Software Distributor Administrator Guide (September 2010)
#
# swacl Depot Access Control List
#
# For depot: swelter:/simple_1.depot
#
# Date: Thu Mar 1 16:19:57 2001
#
# Object Ownership: User= allen
# Group=users
# Realm=swelter.fc.hp.com
#
# default_realm=swelter.fc.hp.com
object_owner:crwit
other:-r---
Local users can now access this depot as a result of the other ACL, but remote users
are refused.
To allow only user shelly on host swcrunch to access software in a depot located
on swelter, it may appear that adding a user ACL for shelly would be sufficient:
swacl -l depot -M user:shelly@swcrunch:r @ /simple_1.depot
However, this is not enough. An attempt by shelly to access this depot would fail
with a security violation. This is because SD-UX also requires that the SD agent (the
swagent process) that contacts the depot server be authorized via a host ACL
entry_type:
swacl -l depot -M host:swcrunch:r @ /simple_1.depot
(Note that user shelly also requires appropriate ACL permission to install software
on swcrunch.)
NOTE: The r (read) permission allows the user to access the depot and products, and
the t (test) permission allows the user to list the ACLs.
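The pitfall described above (a remote user entry with no matching host entry) can be checked for mechanically. The following is an added example, not part of the original guide; the function name find_unpaired_users and both sample listings are constructed for illustration, and host names are assumed to match as exact strings.

```shell
#!/bin/sh
# Added example: flag remote user entries that lack a matching host entry.
# Reads an ACL listing on stdin in the format shown above: "#" comment lines,
# then entry_type[:key]:permissions lines. Prints each user@host whose user
# entry grants r while no host entry for that host grants r.
# Assumption: host names are compared as exact strings, so "swcrunch" and a
# fully qualified form of the same host are treated as different keys.
find_unpaired_users() {
    awk -F: '
        /^[ \t]*#/ || NF < 3 { next }    # comments; keyless entries such as other
        $1 == "host" && $3 ~ /r/ { host_ok[$2] = 1 }
        $1 == "user" && $2 ~ /@/ && $3 ~ /r/ { users[++n] = $2 }
        END {
            for (i = 1; i <= n; i++) {
                split(users[i], part, "@")
                if (!(part[2] in host_ok)) print users[i]
            }
        }'
}

# Constructed listing: the depot ACL after only the user entry was added.
acl_user_only='# swacl Depot Access Control List
# default_realm=swelter.fc.hp.com
object_owner:crwit
user:shelly@swcrunch:-r---
other:-r---'

# Constructed listing: the same ACL after the host entry was added as well.
acl_user_and_host="$acl_user_only
host:swcrunch:-r---"

printf '%s\n' "$acl_user_only"     | find_unpaired_users   # prints shelly@swcrunch
printf '%s\n' "$acl_user_and_host" | find_unpaired_users   # prints nothing
# On the depot server the input would come from: swacl -l depot @ /simple_1.depot
```

Any name the function prints identifies a user entry that would still be refused with a security violation until the corresponding host entry is added.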
9.3.5 Adding Target Hosts
For swinstall and swcopy, both the user and the target host are validated (i.e., to protect
against unauthorized users at remote hosts switching to an authorized user). The following
adds read permission for the host named target to the default depot on the local host,
the products currently in the depot, and any future products added to the depot (using
global_product_template).
# swacl -l depot -M host:target:r
# swacl -l product -M host:target:r \*
# swacl -l global_product_template -M host:target:r
Since the user is always validated, another alternative that makes it easier to manage
large numbers of hosts is to allow all hosts read permission: