Software Distributor Administrator Guide (September 2010)

9.7 SD-UX Internal Authentication
This section discusses the following topics:
SD-UX Credentials
Controllers Run with the Users Credentials and Privileges
Agents Run with the System’s Identity
Security Between Hosts: The Shared Secrets File
SD-UX security does not replace DCE Security. It seeks to provide a usable protection
scheme based on the assumption that there is no hostile, concerted effort by users to
do damage.
Much of the DCE security functionality used by SD-UX comes from the DCE Runtime
Library that is included in SD-UX. This library provides DCE RPC capability and some
of the DCE Security Services required to support ACLs.
Without full DCE Security Services, it is impossible to reliably prove the identity of a
user making an SD-UX RPC call; even if the source and destination of the RPC call is
local. The RPC identifies only the network address of the calling client.
9.7.1 SD-UX Credentials
A key to SD-UX security is determining which users are allowed to be involved in
particular operations. In SD-UX internal authentication, your HP-UX uid, gid, and
host name are used to establish your identity. The fact that the SD-UX controller runs
with an effective uid of root (because the controller is a setuid-root program) does
not affect your identity, which is obtained from your real uid.
When you start an RPC (as an SD-UX controller), a structure describing your identity
accompanies each call to an agent; the controller sends the user and group name of the
person invoking the RPC, as well as the host name of the system on which it is running
(in DCE, called the realm).
This structure is called your credentials. Credentials consist of:
user (principal) name
The user (or host system, for agents making RPCs to other agents) who is
originating the RPC call.
Group name
The users primary group.
Realm or local Host
The users host name.
The users credentials are passed in the RPC parameters. The agent receiving the RPC
uses this information to compare authentication credentials.
210 SD-UX Security