This appendix provides detailed information about the components that you use to construct the pmpolicyPrivilege Manager for Unix security policy file.
One Identity uses the following language standards to define the grammar of the policy scripting language used in Privilege Manager for Unix.
Production | Description |
---|---|
<identifier> | ::= [A-Za-z][A-Za-z0-9_]* |
<number> | ::= [0-9]+ |
<octalnumber> | ::= 0[0-7]+ |
<hexnumber> | ::= 0x[a-fA-F0-9]+ |
<realnumber> | ::= <number> '.' <number> |
<string> | ::= \" <non-double-quote | backslashed-double-quote >* \"
| ' <non-single-quote | backslashed-single-quote >* ' |
<non-double-quote> | ::= [^\"] |
<backslashed-double-quote> | ::= \\\" |
<non-single-quote> | ::= [^'] |
<backslashed-single-quote> | ::= \\' |
<comment> | ::= <shell-style-comment> | <c-style-comment> | <cplusplus-style-comment> |
<shell-style-comment> | ::= '#' [^\n]* |
<c-style-comment> | ::= /\* [^\*/]* \*/ |
<cplusplus-style-comment> |
::= // [^\n]* |
Production | Description |
---|---|
Policy | ::= { Statement | Procedure } |
Procedure | ::= ( 'procedure' | 'function' ) <identifier> '(' [Parameters] ')' BlockStatement |
Parameters | ::= Parameter {',' Parameter } |
Parameter | ::= <identifier> ['=' Expression] |
Statements | ::= Statement { Statement } |
Statement |
::= IfStatement | ForStatement | DoWhileStatement | WhileStatement | SwitchStatement | BreakStatement | ContinueStatement | ReturnStatement | AcceptStatement | RejectStatement | IncludeStatement | ReadOnlyStatement | ReadOnlyExceptStatement | ExpressionStatement | BlockStatement |
IfStatement | ::= 'if' '(' Expression ')' Statement [ 'else' Statement ] |
WhileStatement | ::= 'while' '(' Expression ')' Statement |
DoWhileStatement | ::= 'do' BlockStatement 'while' '(' Expression ')' ';' |
ForStatement |
::= 'for' '(' Expressions ';' Expression ';' [Expression] ')' Statement | 'for' '(' <identifier> 'in' Expression ')' Statement |
SwitchStatement | ::= 'switch' '(' Expression ')' '{' [Cases][Default] '}' |
Cases | ::= Case { Case } |
Case | ::= 'case' Expression ':' Statements |
Default | ::= 'default' Statements |
BreakStatement | ::= 'break' ';' |
ContinueStatement | ::= 'continue' ';' |
ReturnStatement | ::= 'return' [ Expression ] ';' |
IncludeStatement | ::= 'include' Expression ';' |
AcceptStatement | ::= 'accept' ';' |
RejectStatement | ::= 'reject' [ Expression ] ';' |
ReadOnlyStatement | ::= 'readonly' Expression ';' |
ReadOnlyExceptStatement | ::= 'readonlyexcept' Expression ';' |
ExpressionStatement | ::= Expression ';' |
BlockStatement | ::= '{' Statements '}' |
Expressions | ::= Expression {',' Expressions } |
Expression | ::= AssignmentExpression | ConditionalExpression |
AssignmentExpression | ::= PrimaryExpression { AssignmentOp Expression } |
AssignmentOp | ::= '=' | '+=' | '-=' | '*=' | '/=' |
ConditionalExpression | ::= LogicalOrExpression [ '?' Expression ':' Expression ] |
LogicalOrExpression | ::= LogicalAndExpression { '||' LogicalAndExpression } |
LogicalAndExpression | ::= BitwiseOrExpression { '&&' BitwiseOrExpression } |
BitwiseOrExpression | ::= BitwiseAndExpression { '|' BitwiseAndExpression } |
