Unix/Linux Go Back    

OpenSolaris 2009.06 - man page for policy.conf (opensolaris section 4)

Linux & Unix Commands - Search Man Pages
Man Page or Keyword Search:   man
Select Man Page Set:       apropos Keyword Search (sections above)

policy.conf(4)				   File Formats 			   policy.conf(4)

       policy.conf - configuration file for security policy


       The policy.conf file provides the security policy configuration for user-level attributes.
       Each entry consists of a key/value pair in the form:


       The following keys are defined:


	   Specify the default set of authorizations granted to all users. This entry  is  inter-
	   preted  by  chkauthattr(3SECDB).  The value is zero or more comma-separated authoriza-
	   tions defined in auth_attr(4).


	   Specify the default set of profiles granted to all users. This entry is interpreted by
	   chkauthattr(3SECDB) and getexecuser(3SECDB). The value is zero or more comma-separated
	   profiles defined in prof_attr(4).


	   Specify an additional default set of profiles granted to the console user  user.  This
	   entry is interpreted by chkauthattr(3SECDB) and getexecuser(3SECDB). The value is zero
	   or more comma-separated profiles defined in prof_attr(4).


	   Settings for these keys determine the default privileges that users have. (See  privi-
	   leges(5).) If these keys are not set, the default privileges are taken from the inher-
	   ited set. PRIV_DEFAULT determines the default set on  login.  PRIV_LIMIT  defines  the
	   limit  set  on  login. Users can have privileges assigned or taken away through use of
	   user_attr(4). Privileges can also be assigned to profiles, in  which  case  users  who
	   have those profiles can exercise the assigned privileges through pfexec(1).

	   For	maximum  future compatibility, the privilege specifications should always include
	   basic or all. Privileges should then be  removed  using  negation.  See  EXAMPLES.  By
	   assigning  privileges  in this way, you avoid a situation where, following an addition
	   of a currently unprivileged operation to the basic privilege set, a user  unexpectedly
	   does not have the privileges he needs to perform that now-privileged operation.

	   Note that removing privileges from the limit set requires extreme care, as any set-uid
	   root program might suddenly fail because it lacks certain privilege(s). Note also that
	   dropping  basic privileges from the default privilege set can cause unexpected failure
	   modes in applications.


	   Specifies whether a local account is locked after the count of  failed  logins  for	a
	   user  equals  or  exceeds  the  allowed  number  of	retries  as defined by RETRIES in
	   /etc/default/login. The default value for users is NO.  Individual  account	overrides
	   are provided by user_attr(4).


	   Specify  the  algorithms  that  are	allowed for new passwords and is enforced only in


	   Specify the algorithm for new passwords that is to be deprecated. For example, to dep-
	   recate   use  of  the  traditional  UNIX  algorithm,  specify  CRYPT_ALGORITHMS_DEPRE-
	   CATE=__unix__ and change CRYPT_DEFAULT= to another algorithm, such as  CRYPT_DEFAULT=1
	   for BSD and Linux MD5.


	   Specify  the  default  algorithm  for new passwords. The Solaris default is the tradi-
	   tional UNIX algorithm. This is not listed in crypt.conf(4) since  it  is  internal  to
	   libc. The reserved name __unix__ is used to refer to it.

       The  key/value  pair  must appear on a single line, and the key must start the line. Lines
       starting with # are taken as comments and ignored. Option name comparisons are case-insen-

       Only  one  CRYPT_ALGORITHMS_ALLOW  or  CRYPT_ALGORITHMS_DEPRECATE  value can be specified.
       Whichever is listed first in the  file  takes  precedence.  The	algorithm  specified  for
       CRYPT_DEFAULT  must either be specified for CRYPT_ALGORITHMS_ALLOW or not be specified for
       CRYPT_ALGORITHMS_DEPRECATE. If CRYPT_DEFAULT is not specified, the default is __unix__.

       Example 1 Defining a Key/Value Pair


       Example 2 Specifying Privileges

       As noted above, you  should  specify  privileges  through  negation,  specifying  all  for
       PRIV_LIMIT and basic for PRIV_DEFAULT, then subtracting privileges, as shown below.


       The  first  line,  above, takes away only the sys_linkdir privilege. The second line takes
       away only the file_link privilege. These privilege specifications are  unaffected  by  any
       future addition of privileges that might occur.

       /etc/user_attr		    Defines extended user attributes.

       /etc/security/auth_attr	    Defines authorizations.

       /etc/security/prof_attr	    Defines profiles.

       /etc/security/policy.conf    Defines policy for the system.

       See attributes(5) for descriptions of the following attributes:

       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       |Availability		     |SUNWcsu			   |
       |Interface Stability	     |Committed 		   |

       login(1),     pfexec(1),     chkauthattr(3SECDB),    getexecuser(3SECDB),    auth_attr(4),
       crypt.conf(4), prof_attr(4), user_attr(4), attributes(5), privileges(5)

       The console user is defined as the owner of /dev/console.

SunOS 5.11				   25 Feb 2008				   policy.conf(4)
Unix & Linux Commands & Man Pages : ©2000 - 2018 Unix and Linux Forums

All times are GMT -4. The time now is 03:16 AM.