Software Distributor Administrator Guide (September 2010)

ManualsBrandsHP ManualsSoftwareHP-UX Software Distributor

201

202

203

204

205

206

207

208

209

210

This is useful for product control, because it lets you assign management control for a

specific product to a delegated administrator. Also, when a product is created on a

depot, the user and group identity of the creator is recorded in the product information.

If the product ACL contains an object_owner entry granting write permissions to

the owner, then the product creator will automatically have rights to change or delete

the product. Therefore, the depot can be more widely opened to insertion because users

with insert permission can only copy in new products or delete their own products:

you don’t have to worry about a user erroneously deleting some critical product that

they shouldn’t control.

The rationale for this protection scheme is borrowed from a mechanism introduced in

the BSD file system. With write permissions on a BSD directory, you may create a file

in the directory. If the sticky mode bit is set on the directory, only the file owner, the

directory owner, or superuser may remove or rename the file.

For example: In /tmp, owned by root, with “wide-open” write permission and the

sticky bit set manually (i.e., mode 1777), anyone can create files that nobody else (except

themselves and superuser) can remove. This makes /tmp a more secure place to store

temporary work because someone else can’t delete your files there.

Installing or copying from an unregistered depot requires the user and the target agent’s

host to have insert permission on the depot’s host. If this permission is denied to the

target’s host, the depot’s daemon log will contain the message:

ERROR: Access denied to SD agent at host lucille on

behalf of rob@lucille to start agent on unregistered

depot "/users/rob/depot." No (i)nsert permission on

host.

07/23/01 15:51:06 MDT

This message indicates it is the agent at lucille that did not have insert permission

on the depot’s host, not the user rob@lucille.

The remote host ACL must have two entries granting insert permission: one for the

user, and one for the target host.

For example, for user rob to be allowed to install a product on target host lucille

from an unregistered depot on source host desi, the command

swacl -l host @ desi

must show the minimum ACL entries

user:rob@lucille:-i-

host:lucille:-i-

Rob could alternatively register the depot with the swreg command with only the first

entry above before running swinstall or swcopy.

9.5 ACL Entries 203