policy.conf man page on SunOS

policy.conf(4)			 File Formats			policy.conf(4)

NAME
       policy.conf - configuration file for security policy

SYNOPSIS
       /etc/security/policy.conf

DESCRIPTION
       The  policy.conf	 file  provides	 the security policy configuration for
       user-level attributes. Each entry consists of a key/value pair  in  the
       form:

       key=value

       The following keys are defined:

       AUTHS_GRANTED

	   Specify  the	 default  set  of authorizations granted to all users.
	   This entry is interpreted by chkauthattr(3SECDB). The value is  one
	   or more comma-separated authorizations defined in auth_attr(4).

       CRYPT_ALGORITHMS_ALLOW

	   Specify the algorithms that are allowed for new passwords. This list
	   is enforced only in crypt_gensalt(3C).

       CRYPT_ALGORITHMS_DEPRECATE

	   Specify the algorithm for new passwords that is to  be  deprecated.
	   For	example,  to  deprecate use of the traditional UNIX algorithm,
	   specify     CRYPT_ALGORITHMS_DEPRECATE=__unix__     and	change
	   CRYPT_DEFAULT=  to  another	algorithm, such as CRYPT_DEFAULT=1 for
	   BSD and Linux MD5.

       CRYPT_DEFAULT

	   Specify the	default	 algorithm  for	 new  passwords.  The  Solaris
	   default  is	the  traditional UNIX algorithm. This is not listed in
	   crypt.conf(4) since it is  internal	to  libc.  The	reserved  name
	   __unix__ is used to refer to it.

       LOCK_AFTER_RETRIES=YES|NO

	   Specifies  whether  a  local	 account  is locked after the count of
	   failed logins for a user equals or exceeds the  allowed  number  of
	   retries  as	defined	 by RETRIES in /etc/default/login. The default
	   value for users is NO. Individual account overrides are provided by
	   user_attr(4).

       PRIV_DEFAULT and PRIV_LIMIT

	   Settings for these keys determine the default privileges that users
	   have. (See privileges(5).) If these keys are not set,  the  default
	   privileges  are  taken  from the inherited set. PRIV_DEFAULT deter‐
	   mines the default set on login. PRIV_LIMIT defines the limit set on
	   login. Users can have privileges assigned or taken away through use
	   of user_attr(4). Privileges can also be assigned  to	 profiles,  in
	   which  case users who have those profiles can exercise the assigned
	   privileges through pfexec(1).

	   For maximum	future	compatibility,	the  privilege	specifications
	   should  always  include  basic  or  all.  Privileges should then be
	   removed using negation. See EXAMPLES. By  assigning	privileges  in
	   this	 way,  you avoid a situation where, following an addition of a
	   currently unprivileged operation to the basic privilege set, a user
	   unexpectedly	 does not have the privileges he needs to perform that
	   now-privileged operation.

	   Note that removing privileges from the limit set  requires  extreme
	   care,  as  any  set-uid root program might suddenly fail because it
	   lacks certain privilege(s). Note also that  dropping	 basic	privi‐
	   leges  from	the default privilege set can cause unexpected failure
	   modes in applications.

       PROFS_GRANTED

	   Specify the default set of profiles granted to all users. This entry
	   is interpreted by chkauthattr(3SECDB) and getexecuser(3SECDB).  The
	   value is one or more comma-separated profiles defined in prof_attr(4).

       RESTRICTIVE_LOCKING

	   Specify whether to use the newer password semantics, which restrict
	   locking of nologin accounts and unlocking using password-setting.

	   If this option is set to NO, the following behavior is in effect:

	       o      Assigning a new password unlocks a locked account.

	       o      nologin accounts are lockable using passwd -l.

	       o      New accounts have *LK* in the password field.

	       o      passwd -l returns 0 if the account is already locked.

	   If this option is set to YES, the following behavior is in effect:

	       o      Assigning a new password to a  locked  account  replaces
		      the password, but retains the lock.

	       o      nologin accounts (see the -N option of passwd(1)) cannot
		      be locked directly. passwd -d followed by passwd	-l  is
		      required.

	       o      New accounts have UP in the password field.

	       o      passwd -l returns a non-zero value if nothing changes.

	   This option is Obsolete and is not present in newer releases.  The
	   default for this option is YES.

	   For additional information see passwd(1), policy.conf(4),  and  the
	   Oracle Solaris 10 8/11 What's New.

       The key/value pair must appear on a single line, and the key must start
       the line. Lines starting with # are  taken  as  comments	 and  ignored.
       Option name comparisons are case-insensitive.

       Only one CRYPT_ALGORITHMS_ALLOW or CRYPT_ALGORITHMS_DEPRECATE value can
       be specified. Whichever is listed first in the file  takes  precedence.
       The  algorithm specified for CRYPT_DEFAULT must either be specified for
       CRYPT_ALGORITHMS_ALLOW or not be specified for CRYPT_ALGORITHMS_DEPRECATE.
       If CRYPT_DEFAULT is not specified, the default is __unix__.
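       The following Python checker is an added example, not part of the man
       page or of Solaris; it parses a constructed policy.conf using the
       line-format rules above (key starts the line, # comments, case-
       insensitive names, first occurrence wins) and reports violations of the
       CRYPT_* precedence and consistency rules and of the basic/all advice
       given for PRIV_DEFAULT and PRIV_LIMIT.

```python
import re

# Constructed sample policy.conf (not from the man page) that exercises the rules.
SAMPLE = """\
# default authorizations and profiles
AUTHS_GRANTED=solaris.date
crypt_algorithms_deprecate=__unix__
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
CRYPT_DEFAULT=1
PRIV_LIMIT=all,!sys_linkdir
PRIV_DEFAULT=basic,!file_link_any
"""

def parse_policy(text):
    """Map KEY -> value. Keys are upper-cased (option names are case-insensitive),
    a '#' line is a comment, the key must start the line, first occurrence wins."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not re.fullmatch(r"[A-Za-z_]+", key):
            continue  # whitespace before the key or no '=': not a valid entry
        conf.setdefault(key.upper(), value.strip())  # dict keeps file order
    return conf

def check_policy(conf):
    """Return findings for the CRYPT_* consistency rules and the basic/all advice."""
    findings = []
    present = [k for k in conf if k in ("CRYPT_ALGORITHMS_ALLOW", "CRYPT_ALGORITHMS_DEPRECATE")]
    if len(present) == 2:  # only one may be used; the first in the file wins
        findings.append(f"both ALLOW and DEPRECATE given; {present[0]} takes precedence")
    default = conf.get("CRYPT_DEFAULT", "__unix__")  # __unix__ if unset
    if present:
        effective = present[0]
        algs = {a.strip() for a in conf[effective].split(",") if a.strip()}
        if effective == "CRYPT_ALGORITHMS_ALLOW" and default not in algs:
            findings.append(f"CRYPT_DEFAULT={default} is not in CRYPT_ALGORITHMS_ALLOW")
        if effective == "CRYPT_ALGORITHMS_DEPRECATE" and default in algs:
            findings.append(f"CRYPT_DEFAULT={default} is listed as deprecated")
    for key in ("PRIV_DEFAULT", "PRIV_LIMIT"):
        privs = [p.strip() for p in conf.get(key, "").split(",")]
        if key in conf and not ({"basic", "all"} & set(privs)):
            findings.append(f"{key} should include basic or all and use negation")
    return findings

if __name__ == "__main__":
    for f in check_policy(parse_policy(SAMPLE)):
        print("warning:", f)
```

       Run against a real /etc/security/policy.conf by reading the file into
       parse_policy(); the sample above yields one warning because both
       CRYPT_ALGORITHMS_* keys are present.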

EXAMPLES
       Example 1 Defining a Key/Value Pair

	 AUTHS_GRANTED=solaris.date

       Example 2 Specifying Privileges

       As  noted above, you should specify privileges through negation, speci‐
       fying all for PRIV_LIMIT and basic for PRIV_DEFAULT,  then  subtracting
       privileges, as shown below.

	 PRIV_LIMIT=all,!sys_linkdir
	 PRIV_DEFAULT=basic,!file_link_any

       The first line, above, takes away only the sys_linkdir  privilege.  The
       second  line  takes  away only the file_link_any privilege. These privi‐
       lege specifications will be unaffected by any future addition of privi‐
       leges that might occur.

FILES
       /etc/user_attr		    Defines extended user attributes.

       /etc/security/auth_attr	    Defines authorizations.

       /etc/security/prof_attr	    Defines profiles.

       /etc/security/policy.conf    Defines policy for the system.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE	     │	    ATTRIBUTE VALUE	   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability		     │SUNWcsu			   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability	     │See below.		   │
       └─────────────────────────────┴─────────────────────────────┘

       The RESTRICTIVE_LOCKING option is Obsolete and is not present in	 newer
       releases. The rest of the command is Evolving.

SEE ALSO
       login(1), passwd(1), pfexec(1), chkauthattr(3SECDB), getexecuser(3SECDB),
       auth_attr(4), crypt.conf(4), policy.conf(4), prof_attr(4), user_attr(4),
       attributes(5), privileges(5)

       Oracle Solaris 10 8/11 What's New

SunOS 5.10			  21 Feb 2012			policy.conf(4)