サポートと今すぐチャット
サポートとのチャット

Privilege Manager for Unix 7.3 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

Data types

The following data types are available for use in the policy scripting language.

Table 27: Data types
Type Description Example

array

A multi-dimensional array that can contain any mixture of types.

Users={"fred", "jen", "sally"}; Ids={1, 9, 10}; Usermap={ Users, Ids}; print(umap[0][2] + " -> " + umap[1][2]);

boolean

The values true and false.

x = true;

double

A number with a fractional component.

x=2.5; y=4.3; print(x+y); #prints 6.8

int

The type integer includes the set of integers (…, -2, -1, 0, 1, 2, …).

The constants true and false are defined to have the values 1 and 0, respectively.

Specify hexadecimal numbers with the prefix 0x.

count=0; x=y=1;

You can specify an octal number by preceding it with a leading zero. For example, when specifying a umask value runumask=022

ldapid

Special type to support LDAP functions.

 

ldapsearchresult

Special type to support LDAP functions.

 

list

An ordered group of strings separated by commas and surrounded by curly braces.

List elements are accessed by post-fixing them with square brackets [ ] containing the index of the desired element. Indices start at 0.

mylist = {"string zero", "string one", "string two"}; print( {"a", "b", "c"}[1] ); # prints "b"

string

A sequence of zero or more characters within single or double quotes.

Mystr="this is a string"; Str1="user: " + user;

undefined

A variable is assigned a type when it is assigned a value of that type.

A variable that is referenced but has not been assigned a value is set to the type undefined.

if (typeof(myvar) == "undefined") { myvar=user;}

Operators and expressions

Operators specify what is done to variables, constants, and expressions.

Expressions combine variables and constants to produce new values. Expressions which use the operators !, ||, &&, ==, !=, <, >, <=, >=, in, !in and () return a boolean value of true or false.

Unless otherwise specified, these operators are valid for all types of variables.

Table 28: Variable operators
Operator Description Example
=

variable = expression

The assignment operator assigns a copy of the expression on the right side to the variable on the left side.

count=0; x=y=1; str="this is a string"; users={"fred", "john"}; list1=users; list[1]="johnr";

+=

variable += expression

The addition self-assignment operator adds the value of the expression to the value of the variable and stores the result in the variable. Valid for integer, double and string data types.

count=1; count +=10; print(count); #prints 11

-=

variable -= expression

The subtraction self-assignment operator subtracts the value of the expression from the value of the variable and stores the result in the variable. Valid for integer and double data types.

Count=10; Count-=2; print(Count); #prints 8

*=

variable *= expression

The multiplication self-assignment operator multiplies the value of the expression by the value of the variable and stores the result in the variable. Valid for integer and double data types.

tot =10; tot *= 10; print(tot); #prints 100

/=

variable /= expression

The division self-assignment operator divides the value of the variable by the value of the expression and stores the result in the variable. Valid for integer and double data types.

tot=10; tot /=2; print(tot); #prints 5

var++

variable ++

The postfix auto increment operator returns the value of the variable and adds 1 to the variable. Valid for integer and double data types.

count=0; userlist[count++]="john";

++var

++variable

The prefix auto increment operator adds 1 to the variable and returns the result. Valid for integer and double data types.

++count=-1; userlist[++count]="john";

var--

variable --

The postfix auto increment operator returns the value of the variable and subtracts 1 from the variable. Valid for integer and double data types.

for(i=10; i>0; i--) {…}

--var

--variable

The prefix auto increment operator subtracts 1 from the variable and returns the result. Valid for integer and double data types.

i=9; do { userlist[--i] = value; } while (i>0);

!

