secconfig, secsetup - Security features setup graphical interface (Enhanced
NOTE: The secsetup utility has been replaced by the secconfig graphical
The secconfig utility is a graphical interface used to select the level of
system security needed. It can convert from Base to enhanced security
mode, and configure base and enhanced security features. If you are using
secconfig to enable Enhanced security, you must first have loaded the
enhanced security subsets.
You can run secconfig while the system is in multiuser mode. However, if
you change the security level, the change is not completed until you reboot
For both base and enhanced security, the secconfig utility allows you to
enable segment sharing, to enable access control lists (ACLs), and to res-
trict the setting of the execute bit to root only.
For enhanced security, the secconfig utility additionally allows you to
configure security support from simple shadow passwords all the way to a
strict C2 level of security. Shadow password support is an easy method for
system administrators, who do not wish to use all of the extended security
features, to move each user's password out of /etc/passwd and into the
extended user profile database (auth.db. You can use the Custom mode if
you wish to select additional security features, such as breakin detection
and evasion, automatic database trimming, and password controls.
When converting from base to enhanced security, secconfig updates the sys-
tem default database (/etc/auth/system/default) and uses the convuser util-
ity to migrate user accounts.
While it is possible to convert user accounts from enhanced back to base,
the default encryption algorithms and supported password lengths differ
between base and enhanced security, and thus user account conversions do
not succeed without a password change.
NOTE: Because of the page table sharing mechanism used for shared
libraries, the normal file system permissions are not adequate to protect
against unauthorized reading. The secconfig interface allows you to dis-
able segment sharing. The change in segment sharing takes effect at the
acl(4), authcap(4), default(4), convuser(8),