swacl(1M) — Hewlett-Packard Company
NAME
swacl − View or modify the Access Control Lists (ACLs) which protect software products
SYNOPSIS
swacl -l level [-M acl_entry| -D acl_entry| -F acl_file] [-x option=value]
[-X option_file] [-f software_file] [-t target_file] [software_selections] [ @ target_selections]
Remarks:
SD-UX commands are included with the HP-UX Operating System and manage software on the local host only. To install and manage software simultaneously on multiple remote hosts (including PCs) from a central controller, you must purchase the HP OpenView Software Distributor (HP Prod. No. B1996AA) which provides extended software management and multi-site software distribution capabilities. While most of the information in this manual page applies to both SD-UX commands and the OpenView product, some applies only to the OpenView product. Where this is the case, you will see:
Applies only to HP OpenView Software Distributor
DESCRIPTION
The swacl command displays or modifies the Access Control Lists (ACLs) which:
• Protect the specified target_selections (software depots or root filesystems).
• Protect the specified software_selections on each of the specified target_selections (software depots only).
All root filesystems, software depots, and products in software depots are protected by ACLs. The SD commands permit or prevent specific operations based on whether the ACLs on these objects permit the operation. The swacl command is used to view, edit, and manage these ACLs. The ACL must exist and the user must have the appropriate permission (granted by the ACL itself) in order to modify it.
ACLs offer a greater degree of selectivity than standard file permissions. ACLs allow an object’s owner (i.e. the user who created the object) or the local superuser to define specific read, write, or modify permissions to a specific list of users, groups, or combinations thereof.
Protected Objects
The following objects are protected by ACLs:
• Each host system on which software is being managed by SD,
• Each root filesystem on a host (including alternate roots),
• Each software depot on a host,
• Each software product contained within a depot.
Options
When none of the -M, -D, or -F options are specified, swacl prints the requested ACL(s) to the standard output.
The swacl command supports the following options:
-l level Defines which level of SD ACLs to view/modify. The supported levels are:
host View/modify the ACL protecting the host system(s) identified by the target_selections.
depot View/modify the ACL protecting the software depot(s) identified by the target_selections.
root View/modify the ACL protecting the root filesystem(s) identified by the target_selections.
product
View/modify the ACL protecting the software product identified by he software_selection. Applies only to products in depots, not installed products in roots.
product_template
View/modify the template ACL used to initialize the ACL(s) of future product(s) added to the software depot(s) identified by the target_selections.
global_soc_template
View/modify the template ACL used to initialize the ACL(s) of future software depot(s) or root filesystem(s) added to the host(s) identified by the target_selections.
global_product_template
View/modify the template ACL used to initialize the product_template ACL(s) of future software depot(s) added to the host(s) identified by the target_selections.
-M acl_entry Adds a new ACL entry or changes the permissions of an existing entry. Multiple -M options can be specified.
-D acl_entry Deletes an existing entry from the ACL associated with the specified object(s). (For this option, the permission field of the acl entry is not required.) Multiple -D options can be specified.
-F acl_file Assigns the ACL contained in acl_file to the object. All existing entries are removed and replaced by the entries in the file. Only the ACL’s entries are replaced; none of the information contained in the comment portion (lines with the prefix “#”) of an ACL listing is modified with this option. The acl_file is usually the edited output of a swacl list operation.
If the replacement ACL contains no syntax errors and the user has control permission on the ACL (or is the local super user), the replacement succeeds.
-x option=value
Set the session option to value and override the default value (or a value in an alternate option_file specified with the -X option). Multiple -x options can be specified.
-X option_file
Read the session options and behaviors from option_file.
-f software_file
Read the list of software_selections from software_file instead of (or in addition to) the command line.
-t target_file
Read the list of target_selections from file instead of (or in addition to) the command line.
Only one of the -M, -D, or -F options can be specified for an invocation of swacl. (E.g. the -M and -D options cannot be specified together.)
