Chat now with support
Chat with Support

Safeguard for Sudo 2.0 - Administrators Guide

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Unix Introducing Privilege Manager for Sudo Planning Deployment Installation and Configuration
Download Privilege Manager for Unix Software Packages Download Privilege Manager for Sudo Software Packages Quick Start and Evaluation Configure a Primary Policy Server Configure a Secondary Policy Server Install PM Agent or Sudo Plugin on a Remote Host Remove Configurations
Upgrading Privilege Manager System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager Variables Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures Privilege Manager Programs Installation Packages Unsupported Sudo Options Sudo Plugin Policy Evaluation About us

Privilege Manager for Unix Policy File Components

Privilege Manager for Unix Policy File Components

This appendix provides detailed information about the components that you use to construct the Privilege Manager for Unix security policy file.

Lexical and Syntactic Productions

Privilege Manager for Unix Policy File Components > Lexical and Syntactic Productions

Quest uses the following language standards to define the grammar of the policy scripting language used in Privilege Manager for Unix.

Table 27: Lexical Productions
Production Description
<identifier>  ::= [A-Za-z][A-Za-z0-9_]*
<number> ::= [0-9]+
<octalnumber> ::= 0[0-7]+
<hexnumber> ::= 0x[a-fA-F0-9]+
<realnumber> ::= <number> '.' <number>
<string> ::= \" <non-double-quote | backslashed-double-quote >* \"

| ' <non-single-quote | backslashed-single-quote >* '

<non-double-quote> ::= [^\"]
<backslashed-double-quote> ::= \\\"
<non-single-quote> ::= [^']
<backslashed-single-quote> ::= \\'
<comment> ::= <shell-style-comment> | <c-style-comment> | <cplusplus-style-comment>
<shell-style-comment> ::= '#' [^\n]*
<c-style-comment> ::= /\* [^\*/]* \*/
<cplusplus-style-comment> ::= // [^\n]*
Table 28: Syntactic Productions
Production Description
Policy ::= { Statement | Procedure }
Procedure ::= ( 'procedure' | 'function' ) <identifier> '(' [Parameters] ')' BlockStatement
Parameters ::= Parameter {',' Parameter }
Parameter ::= <identifier> ['=' Expression]
Statements ::= Statement { Statement }
Statement

::= IfStatement | ForStatement | DoWhileStatement | WhileStatement | SwitchStatement | BreakStatement | ContinueStatement | ReturnStatement | AcceptStatement | RejectStatement | IncludeStatement | ReadOnlyStatement | ReadOnlyExceptStatement | ExpressionStatement | BlockStatement

IfStatement ::= 'if' '(' Expression ')' Statement [ 'else' Statement ]
WhileStatement ::= 'while' '(' Expression ')' Statement
DoWhileStatement ::= 'do' BlockStatement 'while' '(' Expression ')' ';'
ForStatement

::= 'for' '(' Expressions ';' Expression ';' [Expression] ')' Statement | 'for' '(' <identifier> 'in' Expression ')' Statement

SwitchStatement ::= 'switch' '(' Expression ')' '{' [Cases][Default] '}'
Cases ::= Case { Case }
Case ::= 'case' Expression ':' Statements
Default ::= 'default' Statements
BreakStatement ::= 'break' ';'
ContinueStatement ::= 'continue' ';'
ReturnStatement ::= 'return' [ Expression ] ';'
IncludeStatement ::= 'include' Expression ';'
AcceptStatement ::= 'accept' ';'
RejectStatement ::= 'reject' [ Expression ] ';'
ReadOnlyStatement ::= 'readonly' Expression ';'
ReadOnlyExceptStatement ::= 'readonlyexcept' Expression ';'
ExpressionStatement ::= Expression ';'
BlockStatement ::= '{' Statements '}'
Expressions ::= Expression {',' Expressions }
Expression ::= AssignmentExpression | ConditionalExpression
AssignmentExpression ::= PrimaryExpression { AssignmentOp Expression }
AssignmentOp ::= '=' | '+=' | '-=' | '*=' | '/='
ConditionalExpression ::= LogicalOrExpression [ '?' Expression ':' Expression ]
LogicalOrExpression ::= LogicalAndExpression { '||' LogicalAndExpression }
LogicalAndExpression ::= BitwiseOrExpression { '&&' BitwiseOrExpression }
BitwiseOrExpression ::= BitwiseAndExpression { '|' BitwiseAndExpression }
BitwiseAndExpression ::= EqualityExpression { '&' EqualityExpression }
EqualityExpression ::= RelationalExpression { EqualityOp RelationalExpression }
EqualityOp ::= '==' | '!=
RelationalExpression ::= AdditiveExpression { RelationalOp AdditiveExpression }
RelationalOp ::= '<' | '>' | '<=' | '>=' | 'in'
AdditiveExpression ::= MultiplicativeExpression { AdditiveOp MultiplicativeExpression }
AdditiveOp ::= '+' | '-'
MultiplicativeExpression ::= PrimaryExpression { MultiplicativeOp PrimaryExpression }
MultiplicativeOp ::= '*' | '/' | '%'
PrimaryExpression

