Chat now with support
Chat with Support

Safeguard for Sudo 2.0 - Administrators Guide

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Unix Introducing Privilege Manager for Sudo Planning Deployment Installation and Configuration
Download Privilege Manager for Unix Software Packages Download Privilege Manager for Sudo Software Packages Quick Start and Evaluation Configure a Primary Policy Server Configure a Secondary Policy Server Install PM Agent or Sudo Plugin on a Remote Host Remove Configurations
Upgrading Privilege Manager System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager Variables Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures Privilege Manager Programs Installation Packages Unsupported Sudo Options Sudo Plugin Policy Evaluation About us

if-else

Syntax
if ( expression ) statement
if ( expression ) statement else statement
Description

The if-else statement is a conditional statement. It executes the specified statement if the specified expression evaluates to true (a non-zero value). If the else part is present, it executes the associated statement if the expression evaluates to false (the value 0).

Use a statement block of the form { statement ... } to execute multiple statements. Quest recommends using a statement block for readability.

Examples

Accept if the user is contained in the set of trusted users, otherwise continue execution at the next statement:

trustedusers = {"jamie","corey","robyn"}; 
if (user in trustedusers) 
   accept;

Accept if the user is contained in the set of trusted users, otherwise reject:

trustedusers = {"jamie","corey","robyn"}; 
if (user in trustedusers) 
   accept; 
else 
   reject;

Note the use of statement block to handle multiple statements:

trustedusers = {"jamie","corey","robyn"}; 
if (user in trustedusers) { 
   print("accepted"); 
   accept; 
} else { 
   print("rejected"); 
   reject; 
}

include

Syntax
include file-name
Description

The Privilege Manager for Unix configuration language contains the include statement, which is used to call out to other configuration files. By splitting your configuration file up into several smaller files, you can eliminate clutter. You can also hand-off control over certain aspects of configuration to different people, by giving them access to the subsidiary configuration files.

If an accept or reject is done within the included file, control never returns to the original file. On the other hand, if no accept or reject is done in the included file, execution will proceed to the end of that file, and then resume in the original file immediately after the include statement.

If a full pathname is not specified, the value of the policydir setting from the /etc/opt/quest/qpm4u/pm.settings file will be pre-pended to the filename.

When handing off control to a subsidiary configuration file whose contents are controlled by a questionable person, you might want to "fix" certain Privilege Manager variable values so that they cannot be changed by the subsidiary file. Use the readonly and readonlyexcept statements for this purpose.

As an example, you may have an Oracle® database administrator, who you want to be able to administer certain Oracle® programs. Each of those programs is to run as the "oracle" user. You would like the DBA to be able to grant or deny access to these programs and this account without your involvement, but you certainly do not want to give this person power over non-Oracle® parts of the system.

NOTE: Specify the file to be included as a string expression; it may contain variables. For example, include "/etc/ + usr + ".conf";.

The following configuration file fragment hands off control to a subsidiary configuration file called, /etc/pmorcle.conf, and ensures that if an accept is done within this file, the job being accepted can only run as the oracle user.

Examples
oraclecmds = {"oradmin", "oraprint", "orainstall"}; 
if(command in oraclecmds) 
{ 
   runuser = "oracle"; 
   readonly {"runuser"}; 
   include "/etc/pmoracle.conf"; 
   reject; 
}

procedure / function

Syntax
procedure ( parameter = expression, ... ) { statement ... }
function ( parameter = expression, ... ) { statement ... }
Description

A procedure is a named block of code that executes a sequence of one or more statements, and which may declare zero or more parameters. Each parameter is a variable that may optionally have a default value. If a parameter is declared with a default value, then all following parameters must also be declared with a default value. A procedure terminates when the final statement is executed or when a return statement is executed.

Variables and parameters declared within the procedure have local scope and are discarded when the procedure terminates. If an identifier is referenced within a procedure, the local scope of the procedure is checked first for a variable or parameter with a matching name. If one cannot be found, then the containing scope is checked for a variable with a matching name. If a matching variable still cannot be found, a new variable is declared, with a scope local to the procedure.

A procedure is invoked by specifying the name of the procedure and providing values for each parameter in a comma-separated argument list contained within parentheses. No argument is required if the matching parameter has a default value; in this case, the parameter will be assigned its specified default value.

NOTE: A procedure may be declared using the procedure or function keywords. Historically, a function returns a value whereas a procedure does not; however, the parser will permit any procedure to return a value regardless of the keyword used. The choice of using the procedure or function keyword is stylistic.

Examples

Procedure with no parameters:

procedure include_defaults() { 
   include "/opt/quest/qpm4u/policies/defaults.conf"; 
} 

include_defaults();

Procedure with two parameters, one of which has a default value:

procedure process_include_file(fname, fdir="") { 
   topdir = "/opt/quest/qpm4u/policies"; 
   fpath = topdir + "/" + (fdir == "" ? "" : fdir + "/") + fname; 
   if (fileexists(fpath)) { 
      include fpath; 
   } 
} 

process_include_file(user + ".conf"); 
         # default value of "" is assigned to parameter fdir 

process_include_file(user + ".conf", "users"); 
         # parameter fdir is assigned the value "users"

Procedure with a parameter that masks a top-level variable with the same name. This print 1,2,1:

x = 1; 

procedure foo(x) { 
   print(x); 
} 

print(x); 
foo(2); 
print(x); 

readonly

Syntax
readonly list
Description

Use the readonly statement to make a variable read-only. This means that its current value is frozen, so that no configuration file statement can change it. The purpose of this statement is to allow a system administrator to freeze the value of certain variables before calling out to another configuration file using the include statement. By safely freezing certain variable values, control over the other configuration file can safely be given to other, less-trusted personnel, knowing that they will not be able to abuse their privilege and gain unauthorized access to parts of the system that they should not be tampering with.

Examples
runuser = "jamie"; 
readonly {"runuser","runhost","runcommand"}; 
runuser = robyn; 
print(runuser);

This policy will cause an execution error. Running pmcheck displays a message similar to this:

**Policy execution error in /etc/opt/quest/qpm4u/policy/pm.conf, line 3 Cannot assign value to readonly identifier runuser

Related Documents