policy.conf(4) File Formats policy.conf(4)
policy.conf - configuration file for security policy
The policy.conf file provides the security policy configuration for user-level attributes. Each entry consists of a key/value pair in the
The following keys are defined:
AUTHS_GRANTED    Specify the default set of authorizations granted to all users. This entry is interpreted by chkauthattr(3SECDB). The value is one or more comma-separated authorizations defined in
PROFS_GRANTED    Specify the default set of profiles granted to all users. This entry is interpreted by chkauthattr(3SECDB) and getexecuser(3SECDB). The value is one or more comma-separated profiles defined in prof_attr(4).
PRIV_DEFAULT and PRIV_LIMIT    Settings for these keys determine the default privileges that users have. (See privileges(5).) If these keys are not set, the default privileges are taken from the inherited set.

    PRIV_DEFAULT determines the default set on login. PRIV_LIMIT defines the limit set on login. Users can have privileges assigned or taken away through use of user_attr(4). Privileges can also be assigned to profiles, in which case users who have those profiles can exercise the assigned privileges through

    For maximum future compatibility, the privilege specifications should always include basic or all. Privileges should then be removed using negation. See EXAMPLES. By assigning privileges in this way, you avoid a situation where, following an addition of a currently unprivileged operation to the basic privilege set, a user unexpectedly does not have the privileges he needs to perform that now-privileged operation.

    Note that removing privileges from the limit set requires extreme care, as any set-uid root program might suddenly fail because it lacks certain privilege(s). Note also that dropping basic privileges from the default privilege set can cause unexpected failure modes
LOCK_AFTER_RETRIES=YES|NO    Specifies whether a local account is locked after the count of failed logins for a user equals or exceeds the allowed number of retries as defined by RETRIES in /etc/default/login. The default value for users is NO. Individual account overrides are provided by
CRYPT_ALGORITHMS_ALLOW    Specify the algorithms that are allowed for new passwords and is enforced only
CRYPT_ALGORITHMS_DEPRECATE    Specify the algorithm for new passwords that is to be deprecated. For example, to deprecate use of the traditional UNIX algorithm, specify CRYPT_ALGORITHMS_DEPRECATE=__unix__ and change CRYPT_DEFAULT= to another algorithm, such as CRYPT_DEFAULT=1 for BSD and
CRYPT_DEFAULT    Specify the default algorithm for new passwords. The Solaris default is the traditional UNIX algorithm. This is not listed in crypt.conf(4) since it is internal to libc. The reserved name __unix__ is used to refer to it.
The key/value pair must appear on a single line, and the key must start the line. Lines starting with # are taken as comments and ignored. Option name comparisons are case-insensitive.
Only one CRYPT_ALGORITHMS_ALLOW or CRYPT_ALGORITHMS_DEPRECATE value can be specified. Whichever is listed first in the file takes precedence.

The algorithm specified for CRYPT_DEFAULT must either be specified for CRYPT_ALGORITHMS_ALLOW or not be specified for CRYPT_ALGORITHMS_DEPRECATE. If CRYPT_DEFAULT is not specified, the default is __unix__.
Example 1: Defining a Key/Value Pair
Example 2: Specifying Privileges
As noted above, you should specify privileges through negation, specifying all for PRIV_LIMIT and basic for PRIV_DEFAULT, then subtracting privileges, as shown below.

The first line, above, takes away only the sys_linkdir privilege. The second line takes away only the file_link privilege. These privilege specifications will be unaffected by any future addition of privileges that might occur.
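As an added example (not part of the policy.conf(4) man page or of Solaris itself), a small Python checker that applies the parsing and consistency rules stated above to a constructed policy.conf: the key must start the line, # lines are comments, key comparison is case-insensitive, only the first CRYPT_ALGORITHMS_ALLOW or CRYPT_ALGORITHMS_DEPRECATE entry takes effect, CRYPT_DEFAULT falls back to __unix__ and must be consistent with those entries, and PRIV_DEFAULT/PRIV_LIMIT should be built from basic or all with negated entries. The sample configuration, its algorithm identifiers and the !priv negation form are assumptions made for this example.

```python
# Constructed sample policy.conf for the example; not taken from the man page.
SAMPLE = """\
# site policy (constructed example)
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User
PRIV_DEFAULT=basic,!sys_linkdir
PRIV_LIMIT=all,!file_link
LOCK_AFTER_RETRIES=YES
crypt_algorithms_deprecate=__unix__
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
CRYPT_DEFAULT=1
"""

CRYPT_KEYS = ("CRYPT_ALGORITHMS_ALLOW", "CRYPT_ALGORITHMS_DEPRECATE")


def parse_policy(text):
    """Parse key=value lines into a dict with upper-cased keys.
    Lines starting with '#' are ignored; the key must start the line.
    Only the first CRYPT_ALGORITHMS_ALLOW/DEPRECATE entry is kept,
    because the man page says whichever is listed first takes precedence."""
    conf = {}
    for line in text.splitlines():
        if not line or line.startswith("#") or line[0].isspace():
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key/value pair
        key = key.strip().upper()  # option name comparison is case-insensitive
        if key in CRYPT_KEYS and any(k in conf for k in CRYPT_KEYS):
            continue  # a later ALLOW/DEPRECATE entry does not override the first
        conf[key] = value.strip()
    return conf


def check_policy(conf):
    """Return a list of findings for settings that violate the stated rules."""
    findings = []
    default = conf.get("CRYPT_DEFAULT", "__unix__")  # __unix__ is the documented default
    allowed = conf.get("CRYPT_ALGORITHMS_ALLOW", "").split(",")
    deprecated = conf.get("CRYPT_ALGORITHMS_DEPRECATE", "").split(",")
    if "CRYPT_ALGORITHMS_ALLOW" in conf and default not in allowed:
        findings.append(f"CRYPT_DEFAULT={default} is not in CRYPT_ALGORITHMS_ALLOW")
    if "CRYPT_ALGORITHMS_DEPRECATE" in conf and default in deprecated:
        findings.append(f"CRYPT_DEFAULT={default} is listed in CRYPT_ALGORITHMS_DEPRECATE")
    for key in ("PRIV_DEFAULT", "PRIV_LIMIT"):
        privs = {p.strip() for p in conf.get(key, "").split(",")}
        if key in conf and not privs & {"basic", "all"}:
            findings.append(f"{key} should include basic or all and remove privileges by negation")
    return findings


if __name__ == "__main__":
    print(check_policy(parse_policy(SAMPLE)) or "policy.conf sample is consistent")
```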
/etc/user_attr Defines extended user attributes.
/etc/security/auth_attr Defines authorizations.
/etc/security/prof_attr Defines profiles.
/etc/security/policy.conf Defines policy for the system.
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE    ATTRIBUTE VALUE
Availability      SUNWcsu
login(1), pfexec(1), chkauthattr(3SECDB), getexecuser(3SECDB),
auth_attr(4), crypt.conf(4), prof_attr(4), user_attr(4), attributes(5),
SunOS 5.10 16 Mar 2004 policy.conf(4)