to the old secrets file (/etc/newconfig/sd/secrets on 9.x and /usr/newconfig/
var/adm/sw/security/secrets on 10.x) on all hosts, or simply copy a single secrets file to
all hosts.
B.2.3.4 Working With Depot Images
You may encounter a problem in using cp, tar, cpio, dd, and other commands to copy images of
depots for use on other systems. Depot and product ACLs in the image have built-in knowledge of
the host on which the depot originated. In particular, an ACL default realm will be wrong and
local users will be confused with users on the originating host. For example, attempts to add local
users to the access list will, in fact, grant access to remote users. There is no way to alter the default
realm of an ACL from that set when it is created.
Another common problem with such images occurs if you import them to systems that cannot resolve
all the hostnames (see resolver(4) and nslookup(1)) that exist in the ACLs.
If your purpose is to create a “staged” installation, use swcopy to propagate the depot. This creates
new ACLs, based on local templates, for each instance of the depot.
If the sole intent of a depot is for such image distribution, you may wish to set the swpackage
create_target_acls option to false to prevent ACL creation on the depot and products during
the swpackage operation. This option creates tape and CD-ROM images. Depots and products
without ACLs grant the local superuser all privileges, while all other users and systems have read
access. Note that when you copy or install this ACL-less depot with swcopy or swinstall, the
copies (installations) are automatically protected by ACLs based on templates on the destination
host.
B.2.4 Slow Network Performance
When using swinstall or swcopy in an environment where network bandwidth is the
“bottleneck,” the file transfer rate between source and target can become very slow.
Resolution
The compress_files=true option compresses files transferred from a source depot to a target.
This can reduce network usage by approximately 50%; the exact amount of compression depends
on the type of files. Binary files compress less than 50%, text files more.
B.2 Common Problems 265