POLICY.CONF(4) File Formats and Configurations POLICY.CONF(4)


NAME


policy.conf - configuration file for security policy

SYNOPSIS


/etc/security/policy.conf


DESCRIPTION


The policy.conf file provides the security policy configuration for user-
level attributes. Each entry consists of a key/value pair in the form:


key=value


The following keys are defined:

AUTHS_GRANTED

Specify the default set of authorizations granted to all users. This
entry is interpreted by chkauthattr(3SECDB). The value is zero or
more comma-separated authorizations defined in auth_attr(4).


PROFS_GRANTED

Specify the default set of profiles granted to all users. This entry
is interpreted by chkauthattr(3SECDB) and getexecuser(3SECDB). The
value is zero or more comma-separated profiles defined in
prof_attr(4).


CONSOLE_USER

Specify an additional default set of profiles granted to the console
user user. This entry is interpreted by chkauthattr(3SECDB) and
getexecuser(3SECDB). The value is zero or more comma-separated
profiles defined in prof_attr(4).


PRIV_DEFAULT and PRIV_LIMIT

Settings for these keys determine the default privileges that users
have. (See privileges(5).) If these keys are not set, the default
privileges are taken from the inherited set. PRIV_DEFAULT determines
the default set on login. PRIV_LIMIT defines the limit set on login.
Users can have privileges assigned or taken away through use of
user_attr(4). Privileges can also be assigned to profiles, in which
case users who have those profiles can exercise the assigned
privileges through pfexec(1).

For maximum future compatibility, the privilege specifications should
always include basic or all. Privileges should then be removed using
negation. See EXAMPLES. By assigning privileges in this way, you
avoid a situation where, following an addition of a currently
unprivileged operation to the basic privilege set, a user
unexpectedly does not have the privileges he needs to perform that
now-privileged operation.

Note that removing privileges from the limit set requires extreme
care, as any set-uid root program might suddenly fail because it
lacks certain privilege(s). Note also that dropping basic privileges
from the default privilege set can cause unexpected failure modes in
applications.


LOCK_AFTER_RETRIES=YES|NO

Specifies whether a local account is locked after the count of failed
logins for a user equals or exceeds the allowed number of retries as
defined by RETRIES in /etc/default/login. The default value for users
is NO. Individual account overrides are provided by user_attr(4).


CRYPT_ALGORITHMS_ALLOW

Specify the algorithms that are allowed for new passwords and is
enforced only in crypt_gensalt(3C).


CRYPT_ALGORITHMS_DEPRECATE

Specify the algorithm for new passwords that is to be deprecated. For
example, to deprecate use of the traditional UNIX algorithm, specify
CRYPT_ALGORITHMS_DEPRECATE=__unix__ and change CRYPT_DEFAULT= to
another algorithm, such as CRYPT_DEFAULT=1 for BSD and Linux MD5.


CRYPT_DEFAULT

Specify the default algorithm for new passwords. The Solaris default
is the traditional UNIX algorithm. This is not listed in
crypt.conf(4) since it is internal to libc. The reserved name
__unix__ is used to refer to it.


The key/value pair must appear on a single line, and the key must start
the line. Lines starting with # are taken as comments and ignored. Option
name comparisons are case-insensitive.


Only one CRYPT_ALGORITHMS_ALLOW or CRYPT_ALGORITHMS_DEPRECATE value can
be specified. Whichever is listed first in the file takes precedence. The
algorithm specified for CRYPT_DEFAULT must either be specified for
CRYPT_ALGORITHMS_ALLOW or not be specified for
CRYPT_ALGORITHMS_DEPRECATE. If CRYPT_DEFAULT is not specified, the
default is __unix__.

EXAMPLES


Example 1: Defining a Key/Value Pair



AUTHS_GRANTED=solaris.date


Example 2: Specifying Privileges




As noted above, you should specify privileges through negation,
specifying all for PRIV_LIMIT and basic for PRIV_DEFAULT, then
subtracting privileges, as shown below.


PRIV_LIMIT=all,!sys_linkdir
PRIV_DEFAULT=basic,!file_link_any


The first line, above, takes away only the sys_linkdir privilege. The
second line takes away only the file_link privilege. These privilege
specifications are unaffected by any future addition of privileges that
might occur.


FILES


/etc/user_attr
Defines extended user attributes.


/etc/security/auth_attr
Defines authorizations.


/etc/security/prof_attr
Defines profiles.


/etc/security/policy.conf
Defines policy for the system.


ATTRIBUTES


See attributes(5) for descriptions of the following attributes:


+--------------------+-----------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-----------------+
|Interface Stability | Committed |
+--------------------+-----------------+

SEE ALSO


login(1), pfexec(1), chkauthattr(3SECDB), getexecuser(3SECDB),
auth_attr(4), crypt.conf(4), prof_attr(4), user_attr(4), attributes(5),
privileges(5)

NOTES


The console user is defined as the owner of /dev/console.


February 25, 2008 POLICY.CONF(4)