unixdev.net


Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (SunOS-5.10)
Page:
Section:
Apropos / Subsearch:
optional field

policy.conf(4)                   File Formats                   policy.conf(4)



NAME
       policy.conf - configuration file for security policy

SYNOPSIS
       /etc/security/policy.conf

DESCRIPTION
       The  policy.conf  file  provides  the security policy configuration for
       user-level attributes. Each entry consists of a key/value pair  in  the
       form:

              key=value


       The following keys are defined:

       AUTHS_GRANTED                   Specify  the  default set of authoriza-
                                       tions granted to all users. This  entry
                                       is  interpreted by chkauthattr(3SECDB).
                                       The value is one  or  more  comma-sepa-
                                       rated    authorizations    defined   in
                                       auth_attr(4).



       PROFS_GRANTED                   Specify the  default  set  of  profiles
                                       granted  to  all  users.  This entry is
                                       interpreted by chkauthattr(3SECDB)  and
                                       getexecuser(3SECDB).  The  value is one
                                       or   more   comma-separated    profiles
                                       defined in prof_attr(4).



       PRIV_DEFAULT and PRIV_LIMIT     Settings  for  these keys determine the
                                       default  privileges  that  users  have.
                                       (See  privileges(5).) If these keys are
                                       not set,  the  default  privileges  are
                                       taken    from    the   inherited   set.
                                       PRIV_DEFAULT determines the default set
                                       on  login. PRIV_LIMIT defines the limit
                                       set on login. Users can have privileges
                                       assigned  or  taken away through use of
                                       user_attr(4). Privileges  can  also  be
                                       assigned  to  profiles,  in  which case
                                       users who have those profiles can exer-
                                       cise  the  assigned  privileges through
                                       pfexec(1).

                                       For maximum future  compatibility,  the
                                       privilege  specifications should always
                                       include basic or all. Privileges should
                                       then  be  removed  using  negation. See
                                       EXAMPLES. By  assigning  privileges  in
                                       this  way, you avoid a situation where,
                                       following an addition  of  a  currently
                                       unprivileged  operation  to  the  basic
                                       privilege set, a user unexpectedly does
                                       not  have  the  privileges  he needs to
                                       perform that now-privileged operation.

                                       Note that removing privileges from  the
                                       limit set requires extreme care, as any
                                       set-uid  root  program  might  suddenly
                                       fail  because  it  lacks certain privi-
                                       lege(s). Note also that dropping  basic
                                       privileges  from  the default privilege
                                       set can cause unexpected failure  modes
                                       in applications.



       LOCK_AFTER_RETRIES=YES|NO       Specifies  whether  a  local account is
                                       locked after the count of failed logins
                                       for   a  user  equals  or  exceeds  the
                                       allowed number of retries as defined by
                                       RETRIES   in  /etc/default/login.   The
                                       default value for users is NO. Individ-
                                       ual  account  overrides are provided by
                                       user_attr(4).



       CRYPT_ALGORITHMS_ALLOW          Specify the algorithms that are allowed
                                       for  new passwords and is enforced only
                                       in crypt_gensalt(3C).



       CRYPT_ALGORITHMS_DEPRECATE      Specify the algorithm for new passwords
                                       that  is to be deprecated. For example,
                                       to deprecate  use  of  the  traditional
                                       UNIX   algorithm,  specify  CRYPT_ALGO-
                                       RITHMS_DEPRECATE=__unix__  and   change
                                       CRYPT_DEFAULT=  to  another  algorithm,
                                       such as  CRYPT_DEFAULT=1  for  BSD  and
                                       Linux MD5.



       CRYPT_DEFAULT                   Specify  the  default algorithm for new
                                       passwords. The Solaris default  is  the
                                       traditional UNIX algorithm. This is not
                                       listed in  crypt.conf(4)  since  it  is
                                       internal  to  libc.  The  reserved name
                                       __unix__ is used to refer to it.



       The key/value pair must appear on a single line, and the key must start
       the  line.  Lines  starting  with  # are taken as comments and ignored.
       Option name comparisons are case-insensitive.

       Only one CRYPT_ALGORITHMS_ALLOW or CRYPT_ALGORITHMS_DEPRECATE value can
       be  specified.  Whichever is listed first in the file takes precedence.
       The algorithm specified for CRYPT_DEFAULT must either be specified  for
       CRYPT_ALGORITHMS_ALLOW  or not be specified for CRYPT_ALGORITHMS_DEPRE-
       CATE. If CRYPT_DEFAULT is not specified, the default is __unix__.

EXAMPLES
       Example 1: Defining a Key/Value Pair

       AUTHS_GRANTED=solaris.date

       Example 2: Specifying Privileges

       As noted above, you should specify privileges through negation,  speci-
       fying  all  for PRIV_LIMIT and basic for PRIV_DEFAULT, then subtracting
       privileges, as shown below.

       PRIV_LIMIT=all,!sys_linkdir
       PRIV_DEFAULT=basic,!file_link_any


       The first line, above, takes away only the sys_linkdir  privilege.  The
       second  line  takes  away only the file_link privilege. These privilege
       specifications will be unaffected by any future addition of  privileges
       that might occur.

FILES
       /etc/user_attr                  Defines extended user attributes.



       /etc/security/auth_attr         Defines authorizations.



       /etc/security/prof_attr         Defines profiles.



       /etc/security/policy.conf       Defines policy for the system.



ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:


       tab()     allbox;     cw(2.750000i)|    cw(2.750000i)    lw(2.750000i)|
       lw(2.750000i).   ATTRIBUTE  TYPEATTRIBUTE   VALUE   AvailabilitySUNWcsu
       Interface StabilityEvolving


SEE ALSO
       login(1),    pfexec(1),    chkauthattr(3SECDB),    getexecuser(3SECDB),
       auth_attr(4), crypt.conf(4), prof_attr(4), user_attr(4), attributes(5),
       privileges(5)



SunOS 5.10                        16 Mar 2004                   policy.conf(4)