Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
 Managing HP-UX Software With SD-UX: HP 9000 Computers > Chapter 8 Controlling Access to Software Objects

Access Control Lists
» 

Technical documentation

Complete book in PDF
» Feedback
Content starts here

 » Table of Contents

 » Glossary

 » Index

spacerspacerspacer
spacer
spacer
  		 
 

An ACL allows you to specify different access rights to many individuals and groups instead of just one of each.

NOTE: With SD-UX, you can control ACLs only on your local host. If you need to modify ACLs on remote hosts, you must purchase the HP OpenView Software Distributor (HP Prod. No. B1996AA) which provides extended software management plus multi-site software distribution capabilities.

An ACL is a set of entries that are attached to a software object when it is created.

ACL Entries

ACL entries define which users, groups and/or hosts have permission to access the objects. They consist of three fields (entry_type, key and permissions) separated by colons:

entry_type[:key]:permissions

For example, an ACL entry for an object might be:

user:fred:r-ctw

which means that a user named fred can read, control, test and write the object, but the dash signifies that he cannot insert or create new objects. Permissions (c r w i t) are explained later in this chapter. The order in which the permissions are specified is not critical.

The ACL entry_type must be one of these values:

Table 8-1 ACL Entry Types

Type

Permissions Apply To

user

user principal, whose name is to be specified in the key field

group

group principal, whose name is specified in the key field

object_owner

the owner of the object

object_group

members of the group to which an object belongs

other

principals with no matching user and group entries

host

host systems (agents acting for users)

any_other

principals not matching any other entry

 

The user and group of the object's owner are determined and automatically recorded at the time the object is created, based on the identity of the person who creates it. This information is recorded as user, group and realm. An object_owner or object_group entry type in an ACL causes the ACL Manager to look up the owner and group information on the object and, if a match to the requester is found, grant permissions as specified.

There may be many user, group, and host type entries per ACL, while there may be only one of each of the object_owner, object_group and any_other types. There may be at most one "local" (that is, no key) other entry and an unlimited number of "remote" (that is, keyed) other entries.

ACL Keys

The second part of the ACL entry is the key. The table below lists the possible key values for specific entry types.

Table 8-2 ACL Entry Key Values

Entry Type

Key Content

user

a user's name

group

a group name

other

any_other

no key allowed

host

a host's name

 

When listing the ACL, the host is printed in its Internet address form (for example, 15.12.89.10) if the local system cannot resolve the address from its host lookup mechanism (DNS, NIS, or /etc/hosts).

ACL Permissions

There are five different permissions grantable by the ACL:

Title not available (ACL Permissions )

control

Permission to edit or change the ACL.

test

Permission to test access to an object (that is, read the ACL)

insert

Permission to install a new product, depot or root.

write

Permission to change a host, depot, root or product.

read

Permission to list depot, roots and products and attributes.

In the ACL entry, these permissions are abbreviated c, t, i, w and r. If you are granting all permissions, you may use the shorthand letter a instead of the crwit to denote "all" permissions. The meaning of permissions is different for different types of objects and the permissions do not have to appear in any specific order. Roots do not provide product level protection, so all permissions on products installed on roots are controlled by the ACL protecting the root itself. Product level protection is provided on depots in this way: the depot's ACL protects the depot itself while product ACLs protect the products within the depot.

The table below summarizes object permissions and ACLs to which they may be applied.

Table 8-3 ACL Permission Definitions

Permission

Allows You To:

Host system

Root

Depot

Product on depot

[c]ontrol

Modify ACLs

Modify ACLs

Modify ACLs

Modify ACLs

[t]est

Test access to an object, read (list) the ACL itself

[i]nsert

Insert a new depot or root

Insert a new product

Insert a new product

N/A

[w]rite [1]

change host

chang e root or products

change depot

change product

[r]ead [2]

list depots and roots

list root &prod attrs

list depot & prod attrs

read product files

[1] Write permission means permission to change or delete the object, except the host source object may not be deleted.

[2] Read permission on containers (i.e. hosts, roots and depots) is permission to list the contents; on products it is permission to copy/install the product.

 

Editing ACLs: The swacl Command

You can view or change ACL entries and permissions by using the swacl command, an SD-UX tool that allows you to list and change ACLs.

