POLICY.CONF(5) File Formats and Configurations POLICY.CONF(5)
NAME
policy.conf - configuration file for security policy
SYNOPSIS
/etc/security/policy.conf
DESCRIPTION
The policy.conf file provides the security policy configuration for
user-level attributes. Each entry consists of a key/value pair in the
form:

key=value

The following keys are defined:

AUTHS_GRANTED
Specify the default set of authorizations granted to all users. This
entry is interpreted by chkauthattr(3SECDB). The value is zero or more
comma-separated authorizations defined in auth_attr(5).

PROFS_GRANTED
Specify the default set of profiles granted to all users. This entry is
interpreted by chkauthattr(3SECDB) and getexecuser(3SECDB). The value is
zero or more comma-separated profiles defined in prof_attr(5).

CONSOLE_USER
Specify an additional default set of profiles granted to the console
user. This entry is interpreted by chkauthattr(3SECDB) and
getexecuser(3SECDB). The value is zero or more comma-separated profiles
defined in prof_attr(5).

PRIV_DEFAULT and PRIV_LIMIT
Settings for these keys determine the default privileges that users
have. (See privileges(7).) If these keys are not set, the default
privileges are taken from the inherited set. PRIV_DEFAULT determines the
default set on login. PRIV_LIMIT defines the limit set on login. Users
can have privileges assigned or taken away through use of user_attr(5).
Privileges can also be assigned to profiles, in which case users who
have those profiles can exercise the assigned privileges through
pfexec(1).

For maximum future compatibility, the privilege specifications should
always include basic or all. Privileges should then be removed using
negation. See EXAMPLES. By assigning privileges in this way, you avoid a
situation where, following an addition of a currently unprivileged
operation to the basic privilege set, a user unexpectedly lacks the
privileges needed to perform that now-privileged operation.

Note that removing privileges from the limit set requires extreme care,
as any set-uid root program might suddenly fail because it lacks certain
privilege(s). Note also that dropping basic privileges from the default
privilege set can cause unexpected failure modes in applications.

LOCK_AFTER_RETRIES=YES|NO
Specifies whether a local account is locked after the count of failed
logins for a user equals or exceeds the allowed number of retries as
defined by RETRIES in /etc/default/login. The default value for users is
NO. Individual account overrides are provided by user_attr(5).

CRYPT_ALGORITHMS_ALLOW
Specify the algorithms that are allowed for new passwords. This setting
is enforced only in crypt_gensalt(3C).

CRYPT_ALGORITHMS_DEPRECATE
Specify the algorithm for new passwords that is to be deprecated. For
example, to deprecate use of the traditional UNIX algorithm, specify
CRYPT_ALGORITHMS_DEPRECATE=__unix__ and change CRYPT_DEFAULT= to another
algorithm, such as CRYPT_DEFAULT=1 for BSD and Linux MD5.

CRYPT_DEFAULT
Specify the default algorithm for new passwords. The Solaris default was
once the traditional UNIX algorithm. This is not listed in crypt.conf(5)
since it is internal to libc. The reserved name __unix__ is used to
refer to it.

The key/value pair must appear on a single line, and the key must start
the line. Lines starting with # are taken as comments and ignored.
Option name comparisons are case-insensitive.

Only one CRYPT_ALGORITHMS_ALLOW or CRYPT_ALGORITHMS_DEPRECATE value can
be specified. Whichever is listed first in the file takes precedence.
The algorithm specified for CRYPT_DEFAULT must either be specified for
CRYPT_ALGORITHMS_ALLOW or not be specified for
CRYPT_ALGORITHMS_DEPRECATE. If CRYPT_DEFAULT is not specified, the
default is __unix__.
EXAMPLES
Example 1: Defining a Key/Value Pair

AUTHS_GRANTED=solaris.date

Example 2: Specifying Privileges

As noted above, you should specify privileges through negation,
specifying all for PRIV_LIMIT and basic for PRIV_DEFAULT, then
subtracting privileges, as shown below.

PRIV_LIMIT=all,!sys_linkdir
PRIV_DEFAULT=basic,!file_link_any

The first line, above, takes away only the sys_linkdir privilege. The
second line takes away only the file_link_any privilege. These privilege
specifications are unaffected by any future addition of privileges that
might occur.
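The following Python script is an added illustration, not part of this
manual page or of the system's own libc. It parses a constructed
policy.conf and checks the rules stated in DESCRIPTION: the key must
start the line, option names are case-insensitive, only the first of
CRYPT_ALGORITHMS_ALLOW or CRYPT_ALGORITHMS_DEPRECATE applies,
CRYPT_DEFAULT must be consistent with whichever applies, and privilege
specifications should start from basic or all. Keeping the first
occurrence of any other repeated key is an assumption of the script.

```python
"""Parse and sanity-check a policy.conf against the rules in policy.conf(5)."""
import re

# Constructed sample input; not copied from any real system.
SAMPLE = """\
# comments are ignored
AUTHS_GRANTED=solaris.date
priv_default=basic,!file_link_any
PRIV_LIMIT=all,!sys_linkdir
CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_ALGORITHMS_ALLOW=1,2a
CRYPT_DEFAULT=1
"""

CRYPT_PAIR = ("CRYPT_ALGORITHMS_ALLOW", "CRYPT_ALGORITHMS_DEPRECATE")

def parse_policy(text):
    """Return {KEY: value}. Keys are upper-cased (comparisons are
    case-insensitive) and must start the line; '#' lines are skipped.
    Only the first of CRYPT_ALGORITHMS_ALLOW/DEPRECATE is kept, since the
    man page says the first listed takes precedence. Keeping the first
    occurrence of any other repeated key is an assumption."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"([A-Za-z_]+)=(.*)", line)   # anchored at column 0
        if not m or line.startswith("#"):
            continue
        key, value = m.group(1).upper(), m.group(2).strip()
        if key in CRYPT_PAIR and any(k in policy for k in CRYPT_PAIR):
            continue   # a second ALLOW/DEPRECATE entry is ignored
        policy.setdefault(key, value)
    return policy

def check_policy(policy):
    """Return a list of findings; an empty list means the file is consistent."""
    findings = []
    default = policy.get("CRYPT_DEFAULT", "__unix__")   # documented default
    allow = policy.get("CRYPT_ALGORITHMS_ALLOW")
    deprecate = policy.get("CRYPT_ALGORITHMS_DEPRECATE")
    if allow is not None and default not in allow.split(","):
        findings.append(f"CRYPT_DEFAULT={default} is not in CRYPT_ALGORITHMS_ALLOW")
    if deprecate is not None and default in deprecate.split(","):
        findings.append(f"CRYPT_DEFAULT={default} is deprecated by CRYPT_ALGORITHMS_DEPRECATE")
    for key in ("PRIV_DEFAULT", "PRIV_LIMIT"):
        spec = policy.get(key)
        if spec is not None and not {"basic", "all"} & set(spec.split(",")):
            findings.append(f"{key} should include basic or all and remove privileges by negation")
    return findings
```

Running check_policy(parse_policy(SAMPLE)) returns an empty list; feeding it a file that deprecates __unix__ without changing CRYPT_DEFAULT produces a finding.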
FILES
/etc/user_attr Defines extended user attributes.
/etc/security/auth_attr Defines authorizations.
/etc/security/prof_attr Defines profiles.
/etc/security/policy.conf Defines policy for the system.
ATTRIBUTES
See
attributes(7) for descriptions of the following attributes:
+--------------------+-----------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-----------------+
|Interface Stability | Committed |
+--------------------+-----------------+
SEE ALSO
login(1), pfexec(1), chkauthattr(3SECDB), getexecuser(3SECDB),
auth_attr(5), crypt.conf(5), prof_attr(5), user_attr(5), attributes(7),
privileges(7)
NOTES
The console user is defined as the owner of /dev/console.
February 25, 2008 POLICY.CONF(5)