Software Distributor Administrator Guide (September 2010)

ManualsBrandsHP ManualsSoftwareHP-UX Software Distributor

331

332

333

334

335

336

337

338

339

340

If any of these access permissions is absent, the whole operation is disallowed, and you

must read the error message carefully to understanding the exact cause. To see more

about what type of security or access problems exist, see the daemon log file on the

target system: /var/adm/sw/swagentd.log

B.2.3.1 The Effects of ACL Modifications

The default ACLs make it fairly easy to administer ACLs, but do not always give the

desired level of access control. When you change an ACL to restrict access, especially

by removing the any_other read permission, you may restrict access in unexpected

ways. Host entries are required for any destination systems for swcopy and swinstall

operations.

See Chapter 9: “SD-UX Security ” (page 187) for a full discussion of the access tests

performed or each operation.

B.2.3.2 Do Not Modify ACL Files Without swacl

Since SD-UX stores ACLs in the file system as plain text files, you may try to edit them

with a conventional editor. This can lead to unexpected corruption of the ACL. Most

cases of this corruption simply result in a message indicating the corruption, but

inserting additions to the ACL file without updating the num_entries value can result

in unreported problems and cause SD-UX to deny access. A common failure could

occur, for instance, if a you inserted user entry in the ACL file. This could push the

any_otherentry down beyond the num_entries limit. The ACL manager would

never read the any_other entry, and you would have access problems. The best guard

against this situation is to always use the swacl command to manipulate ACLs.

B.2.3.3 Inter-host Secrets

The default /var/adm/sw/security/secrets file contains a single entry:

default -sdu-

If you wish to explicitly name all hosts from which controllers can be run, you must

replace the -sdu- with a different default secret, or eliminate the entire entry. See

Chapter 9: “SD-UX Security ” (page 187) for a thorough discussion of the secrets file.

The controller (for swinstall, swcopy, etc.) looks up the secret for the system on

which it runs and passes it in an encrypted form to its agent. The agent receiving a

request from the controller looks up the secret for the host from which the call comes,

encrypts it, and compares the encryption to that provided by the controller. If the two

secrets do not match, access is denied. If you have problems with this mechanism, make

sure that all systems have matching entries. You can also revert to the old secrets file

(/etc/newconfig/sd/secrets on 9.x and /usr/newconfig/var/adm/sw/

security/secrets on 10.x) on all hosts, or simply copy a single secrets file to all

hosts.

B.2.3.4 Working With Depot Images

You may encounter a problem in using cp, tar, cpio, dd, and other commands to copy

images of depots for use on other systems. Depot and product ACLs in the image have

340 Troubleshooting