policy.conf(4)                   File Formats                   policy.conf(4)


NAME

       policy.conf - configuration file for security policy


SYNOPSIS

       /etc/security/policy.conf


DESCRIPTION

       The policy.conf file provides the security policy configuration for
       user-level attributes. Each entry consists of a key/value pair in the
       form:

       key=value

       The following keys are defined:

       AUTHS_GRANTED

           Specify the default set of authorizations granted to all users.
           This entry is interpreted by chkauthattr(3SECDB). The value is zero
           or more comma-separated authorizations defined in auth_attr(4).

       PROFS_GRANTED

           Specify the default set of profiles granted to all users. This
           entry is interpreted by chkauthattr(3SECDB) and
           getexecuser(3SECDB). The value is zero or more comma-separated
           profiles defined in prof_attr(4).

       CONSOLE_USER

           Specify an additional default set of profiles granted to the
           console user. This entry is interpreted by chkauthattr(3SECDB)
           and getexecuser(3SECDB). The value is zero or more comma-separated
           profiles defined in prof_attr(4).

       PRIV_DEFAULT and PRIV_LIMIT

           Settings for these keys determine the default privileges that users
           have. (See privileges(5).) If these keys are not set, the default
           privileges are taken from the inherited set. PRIV_DEFAULT
           determines the default set on login. PRIV_LIMIT defines the limit
           set on login. Users can have privileges assigned or taken away
           through use of user_attr(4). Privileges can also be assigned to
           profiles, in which case users who have those profiles can exercise
           the assigned privileges through pfexec(1).

           For maximum future compatibility, the privilege specifications
           should always include basic or all. Privileges should then be
           removed using negation. See EXAMPLES. By assigning privileges in
           this way, you avoid a situation where, following an addition of a
           currently unprivileged operation to the basic privilege set, a user
           unexpectedly does not have the privileges he needs to perform that
           now-privileged operation.

           Note that removing privileges from the limit set requires extreme
           care, as any set-uid root program might suddenly fail because it
           lacks certain privilege(s). Note also that dropping basic
           privileges from the default privilege set can cause unexpected
           failure modes in applications.

       LOCK_AFTER_RETRIES=YES|NO

           Specifies whether a local account is locked after the count of
           failed logins for a user equals or exceeds the allowed number of
           retries as defined by RETRIES in /etc/default/login. The default
           value for users is NO. Individual account overrides are provided by
           user_attr(4).

       CRYPT_ALGORITHMS_ALLOW

           Specify the algorithms that are allowed for new passwords. This
           setting is enforced only in crypt_gensalt(3C).

       CRYPT_ALGORITHMS_DEPRECATE

           Specify the algorithm for new passwords that is to be deprecated.
           For example, to deprecate use of the traditional UNIX algorithm,
           specify CRYPT_ALGORITHMS_DEPRECATE=__unix__ and change
           CRYPT_DEFAULT= to another algorithm, such as CRYPT_DEFAULT=1 for
           BSD and Linux MD5.

       CRYPT_DEFAULT

           Specify the default algorithm for new passwords. The Solaris
           default is the traditional UNIX algorithm. This is not listed in
           crypt.conf(4) since it is internal to libc. The reserved name
           __unix__ is used to refer to it.

       The key/value pair must appear on a single line, and the key must start
       the line. Lines starting with # are taken as comments and ignored.
       Option name comparisons are case-insensitive.

       Only one CRYPT_ALGORITHMS_ALLOW or CRYPT_ALGORITHMS_DEPRECATE value can
       be specified. Whichever is listed first in the file takes precedence.
       The algorithm specified for CRYPT_DEFAULT must either be specified for
       CRYPT_ALGORITHMS_ALLOW or not be specified for
       CRYPT_ALGORITHMS_DEPRECATE. If CRYPT_DEFAULT is not specified, the
       default is __unix__.


EXAMPLES

       Example 1 Defining a Key/Value Pair

         AUTHS_GRANTED=solaris.date

       Example 2 Specifying Privileges

       As noted above, you should specify privileges through negation,
       specifying all for PRIV_LIMIT and basic for PRIV_DEFAULT, then
       subtracting privileges, as shown below.

         PRIV_LIMIT=all,!sys_linkdir
         PRIV_DEFAULT=basic,!file_link_any

       The first line, above, takes away only the sys_linkdir privilege. The
       second line takes away only the file_link_any privilege. These
       privilege specifications are unaffected by any future addition of
       privileges that might occur.

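       As an added illustration (not part of this manual page or of Solaris), a small Python checker that applies the file rules stated in DESCRIPTION and the negation style of Example 2: entries are key=value with the key starting the line, lines starting with # are comments, option names are case-insensitive, the first-listed of CRYPT_ALGORITHMS_ALLOW and CRYPT_ALGORITHMS_DEPRECATE takes precedence, CRYPT_DEFAULT (default __unix__) must be consistent with it, and PRIV_LIMIT/PRIV_DEFAULT should name all or basic and then negate. The sample file is constructed; the rule that the first occurrence of a repeated key wins is the checker's own assumption, not something the manual states.

```python
# Added checker for the policy.conf(4) rules on this page; not Solaris/libc code.
# Assumption (not stated by the manual): the first occurrence of a repeated key wins.
import re

# Constructed sample file; the indented last line is deliberately malformed.
SAMPLE = """\
# comment
AUTHS_GRANTED=solaris.date
crypt_algorithms_deprecate=__unix__
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
CRYPT_DEFAULT=1
PRIV_LIMIT=all,!sys_linkdir
PRIV_DEFAULT=basic,!file_link_any
  LOCK_AFTER_RETRIES=YES
"""

def parse_policy(text):
    """Return (entries, skipped): upper-cased key -> value in file order, plus bad lines."""
    entries, skipped = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue                                   # blank line or comment
        m = re.match(r"([A-Za-z_]\w*)=(.*)$", line)    # key must start the line
        if m:
            entries.setdefault(m.group(1).upper(), m.group(2).strip())  # case-insensitive
        else:
            skipped.append((lineno, line))
    return entries, skipped

def check_policy(text):
    """Return a list of findings; an empty list means the file is consistent."""
    entries, skipped = parse_policy(text)
    findings = ["line %d: not a key=value entry: %r" % s for s in skipped]
    keys = list(entries)
    both = [k for k in ("CRYPT_ALGORITHMS_ALLOW", "CRYPT_ALGORITHMS_DEPRECATE") if k in entries]
    effective = min(both, key=keys.index) if both else None   # first listed wins
    if len(both) == 2:
        findings.append("ALLOW and DEPRECATE both set; %s takes precedence" % effective)
    default = entries.get("CRYPT_DEFAULT", "__unix__")         # documented default
    algs = [a.strip() for a in entries.get(effective, "").split(",")]
    if effective == "CRYPT_ALGORITHMS_ALLOW" and default not in algs:
        findings.append("CRYPT_DEFAULT=%s is not in CRYPT_ALGORITHMS_ALLOW" % default)
    if effective == "CRYPT_ALGORITHMS_DEPRECATE" and default in algs:
        findings.append("CRYPT_DEFAULT=%s is deprecated" % default)
    for key in ("PRIV_LIMIT", "PRIV_DEFAULT"):                  # base set, then negations
        privs = [p.strip() for p in entries[key].split(",")] if key in entries else []
        if privs and (privs[0] not in ("all", "basic") or not all(p.startswith("!") for p in privs[1:])):
            findings.append("%s should start with all/basic and then negate" % key)
    return findings
```

Running check_policy(SAMPLE) reports the indented line and that CRYPT_ALGORITHMS_DEPRECATE, listed first, takes precedence over CRYPT_ALGORITHMS_ALLOW.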

FILES

       /etc/user_attr               Defines extended user attributes.

       /etc/security/auth_attr      Defines authorizations.

       /etc/security/prof_attr      Defines profiles.

       /etc/security/policy.conf    Defines policy for the system.


ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWcsu                      │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Committed                    │
       └─────────────────────────────┴─────────────────────────────┘


SEE ALSO

       login(1), pfexec(1), chkauthattr(3SECDB), getexecuser(3SECDB),
       auth_attr(4), crypt.conf(4), prof_attr(4), user_attr(4), attributes(5),
       privileges(5)


NOTES

       The console user is defined as the owner of /dev/console.

SunOS 5.11                        25 Feb 2008                   policy.conf(4)