Operands
The swacl command supports the following syntax for each software_selection:
bundle[.product[.subproduct][.fileset]][,version]
or
product[.subproduct][.fileset][,version]
The version component has the form:
[,r <op> revision][,a <op> arch][,v <op> vendor][,c <op> category]
or
[instance_id] (numerical only)
where <op> can be: ==, >=, <=, <, >, or != which performs individual comparisons on dot-separated fields. For example, r>=B.10.00 means choose all revisions that are greater than or equal to B.10.00. The system will compare each dot-separated field to find matches. Software will only be selected when matches within each field are satisfied. Wildcards are not allowed with these operators.
The = (equals) relational operator is also allowed to specify a particular version component.
All version components are repeatable within a single specification (e.g. r>=A.12, r<A.20). If multiple components are used, the selection must match all components. If the version component is simply *, then all versions are included.
No isspace(3) characters are allowed.
For complete information, see the sd(4) manual page.
The swacl command supports the following syntax for each target_selection. The : (colon) is required if both a host and directory are specified.
[host][:][/directory]
The following operand applies only to HP OpenView Software Distributor
The swacl command also supports the syntax:
[pc_controller]
This syntax only applies to PC controllers and PC depots on PC controllers.
EXTERNAL INFLUENCES
Defaults File
In addition to the standard options, several swacl behaviors and policy options can be changed by editing the default values found in:
/var/adm/sw/defaults - the system-wide default values,
$HOME/.sw/defaults - the user-specific default values.
Values must be specified in the defaults file using this syntax:
swacl.option=value
The default values can be overridden by specifying an options file with the -X option, or by specifying -x option=value on the command line. The policy options that apply to swacl are:
level= Defines the level of SD ACLS to view/modify. The supported levels are: host, depot, root, product, product_template, global_soc_template, or
global_product_template. (See the discussion of the -l option above.)
rpc_binding_info=ncadg_ip_udp:[2121]
Defines the protocol sequence and endpoint which will be used to contact swagentd. This value should be consistent among all hosts that work together. See sd(5) for details on specifying this option.
rpc_timeout=7(=5 for OpenView Software Dist.)
Relative length of the communications timeout. This is a value in the range from 0 to 9 and is interpreted by the DCE RPC. Higher values mean longer times; you may need a higher value for a slow or busy network. Lower values will give faster recognition on attempts to contact hosts that are not up, or are not running the swagentd. Each value is approximately twice as long as the preceding value. A value of 5 is about 30 seconds for ncadg_ip_udp.
select_local=true
If no target_selections are specified, select the default target_directory of the local host as the target_selection for the command.
software=
Defines the default software_selections. There is no supplied default. If there is more than software selection, they must be separated by spaces.
target_directory=/var/spool/sw
Defines the default location of the target depot.
targets= Defines the default target_selections. There is no supplied default (see select_local above). If there is more than target selection, they must be separated by spaces.
Environment Variables
The swacl program sets the following environment variable, which is used by the software control scripts being executed.
LANG
Determines the language in which messages are displayed. If LANG is not specified or is set to the empty string, a default value of C is used. See lang(5) for more information.
NOTE: The language in which the SD agent and daemon log messages are displayed is set by the system configuration variable script, /etc/rc.config.d/LANG. For example, /etc/rc.config.d/LANG, must be set to LANG=ja_JP.SJIS or LANG=ja_JP.eucJP to make the agent and daemon log messages display in Japanese.
OPERATION
Each entry in an ACL has the following form:
entry_type[:key]:permissions
(e.g. user:steve @ newdist:crwit.) An ACL can contain multiple entries.
List Output Format
The output of a list operation is in the following format:
# swacl Object_type Access Control List
#
# For depot|host: [host]:[/directory]
#
# Date: date_stamp
#
# Object Ownership: User= user_name
# Group= group_name
# Realm= host_name
#
# default_realm = host_name
entry_type:[key:]permissions
entry_type:[key:]permissions
entry_type:[key:]permissions
This output can be saved into a file, modified, and then used as input to a swacl modify operation (see the -F option above).
PC Controller ACLs
The following applies only to HP OpenView Software Distributor
When listing an ACL at a PC Controller, this additional information is listed:
# Locally Configured SD Controller Access:
# user:user_name@hostname:permissions
# group:group_name@hostname:permissions
This output describes the user and group granted all SD access permissions to all objects at the PC Controller.