::= PrefixAssignmentExpression | DesignatorExpression | LiteralExpression | '-' Expression | '!' Expression | 'typeof' Expression | 'defined' <identifier> | '(' Expression ')'

PrefixAssignmentExpression ::= PrefixOp <identifier>
PrefixOp ::= '++' | '--'
DesignatorExpression

::= <identifier> | <identifier> PostfixOp | <identifier> Arguments | <identifier> ListAccess { ListAccess }

PostfixOp ::= '++' | '--'
Arguments ::= '(' [Expressions]  ')'
ListAccess ::= '[' Expression ']'
LiteralExpression ::= <string> | <number> | <hexnumber> | <octalnumber> | <realnumber> | ListLiteral
ListLiteral ::= '{' [Expressions] '}'

Data Types

The following data types are available for use in the policy scripting language.

Table 29: Data types
Type Description Example
array A multi-dimensional array that can contain any mixture of types.

Users={"fred", "jen", "sally"}; Ids={1, 9, 10}; Usermap={ Users, Ids}; print(umap[0][2] + " -> " + umap[1][2]);

boolean The values true and false. x = true;
double A number with a fractional component.

x=2.5; y=4.3; print(x+y); #prints 6.8

int

The type integer includes the set of integers (…, -2, -1, 0, 1, 2, …).

The constants true and false are defined to have the values 1 and 0, respectively.

Specify hexadecimal numbers with the prefix 0x.

count=0; x=y=1;

You can specify an octal number by preceding it with a leading zero. For example, when specifying a umask value runumask=022

ldapid Special type to support LDAP functions.  
ldapsearchresult Special type to support LDAP functions.  
list An ordered group of strings separated by commas and surrounded by curly braces.

List elements are accessed by postfixing them with square brackets [ ] containing the index of the desired element. Indices start at 0.

mylist = {"string zero", "string one", "string two"}; print( {"a", "b", "c"}[1] ); # prints "b"

string A sequence of zero or more characters within single or double quotes.

Mystr="this is a string"; Str1="user: " + user;

Undefined A variable is assigned a type when it is assigned a value of that type.

A variable that is referenced but has not been assigned a value is set to the type undefined.

if (typeof(myvar) == "undefined") { myvar=user;}

Operators and Expressions

Operators specify what is done to variables, constants, and expressions.

Expressions combine variables and constants to produce new values. Expressions which use the operators !, ||, &&, ==, !=, <, >, <=, >=, in, !in and () return a boolean value of true or false.

Unless otherwise specified, these operators are valid for all types of variables.

Table 30: Variable operators
Operator Description Example
=

variable = expression

The assignment operator assigns a copy of the expression on the right side to the variable on the left side.

count=0; x=y=1; str="this is a string"; users={"fred", "john"}; list1=users; list[1]="johnr";

+=

variable += expression

The addition self-assignment operator adds the value of the expression to the value of the variable and stores the result in the variable. Valid for integer, double and string data types.

count=1; count +=10; print(count); #prints 11

-=

variable -= expression

The subtraction self-assignment operator subtracts the value of the expression from the value of the variable and stores the result in the variable. Valid for integer and double data types.

