swacl.1m (2012 03)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

swacl(1M) swacl(1M)

NAME

swacl - view or modify the Access Control Lists (ACLs) which protect software products

swﬁxrealm - updates default_realm in all SD ACL ﬁles

SYNOPSIS

swacl -l level [-D acl_entry |

-F acl_ﬁle | -M acl_entry ][-f software_ﬁle ][-t target_ﬁle ]

[

-x option=value ][-X option_ﬁle ][software_selections][

@ target_selections]

swfixrealm new_default_realm

Remarks

• The swacl command supports operations on remote systems. See the Remote Operation section

below for details.

• Type

man5sd

to display sd(5) for an overview of all SD commands.

• The

swfixrealm command can only be run by superuser .

• When operating on local ACLs with a

swacl command released in the year 2008 or later, mes-

sages previously written to

/var/adm/sw/swagentd.log

are instead written to stderr of the

swacl command. Messages describing changed ACLs are written to stderr and to

/var/adm/sw/swagentd.log

DESCRIPTION

The

swacl command displays or modiﬁes the Access Control Lists (ACLs) which:

• Protect the speciﬁed target_selections (hosts, software depots or root ﬁlesystems).

• Protect the speciﬁed software_selections on each of the speciﬁed target_selections (software

depots only).

All root ﬁlesystems, software depots, and products in software depots are protected by ACLs. The SD

commands permit or prevent speciﬁc operations based on whether the ACLs on these objects permit the

operation. The

swacl command is used to view, edit, and manage these ACLs. The ACL must exist and

the user must have the appropriate permission (granted by the ACL itself) in order to modify it.

ACLs offer a greater degree of selectivity than standard ﬁle permissions. ACLs allow an object’s owner

(that is, the user who created the object) or the local superuser to deﬁne speciﬁc read, write, or modify

permissions to a speciﬁc list of users, groups, or combinations thereof.

Some operations allowed by ACLs are run as local superuser. Because ﬁles are loaded and scripts are

run as superuser, granting a user write permission on a root ﬁlesystem or insert permission on a host

effectively gives that user superuser privileges.

Protected Objects

The following objects are protected by ACLs:

• Each host system on which software is being managed by SD,

• Each root ﬁlesystem on a host (including alternate roots),

• Each software depot on a host,

• Each software product contained within a depot.

Remote Operation

You can enable SD to manage software on remote systems. To let the root user from a central SD con-

troller (also called the central management server or manager node) perform operations on a remote tar-

get (also called the host or agent ):

1) Set up the root, host, and template Access Control Lists (ACLs) on the remote machines to permit

root access from the controller system. To do this, run the following command on each remote sys-

tem:

/usr/lib/sw/mx/setaccess controller

NOTES:

• controller is the name of the central management server.

HP-UX 11i Version 3: March 2012 − 1 − Hewlett-Packard Company 1

Summary of content (12 pages)

PAGE 1
swacl(1M) swacl(1M) NAME swacl - view or modify the Access Control Lists (ACLs) which protect software products swfixrealm - updates default_realm in all SD ACL files SYNOPSIS swacl -l level [-D acl_entry | -F acl_file | -M acl_entry ] [-f software_file ] [-t target_file ] [-x option=value ] [-X option_file ] [software_selections] [@ target_selections] swfixrealm new_default_realm Remarks • The swacl command supports operations on remote systems. See the Remote Operation section below for details.
PAGE 2
swacl(1M) 2) swacl(1M) • If remote system is 11.00, make sure SD patch PHCO_22526 or a superseding patch is installed on remote system before running setaccess. • If remote system is older than 11.00 or for some other reason does not have setaccess in place, copy setaccess script from an 11.11 or higher system to the remote system. swinstall, swcopy, and swremove have enhanced GUI interfaces for remote operations. Enable the enhanced GUIs by creating the .sdkey file on the controller.
PAGE 3
swacl(1M) swacl(1M) -M acl_entry Adds a new ACL entry or changes the permissions of an existing entry. You can specify multiple -M options. See the ACL Entries heading for more information. -t target_file Read the list of target_selections from file instead of (or in addition to) the command line. -x option=value Set the session option to value and override the default value (or a value in an alternate option_file specified with the -X option). You can specify multiple -x options.
PAGE 4
swacl(1M) swacl(1M) A host may be specified by its host name, domain name, or Internet address. If host is specified, the directory must be an absolute path. To specify a relative path when no host is specified, the relative path must start with ./ or ../; otherwise, the specified name is considered as a host.
PAGE 5
swacl(1M) swacl(1M) controller appends the value to the value specified by the admin_directory option to determine the path to the IPD. For alternate roots, this path is resolved relative to the location of the alternate root. This option does not affect where software is installed, only the IPD location.
PAGE 6
swacl(1M) swacl(1M) When set to the default value of true, SD operations are performed normally, with permissions for operations either granted to a local super-user or set by SD ACLs. (See swacl (1M) for details on ACLs.) When set to false and the invoking user is local and is not super-user, nonprivileged mode is invoked: • Permissions for operations are based on the user’s file system permissions. • SD ACLs are ignored.
PAGE 7
swacl(1M) swacl(1M) OPERATION ACL Entries Each entry in an ACL has the following form: entry_type [:key]:permissions For example: user:steve@newdist:crwit An ACL can contain multiple entries. See the Entry Types and Permissions headings below for more information. Entry Types The following entry_types are supported: any_other Permissions for all other users and hosts that do not match a more specific entry in the ACL. (Example: any_other:-r--t.) group Permissions for a named group.
PAGE 8
swacl(1M) swacl(1M) permission to create (insert) a new product object into the depot. c ontrol Grants permission to modify the ACL using swacl. t est Grants permission to perform access checks and to list the ACL. a ll A wildcard which grants all of the above permissions. It is expanded by swacl to crwit.
PAGE 9
swacl(1M) 0 1 swacl(1M) The default_realm successfully updated. The update operation failed. DIAGNOSTICS The swacl command writes to stdout, stderr, and to the daemon logfile. The swfixrealm command writes to stdout, stderr, and to a logfile at: /var/adm/sw/swfixrealm.log. Standard Output The swacl command prints ACL information to stdout when the user requests an ACL listing. Standard Error The swacl command writes messages for all WARNING and ERROR conditions to stderr.
PAGE 10
swacl(1M) swacl(1M) host:lehi.fc.hp.
PAGE 11
swacl(1M) swacl(1M) To delete entries for local user rick from all products in the default local depot: swacl -l product -D user:rick \* To update entries with new hostname ruby using swfixrealm swfixrealm ruby WARNINGS • You can edit an ACL in such a way that it will leave a system inaccessible. Do not remove all control permissions on an ACL. (Note, however, that the local super-user can always edit SD ACLs, regardless of permissions.) • ACLs can grant the equivalent of local superuser permission.
PAGE 12
(Notes) A (Notes) sA 12 Hewlett-Packard Company −1− HP-UX 11i Version 3: March 2012