BitwiseAndExpression | ::= EqualityExpression { '&' EqualityExpression } |
EqualityExpression | ::= RelationalExpression { EqualityOp RelationalExpression } |
EqualityOp | ::= '==' | '!= |
RelationalExpression | ::= AdditiveExpression { RelationalOp AdditiveExpression } |
RelationalOp | ::= '<' | '>' | '<=' | '>=' | 'in' |
AdditiveExpression | ::= MultiplicativeExpression { AdditiveOp MultiplicativeExpression } |
AdditiveOp | ::= '+' | '-' |
MultiplicativeExpression | ::= PrimaryExpression { MultiplicativeOp PrimaryExpression } |
MultiplicativeOp | ::= '*' | '/' | '%' |
PrimaryExpression |
::= PrefixAssignmentExpression | DesignatorExpression | LiteralExpression | '-' Expression | '!' Expression | 'typeof' Expression | 'defined' <identifier> | '(' Expression ')' |
PrefixAssignmentExpression | ::= PrefixOp <identifier> |
PrefixOp | ::= '++' | '--' |
DesignatorExpression |
::= <identifier> | <identifier> PostfixOp | <identifier> Arguments | <identifier> ListAccess { ListAccess } |
PostfixOp | ::= '++' | '--' |
Arguments | ::= '(' [Expressions] ')' |
ListAccess | ::= '[' Expression ']' |
LiteralExpression | ::= <string> | <number> | <hexnumber> | <octalnumber> | <realnumber> | ListLiteral |
ListLiteral |
::= '{' [Expressions] '}' |
The following data types are available for use in the policy scripting language.
Type | Description | Example |
---|---|---|
array | A multi-dimensional array that can contain any mixture of types. |
Users={"fred", "jen", "sally"}; Ids={1, 9, 10}; Usermap={ Users, Ids}; print(umap[0][2] + " -> " + umap[1][2]); |
boolean | The values true and false. | x = true; |
double | A number with a fractional component. |
x=2.5; y=4.3; print(x+y); #prints 6.8 |
int |
The type integer includes the set of integers (…, -2, -1, 0, 1, 2, …). The constants true and false are defined to have the values 1 and 0, respectively. Specify hexadecimal numbers with the prefix 0x. |
count=0; x=y=1; You can specify an octal number by preceding it with a leading zero. For example, when specifying a umask value runumask=022 |
ldapid | Special type to support LDAP functions. | |
ldapsearchresult | Special type to support LDAP functions. | |
list | An ordered group of strings separated by commas and surrounded by curly braces.
List elements are accessed by post-fixing them with square brackets [ ] containing the index of the desired element. Indices start at 0. |
mylist = {"string zero", "string one", "string two"}; print( {"a", "b", "c"}[1] ); # prints "b" |
string | A sequence of zero or more characters within single or double quotes. |
Mystr="this is a string"; Str1="user: " + user; |
undefined |
A variable is assigned a type when it is assigned a value of that type. A variable that is referenced but has not been assigned a value is set to the type undefined. |
if (typeof(myvar) == "undefined") { myvar=user;} |
Operators specify what is done to variables, constants, and expressions.
Expressions combine variables and constants to produce new values. Expressions which use the operators !, ||, &&, ==, !=, <, >, <=, >=, in, !in and () return a boolean value of true or false.
Unless otherwise specified, these operators are valid for all types of variables.
