swacl man page on HP-UX

swacl(1M)							     swacl(1M)

NAME
       swacl - view or modify the Access Control Lists (ACLs) which protect
       software products

       swfixrealm - updates default_realm in all SD ACL files

SYNOPSIS
       level  acl_entry|  acl_file|  acl_entry]  software_file]  target_file]
              option=value]  option_file]  [software_selections]
              target_selections]

   Remarks
              ·  The command supports operations on remote systems.  See the
                 section below for details.

              ·  Type to display sd(5) for an overview of all SD commands.

              ·  The command can only be run by superuser.

              ·  When operating on local ACLs with a command released in the
                 year 2008 or later, messages previously written to are
                 instead written to stderr of the command.  Messages
                 describing changed ACLs are written to stderr and to

DESCRIPTION
       The command displays or modifies the Access Control Lists (ACLs) which:

              ·  Protect the specified target_selections (hosts, software
                 depots or root filesystems).

              ·  Protect the specified software_selections on each of the
                 specified target_selections (software depots only).

       All root filesystems, software depots, and products in software depots
       are protected by ACLs.  The SD commands permit or prevent specific
       operations based on whether the ACLs on these objects permit the
       operation.  The command is used to view, edit, and manage these ACLs.
       The ACL must exist and the user must have the appropriate permission
       (granted by the ACL itself) in order to modify it.

       ACLs offer a greater degree of selectivity than standard file
       permissions.  ACLs allow an object's owner (that is, the user who
       created the object) or the local superuser to define specific read,
       write, or modify permissions to a specific list of users, groups, or
       combinations thereof.

       Some operations allowed by ACLs are run as local superuser.  Because
       files are loaded and scripts are run as superuser, granting a user
       write permission on a root filesystem or insert permission on a host
       effectively gives that user superuser privileges.

   Protected Objects
       The following objects are protected by ACLs:

	      ·	 Each host system on which software is being managed by SD,

	      ·	 Each root filesystem on a host (including alternate roots),

	      ·	 Each software depot on a host,

	      ·	 Each software product contained within a depot.

   Remote Operation
       You can enable SD to manage software on remote systems.  To let the
       root user from a central SD controller (also called the central
       management server or manager node) perform operations on a remote
       target (also called the host or agent):

       1)   Set up the root, host, and template Access Control Lists (ACLs) on
            the remote machines to permit root access from the controller
            system.  To do this, run the following command on each remote
            system:

            NOTES:

            ·  controller is the name of the central management server.

            ·  If remote system is 11.00, make sure SD patch PHCO_22526 or a
               superseding patch is installed on remote system before running

            ·  If remote system is older than 11.00 or for some other reason
               does not have in place, copy script from an 11.11 or higher
               system to the remote system.

       2)   have enhanced GUI interfaces for remote operations.  Enable the
            enhanced GUIs by creating the file on the controller.  Use this
            command:

            See sd(5), swinstall(1M), swcopy(1M), swjob(1M), swlist(1M) or
            swremove(1M) for more information on interactive operations.

       NOTE: You can also set up remote access by using directly on the remote
       machines to grant root or non-root access to users from the controller
       system.

   Options
       If the or option is not specified, prints the requested ACL(s) to the
       standard output.

       The command supports the following options:

              Deletes an existing entry from the ACL associated with the
              specified object(s).
                           For this option, the permission field of the ACL
                           entry is not required.  You can specify multiple
                           options.  See the heading for more information.

              Read the list of
                           software_selections from software_file instead of
                           (or in addition to) the command line.

              Assigns the ACL contained in
                           acl_file to the object.  All existing entries are
                           removed and replaced by the entries in the file.
                           Only the ACL's entries are replaced; none of the
                           information contained in the comment portion
                           (lines with the prefix of an ACL listing is
                           modified with this option.  The acl_file is usually
                           the edited output of a list operation.

                           If the replacement ACL contains no syntax errors
                           and the user has control permission on the ACL
                           (or is the local superuser), the replacement
                           succeeds.

              Defines which level of SD ACLs to view/modify.

                           The supported levels of depot, host, root, and
                           product objects that can be protected are:

                           View/modify the ACL protecting the software
                           depot(s) identified by the target_selections.

                           View/modify the ACL protecting the host system(s)
                           identified by the target_selections.

                           View/modify the ACL protecting the root
                           filesystem(s) identified by the target_selections.

                           View/modify the ACL protecting the software product
                           identified by the software_selection.  Applies only
                           to products in depots, not installed products in
                           roots.

                           The supported levels of templates are:

                           View/modify the template ACL used to initialize the
                           ACL(s) of future software depot(s) or root
                           filesystem(s) added to the host(s) identified by
                           the target_selections.  Additionally, can create
                           templates that you can re-use to create new ACLs.

                           View/modify the template ACL used to initialize the
                           ACL(s) of future software depot(s) added to the
                           host(s) identified by the target_selections.

                           View/modify the template ACL used to initialize the
                           ACL(s) of future product(s) added to the software
                           depot(s) identified by the target_selections.

              Adds a new ACL entry or changes the permissions of an existing
              entry.
                           You can specify multiple options.  See the heading
                           for more information.

              Read the list of
                           target_selections from file instead of (or in
                           addition to) the command line.

              Set the session
                           option to value and override the default value
                           (or a value in an alternate option_file specified
                           with the option).  You can specify multiple
                           options.

              Read the session options and behaviors from
                           option_file.

       You can specify only one of the or options at each invocation of

   Operands
       Most SD commands support two types of operands: followed by These
       operands are separated by the "at" character.  This syntax implies that
       the command operates on "software selections at targets".

   Software Selections
       The command supports the following syntax for each software_selection:

              ·  You can specify selections with the following shell wildcard
                 and pattern-matching notations:

              ·  The software specification selects all products in the depot
                 when used with

       The version component usually has the following form:

              ·  The <op> (relational operator) component can take the form:

                     or

                 which performs individual comparisons on dot-separated
                 fields.

                 For example, chooses all revisions greater than or equal to
                 The system compares each dot-separated field to find matches.
                 Shell patterns are not allowed with these operators.

              ·  The (equals) relational operator lets you specify selections
                 with the shell wildcard and pattern-matching notations:

                 For example, the expression returns any revision in version
                 10 or version 11.

              ·  All version components are repeatable within a single
                 specification (for example, If multiple components are used,
                 the selection must match all components.

              ·  Fully qualified software specs include the and version
                 components even if they contain empty strings.

              ·  No space or tab characters are allowed in a software
                 selection.

              ·  The software can take the place of the version component.  It
                 has the form:

                     [instance_id]

                 within the context of an exported catalog, where is an
                 integer that distinguishes versions of products and bundles
                 with the same tag.

   Target Selections
       The SD commands support this syntax for each target_selection.

       A host may be specified by its host name, domain name, or Internet
       address.  If host is specified, the directory must be an absolute path.
       To specify a relative path when no host is specified, the relative path
       must start with or otherwise, the specified name is considered as a
       host.

   Target Selections with IPv6 Address
       SD commands also support specifying the host as an IPv6 address on
       HP-UX Release 11i v3, as shown below:

       If both the hostname and the path are specified, then the first
       occurrence of a slash is treated as the separator.

       The IPv6 address can optionally be enclosed in a pair of square
       brackets and

EXTERNAL INFLUENCES
   Default Options
       In addition to the standard options, you can change SD behaviors and
       policy options by editing the default values found in:

              the system-wide default values,

              the user-specific default values.

       You must use the following syntax to specify values in the defaults
       file:

       The optional prefix denotes one of the SD commands.  Using the prefix
       limits the change in the default value to that command.  If you leave
       the prefix off, the change applies to all commands.

       You can also override default values from the command line with the or
       options:

       The following section lists all of the keywords supported by the
       command.  If a default value exists, it is listed after the

              The location for SD logfiles and the default parent directory
              for the
                        installed software catalog.  The default value is for
                        normal SD operations.  When SD operates in
                        nonprivileged mode (that is, when the default option
                        is set to

                        ·  The default value is forced to

                        ·  The path element is replaced with the name of the
                           invoking user, which SD reads from the system
                           password file.

                        ·  If you set the value of this option to path, SD
                           replaces with the invoking user's home directory
                           (from the system password file) and resolves path
                           relative to that directory.  For example, resolves
                           to the directory in your home directory.

                        ·  If you set the value of the default option to a
                           relative path, that path is resolved relative to
                           the value of this option.

                        SD's nonprivileged mode is intended only for managing
                        applications that are specially designed and
                        packaged.  You cannot use this mode to manage the
                        HP-UX operating system or patches to it.  For a full
                        explanation of nonprivileged SD, see the available at
                        the web site.

                        See also the and options.

              Defines the default location of the target depot.

              Defines the directory path where the Installed Products
              Database (IPD)
                        is stored.  This information describes installed
                        software.  When set to an absolute path, this option
                        defines the location of the IPD.  When this option
                        contains a relative path, the SD controller appends
                        the value to the value specified by the option to
                        determine the path to the IPD.  For alternate roots,
                        this path is resolved relative to the location of the
                        alternate root.  This option does not affect where
                        software is installed, only the IPD location.

                        This option permits the simultaneous installation and
                        removal of multiple software applications by multiple
                        users or multiple processes, with each application or
                        group of applications using a different IPD.

                        Caution: use a specific to manage a specific
                        application.  SD does not support multiple
                        descriptions of the same application in multiple
                        IPDs.

                        See also the and options, which control SD's
                        nonprivileged mode.  (This mode is intended only for
                        managing applications that are specially designed and
                        packaged.  You cannot use this mode to manage the
                        HP-UX operating system or patches to it.  For a full
                        explanation of nonprivileged SD, see the available at
                        the web site.)

              Defines the level of SD ACLs to view/modify.  The supported
              levels
                        are: or

                        See the discussion of the option above for more
                        information.

              Controls the time in minutes to cache and re-use the results of
              hostname
                        or IP address resolution lookups.  A value of 0
                        disables the facility to cache and re-use lookup
                        results.  The maximum value allowed is 10080 minutes,
                        which is one week.

                        A value of:
                        disables the lookup caching mechanism.
                        is the maximum value allowed.

              This option controls the exit code returned by SD's controller
              commands.
                        This option is applicable only for a single target
                        operation, and ignored when multiple targets are used.

                        When set to the default value of swacl returns:

                        0  If there were no errors, with or without warnings.

                        1  If there were errors.

                        When set to swacl returns:

                        0  If there were no warnings and no errors.

                        1  If there were errors.

                        2  If there were warnings but no errors.

              Defines the protocol sequence(s) and endpoint(s) on which the
              daemon
                        listens and which the other commands use to contact
                        the daemon.  If the connection fails for one protocol
                        sequence, the next is attempted.  SD supports both
                        the tcp and udp protocol sequence on most platforms.

              Relative length of the communications timeout.  This is a value
              in the
                        range from 0 to 9 and is interpreted by the DCE RPC.
                        Higher values mean longer times; you may need a
                        higher value for a slow or busy network.  Lower
                        values will give faster recognition on attempts to
                        contact hosts that are not up, or are not running
                        Each value is approximately twice as long as the
                        preceding value.  A value of 5 is about 30 seconds
                        for the protocol sequence.  This option may not have
                        any noticeable impact when using the protocol
                        sequence.

              This option controls SD's nonprivileged mode.  This option is
              ignored
                        (treated as true) when the invoking user is
                        super-user.

                        When set to the default value of true, SD operations
                        are performed normally, with permissions for
                        operations either granted to a local super-user or
                        set by SD ACLs.  (See swacl(1M) for details on ACLs.)

                        When set to false and the invoking user is local and
                        is not super-user, nonprivileged mode is invoked:

                        ·  Permissions for operations are based on the user's
                           file system permissions.

                        ·  SD ACLs are ignored.

                        ·  Files created by SD have the uid and gid of the
                           invoking user, and the mode of created files is
                           set according to the invoking user's umask.

                        SD's nonprivileged mode is intended only for managing
                        applications that are specially designed and
                        packaged.  You cannot use this mode to manage the
                        HP-UX operating system or patches to it.  For a full
                        explanation of nonprivileged SD, see the available at
                        the web site.

                        See also the and options.

              If no target_selections are specified, select
                        the default of the local host as the
                        target_selection for the command.

              Defines the default
                        software_selections.  There is no supplied default.
                        If there is more than one software selection, they
                        must be separated by spaces.

              Defines the default
                        target_selections.  There is no supplied default (see
                        above).  If there is more than one target selection,
                        they must be separated by spaces.

              Controls the verbosity of the output (stdout).  A value of:
                        disables output to stdout.  (Error and warning
                        messages are always written to stderr).
                        enables verbose messaging to stdout.

   Environment Variables
       SD programs are affected by external environment variables, set
       environment variables for use by the control scripts, and use other
       environment variables that affect command behavior.

       The external environment variable that affects the command is:

              Determines the language in which messages are displayed.
                           If is not specified or is set to the empty string,
                           a default value of is used.  See the lang(5) man
                           page by typing for more information.

                           Note: The language in which the SD agent and
                           daemon log messages are displayed is set by the
                           system configuration variable script, For example,
                           must be set to or to make the agent and daemon log
                           messages display in Japanese.

              Determines the locale used to override any values for locale
                           categories specified by the settings of or any
                           environment variables beginning with

              Determines the interpretation of sequences of bytes of text
              data as
                           characters (for example, single versus multibyte
                           characters in values for vendor-defined
                           attributes).

              Determines the language in which messages are written.

              Determines the format of dates
                           (create_date and mod_date) when displayed by Used
                           by all utilities when displaying dates and times
                           in and

              Determines the time zone for use when displaying dates and
              times.

OPERATION
   ACL Entries
       Each entry in an ACL has the following form:

              For example:

       An ACL can contain multiple entries.  See the and headings below for
       more information.

   Entry Types
       The following entry_types are supported:

              Permissions for all other users and hosts that do not
                           match a more specific entry in the ACL.
                           (Example:

              Permissions for a named group.
                           This type of ACL entry must include a key that
                           identifies that group.  The format can be: or
                           permissions.  (Example:

              Permissions for an SD agent from the specified host system.
                           SD agents require product level read access via
                           either a or entry type in order to copy or install
                           products from depots.  This type of ACL entry must
                           include a key containing a hostname or number (in
                           Internet dot notation) of a system or the asterisk
                           character to denote all systems.  (Example:

              Permissions for the object's owner, whose identity is listed in
              the
                           comment header.  (Example:

              Permissions for members of the object's group, whose identity
              is
                           listed in the comment header.  (Example:

              Permissions for others who are not otherwise named by a more
              specific
                           entry type.  The format for can be: for others on
                           the local host (only one such entry allowed) or
                           for others at remote hosts (Only one such entry
                           per remote host allowed).  (Example:

              Permissions for a named user.
                           This type of ACL entry must include a key that
                           identifies that user.  The format for can be: or
                           permissions.  (Example:

   Entries With IPv6 Addresses
       IPv6 addresses in the keys within the ACL entries are not allowed.

   Permissions
       Permissions are represented as the single character abbreviations
       indicated below.  Some permissions either apply only to, or have
       different meaning for, certain types of objects, as detailed below.
       The following permissions may be granted:

              Grants permission to read the object.
                        On or objects, read permission allows operations.  On
                        products within depots, read permission allows
                        product files to be installed or copied with or

              Grants permission to modify the object itself.

                        ·  On a object (for example, installed root
                           filesystem), this also grants permission to modify
                           the products installed (contained) within it.

                        ·  On a object, it does not grant permission to
                           modify the products contained within it.  Write
                           access on products is required to modify products
                           in a depot.

                        ·  On a container, write permission grants permission
                           to unregister depots.  It does not grant
                           permission to modify the depots or roots contained
                           within it.

              On a object, grants permission to create
                        (insert) a new software depot or root filesystem
                        object, and to register roots and depots.  On a
                        object, grants permission to create (insert) a new
                        product object into the

              Grants permission to modify the ACL using

              Grants permission to perform access checks and
                        to list the ACL.

              A wildcard which grants all of the above permissions.  It is
              expanded by
                        to

   List Output Format
       The output of a list operation is in the following format:

              entry_type:[key:]permissions
              entry_type:[key:]permissions
              entry_type:[key:]permissions

       You can save this output into a file, modify it, then use it as input
       to a modify operation (see the option above).

   Object Ownership
       An owner is also associated with every SD object, as defined by the
       user name, group and hostname.  The owner is the user who created the
       object.  When using to view an ACL, the owner is printed as a comment
       in the header.

   Default Realm
       An ACL defines a default realm for an object.  The realm is currently
       defined as the name of the host system on which the object resides.
       When using to view an ACL, the default realm is printed as a comment
       in the header.

   Keys
       Expressions (patterns) are not permitted in keys.

       A key is required for and entry types.  A key is optional for entry
       types, and specifies the hostname to which the entry applies.  Only
       one entry type may exist without a key, and this entry applies to
       users at the default realm (host) of the ACL.

       A hostname in a key is listed in its Internet address format (dot
       notation) if cannot resolve the address using the local lookup
       mechanism (DNS, NIS, or A hostname within an ACL entry must be
       resolvable when used with the and options.  Unresolvable hostname
       values are accepted in files provided with the option.
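       The following Python program is an added example; it is not part of
       this man page and not SD code.  It parses a saved listing in the
       entry_type:[key:]permissions format shown under List Output Format,
       applies the key rules given under Keys (including the rule that keys
       may not contain IPv6 addresses), and flags the grants that the
       DESCRIPTION and WARNINGS sections describe as superuser-equivalent
       (write on a root filesystem, insert on a host), grants of more than
       read/test to unnamed principals, and ACLs left with no holder of
       control permission.  The entry-type names (any_other, group, host,
       object_owner, object_group, other, user), the permission letters
       r, w, i, c, t, the expansion of the wildcard a to all of them, and a
       "#" comment prefix carrying a default_realm= line are assumptions
       about SD's listing format; the sample listings are constructed.

```python
"""Audit an swacl listing for superuser-equivalent grants (added example).

Entry-type names, permission letters, the 'a' wildcard expansion and the
'#' comment prefix are assumptions about SD's entry_type:[key:]permissions
listing format, not taken from the man page.
"""
from __future__ import annotations

import re
from typing import NamedTuple

ALL_PERMS = frozenset("rwict")          # assumed: read, write, insert, control, test
KEY_REQUIRED = {"user", "group", "host"}  # assumed entry types that need a key
KEY_OPTIONAL = {"other"}                  # key optional: names the host it applies to
NO_KEY = {"any_other", "object_owner", "object_group"}
ENTRY_TYPES = KEY_REQUIRED | KEY_OPTIONAL | NO_KEY


class AclEntry(NamedTuple):
    entry_type: str
    key: str            # "" when the entry carries no key
    perms: frozenset    # permission letters after wildcard expansion


def expand_perms(field: str) -> frozenset:
    """Expand the 'a' wildcard (assumed to stand for every permission)."""
    if field == "a":
        return ALL_PERMS
    unknown = set(field) - ALL_PERMS
    if unknown:
        raise ValueError("unknown permission letters: " + "".join(sorted(unknown)))
    return frozenset(field)


def parse_acl(text: str) -> tuple[dict[str, str], list[AclEntry]]:
    """Return (header, entries); header keeps name=value comment lines."""
    header: dict[str, str] = {}
    entries: list[AclEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*(\w+)=(\S+)", line)
            if m:
                header[m.group(1)] = m.group(2)
            continue
        # Keys may not hold IPv6 addresses, so ':' only separates fields.
        parts = line.split(":")
        if len(parts) == 2:
            etype, key, field = parts[0], "", parts[1]
        elif len(parts) == 3:
            etype, key, field = parts
        else:
            raise ValueError(f"line {lineno}: malformed entry {line!r}")
        if etype not in ENTRY_TYPES:
            raise ValueError(f"line {lineno}: unknown entry type {etype!r}")
        if etype in KEY_REQUIRED and not key:
            raise ValueError(f"line {lineno}: {etype} entry requires a key")
        if etype in NO_KEY and key:
            raise ValueError(f"line {lineno}: {etype} entry takes no key")
        entries.append(AclEntry(etype, key, expand_perms(field)))
    return header, entries


def audit_acl(level: str, text: str) -> list[str]:
    """Flag grants the man page calls superuser-equivalent or self-defeating.

    level is the SD object level the ACL protects: host, root, depot or
    product.  object_owner is skipped for the superuser checks because the
    audit is about delegated access, not the creator's own rights.
    """
    _, entries = parse_acl(text)
    findings: list[str] = []
    if not any(e.perms for e in entries):
        findings.append("no entry grants any permission; the object is inaccessible")
    if not any("c" in e.perms for e in entries):
        findings.append("no entry holds control (c); only the local superuser can repair this ACL")
    for e in entries:
        who = f"{e.entry_type}:{e.key}" if e.key else e.entry_type
        if e.entry_type != "object_owner":
            if level == "root" and "w" in e.perms:
                findings.append(f"{who}: write on a root filesystem is superuser-equivalent")
            if level == "host" and "i" in e.perms:
                findings.append(f"{who}: insert on a host is superuser-equivalent")
        # Entries matching unnamed principals should grant no more than read/test.
        broad = e.entry_type == "any_other" or (e.entry_type == "host" and e.key == "*")
        extra = e.perms - {"r", "t"}
        if broad and extra:
            findings.append(f"{who}: grants {''.join(sorted(extra))} to unnamed principals")
    return findings


# Constructed sample listings (not real swacl output).
ROOT_ACL = """\
# swacl listing (constructed sample)
# default_realm=hosta.example.com
object_owner:crwit
user:bob:rw
group:swadm@hostb.example.com:r
host:*:r
any_other:r
"""
HOST_ACL = """\
# default_realm=hosta.example.com
object_owner:crwit
user:alice@hostb.example.com:i
any_other:rw
"""

if __name__ == "__main__":
    for level, acl in (("root", ROOT_ACL), ("host", HOST_ACL)):
        for finding in audit_acl(level, acl):
            print(f"{level}: {finding}")
```

       Run against a listing saved from a list operation, the audit reports
       the same two conditions the WARNINGS section names: a delegated write
       on a root or insert on a host, and an ACL edited down to the point
       where nobody but the local superuser can change it again.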

   swfixrealm
       The command updates the hostname information in all registered depots,
       in all primary root ACL files under and in all host ACL files under

RETURN VALUE
       The command returns:

              The software_selections and/or target_selections
                  were successfully displayed or modified.
              The display/modify operation failed on
                  all target_selections.
              The display/modify operation failed on
                  some target_selections.

       The command returns:

              The default_realm successfully updated.
              The update operation failed.

DIAGNOSTICS
       The command writes to stdout, stderr, and to the daemon logfile.  The
       command writes to stdout, stderr, and to a logfile at:

   Standard Output
       The command prints ACL information to stdout when the user requests an
       ACL listing.

   Standard Error
       The command writes messages for all WARNING and ERROR conditions to
       stderr.  A report that the software_selections do not exist is also
       given if the user has access permissions to the object.

   Logging
       The command does not log summary events.  It logs events about each
       ACL which is modified to the logfile associated with each
       target_selection.

   swagentd Disabled
       If the daemon has been disabled on the host, it can be enabled by the
       host's system administrator by setting the entry in to and executing

EXAMPLES
       To list the ACLs for the and products in depot

       The ACL listed to the standard output is similar to this example ACL:

       To list the product template ACL on host

       To list the host ACL on the local system:

       To read, edit, then replace the ACL protecting the default depot

       To allow user to create, register, and manage all new depots and roots
       on the local system:

       To allow user to fully manage which already exists:

       To deny general access to a depot:

       To allow user on host access to and all products it currently
       contains:

       To revoke previously granted ACL permission for user on host to access
       the product in the default depot on

       To deny access to the default depot on the local system from host

       To deny access to the product in the default depot on host to all
       users who do not have an explicit ACL entry:

       To allow user on host access to the product in the default depot on
       host you must specify both a user ACL for and a host ACL for

       To revoke a user ACL for user on host that allowed access to the
       product in the default depot on host

       To revoke any previously issued access to the product in the default
       depot on host by users on host

       To deny all access to the users and for the depot at host

       To delete entries for local user from all products in the default
       local depot:

       To update entries with new hostname using

WARNINGS
       ·  You can edit an ACL in such a way that it will leave a system
          inaccessible.  Do not remove all permissions on an ACL.  (Note,
          however, that the local super-user can always edit SD ACLs,
          regardless of permissions.)

       ·  ACLs can grant the equivalent of local superuser permission.  SD
          loads and runs files and scripts as superuser.  Therefore, if an SD
          ACL gives a user write permission on a root filesystem or insert
          permission on a host, that user has the equivalent of superuser
          privileges.

       ·  Note that is not a general purpose ACL editor.  It works only on
          ACLs protecting SD objects.

FILES
       Contains the user-specific default values for some or all SD options.

       Contains the master list of current SD options (with their default
       values).

       The directory which contains all of the configurable
              (and non-configurable) data for SD.  This directory is also the
              default location of logfiles.

       Contains the active system-wide default values for some or all SD
       options.

       The Installed Products Database (IPD), a catalog of all products
              installed on a system.

       The directory which contains ACLs for the system itself, template
       ACLs,
              and the secrets file used to authenticate remote requests.

       The default location of a source and target software depot.

AUTHOR
       and were developed by the Hewlett-Packard Company.

SEE ALSO
       install-sd(1M), swagentd(1M), swask(1M), swconfig(1M), swcopy(1M),
       swinstall(1M), swjob(1M), swlist(1M), swmodify(1M), swpackage(1M),
       swreg(1M), swremove(1M), swverify(1M), sd(4), swpackage(4), sd(5).

       available at

       SD customer web site at