Count=10; Count-=2; print(Count); #prints 8

*=

variable *= expression

The multiplication self-assignment operator multiplies the value of the expression by the value of the variable and stores the result in the variable. Valid for integer and double data types.

tot =10; tot *= 10; print(tot); #prints 100

/=

variable /= expression

The division self-assignment operator divides the value of the variable by the value of the expression and stores the result in the variable. Valid for integer and double data types.

tot=10; tot /=2; print(tot); #prints 5

var++

variable ++

The postfix auto increment operator returns the value of the variable and adds 1 to the variable. Valid for integer and double data types.

count=0; userlist[count++]="john";

++var

++variable

The prefix auto increment operator adds 1 to the variable and returns the result. Valid for integer and double data types.

++count=-1; userlist[++count]="john";

var--

variable --

The postfix auto increment operator returns the value of the variable and subtracts 1 from the variable. Valid for integer and double data types.

for(i=10; i>0; i--) {…}
--var

--variable

The prefix auto increment operator subtracts 1 from the variable and returns the result. Valid for integer and double data types.

i=9; do { userlist[--i] = value; } while (i>0);

!

!expression

Negation operator negates the value of the expression and returns the result.

while (!found) {…} no = !true; if (!(a&&b)) reject; #request is rejected if a AND b #are not true

||

expression || expression

Logical or operator resolves to true if either expression resolves to true.

if ((user in list1) || (user in list2)) {accept;}

&&

expression && expression

Logical or operator resolves to true if both expressions resolve to true.

if ((defined myuser) && (myuser == "root")) {accept;}

|

expression | expression

Bitwise or operator resolves to true.

if (word | 0x4) {…}

&

expression & expression

Bitwise and operator resolves to true.

if (word & 0x4) {…}

==

expression == expression

Resolves to true if the expressions are identical.

if (user == "root") {…} if (x==1){…} if (list1 == {"one"}) {…}

!=

Expression != expression

Logical or operator resolves to true if the expressions are not identical.

if (found != true) {…} if (user != "root") {…} if (list1 != {"root"}) {…}

()

(expression)

Forces a particular order of evaluation.

if ((a||b) && c) { accept; } if (a || (b && c)) { reject; }

?:

Conditional expression ? t_expression : f_expression

The conditional expression is evaluated. If it resolves to true, then it evaluates to t_expression, else it evaluates to f_expression.

runuser = (user == "cory") ? "root" : "sys"; # is equivalent to: # if (user=="cory") { # runuser = "root";} # else { # runuser = "sys";}

in

string in expression

Resolves to true if the string is a member of the list. It performs a glob-style check on each member of the list, so each list element can be a glob expression. The string cannot be a glob expression.

list={"root", "admin"}; print("root" in userlist); #prints 1

!in

string !in expression

Resolves to true if the string is not a member of the list. It performs a glob-style check on each member of the list, so each list element can be a glob expression. The string cannot be a glob expression.

list={"root", "admin"}; print("john" ! in userlist); #prints 1

+ - * / %

expression operator expression

Mathematical operators return the result of evaluating the arithmetic expression. The normal mathematical rules for order of evaluation apply. All operands must be integers or doubles. The exception is the + operator which will concatenate strings and lists.

a = 5 + 4 * 2; #a == 13 b = 5 * 4 / 2; #b == 10 c = 5 % 4; #c == 1 d = "string1" + "string2"; #d = "string1 string2" e={"one"}+{"two"}; #e = {"one", "two"};

< > <= >=

expression operator expression

Relational operators resolve to true if the relationship is true.

4 > 7 // evaluates false 4 >= 4 // evaluates true 4 < 1 // evaluates false "foo" == "bar" // false "foo" > "bar" // true, because foo follows bar alphabetically

export

export <varname>

Adds a local variable to the event log and I/O log. Can be specified multiple times.

 
[]

list[number]

Returns the value of an element in a list or array.

list1={"user0", "user1", "user2"}; print(List[2]); #prints user2 list0={"user0", 0}; list1={"user1",1}; maplist={list0, list1}; print(maplist[0][0], maplist[0][1]); #prints user0 0

typeof

typeof expression

Returns a string representation of the type of an expression.

print(typeof x); #undefined x=1; print(typeof x); #integer x="1"; print(typeof x); #string x={"1"};print(typeof x); #array

defined

defined variable

Resolves to true if the variable has been declared with a value.

print(defined x); #prints 0 x=1; print(defined x); #prints 1

Related Documents