#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# /etc/security/policy.conf
#
# security policy configuration for user attributes.  see policy.conf(4)
#
#ident "%Z%%M% %I% %E% SMI"
#
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User

# crypt(3c) Algorithms Configuration
#
# CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to
# be used for new passwords.  This is enforced only in crypt_gensalt(3c).
#
CRYPT_ALGORITHMS_ALLOW=1,2a,md5

# To deprecate use of the traditional unix algorithm, uncomment below
# and change CRYPT_DEFAULT= to another algorithm.  For example,
# CRYPT_DEFAULT=1 for BSD/Linux MD5.
#
#CRYPT_ALGORITHMS_DEPRECATE=__unix__

# The Solaris default is the traditional UNIX algorithm.  This is not
# listed in crypt.conf(4) since it is internal to libc.  The reserved
# name __unix__ is used to refer to it.
#
CRYPT_DEFAULT=__unix__
#
# These settings determine the default privileges users have.  If not set,
# the default privileges are taken from the inherited set.
# There are two different settings; PRIV_DEFAULT determines the default
# set on login; PRIV_LIMIT defines the Limit set on login.
# Individual users can have privileges assigned or taken away through
# user_attr.  Privileges can also be assigned to profiles in which case
# the users with those profiles can use those privileges through pfexec(1m).
# For maximum future compatibility, the specifications should
# always include "basic" or "all"; privileges should then be removed using
# the negation.  E.g., PRIV_LIMIT=all,!sys_linkdir takes away only the
# sys_linkdir privilege, regardless of future additional privileges.
# Similarly, PRIV_DEFAULT=basic,!file_link_any takes away only the
# file_link_any privilege from the basic privilege set; only that notation
# is immune from a future addition of currently unprivileged operations to
# the basic privilege set.
# NOTE: removing privileges from the Limit set requires EXTREME care
# as any set-uid root program may suddenly fail because it lacks certain
# privilege(s).
#
#PRIV_DEFAULT=basic
#PRIV_LIMIT=all
#
# LOCK_AFTER_RETRIES specifies the default account locking policy for local
# user accounts (passwd(4)/shadow(4)).  The default may be overridden by
# a user's user_attr(4) "lock_after_retries" value.
# YES enables local account locking, NO disables local account locking.
# The default value is NO.
#
#LOCK_AFTER_RETRIES=NO
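As an added example, not part of Solaris or of policy.conf itself, the Python checker below parses the PRIV_DEFAULT, PRIV_LIMIT and CRYPT_DEFAULT lines, expands the basic/all/!negation notation left to right, and flags the cautions the file's comments raise (a spec not anchored on "basic" or "all", removals from the Limit set, __unix__ still the default). The privilege names in BASIC_SET are assumed to be the Solaris 10 basic set; ALL_PRIVS and SAMPLE are constructed for the example.

```python
# Assumption: the Solaris 10 "basic" set; ALL_PRIVS is a constructed subset.
BASIC_SET = {"file_link_any", "proc_exec", "proc_fork", "proc_info", "proc_session"}
ALL_PRIVS = BASIC_SET | {"sys_linkdir", "sys_mount", "proc_setid", "net_privaddr"}

# Constructed sample fragment using the notation shown in policy.conf.
SAMPLE = """\
# comment lines are ignored, as are commented-out settings
PRIV_DEFAULT=basic,!file_link_any
PRIV_LIMIT=all,!sys_linkdir
CRYPT_DEFAULT=__unix__
#LOCK_AFTER_RETRIES=NO
"""

def parse_policy(text):
    """Return {KEY: VALUE} for the active (uncommented) KEY=VALUE lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def resolve_privs(spec, all_privs=ALL_PRIVS, basic=BASIC_SET):
    """Expand a spec such as 'basic,!file_link_any' left to right."""
    result = set()
    for tok in spec.split(","):
        tok = tok.strip()
        negate = tok.startswith("!")
        name = tok.lstrip("!")
        names = all_privs if name == "all" else basic if name == "basic" else {name}
        result = result - set(names) if negate else result | set(names)
    return result

def lint_policy(conf):
    """Warnings mirroring the cautions in policy.conf's own comments."""
    warnings = []
    for key in ("PRIV_DEFAULT", "PRIV_LIMIT"):
        spec = conf.get(key)
        if spec is None:
            continue  # not set: privileges come from the inherited set
        if spec.split(",")[0].strip() not in ("basic", "all"):
            warnings.append(f"{key}: spec should start with 'basic' or 'all'")
        if key == "PRIV_LIMIT" and "!" in spec:
            warnings.append("PRIV_LIMIT: removing privileges from the Limit set can break set-uid root programs")
    if conf.get("CRYPT_DEFAULT") == "__unix__":
        warnings.append("CRYPT_DEFAULT: traditional unix crypt is still the default")
    return warnings
```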