Object Ownership
An owner is also associated with every SD object, as defined by the user name, group and hostname. The owner is the user who created the object. When using swacl to view an ACL, the owner is printed as a comment in the header.
Default Realm
An ACL defines a default realm for an object. The realm is currently defined as the name of the host system on which the object resides. When using swacl to view an ACL, the default realm is printed as a comment in the header.
Entry Types
The following entry_types are supported:
object_owner Permissions for the object’s owner, whose identity is listed in the comment header. (Example: object_owner:crwit.)
object_group Permissions for members of the object’s group, whose identity is listed in the comment header. (Example: object_group:crwit.)
user Permissions for a named user. This type of ACL entry must include a key that identifies that user. The format for user can be: user:user_name:permissions
or user:user_name @ hostname: permissions.
(Example: user:rml:crwit.)
group Permissions for a named group. This type of ACL entry must include a key that identifies that group. The format for group can be:
group:group_name:permissions or
group:group_name @ hostname: permissions.
(Example: group:adm:crwit.)
host Permissions for an SD agent from the specified host system. SD agents require product level read access via either a host, other, or any_other entry type in order to copy or install products from depots. This type of ACL entry must include a key containing a hostname or number (in Internet dot notation) of a system. (Example: host:newdist:-r--t.)
other Permissions for others who are not otherwise named by a more specific entry type. The format for other can be: other:permissions for others on the local host (only one such entry allowed) or other: @ hostname:permissions for others at remote hosts (only one such entry per remote host allowed). (Example: other: @ newdist:-r--t.)
any_other Permissions for all other users and hosts that do not match a more specific entry in the ACL. (Example: any_other:-r--t.)
Keys
Expressions (patterns) are not permitted in keys.
A key is required for user, group and host entry types. A key is optional for other entry types, and specifies the hostname to which the entry applies. Only one other entry type may exist without a key, and this entry applies to users at the default realm (host) of the ACL.
A hostname in a key will be listed in its Internet address format (dot notation) if swacl cannot resolve the address using the local lookup mechanism (DNS, NIS, or /etc/hosts). A hostname within an ACL entry must be resolvable when used with the -M and -D options. Unresolvable hostname values are accepted in files provided with the -F option.
Permissions
Permissions are represented as the single character abbreviations indicated below. Some permissions either apply only to, or have different meaning for, certain types of objects, as detailed below. The following permissions may be granted:
r ead Grants permission to read the object. On host, depot, or root objects, read permission allows swlist operations. On products within depots, read permission allows product files to be read for swinstall, swcopy, and swlist operations.
w rite Grants permission to modify the object itself. On a root object (e.g. installed root filesystem), this also grants permission to modify the products installed (contained) within it. On a depot object, it does not grant permission to modify the products contained within it. On a host container, write permission grants permission to unregister depots. It does not grant permission to modify the depots or roots contained within it.
i nsert On a host object, grants permission to create (insert) a new software depot or root filesystem object, and to register depots. On a depot or root object, grants permission to create (insert) a new product object.
c ontrol Grants permission to modify the ACL using swacl.
t est Grants permission to perform access checks and to list the ACL.
a ll A wildcard which grants all of the above permissions. It is expanded by swacl to crwit.
RETURN VALUE
The swacl command returns:
0 The software_selections and/or target_selections were successfully displayed or modified.
1 The display/modify operation failed on all target_selections.
2 The modify/modify operation failed on some target_selections.
DIAGNOSTICS
The swacl command writes to stdout, stderr, and to the daemon logfile.
Standard Output
The swacl command prints ACL information to stdout when the user requests an ACL listing.
Standard Error
The swacl command writes messages for all WARNING and ERROR conditions to stderr. A report that the software_selections do not exist is also given if the user has no access permissions to the object.
Logging
The swacl command does not log summary events. It logs events about each ACL which is modified to the swagentd logfile associated with each target_selection.
