Operating System - HP-UX
Re: Blocking remote swlist access to swagentd

 
John Shepherd
Occasional Contributor

Blocking remote swlist access to swagentd

Is there a way to configure swagentd so that it won't allow *any* connections from a remote host?
Michael Steele_2
Honored Contributor

Re: Blocking remote swlist access to swagentd

Dear John:

You want to use the swacl and setaccess commands on the target client. 'setaccess remote_hostname' followed by 'swacl -l remote_user' is how you enable pushing out an SD-UX software product onto a remote host. 'swacl -l depot' will list out the ACL file. For example:

# realm: remote_host
object_owner:crwit
user:rob@lehi.fc.hp.com:-r--t
user:barb:-r--t
user:ramon:-r--t
group:swadm:crwit
other:-r--t
host:lehi.fc.hp.com:-r--t

To read, edit, then replace the ACL protecting the default depot /var/spool/sw:

swacl -l depot > file
vi file (* delete lines )
swacl -l depot -F file
Support Fatherhood - Stop Family Law
John Shepherd
Occasional Contributor

Re: Blocking remote swlist access to swagentd

Michael,

Thanks for responding. I can't find the setaccess command on my system. Maybe it doesn't exist on HPUX 11.0?
Admittedly, I'm not overly familiar with the SD-UX system.

I've tried playing around w/ editing the ACLs but haven't succeeded. I've set them back to the installed defaults. Maybe I need to elaborate on what I wish to accomplish:

I've discovered that while logged in as root on hostA, I can run 'swlist -l patch @ hostB' and get a listing of applied patches on hostB. I haven't tested if I can perform any other actions, but listing patches is more than I want allowed. If I can do it, so could someone else, which allows them to determine whether or not security patches are applied. Around here, we consider that a security no-no.

I don't need to use any SD-UX commands across the network. I want the ACLs set to *only* allow access to root on the local host.

Here are the ACLs as currently set (installed defaults). What do I need to change?

% swacl -l depot
#
# swacl Depot Access Control List
#
# For depot: hostB:/var/spool/sw
#
# Date: Fri Dec 15 13:54:09 2006
#

ERROR: There is no "depot" ACL at "hostB:/var/spool/sw". The
object is, or is part of, a read-only depot.

% swacl -l host
#
# swacl Host Access Control List
#
# For host: hostB
#
# Date: Fri Dec 15 13:38:26 2006
#

# Object Ownership: User= root
# Group=sys
# Realm=hostB
#
# default_realm=hostB
group:swadm:crwit
any_other:-r--t

% swacl -l root
#
# swacl Installed Software Access Control List
#
# For host: hostB:/
#
# Date: Fri Dec 15 14:33:33 2006
#

# Object Ownership: User= root
# Group=sys
# Realm=hostB
#
# default_realm=hostB
object_owner:crwit
group:swadm:crwit
any_other:-r--t

% swacl -l product
ERROR: There is currently no depot software on host "hostB" at
location "/var/spool/sw". Make sure that an absolute pathname
is specified for location (beginning with "/").
* Target connection failed for "hostB:/var/spool/sw".
ERROR: More information may be found in the daemon logfile on this
target (default location is
hostB:/var/adm/sw/swagentd.log).

% swacl -l global_soc_template
#
# swacl Global Template for Container Access Control Lists
#
# For host: hostB
#
# Date: Fri Dec 15 14:42:08 2006
#

# Object Ownership: User= root
# Group=sys
# Realm=hostB
#
# default_realm=hostB
object_owner:crwit
group:swadm:crwit
any_other:-r--t

% swacl -l global_product_template
#
# swacl Global Template for Product Access Control Lists
#
# For host: hostB
#
# Date: Fri Dec 15 14:43:37 2006
#

# Object Ownership: User= root
# Group=sys
# Realm=hostB
#
# default_realm=hostB
object_owner:crwit
group:swadm:crwit
any_other:-r--t

% swacl -l product_template
#
# swacl Depot Template for Product Access Control Lists
#
# For depot: hostB:/var/spool/sw
#
# Date: Fri Dec 15 14:44:40 2006
#

ERROR: There is no "product_template" ACL at
"hostB:/var/spool/sw". The object is, or is part of, a
read-only depot.

Michael Steele_2
Honored Contributor

Re: Blocking remote swlist access to swagentd

Dear John:

I haven't read everything in the SD-UX library documentation, but I'm sure the answer to your questions can be found here; just select your O/S version, 11.00, 11.11 or 11.23:

http://docs.hp.com/en/SD/infolib.html

Here's the 11.00 PDF, refer to page 173.

http://docs.hp.com/en/B2355-90154/B2355-90154.pdf
Support Fatherhood - Stop Family Law
Mark Nieuwboer
Esteemed Contributor

Re: Blocking remote swlist access to swagentd

Hi shepherd,

Why not simply stop the swagentd daemon, and start the agent only when you want to use it? The daemon is made to do remote installs.

grtz. Mark
Ermin Borovac
Honored Contributor

Re: Blocking remote swlist access to swagentd

To achieve this, simply remove the any_other entry type from the swacl.

/* host level controls access to software depots on the host */
# swacl -l host -D any_other

/* root level controls access to software installed on primary root "/" */
# swacl -l root -D any_other

/* global_soc_template level provides default ACLs that apply to all new depots and roots added to the host */
# swacl -l global_soc_template -D any_other

/* global_product_template level initialises the product_template of future depots added to the host */
# swacl -l global_product_template -D any_other

Also remove any_other entry for any depot you have on the system.

# swlist -l depot
# swacl -l depot -D any_other @ /path/to/depot

The group:swadm ACL entry was removed in 11i -- you could remove it as well.

# swacl -l host -D group:swadm

repeat for other levels ...
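An added example, not from the thread: a POSIX shell audit that parses `swacl -l` output like the listings John posted and prints the `swacl -D` commands Ermin describes for every entry granting read access beyond local accounts (any_other/other, host entries, and user/group entries qualified with a remote realm). The ACL text below is constructed from the thread's listings; /var/spool/sw is the default depot path already named above.

```shell
#!/bin/sh
# Added example, not from the thread: parse `swacl -l LEVEL` output and
# print the `swacl -D` commands that would remove entries granting read
# access beyond the local root account (any_other/other, host entries,
# and user/group entries qualified with a remote realm via '@').

# Read swacl output on stdin; print the key of each open entry, one per line.
find_open_entries() {
    awk -F: '
        /^#/ { next }                       # header and comment lines
        NF >= 2 {
            key = $1
            for (i = 2; i < NF; i++) key = key ":" $i
            perms = $NF                     # e.g. -r--t  (c r w i t)
            if (index(perms, "r") == 0) next
            if ($1 == "any_other" || $1 == "other" || $1 == "host") print key
            else if (($1 == "user" || $1 == "group") && index(key, "@") > 0) print key
        }'
}

# Build the swacl command that deletes ENTRY at LEVEL (optionally for TARGET,
# e.g. a depot path, which swacl takes after "@").
remediation_cmd() {
    if [ -n "$3" ]; then
        printf 'swacl -l %s -D %s @ %s\n' "$1" "$2" "$3"
    else
        printf 'swacl -l %s -D %s\n' "$1" "$2"
    fi
}

# Usage: printf '%s\n' "$acl_text" | audit_level LEVEL [TARGET]
audit_level() {
    find_open_entries | while IFS= read -r entry; do
        remediation_cmd "$1" "$entry" "$2"
    done
}

# Constructed samples: the host-level default John posted, and a depot ACL
# shaped like Michael's example.
DEFAULT_HOST_ACL='# swacl Host Access Control List
# default_realm=hostB
group:swadm:crwit
any_other:-r--t'

DEPOT_ACL='# realm: remote_host
object_owner:crwit
user:rob@lehi.fc.hp.com:-r--t
user:barb:-r--t
group:swadm:crwit
other:-r--t
host:lehi.fc.hp.com:-r--t'

printf '%s\n' "$DEFAULT_HOST_ACL" | audit_level host
printf '%s\n' "$DEPOT_ACL" | audit_level depot /var/spool/sw
```

Run the real thing by piping `swacl -l host`, `swacl -l root`, the two global templates and each depot listed by `swlist -l depot` into `audit_level`, then review the printed commands before executing them.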