xref: /illumos-gate/usr/src/lib/libsecdb/policy.conf (revision b666b5bebdde1067e2d0f2b91fd28a5243311a1a)
1#
2# CDDL HEADER START
3#
4# The contents of this file are subject to the terms of the
5# Common Development and Distribution License (the "License").
6# You may not use this file except in compliance with the License.
7#
8# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9# or http://www.opensolaris.org/os/licensing.
10# See the License for the specific language governing permissions
11# and limitations under the License.
12#
13# When distributing Covered Code, include this CDDL HEADER in each
14# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15# If applicable, add the following below this CDDL HEADER, with the
16# fields enclosed by brackets "[]" replaced with your own identifying
17# information: Portions Copyright [yyyy] [name of copyright owner]
18#
19# CDDL HEADER END
20#
21#
22# Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
23# Use is subject to license terms.
24#
25# /etc/security/policy.conf
26#
27# security policy configuration for user attributes. see policy.conf(4)
28#
29
30AUTHS_GRANTED=solaris.device.cdrw
31PROFS_GRANTED=Basic Solaris User
32CONSOLE_USER=Console User
33
34# crypt(3c) Algorithms Configuration
35#
36# CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to
37# be used for new passwords.  This is enforced only in crypt_gensalt(3c).
38#
39CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6
40
41# To deprecate use of the traditional unix algorithm, uncomment below
42# and change CRYPT_DEFAULT= to another algorithm.  For example,
43# CRYPT_DEFAULT=1 for BSD/Linux MD5.
44#
45#CRYPT_ALGORITHMS_DEPRECATE=__unix__
46
47# The illumos default is a SHA512 based algorithm.  To revert to
48# the policy present in former Solaris releases set CRYPT_DEFAULT=__unix__,
49# which is not listed in crypt.conf(4) since it is internal to libc.
50#
51CRYPT_DEFAULT=6
52#
53# These settings determine the default privileges users have.  If not set,
54# the default privileges are taken from the inherited set.
55# There are two different settings; PRIV_DEFAULT determines the default
56# set on login; PRIV_LIMIT defines the Limit set on login.
57# Individual users can have privileges assigned or taken away through
58# user_attr.  Privileges can also be assigned to profiles in which case
59# the users with those profiles can use those privileges through pfexec(1).
60# For maximum future compatibility, the specifications should
61# always include "basic" or "all"; privileges should then be removed using
62# the negation.  E.g., PRIV_LIMIT=all,!sys_linkdir takes away only the
63# sys_linkdir privilege, regardless of future additional privileges.
64# Similarly, PRIV_DEFAULT=basic,!file_link_any takes away only the
65# file_link_any privilege from the basic privilege set; only that notation
66# is immune from a future addition of currently unprivileged operations to
67# the basic privilege set.
68# NOTE: removing privileges from the the Limit set requires EXTREME care
69# as any set-uid root program may suddenly fail because it lacks certain
70# privilege(s).
71#
72#PRIV_DEFAULT=basic
73#PRIV_LIMIT=all
74#
75# LOCK_AFTER_RETRIES specifies the default account locking policy for local
76# user accounts (passwd(4)/shadow(4)).  The default may be overridden by
77# a user's user_attr(4) "lock_after_retries" value.
78# YES enables local account locking, NO disables local account locking.
79# The default value is NO.
80#
81#LOCK_AFTER_RETRIES=NO
82