EXAMPLES
To list the ACLs for the COBOL and FORTRAN products in depot /var/spool/swtest:
swacl -l product COBOL FORTRAN @ /var/spool/swtest
The ACL listed to the standard output is similar to this example ACL:
#
# swacl Product Access Control Lists
#
# For depot: newdist:/var/spool/swtest
#
# Date: Wed May 26 11:14:31 1993
#
#
# For product: COBOL,r=3.2
#
#
# Object Ownership: User= robason
# Group= swadm
# Realm= newdist.fc.hp.com
#
# default_realm=newdist.fc.hp.com
object_owner:crwit
group:swadm:crwit
any_other:-r--t
#
# For product: FORTRAN,r=9.4
#
#
# Object Ownership: User= robason
# Group= swadm
# Realm= newdist.fc.hp.com
#
# default_realm=newdist.fc.hp.com
object_owner:crwit
user:rob @ lehi.fc.hp.com:-r--t
user:barb:-r--t
user:ramon:-r--t
group:swadm:crwit
other:-r--t
host:lehi.fc.hp.com:-r--t
To list the product template ACL on host newdist:
swacl -l global_product_template @ newdist
To list the host ACL on the local system:
swacl -l host
To read, edit, then replace the ACL protecting the default depot /var/spool/sw:
swacl -l depot > new_acl_file
vi new_acl_file
swacl -l depot -F new_acl_file
To add an entry for user george on host newdist to the ACL protecting COBOL in the default depot at host lehi:
swacl -l product -M user:george @ newdist:crwit COBOL @ lehi:
To deny all access to the users steve and george for the depot /var/spool/sw at host newdist:
swacl -l depot -M user:steve:- -M user:george:- @ newdist:/var/spool/sw
To delete entries for local user rick from all products in the default local depot:
swacl -l product -D user:rick \*
WARNINGS
It is possible to edit an ACL in such a way as to render it inaccessible! Caution should be used to avoid removing all control permissions on an ACL. As a safeguard against such a catastrophe, the local super-user may always edit SD ACLs.
swacl is not a general purpose ACL editor, it works only on ACLs protecting SD objects.
The following line applies only to HP OpenView Software Distributor
For PC Controllers, the user and group configured to have all access may always edit SD ACLs.
LIMITATIONS
The SunOS and SD-UX versions of swacl do not support the viewing and modification of Access Control Lists on remote targets.
The following limitation applies only to HP OpenView Software Distributor
root ACLs do not apply to PC controllers. When installing to PC targets, the depot and product ACLs on the PC controller apply, since the install is enacted by first copying the PC products into the PC depot.
FILES
/var/adm/sw/
The directory which contains all of the configurable (and non-configurable) data for SD. This directory is also the default location of logfiles.
/usr/lib/sw/sys.defaults
Contains the master list of current SD options (with their default values).
/var/adm/sw/defaults
Contains the active system-wide default values for some or all SD options.
$HOME/.sw/defaults
Contains the user-specific default values for some or all SD options.
/var/adm/sw/security/
The directory which contains ACLs for the system itself, template ACLS, and the secrets file used to authenticate remote requests.
/var/adm/sw/products/
The Installed Products Database (IPD), a catalog of all products installed on a system.
/var/spool/sw/
The default location of a source and target software depot.
PC FILES
The following files apply only to HP OpenView Software Distributor
...\SD\DATA\
The directory which contains all of the configurable (and non-configurable) data for SD.
...\SD\DATA\DEPOT\
The default location of the source and target PC depot.
...\SD\DATA\SECURITY\
The directory which contains ACLs for the system itself, template ACLS, and the secrets file used to authenticate remote requests.
<WINDOWS>\SWAGENTD.INI
Contains the configurable options for the SD PC Controller, including the user and group granted all SD access.
AUTHOR
swacl was developed by the Hewlett-Packard Company.
SEE ALSO
sd(4), sd(5), swagentd(1M), swcluster(1M), swconfig(1M), swcopy(1M), swgettools(1M), swinstall(1M), swjob(1M), swlist(1M), swmodify(1M), swpackage(1M), swpackage(4), swreg(1M), swremove(1M), swverify(1M), update(1M), and the Managing HP-UX Software with SD-UX or HP OpenView Software Distributor Administrator’s Guide manuals.
Hewlett-Packard Company — HP-UX Release 10.20: July 1996