Chat now with support
Chat with Support

Privilege Manager for Unix 7.2.1 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

procedure / function

Syntax
procedure parameter (argument-list)
{
statement ...
parameter = expression; 
}
function parameter (argument-list)

{

statement ...

parameter = expression; 

}
Description

A procedure is a named block of code that runs a sequence of one or more statements, and which may declare zero or more parameters. Each parameter is a variable that may optionally have a default value. If a parameter is declared with a default value, then all following parameters must also be declared with a default value. A procedure terminates when the final statement is run or when a return statement is run.

Variables and parameters declared within the procedure have local scope and are discarded when the procedure terminates. If an identifier is referenced within a procedure, the local scope of the procedure is checked first for a variable or parameter with a matching name. If one cannot be found, then the containing scope is checked for a variable with a matching name. If a matching variable still cannot be found, a new variable is declared, with a scope local to the procedure.

A procedure is invoked by specifying the name of the procedure and providing values for each parameter in a comma-separated argument list contained within parentheses. No argument is required if the matching parameter has a default value; in this case, the parameter will be assigned its specified default value.

A procedure may be declared using the procedure or function keywords. Historically, a function returns a value whereas a procedure does not; however, the parser will permit any procedure to return a value regardless of the keyword used. The choice of using the procedure or function keyword is stylistic. If a procedure ends without a return statement, a variable with the same name as the procedure is treated as the return value.

Examples

Procedure with no parameters:

procedure include_defaults() { 
   include "/opt/quest/qpm4u/policies/defaults.conf"; 
} 

include_defaults();

Procedure with two parameters, one of which has a default value:

procedure process_include_file(fname, fdir="") { 
   topdir = "/opt/quest/qpm4u/policies"; 
   fpath = topdir + "/" + (fdir == "" ? "" : fdir + "/") + fname; 
   if (fileexists(fpath)) { 
      include fpath; 
   } 
} 

process_include_file(user + ".conf"); 
         # default value of "" is assigned to parameter fdir 

process_include_file(user + ".conf", "users"); 
         # parameter fdir is assigned the value "users"

Procedure with a parameter that masks a top-level variable with the same name. This print 1,2,1:

x = 1; 

procedure foo(x) { 
   print(x); 
} 

print(x); 
foo(2); 
print(x);

readonly

Syntax
readonly list
Description

Use the readonly statement to make a variable read-only. This means that its current value is frozen, so that no configuration file statement can change it. The purpose of this statement is to allow a system administrator to freeze the value of certain variables before calling out to another configuration file using the include statement. By safely freezing certain variable values, control over the other configuration file can safely be given to other, less-trusted personnel, knowing that they will not be able to abuse their privilege and gain unauthorized access to parts of the system that they should not be tampering with.

Examples
runuser = "jamie"; 
readonly {"runuser","runhost","runcommand"}; 
runuser = robyn; 
print(runuser);

This policy will cause an execution error. Running pmcheck displays a message similar to this:

**Policy execution error in /etc/opt/quest/qpm4u/policy/pm.conf, line 3 Cannot assign value to readonly identifier runuser

readonlyexcept

Syntax
readonlyexcept list
Description

The readonlyexcept statement is related to the readonly statement. The readonlyexcept statement makes all variables read-only, except those listed in the statement. The readonlyexcept statement has the same syntax as the readonly statement.

Examples
runhost = "myhost"; 
runuser = "jamie"; 
readonlyexcept {"runuser"}; 
runhost = "newhost"; // fails, runhost still equals "myhost" 
runuser = "corey"; // runuser now equals "corey"

This policy will cause an execution error. Running pmcheck displays a message similar to this:

**Policy execution error in /etc/opt/quest/qpm4u/policy/pm.conf, line 3 Cannot assign value to readonly identifier runuser

return

Syntax
return [expression];
Description

return exits the current procedure/function and returns the value of expression.

Examples
function square (n){
   n2 = n * n; 
   return n2; 
} 

print(square(10)); // prints "100"
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating