Manualshelf

Software Distributor Administrator Guide (September 2010)

ManualsBrandsHP ManualsSoftwareHP-UX Software Distributor
211212213214215216217218219220
As a special case, the superuser always has full permissions on a local system.
9.8.2 Local Superuser Authorization
As a special case, SD-UX always allows the local superuser full access to all local objects
regardless of ACL protections. This allows the local superuser to repair corrupted ACLs
or to perform any other operations.
9.8.2.1 Delegation
SD-UX provides a form of delegation to control access to depot-resident products: both
the host where the target agent is running and the user initiating the call must have
read access.
This form of delegation passes the caller credential information to the depot agent in
the RPC options. This form of delegation works the same whether the agents are
configured to use DCE or SD-UX Internal authentication.
It is important to note that this delegation technique is provided to allow user-level
access to depot-resident products.
9.8.3 Depot Registration and Daemon/Agent Security
Because SD-UX stores its objects in the file system, someone could build a “Trojan
Horse” file system image of a software depot. This could breech the security of any
system that installed products from the false depot. To protect systems from such a
situation, SD-UX requires that a depot be registered with SD-UX (either through swcopy
or by using swreg) before software may be installed or copied from it. This check is
always performed before granting access. Registration with swreg requires insert
permission in the host’s ACL.
As a special case, an unregistered depot may be used for local installation (i.e., the
depot and destination root exist on the same system) if the initiator is the local superuser
or has permission to register the depot (insert permission on the host).
The administrator of a host system must ensure the integrity of new depots before
registering them and ensure that only trustworthy users are granted permission to
insert on the host.
NOTE: In addition to registering users, caution should be exercised when installing
or copying from unregistered depots.
9.9 Security Use Models
The use models below use the swadm group that is provided in the default host ACLs,
which are installed at SD-UX install-time. This group is not a part of the default HP-UX
configuration, but can be easily added. First, add the swadm group and the appropriate
group members by using the HP-UX System Administration Manager product. Next,
214 SD-UX Security