HPE Community
Operating System - HP-UX
1838655 Members
3462 Online
110128 Solutions
New Discussion

Swlist Access for a Regular User

 
SOLVED
Go to solution
Thomas Rectenwald
Occasional Advisor

‎06-13-2007 03:19 AM

‎06-13-2007 03:19 AM

Swlist Access for a Regular User

Hello,

I have a service account that needs to collect HP software information locally on a box. When I run /usr/sbin/swlist I get:

$ /usr/sbin/swlist
# Initializing...
# Contacting target "server"...
WARNING: Security access denied to file "//var/adm/sw/products/INDEX".
ERROR: "nch5k01a:/": You do not have permission for this operation.
The depot owner, system administrator, or alternate root owner
may need to use the "swreg" or "swacl" command to give you
permission. Or, to manage applications designed and packaged
for nonprivileged mode, see the "run_as_superuser" option in
the "sd" man page.

What I'd like to do is set the ACL's so that this one user can run an swlist and nothing else. I've been reading through the SD man page and ACL information but am not having much luck.

Best Regards,
Tom
0 Kudos
Reply
9 REPLIES 9
Doug Burton
Respected Contributor

‎06-13-2007 03:33 AM

‎06-13-2007 03:33 AM

Solution

Re: Swlist Access for a Regular User

SUDO comes to mind. However you may want to install then cron cfg2html and put the web page output someplace where your user can view it.
Reply
Thomas Rectenwald
Occasional Advisor

‎06-13-2007 03:36 AM

‎06-13-2007 03:36 AM

Re: Swlist Access for a Regular User

Do to security restrictions and control of the sudoers file, I am not going to have much luck getting sudo approved. That would be an ideal solution though. The swlist output gets collected each night and will be inserted into an Oracle DB with GUI and web-based applications able to translate that for users to see.

I thought there was a way to set an ACL on swlist list only that would allow a specified non-root user access to the command locally.

Thanks for the help.
Tom
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎06-13-2007 03:37 AM

‎06-13-2007 03:37 AM

Re: Swlist Access for a Regular User

Shalom,

Wrong approach. Sudo, the port available on http://software.hp.com is the way to go.

Give the user swlist and that should be sufficient.


SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Reply
Thomas Rectenwald
Occasional Advisor

‎06-13-2007 06:17 AM

‎06-13-2007 06:17 AM

Re: Swlist Access for a Regular User

Thanks guys. I do agree that sudo is the cleanest and best way to go here. I've submitted a request to get the user account added so that it can execute /usr/sbin/swlist.

I appreciate the help and advice,
Tom
0 Kudos
Reply
KapilRaj
Honored Contributor

‎06-13-2007 06:29 AM

‎06-13-2007 06:29 AM

Re: Swlist Access for a Regular User

What does swacl do ? Can it help here guys ?

Regards, Kaps
Nothing is impossible
0 Kudos
Reply
Bob E Campbell
Honored Contributor

‎06-13-2007 06:54 AM

‎06-13-2007 06:54 AM

Re: Swlist Access for a Regular User

From the following security bulletin:

http://itrc.hp.com/service/cki/docDisplay.do?docId=pdb_na-hpsbux0105_150-1

It is possible to restore the ability to
perform swlist commands to specific
individual users or groups. For example,
to give user "dave" on remote host
"admin1" the ability to run "swlist"
against the local system, execute the
command:

# swacl -l root -M user:dave@admin1:r

Bob
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎06-13-2007 04:04 PM

‎06-13-2007 04:04 PM

Re: Swlist Access for a Regular User

Did you do something to restrict swlist access?
By default I can do it on my system.

Does your swlist have the SUID bit set?
-r-sr-xr-x
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎06-13-2007 04:05 PM

‎06-13-2007 04:05 PM

Re: Swlist Access for a Regular User

Did you do something to restrict swlist access?
By default I can do it on my system.

Does your swlist have the SUID bit set?
-r-sr-xr-x

(I guess not, I get a different error for that.)
0 Kudos
Reply
Bob E Campbell
Honored Contributor

‎06-13-2007 05:41 PM

‎06-13-2007 05:41 PM

Re: Swlist Access for a Regular User

The ability to list installed software (and the absence of security patches) is considered to be a type of vulnerability (see the above SecBul). Tools such as Bastile will restrict this using swacls.

The swacl man page documents how to open certain capabilities for specified users.

Bob
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.