'\" te
.\" Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved.
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH POLICY.CONF 4 "Feb 25, 2008"
.SH NAME
policy.conf \- configuration file for security policy
.SH SYNOPSIS
.LP
.nf
/etc/security/policy.conf
.fi

.SH DESCRIPTION
.sp
.LP
The \fBpolicy.conf\fR file provides the security policy configuration for
user-level attributes. Each entry consists of a key/value pair in the form:
.sp
.LP
key=value
.sp
.LP
The following keys are defined:
.sp
.ne 2
.na
\fB\fBAUTHS_GRANTED\fR\fR
.ad
.sp .6
.RS 4n
Specify the default set of authorizations granted to all users. This entry is
interpreted by \fBchkauthattr\fR(3SECDB). The value is zero or more
comma-separated authorizations defined in \fBauth_attr\fR(4).
.RE

.sp
.ne 2
.na
\fB\fBPROFS_GRANTED\fR\fR
.ad
.sp .6
.RS 4n
Specify the default set of profiles granted to all users. This entry is
interpreted by \fBchkauthattr\fR(3SECDB) and \fBgetexecuser\fR(3SECDB). The
value is zero or more comma-separated profiles defined in \fBprof_attr\fR(4).
.RE

.sp
.ne 2
.na
\fB\fBCONSOLE_USER\fR\fR
.ad
.sp .6
.RS 4n
Specify an additional default set of profiles granted to the \fIconsole user\fR
user. This entry is interpreted by \fBchkauthattr\fR(3SECDB) and
\fBgetexecuser\fR(3SECDB). The value is zero or more comma-separated profiles
defined in \fBprof_attr\fR(4).
.RE

.sp
.ne 2
.na
\fB\fBPRIV_DEFAULT\fR and \fBPRIV_LIMIT\fR\fR
.ad
.sp .6
.RS 4n
Settings for these keys determine the default privileges that users have. (See
\fBprivileges\fR(5).) If these keys are not set, the default privileges are
taken from the inherited set. \fBPRIV_DEFAULT\fR determines the default set on
login. \fBPRIV_LIMIT\fR defines the limit set on login. Users can have
privileges assigned or taken away through use of \fBuser_attr\fR(4). Privileges
can also be assigned to profiles, in which case users who have those profiles
can exercise the assigned privileges through \fBpfexec\fR(1).
.sp
For maximum future compatibility, the privilege specifications should always
include \fBbasic\fR or \fBall\fR. Privileges should then be removed using
negation. See EXAMPLES. By assigning privileges in this way, you avoid a
situation where, following an addition of a currently unprivileged operation to
the basic privilege set, a user unexpectedly does not have the privileges he
needs to perform that now-privileged operation.
.sp
Note that removing privileges from the limit set requires \fBextreme\fR care,
as any set-uid root program might suddenly fail because it lacks certain
privilege(s). Note also that dropping \fBbasic\fR privileges from the default
privilege set can cause unexpected failure modes in applications.
.RE

.sp
.ne 2
.na
\fB\fBLOCK_AFTER_RETRIES=YES|NO\fR\fR
.ad
.sp .6
.RS 4n
Specifies whether a local account is locked after the count of failed logins
for a user equals or exceeds the allowed number of retries as defined by
\fBRETRIES\fR in \fB/etc/default/login\fR. The default value for users is
\fBNO\fR. Individual account overrides are provided by \fBuser_attr\fR(4).
.RE

.sp
.ne 2
.na
\fB\fBCRYPT_ALGORITHMS_ALLOW\fR\fR
.ad
.sp .6
.RS 4n
Specify the algorithms that are allowed for new passwords and is enforced only
in \fBcrypt_gensalt\fR(3C).
.RE

.sp
.ne 2
.na
\fB\fBCRYPT_ALGORITHMS_DEPRECATE\fR\fR
.ad
.sp .6
.RS 4n
Specify the algorithm for new passwords that is to be deprecated. For example,
to deprecate use of the traditional UNIX algorithm, specify
\fBCRYPT_ALGORITHMS_DEPRECATE=__unix__\fR and change \fBCRYPT_DEFAULT=\fR to
another algorithm, such as \fBCRYPT_DEFAULT=1\fR for BSD and Linux MD5.
.RE

.sp
.ne 2
.na
\fB\fBCRYPT_DEFAULT\fR\fR
.ad
.sp .6
.RS 4n
Specify the default algorithm for new passwords. The Solaris default is the
traditional UNIX algorithm. This is not listed in \fBcrypt.conf\fR(4) since it
is internal to \fBlibc\fR. The reserved name \fB__unix__\fR is used to refer to
it.
.RE

.sp
.LP
The key/value pair must appear on a single line, and the key must start the
line. Lines starting with \fB#\fR are taken as comments and ignored. Option
name comparisons are case-insensitive.
.sp
.LP
Only one \fBCRYPT_ALGORITHMS_ALLOW\fR or \fBCRYPT_ALGORITHMS_DEPRECATE\fR value
can be specified. Whichever is listed first in the file takes precedence. The
algorithm specified for \fBCRYPT_DEFAULT\fR must either be specified for
\fBCRYPT_ALGORITHMS_ALLOW\fR or not be specified for
\fBCRYPT_ALGORITHMS_DEPRECATE\fR. If \fBCRYPT_DEFAULT\fR is not specified, the
default is \fB__unix__\fR.
.SH EXAMPLES
.LP
\fBExample 1 \fRDefining a Key/Value Pair
.sp
.in +2
.nf
\fBAUTHS_GRANTED=solaris.date\fR
.fi
.in -2
.sp

.LP
\fBExample 2 \fRSpecifying Privileges
.sp
.LP
As noted above, you should specify privileges through negation, specifying
\fBall\fR for \fBPRIV_LIMIT\fR and \fBbasic\fR for \fBPRIV_DEFAULT\fR, then
subtracting privileges, as shown below.

.sp
.in +2
.nf
PRIV_LIMIT=all,!sys_linkdir
PRIV_DEFAULT=basic,!file_link_any
.fi
.in -2

.sp
.LP
The first line, above, takes away only the \fBsys_linkdir\fR privilege. The
second line takes away only the \fBfile_link\fR privilege. These privilege
specifications are unaffected by any future addition of privileges that might
occur.

.SH FILES
.sp
.ne 2
.na
\fB\fB/etc/user_attr\fR\fR
.ad
.RS 29n
Defines extended user attributes.
.RE

.sp
.ne 2
.na
\fB\fB/etc/security/auth_attr\fR\fR
.ad
.RS 29n
Defines authorizations.
.RE

.sp
.ne 2
.na
\fB\fB/etc/security/prof_attr\fR\fR
.ad
.RS 29n
Defines profiles.
.RE

.sp
.ne 2
.na
\fB\fB/etc/security/policy.conf\fR\fR
.ad
.RS 29n
Defines policy for the system.
.RE

.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE	ATTRIBUTE VALUE
_
Interface Stability	Committed
.TE

.SH SEE ALSO
.sp
.LP
\fBlogin\fR(1), \fBpfexec\fR(1), \fBchkauthattr\fR(3SECDB),
\fBgetexecuser\fR(3SECDB), \fBauth_attr\fR(4), \fBcrypt.conf\fR(4),
\fBprof_attr\fR(4), \fBuser_attr\fR(4), \fBattributes\fR(5),
\fBprivileges\fR(5)
.SH NOTES
.sp
.LP
The \fIconsole user\fR is defined as the owner of \fB/dev/console\fR.