1# 2# CDDL HEADER START 3# 4# The contents of this file are subject to the terms of the 5# Common Development and Distribution License (the "License"). 6# You may not use this file except in compliance with the License. 7# 8# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9# or http://www.opensolaris.org/os/licensing. 10# See the License for the specific language governing permissions 11# and limitations under the License. 12# 13# When distributing Covered Code, include this CDDL HEADER in each 14# file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15# If applicable, add the following below this CDDL HEADER, with the 16# fields enclosed by brackets "[]" replaced with your own identifying 17# information: Portions Copyright [yyyy] [name of copyright owner] 18# 19# CDDL HEADER END 20# 21# 22# Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23# Use is subject to license terms. 24# 25# /etc/security/policy.conf 26# 27# security policy configuration for user attributes. see policy.conf(4) 28# 29#ident "%Z%%M% %I% %E% SMI" 30# 31AUTHS_GRANTED=solaris.device.cdrw 32PROFS_GRANTED=Basic Solaris User 33CONSOLE_USER=Console User 34 35# crypt(3c) Algorithms Configuration 36# 37# CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to 38# be used for new passwords. This is enforced only in crypt_gensalt(3c). 39# 40CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6 41 42# To deprecate use of the traditional unix algorithm, uncomment below 43# and change CRYPT_DEFAULT= to another algorithm. For example, 44# CRYPT_DEFAULT=1 for BSD/Linux MD5. 45# 46#CRYPT_ALGORITHMS_DEPRECATE=__unix__ 47 48# The Solaris default is the traditional UNIX algorithm. This is not 49# listed in crypt.conf(4) since it is internal to libc. The reserved 50# name __unix__ is used to refer to it. 51# 52CRYPT_DEFAULT=__unix__ 53# 54# These settings determine the default privileges users have. If not set, 55# the default privileges are taken from the inherited set. 56# There are two different settings; PRIV_DEFAULT determines the default 57# set on login; PRIV_LIMIT defines the Limit set on login. 58# Individual users can have privileges assigned or taken away through 59# user_attr. Privileges can also be assigned to profiles in which case 60# the users with those profiles can use those privileges through pfexec(1m). 61# For maximum future compatibility, the specifications should 62# always include "basic" or "all"; privileges should then be removed using 63# the negation. E.g., PRIV_LIMIT=all,!sys_linkdir takes away only the 64# sys_linkdir privilege, regardless of future additional privileges. 65# Similarly, PRIV_DEFAULT=basic,!file_link_any takes away only the 66# file_link_any privilege from the basic privilege set; only that notation 67# is immune from a future addition of currently unprivileged operations to 68# the basic privilege set. 69# NOTE: removing privileges from the the Limit set requires EXTREME care 70# as any set-uid root program may suddenly fail because it lacks certain 71# privilege(s). 72# 73#PRIV_DEFAULT=basic 74#PRIV_LIMIT=all 75# 76# LOCK_AFTER_RETRIES specifies the default account locking policy for local 77# user accounts (passwd(4)/shadow(4)). The default may be overridden by 78# a user's user_attr(4) "lock_after_retries" value. 79# YES enables local account locking, NO disables local account locking. 80# The default value is NO. 81# 82#LOCK_AFTER_RETRIES=NO 83