The syntax for swacl is:

   swacl [-v] -l level
         [-M acl_entry|-D acl_entry|-F acl_file]
         [-x option=value] [-f software file] [-t target file]
         [-X option file] [full_object_name]  [@ targets]

The -t option applies only to the HP OpenView Software Distributor product.

Command Options

In addition to the standard options (-x, -f, and -X, see Chapter 2 “Installing and Copying Software ”), the swacl command supports these options:

Title not available (Command Options )

-v

Turn on verbose output to stdout. Lets you see the results of the activity while it is being performed.

-l level

Level to edit. Level designations are the literals: host, depot, root, product, product_template, global_soc_template or global_product_template. ACL templates are discussed in the section "ACL Templates" in this chapter.

You can change an ACL with of any of the following options (if none are used, swacl just prints the specified ACLs). These options are mutually exclusive.

-M acl_entry

Adds a new ACL entry or changes the permissions of an existing entry. You can enter multiple -M options.

-D acl_entry

Deletes an existing entry from the ACL associated with the specified object. You can enter multiple -D options.

-F acl_file

Assigns the ACL information contained in acl_file to the object. All existing entries are removed and replaced by the entries in the file. You can enter only one -F option.

Command Operands

The command supports the standard software selection (bundle[.product[.subproduct][.fileset][,version]) and target selection (@ host[:/directory]) operands.

For more details on software selection syntax and an example of a software selection file, see “Command Line Software Selections ” in Chapter 2 “Installing and Copying Software ”.

Changing Options and Defaults

In addition to the command-line options listed above, several command behaviors and policy options can be changed by editing default values found in the defaults file /var/adm/sw/defaults. Values in this file are specified using the command.option=value syntax. See Chapter 2 “Installing and Copying Software ” and Appendix A “Default Options and Keywords ” for more information on changing the values in these defaults and extended options.

A typical acl_file looks like this:

# swacl    Installed Software Access Control List
#
# For host:  prewd:/
#
# Date:  Wed May 19 16:39:58 1993
#
# Object Ownership: User=root
                    Group=sys
                    Realm=prewd.fc.hp.com
# default_realm=prewd.fc.hp.com
object_owner:crwit
user:rml:crwit
user:root@newdist.fc.hp.com:crwit
group:swadm:crwit
any_other:crwit

The header information (lines marked with #) gives the object's name and owner and the name of the user's realm or hostname of his/her system.

How swacl Works

The swacl command, when invoked without the -M, -D or -F options, reads the specified ACL, converts it into plain text and prints it to the screen so you can see it. If you re-direct the output of the command to a file, you can then edit that file and change the permissions in it. After editing, you can use the -F file option described above to replace the old ACL. This procedure gives you full ACL editing capabilities.

You must have "test" permission within the ACL to produce the edit file (list the ACL) and "control" permission to change it with -F, -D or -M options.

If the replacement ACL contains no detectable errors and you have the proper permission on the ACL, the replacement succeeds. If the replacement fails because you lack permission to make the change, an error is generated and the object is skipped.

You may change or delete existing entries, or you may add additional entries to the ACL.

CAUTION: It is possible to edit an ACL so that you cannot access it! Caution should be used to avoid accidentally removing your own control (c) permissions on an ACL. As a safeguard, the local super-user should always edit ACLs.

How ACLs are Matched to the User

It is important to note that permissions in ACLs are determined by a match to a single ACL entry (except for group entries), not to an accumulation of matching entries. Simply put, checking is done from the most restrictive entry types to the broadest. If a match is found in a user entry type, no further checking is done, and the permissions for that user are fully defined by the permissions field of the matched entry. That the matched user may be a member of a group with broader permissions is of no consequence.

NOTE: The local host super-user has access to all local objects, irrespective of ACLs.

The ACL matching algorithm is:

  1. If user is local superuser, then grant all permissions, else

  2. If user is owner of the object, then grant "object_owner" permissions, else

  3. If user matches a "user" entry, then grant "user" permissions, else

  4. If any "group" entries match, then accumulate the permissions granted by all group_entries that match the user's primary and supplementary groups, else

  5. If an appropriate "other" entry matches, then grant "other" permissions, else

  6. If an "any_other" entry, then grant "any_other" permissions, else

  7. Grant no permissions



Chapter 8 Controlling Access to Software Objects
  		 


How ACLs Protect Objects  
Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 1997 Hewlett-Packard Development Company, L.P.