11-16-2001 03:12 AM
swlist @ remotehost
from localhost,
I can see all software installed on remotehost.
In my books this is a security flaw especially when one of my hosts is built for security!
How do I stop it?
pereal:root> swlist @ labatt
# Initializing...
# Contacting target "labatt"...
#
# Target: labatt:/
#
#
# Bundle(s):
#
B2491BA B.11.00 MirrorDisk/UX
B3693AA C.02.40.000 HP GlancePlus/UX for s800 11.0
B3884FA_AGL B.11.00 HP-UX 8-User License
B5736BA A.03.20 HA Monitors
B_SSH 1.2.27 Secure Shell
HPOC-1100-CORE B.11.00.20000914 HPUX Patch Bundle for HPOC Products
HPUXEng64RT B.11.00.01 English HP-UX 64-bit Runtime Environment
J4254AA B.11.00.01 PCI 4 PORT 100BASE-T/9000
OnlineDiag B.11.00.13.16 HPUX 11.0 Support Tools Bundle
XSWGR1100 B.11.00.50.5 HP-UX General Release Patches, September 2000
#
# Product(s) not contained in a Bundle:
#
Medusa 5.3.a Security/Audit Monitoring Toolset
MedusaLocalConf Local configurations and filters for Medusa slaves.
OMNIBACK-II A.03.10 HP OpenView OmniBack II
OSD-SEC A.02.11f HP OSD Security Tools
PWplus 3.1.a Password Security Toolset
SecurityTools 1.0 Security tools
11-16-2001 03:32 AM
Re: swlist @ remotehost returns list of sw!
I don't exactly remember, but the swacl command should be useful.
11-16-2001 03:38 AM
Re: swlist @ remotehost returns list of sw!
#
# swacl Host Access Control List
#
# For host: labatt
#
# Date: Fri Nov 16 12:37:35 2001
#
# Object Ownership: User= root
# Group=sys
# Realm=labatt.grenoble.hp.com
#
# default_realm=labatt.guinness.com
user:in:crwit
user:mvesian:crwit
user:ocmc:crwit
user:ocmp:crwit
user:pack:crwit
user:ss7:crwit
group:swadm:crwit
any_other:-r--t
I guess I should modify the any_other somehow so that read is not allowed..
Later,
Bill
11-16-2001 03:57 AM
Re: swlist @ remotehost returns list of sw!
11-16-2001 03:58 AM
11-16-2001 04:02 AM
Re: swlist @ remotehost returns list of sw!
but swacl -l host still shows the older permissions?
pereal:root> swacl -l host
#
# swacl Host Access Control List
#
# For host: pereal
#
# Date: Fri Nov 16 13:01:36 2001
#
# Object Ownership: User= root
# Group=sys
# Realm=pereal.guinness.com
#
# default_realm=pereal.guinness.com
group:swadm:crwit
any_other:-r--t
11-16-2001 04:07 AM
Re: swlist @ remotehost returns list of sw!
11-16-2001 04:16 AM
Re: swlist @ remotehost returns list of sw!
11-16-2001 05:27 AM
Re: swlist @ remotehost returns list of sw!
If one restricts the acl on a root to only readable by the root user then nobody but the root user can examine the software installed on that root. (Note: SD allows more than one root - eg for development/UAT environments you can have several roots such as:
/test/UAT1
/test/UAT2
etc. The 'normal' root is '/')
For a host it will affect access to see what roots/depots exist on that host...
To see:
sudo swacl -l host -M any_other:-----
swlist
[list of software]
sudo swacl -l host -M any_other:rt
sudo swacl -l root -M any_other:-----
swlist
[Error no access rights]
I hope that's cleared up a bit (I'm still confused :-)
To try and describe it in a different way - the ACLs describe access rights to look at the contents on the level you're looking at, so root describes the product/files etc installed on that root. host describes the objects available on that host...
dave
11-17-2001 02:24 PM
Re: swlist @ remotehost returns list of sw!
we are talking about DCE-ACLs, here...
And in order to prevent somebody from doing harm to your system the "sw..." way, you will have to restrict the following "levels":
- host: for communication with the "swagentd"
- root: for using the IPD (Installed Product Database)
- depot: for using depots (all you have there)
Just to show the power of those permissions: give a "plain" user (say: johndoe) the proper permission, and s/he can install or remove software on your station:
On "target" as user "root":
swacl -l root -M user:johndoe:crwit @ /
and then try as user "johndoe":
/usr/sbin/swinstall -s /tmp/PHKL_XXXXX -x auto_reboot=true '*'
The patch will be installed, the system will reboot, and all done by a "plain" user!
So you will have to restrict read/write/control/insert/test permissions for anybody except your admin group from
-l root @ /
-l host @ $(hostname)
-l depot @ $DEPOT # for ALL local depots
Just my €0.02,
Wodisc
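
An added example, not written by any poster in this thread: a small POSIX shell audit that reads a swacl listing in the format posted above and reports every entry that still grants permissions to anyone other than the admin group. The function names, the host name "examplehost" and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a `swacl -l <level>` listing for over-broad entries.
# Assumption: the listing format is the one shown in this thread
# (comment lines start with '#', entries are type[:key]:permissions).

# audit_swacl ALLOWED_GROUP
# Reads an ACL listing on stdin and prints "principal permissions" for every
# entry that grants anything to a principal other than group:ALLOWED_GROUP.
audit_swacl() {
    awk -F: -v grp="$1" '
        /^ *#/ || NF < 2 { next }              # skip header comments and blanks
        {
            perms = $NF                        # last field is the permission string
            who = $1
            for (i = 2; i < NF; i++) who = who ":" $i
            if (who == "group:" grp) next      # the admin group keeps its rights
            gsub(/-/, "", perms)               # "-----" means nothing is granted
            if (perms != "") print who " " perms
        }'
}

# Constructed sample, modelled on the listings posted in this thread.
sample_acl() {
    cat <<'EOF'
#
# swacl Host Access Control List
#
# For host: examplehost
#
user:johndoe:crwit
group:swadm:crwit
any_other:-r--t
EOF
}

# On a real system the live listings would be piped in instead, e.g.
#   swacl -l host | audit_swacl swadm
#   swacl -l root | audit_swacl swadm
findings=$(sample_acl | audit_swacl swadm)
printf '%s\n' "$findings"
```

An empty result for the host, root and every depot listing means only the admin group holds any permission at that level.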