Managing HP-UX Software With SD-UX: HP 9000 Computers > Chapter 9 Controlling Access to Software Objects

Using Access Control Lists (swacl)

An ACL allows you to specify different access rights to many individuals and groups instead of just one of each.

NOTE: With SD-UX, you can control ACLs only on your local host. If you need to modify ACLs on remote hosts, you must purchase the HP OpenView Software Distributor (HP Prod. No. B1996AA) which provides extended software management plus multi-site software distribution capabilities.

An ACL is a set of entries that are attached to a software object when it is created.

ACL Entries

ACL entries define which users, groups and/or hosts have permission to access the objects. They consist of three fields (entry_type, key and permissions) separated by colons:

entry_type[:key]:permissions

For example, an ACL entry for an object might be:

user:fred:r-ctw

which means that a user named fred can read, control, test, and write the object, but the dash signifies that he cannot insert or create new objects. Permissions (c r w i t) are explained later in this chapter. The order in which the permissions are specified is not critical.

The ACL entry_type must be one of these values:

Table 9-1 ACL Entry Types

Type            Permissions Apply To
user            user principal, whose name is specified in the key field
group           group principal, whose name is specified in the key field
object_owner    the owner of the object
object_group    members of the group to which an object belongs
other           principals with no matching user and group entries
host            host systems (agents acting for users)
any_other       principals not matching any other entry


The user and group of the object's owner are determined and automatically recorded at the time the object is created, based on the identity of the person who creates it. This information is recorded as user, group and realm. An object_owner or object_group entry type in an ACL causes the ACL Manager to look up the owner and group information on the object and, if a match to the requester is found, grant permissions as specified.

There may be many user, group, and host type entries per ACL, while there may be only one of each of the object_owner, object_group and any_other types. There may be at most one "local" (that is, no key) other entry and an unlimited number of "remote" (that is, keyed) other entries.

ACL Keys

The second part of the ACL entry is the key. The table below lists the possible key values for specific entry types.

Table 9-2 ACL Entry Key Values

Entry Type   Key Content
user         a user's name
group        a group name
other        I
any_other    no key allowed
host         a host's name


When listing the ACL, the host is printed in its Internet address form (for example, 15.12.89.10) if the local system cannot resolve the address from its host lookup mechanism (DNS, NIS, or /etc/hosts).

ACL Permissions

Six different permissions are grantable by the ACL:

Permission   Meaning
control      Permission to edit or change the ACL.
read         Permission to list depot, roots and products and attributes.
write        Permission to change a host, depot, root or product.
insert       Permission to install a new product, depot or root.
test         Permission to test access to an object (that is, read the ACL).
all          A wildcard that grants all the above permissions. It is expanded by swacl to crwit.

In the ACL entry, these permissions are abbreviated c, r, w, i, t and a. The meaning of permissions is different for different types of objects and the permissions do not have to appear in any specific order. Roots do not provide product level protection, so all permissions on products installed on roots are controlled by the ACL protecting the root itself. Product level protection is provided on depots in this way: the depot's ACL protects the depot itself while product ACLs protect the products within the depot.

The table below summarizes object permissions and ACLs to which they may be applied.

Table 9-3 ACL Permission Definitions

Permission   Allows you to, on a:
             Host system                 Root                      Depot                     Product on depot
[c]ontrol    Modify ACLs                 Modify ACLs               Modify ACLs               Modify ACLs
[t]est       Test access to an object, read (list) the ACL itself (same for all four object types)
[i]nsert     Insert a new depot or root  Insert a new product      Insert a new product      N/A
[w]rite [1]  change host                 change root or products   change depot              change product
[r]ead [2]   list depots and roots       list root & prod attrs    list depot & prod attrs   read product files

[1] Write permission means permission to change or delete the object, except the host source object may not be deleted.

[2] Read permission on containers (i.e. hosts, roots and depots) is permission to list the contents; on products it is permission to copy/install the product.

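The entry format, the key rules and the permission letters described above can be checked mechanically on an ACL listing, for example the new_acl_file that swacl -l depot writes to stdout before it is edited and put back. The following Python is an added example, not SD-UX code: it parses entry_type[:key]:permissions lines, expands the all wildcard to crwit, ignores permission order, reports a second object_owner, object_group, any_other or local other entry, and flags other and any_other entries that grant control, write or insert. The audit helper, the sample listing and the group name swadm are constructed for the example.

```python
PERMS = set("crwit")                                      # 'a' (all) expands to crwit
KEYED = {"user", "group", "host"}                         # key required
UNKEYED = {"object_owner", "object_group", "any_other"}   # no key allowed, one per ACL

def parse_entry(line):
    """Parse 'entry_type[:key]:permissions' -> (entry_type, key or None, set of letters)."""
    fields = line.strip().split(":")
    if len(fields) not in (2, 3):
        raise ValueError("malformed entry: %r" % line)
    etype, perms = fields[0], fields[-1]
    key = fields[1] if len(fields) == 3 else None
    if etype not in KEYED | UNKEYED | {"other"}:
        raise ValueError("unknown entry type: %r" % etype)
    if (etype in KEYED and not key) or (etype in UNKEYED and key is not None):
        raise ValueError("bad key for %s entry: %r" % (etype, key))
    letters = set(perms) - {"-"}          # order is not significant; '-' is filler
    if "a" in letters:
        letters = set(PERMS)              # swacl expands the 'all' wildcard to crwit
    if not letters <= PERMS:
        raise ValueError("bad permission letters: %r" % perms)
    return etype, key, letters

def audit_acl(text):
    """Return (entries, findings) for a listing with one entry per line; '#' starts a
    comment. Findings: duplicate one-per-ACL entries and broad other/any_other grants."""
    entries, seen, findings = [], set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        etype, key, letters = parse_entry(line)
        if etype in UNKEYED or (etype == "other" and key is None):
            if etype in seen:
                findings.append("duplicate %s entry" % etype)
            seen.add(etype)
        if etype in ("other", "any_other"):
            broad = "".join(p for p in "cwi" if p in letters)
            if broad:
                findings.append("%s grants %s" % (line, broad))
        entries.append((etype, key, letters))
    return entries, findings

# Constructed sample listing using the entry format from this chapter (not real swacl output).
SAMPLE_ACL = """\
object_owner:crwit
user:fred:r-ctw
group:swadm:a
host:15.12.89.10:r
any_other:crwit
"""
```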

Syntax

You can view or change ACL entries and permissions by using the swacl command, an SD-UX tool that allows you to list and change ACLs.

The syntax for swacl is:

swacl -l level
[-D acl_entry|-F acl_file|-M acl_entry]
[-f software_file][-x option=value]
[-X option_file] [software_selections] [@ targets]

Examples

To list the ACLs for the COBOL and FORTRAN products in depot /var/spool/swtest:

swacl -l product COBOL FORTRAN @ /var/spool/swtest

To list the product template ACL on host newdist:

swacl -l host

To read, edit, then replace the ACL protecting the default depot /var/spool/sw:

swacl -l depot > new_acl_file

vi new_acl_file

swacl -l depot -M user:steve:- -M user:george:- \
@ newdist:/var/spool/sw

To delete entries for local user rick from all products in the default local depot:

swacl -l product -D user:rick \*

Command Options

The swacl command supports these options:

Option Action

-v

Turn on verbose output to stdout. Lets you see the results of the activity while it is being performed.

-f software file

Read a list of software selections from a separate file instead of (or in addition to) the command line. In this separate file, blank lines and lines beginning with # (comments) are ignored. Each software selection must be specified on a separate line. For an example of a software selection file, see “Command Operands”.

-l level

Level to edit. Level designations are the literals: host, depot, root, product, product_template, global_soc_template or global_product_template. ACL templates are discussed in “ACL Templates” in this chapter.

You can change an ACL with any of the following options (if none are used, swacl just prints the specified ACLs). These options are mutually exclusive.

-M acl_entry

Adds a new ACL entry or changes the permissions of an existing entry. You can enter multiple -M options.

-D acl_entry

Deletes an existing entry from the ACL associated with the specified object. You can enter multiple -D options.

-F acl_file

Assigns the ACL information contained in acl_file to the object. All existing entries are removed and replaced by the entries in the file. You can enter only one -F option.

-x option=value

Set the session option to value and override the default value or a value in an options file (-X option file). Multiple -x options can be specified. See the section “Changing Default Options” for more information on defaults.

-X option file

Read session options and behaviors from option_file. The default values for system options are provided in the file /var/adm/sw/defaults. You can also provide a personal option file, $HOME/.swdefaults. This option file overrides those values in the system defaults file. For a complete listing of system options, see the file /usr/lib/sw/sys.defaults. This file lists the possible values and behaviors for each option for each command.

Command Operands

The swacl command supports the standard software selection syntax. For more details on software selection syntax and an example of a software selection file, see “Command Operands”.

Changing Default Options

In addition to the command-line options listed above, several swacl behaviors and policy options can also be changed by editing extended option and default values found in the system-wide defaults file:

/var/adm/sw/defaults

or in the user-specific defaults file:

$HOME/.swdefaults

Values in these files are specified using the command.option=value syntax. For example:

swacl.agent_auto_exit=true

Table 9-4 ACL Default Options

distribution_target_directory=/var/spool/sw
level=
rpc_binding_info=ncacn_ip_tcp:2121 ncadg_ip_udp:[2121]
rpc_timeout=5
select_local=true
software=
targets=
verbose=1


See Appendix A “Default Options and Keywords ” for a complete listing and description of default options.

Environment Variables

SD programs are affected by external environment variables and environment variables set for use by control scripts. For a description of external environment variables, see Chapter 11, Control Scripts.

© 1997 Hewlett-Packard Development Company, L.P.