Operator | Description | Example |
---|---|---|
= |
variable = expression The assignment operator assigns a copy of the expression on the right side to the variable on the left side. |
count=0; x=y=1; str="this is a string"; users={"fred", "john"}; list1=users; list[1]="johnr"; |
+= |
variable += expression The addition self-assignment operator adds the value of the expression to the value of the variable and stores the result in the variable. Valid for integer, double and string data types. |
count=1; count +=10; print(count); #prints 11 |
-= |
variable -= expression The subtraction self-assignment operator subtracts the value of the expression from the value of the variable and stores the result in the variable. Valid for integer and double data types. |
Count=10; Count-=2; print(Count); #prints 8 |
*= |
variable *= expression The multiplication self-assignment operator multiplies the value of the expression by the value of the variable and stores the result in the variable. Valid for integer and double data types. |
tot =10; tot *= 10; print(tot); #prints 100 |
/= |
variable /= expression The division self-assignment operator divides the value of the variable by the value of the expression and stores the result in the variable. Valid for integer and double data types. |
tot=10; tot /=2; print(tot); #prints 5 |
var++ |
variable ++ The postfix auto increment operator returns the value of the variable and adds 1 to the variable. Valid for integer and double data types. |
count=0; userlist[count++]="john"; |
++var |
++variable The prefix auto increment operator adds 1 to the variable and returns the result. Valid for integer and double data types. |
++count=-1; userlist[++count]="john"; |
var-- |
variable -- The postfix auto increment operator returns the value of the variable and subtracts 1 from the variable. Valid for integer and double data types. |
for(i=10; i>0; i--) {…} |
--var |
--variable The prefix auto increment operator subtracts 1 from the variable and returns the result. Valid for integer and double data types. |
i=9; do { userlist[--i] = value; } while (i>0); |
! |
!expression Negation operator negates the value of the expression and returns the result. |
while (!found) {…} no = !true; if (!(a&&b)) reject; #request is rejected if a AND b #are not true |
|| |
expression || expression Logical or operator resolves to true if either expression resolves to true. |
if ((user in list1) || (user in list2)) {accept;} |
&& |
expression && expression Logical or operator resolves to true if both expressions resolve to true. |
if ((defined myuser) && (myuser == "root")) {accept;} |
| |
expression | expression Bitwise or operator resolves to true. |
if (word | 0x4) {…} |
& |
expression & expression Bitwise and operator resolves to true. |
if (word & 0x4) {…} |
== |
expression == expression Resolves to true if the expressions are identical. |
if (user == "root") {…} if (x==1){…} if (list1 == {"one"}) {…} |
!= |
Expression != expression Logical or operator resolves to true if the expressions are not identical. |
if (found != true) {…} if (user != "root") {…} if (list1 != {"root"}) {…} |
() |
(expression) Forces a particular order of evaluation. |
if ((a||b) && c) { accept; } if (a || (b && c)) { reject; } |
?: |
Conditional expression ? t_expression : f_expression The conditional expression is evaluated. If it resolves to true, then it evaluates to t_expression, else it evaluates to f_expression. |
runuser = (user == "cory") ? "root" : "sys"; # is equivalent to: # if (user=="cory") { # runuser = "root";} # else { # runuser = "sys";} |
in |
string in expression Resolves to true if the string is a member of the list. It performs a glob-style check on each member of the list, so each list element can be a glob expression. The string cannot be a glob expression. |
list={"root", "admin"}; print("root" in userlist); #prints 1 |
!in |
string !in expression Resolves to true if the string is not a member of the list. It performs a glob-style check on each member of the list, so each list element can be a glob expression. The string cannot be a glob expression. |
list={"root", "admin"}; print("john" ! in userlist); #prints 1 |
+ - * / % |
expression operator expression Mathematical operators return the result of evaluating the arithmetic expression. The normal mathematical rules for order of evaluation apply. All operands must be integers or doubles. The exception is the + operator which will concatenate strings and lists. |
a = 5 + 4 * 2; #a == 13 b = 5 * 4 / 2; #b == 10 c = 5 % 4; #c == 1 d = "string1" + "string2"; #d = "string1 string2" e={"one"}+{"two"}; #e = {"one", "two"}; |
< > <= >= |
expression operator expression Relational operators resolve to true if the relationship is true. |
4 > 7 // evaluates false 4 >= 4 // evaluates true 4 < 1 // evaluates false "foo" == "bar" // false "foo" > "bar" // true, because foo follows bar alphabetically |
export |
export <varname> Adds a local variable to the event log and I/O log. Can be specified multiple times. |
|
[] |
list[number] Returns the value of an element in a list or array. |
list1={"user0", "user1", "user2"}; print(List[2]); #prints user2 list0={"user0", 0}; list1={"user1",1}; maplist={list0, list1}; print(maplist[0][0], maplist[0][1]); #prints user0 0 |
typeof |
typeof expression Returns a string representation of the type of an expression. |
print(typeof x); #undefined x=1; print(typeof x); #integer x="1"; print(typeof x); #string x={"1"};print(typeof x); #array |
defined |
defined variable Resolves to true if the variable has been declared with a value. |
print(defined x); #prints 0 x=1; print(defined x); #prints 1 |
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Conditions d’utilisation Confidentialité Cookie Preference Center