Software Distributor (SD-UX) Administration Guide HP-UX 11i v1, 11i v2, and 11i v3 (762797-001, March 2014)
Table Of Contents
- Software Distributor Administration Guide
- Contents
- HP secure development lifecycle
- About This Document
- 1 Introduction to Software Distributor
- SD-UX Overview
- SD-UX Concepts
- Using the GUI and TUI Commands
- The Terminal User Interface
- Starting the GUI/TUI Commands
- Window Components
- Opening and closing items in the object list
- Marking Items in the Object List
- Preselecting Host Files
- Software Selection Window
- Session and File Management—The File Menu
- Changing Software Views—The View Menu
- Changing Options and Refreshing the Object List—The Options Menu
- Performing Actions—The Actions Menu
- Getting Help—The Help Menu
- XToolkit Options and Changing Display Fonts
- Working from the Command Line
- 2 Installing Software
- Installation with swinstall
- Features and Limitations
- Installing with the GUI
- Installing from the Command Line
- Installation Tasks and Examples
- Updating to HP-UX 11i
- Installing Patches
- Recovering Updated Files
- Installing Software That Requires a System Reboot
- Using Software Codewords and Customer IDs
- Re-installing Software Distributor
- Installing Multiple Versions
- Installing to an Alternate Root
- Compatibility Filtering and Checking
- Software Selection Checking
- Configuring Your Installation (swconfig)
- Verifying Your Installation (swverify)
- Installation with swinstall
- 3 Managing Installed Software
- 4 Managing Software Depots
- Depot Management Commands and Concepts
- Copying Software Depots
- Registering and Unregistering Depots (swreg)
- Verifying Signed Software Signatures
- Additional Depot Management Tasks and Examples
- Combining Patch Depots
- Creating a Tape Depot for Distribution
- Setting Depot Attributes
- Creating a Network Depot
- Managing Multiple Versions of HP-UX
- Listing Registered Depots
- Listing the Contents of a Depot (swlist -d)
- Source Depot Auditing
- Verifying a Depot (swverify -d)
- Removing Software from Depots
- Removing a Depot
- 5 HP-UX Patching and Patch Management
- 6 Using Jobs and the Job Browser
- 7 Remote Operations Overview
- 8 Reliability and Performance
- 9 SD-UX Security
- 10 Creating Software Packages
- Overview of the Packaging Process
- Identifying the Products to Package
- Adding Control Scripts
- Creating a Product Specification File (PSF)
- Product Specification File Examples
- PSF Syntax
- PSF Object Syntax
- Selecting the PSF Layout Version
- PSF Value Types
- Product Specification File Semantics
- Re-Specifying Files
- Packaging the Software (swpackage)
- Packaging Tasks and Examples
- Registering Depots Created by swpackage
- Creating and Mastering a CD-ROM Depot
- Compressing Files to Increase Performance
- Packaging Security
- Repackaging or Modifying a Software Package
- Packaging In Place
- Following Symbolic Links in the Source
- Generating File Revisions
- Depots on Remote File Systems
- Verifying the Software Package
- Packaging Patch Software
- Writing to Multiple Tapes
- Making Tapes from an Existing Depot
- 11 Using Control Scripts
- Introduction to Control Scripts
- General Script Guidelines
- Packaging Control Scripts
- Using Environment Variables
- Execution of Control Scripts
- Execution of Other Commands by Control Scripts
- Control Script Input and Output
- File Management by Control Scripts
- Testing Control Scripts
- Requesting User Responses (swask)
- Request Script Tasks and Examples
- 12 Nonprivileged SD
- A Command Options
- B Troubleshooting
- Error Logging
- Common Problems
- Cannot Contact Target Host’s Daemon or Agent
- GUI Won’t Start or Missing Support Files
- Access To An Object Is Denied
- Slow Network Performance
- Connection Timeouts and Other WAN Problems
- Disk Space Analysis Is Incorrect
- Packager Fails
- Command Logfile Grows Too Large
- Daemon Logfile Is Too Long
- Cannot Read a Tape Depot
- Installation Fails
- swinstall or swremove Fails With a Lock Error
- Use of Square Brackets ([ and ]) Around an IPv6 Address Causes an Error
- Some SD commands do not work after network configuration changes
- C Replacing or Updating SD-UX
- D Software Distributor Files and File System Structure
- Glossary
- Index
Local Superuser Authorization
As a special case, SD-UX always allows the local superuser full access to all local objects regardless
of ACL protections. This allows the local superuser to repair corrupted ACLs or to perform any
other operations.
Delegation
SD-UX provides a form of delegation to control access to depot-resident products: both the host
where the target agent is running and the user initiating the call must have read access.
This form of delegation passes the caller credential information to the depot agent in the RPC
options. This form of delegation works the same whether the agents are configured to use DCE or
SD-UX Internal authentication.
It is important to note that this delegation technique is provided to allow user-level access to
depot-resident products.
Depot Registration and Daemon/Agent Security
Because SD-UX stores its objects in the file system, someone could build a “Trojan Horse” file system
image of a software depot. This could breech the security of any system that installed products
from the false depot. To protect systems from such a situation, SD-UX requires that a depot be
registered with SD-UX (either through swcopy or by using swreg) before software may be installed
or copied from it. This check is always performed before granting access. Registration with swreg
requires insert permission in the host’s ACL.
As a special case, an unregistered depot may be used for local installation (i.e., the depot and
destination root exist on the same system) if the initiator is the local superuser or has permission
to register the depot (insert permission on the host).
The administrator of a host system must ensure the integrity of new depots before registering them
and ensure that only trustworthy users are granted permission to insert on the host.
NOTE: In addition to registering users, caution should be exercised when installing or copying
from unregistered depots.
Security Use Models
The use models below use the swadm group that is provided in the default host ACLs, which are
installed at SD-UX install-time. This group is not a part of the default HP-UX configuration, but can
be easily added. First, add the swadm group and the appropriate group members by using the
HP-UX System Administration Manager product. Next, provide the /etc/logingroup link to
/etc/group to activate HP-UX supplementary groups.
NOTE: /etc/logingroup is an HP-UX utility to support both SVR2/3 and BSD group semantics
selectively. When /etc/logingroup is linked to /etc/group, HP-UX gives BSD (and SVR4)
semantics.
If the file /etc/logingroup does not exist on systems targeted as SD-UX Controllers, execute
the following command (as superuser) on each appropriate system:
ln -s /etc/group /etc/logingroup
Security in Remote Distributions
A common use of SD-UX remote operations capabilities is for a software administrator to push
software from a local depot out to numerous remote targets.
You can set up of this kind of configuration:
Security Use Models 161