!expression

Negation operator negates the value of the expression and returns the result.

while (!found) {…} no = !true; if (!(a&&b)) reject; #request is rejected if a AND b #are not true

||

expression || expression

Logical or operator resolves to true if either expression resolves to true.

if ((user in list1) || (user in list2)) {accept;}

&&

expression && expression

Logical or operator resolves to true if both expressions resolve to true.

if ((defined myuser) && (myuser == "root")) {accept;}

|

expression | expression

Bitwise or operator resolves to true.

if (word | 0x4) {…}

&

expression & expression

Bitwise and operator resolves to true.

if (word & 0x4) {…}

==

expression == expression

Resolves to true if the expressions are identical.

if (user == "root") {…} if (x==1){…} if (list1 == {"one"}) {…}

!=

Expression != expression

Logical or operator resolves to true if the expressions are not identical.

if (found != true) {…} if (user != "root") {…} if (list1 != {"root"}) {…}

()

(expression)

Forces a particular order of evaluation.

if ((a||b) && c) { accept; } if (a || (b && c)) { reject; }

?:

Conditional expression ? t_expression : f_expression

The conditional expression is evaluated. If it resolves to true, then it evaluates to t_expression, else it evaluates to f_expression.

runuser = (user == "cory") ? "root" : "sys"; # is equivalent to: # if (user=="cory") { # runuser = "root";} # else { # runuser = "sys";}

in

string in expression

Resolves to true if the string is a member of the list. It performs a glob-style check on each member of the list, so each list element can be a glob expression. The string cannot be a glob expression.

list={"root", "admin"}; print("root" in userlist); #prints 1

!in

string !in expression

Resolves to true if the string is not a member of the list. It performs a glob-style check on each member of the list, so each list element can be a glob expression. The string cannot be a glob expression.

list={"root", "admin"}; print("john" ! in userlist); #prints 1

+ - * / %

expression operator expression

Mathematical operators return the result of evaluating the arithmetic expression. The normal mathematical rules for order of evaluation apply. All operands must be integers or doubles. The exception is the + operator which will concatenate strings and lists.

a = 5 + 4 * 2; #a == 13 b = 5 * 4 / 2; #b == 10 c = 5 % 4; #c == 1 d = "string1" + "string2"; #d = "string1 string2" e={"one"}+{"two"}; #e = {"one", "two"};

< > <= >=

expression operator expression

Relational operators resolve to true if the relationship is true.

4 > 7 // evaluates false 4 >= 4 // evaluates true 4 < 1 // evaluates false "foo" == "bar" // false "foo" > "bar" // true, because foo follows bar alphabetically

export

export <varname>

Adds a local variable to the event log and I/O log. Can be specified multiple times.

 
[]

list[number]

Returns the value of an element in a list or array.

list1={"user0", "user1", "user2"}; print(List[2]); #prints user2 list0={"user0", 0}; list1={"user1",1}; maplist={list0, list1}; print(maplist[0][0], maplist[0][1]); #prints user0 0

typeof

typeof expression

Returns a string representation of the type of an expression.

print(typeof x); #undefined x=1; print(typeof x); #integer x="1"; print(typeof x); #string x={"1"};print(typeof x); #array

defined

defined variable

Resolves to true if the variable has been declared with a value.

print(defined x); #prints 0 x=1; print(defined x); #prints 1

Privilege Manager for Unix Variables

This appendix provides detailed information about the variables that may be present in event log entries:

For additional information about policy profile variables, see Profile variables.

Variable names

Privilege Manager for Unix uses a number of predefined global variables and user-defined variables within the pmpolicy scripting language.

Here is some general information about user-defined variables:

  • A user-defined variable is declared the first time it is assigned a value. If a variable is referenced before it has been assigned a value, it has the special type of "undefined".

  • A variable name can be any length.

  • You can use any number of user-defined variables.

  • The first character of a variable name must be a letter or an underscore (_).

  • Variable names are case-sensitive; thus, the names "checkhost" and "CHECKHOST" refer to different variables.

  • Keywords are case-sensitive; you must enter them in lower case.

  • Loose typing is applied when variables of different types are used. Thus, if you use mixed types with an operator, such as, an integer and a string with a "+" operator, the parser will attempt to convert the result to a string.

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択