xref: /titanic_52/usr/src/lib/libsecdb/policy.conf (revision ead1f93ee620d7580f7e53350fe5a884fc4f158a)
17c478bd9Sstevel@tonic-gate#
27c478bd9Sstevel@tonic-gate# CDDL HEADER START
37c478bd9Sstevel@tonic-gate#
47c478bd9Sstevel@tonic-gate# The contents of this file are subject to the terms of the
5499fd601Sgww# Common Development and Distribution License (the "License").
6499fd601Sgww# You may not use this file except in compliance with the License.
77c478bd9Sstevel@tonic-gate#
87c478bd9Sstevel@tonic-gate# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
97c478bd9Sstevel@tonic-gate# or http://www.opensolaris.org/os/licensing.
107c478bd9Sstevel@tonic-gate# See the License for the specific language governing permissions
117c478bd9Sstevel@tonic-gate# and limitations under the License.
127c478bd9Sstevel@tonic-gate#
137c478bd9Sstevel@tonic-gate# When distributing Covered Code, include this CDDL HEADER in each
147c478bd9Sstevel@tonic-gate# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
157c478bd9Sstevel@tonic-gate# If applicable, add the following below this CDDL HEADER, with the
167c478bd9Sstevel@tonic-gate# fields enclosed by brackets "[]" replaced with your own identifying
177c478bd9Sstevel@tonic-gate# information: Portions Copyright [yyyy] [name of copyright owner]
187c478bd9Sstevel@tonic-gate#
197c478bd9Sstevel@tonic-gate# CDDL HEADER END
207c478bd9Sstevel@tonic-gate#
217c478bd9Sstevel@tonic-gate#
22c11c3631SJoep Vesseur# Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
237c478bd9Sstevel@tonic-gate# Use is subject to license terms.
247c478bd9Sstevel@tonic-gate#
257c478bd9Sstevel@tonic-gate# /etc/security/policy.conf
267c478bd9Sstevel@tonic-gate#
277c478bd9Sstevel@tonic-gate# security policy configuration for user attributes. see policy.conf(4)
287c478bd9Sstevel@tonic-gate#
29*ead1f93eSLiane Praza
307c478bd9Sstevel@tonic-gateAUTHS_GRANTED=solaris.device.cdrw
317c478bd9Sstevel@tonic-gatePROFS_GRANTED=Basic Solaris User
32499fd601SgwwCONSOLE_USER=Console User
337c478bd9Sstevel@tonic-gate
347c478bd9Sstevel@tonic-gate# crypt(3c) Algorithms Configuration
357c478bd9Sstevel@tonic-gate#
367c478bd9Sstevel@tonic-gate# CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to
377c478bd9Sstevel@tonic-gate# be used for new passwords.  This is enforced only in crypt_gensalt(3c).
387c478bd9Sstevel@tonic-gate#
390cd13cbfSwyllysCRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6
407c478bd9Sstevel@tonic-gate
417c478bd9Sstevel@tonic-gate# To deprecate use of the traditional unix algorithm, uncomment below
427c478bd9Sstevel@tonic-gate# and change CRYPT_DEFAULT= to another algorithm.  For example,
437c478bd9Sstevel@tonic-gate# CRYPT_DEFAULT=1 for BSD/Linux MD5.
447c478bd9Sstevel@tonic-gate#
457c478bd9Sstevel@tonic-gate#CRYPT_ALGORITHMS_DEPRECATE=__unix__
467c478bd9Sstevel@tonic-gate
47*ead1f93eSLiane Praza# The OpenSolaris default is a SHA256 based algorithm.  To revert to
48*ead1f93eSLiane Praza# the policy present in Solaris releases set CRYPT_DEFAULT=__unix__,
49*ead1f93eSLiane Praza# which is not listed in crypt.conf(4) since it is internal to libc.
507c478bd9Sstevel@tonic-gate#
51*ead1f93eSLiane PrazaCRYPT_DEFAULT=5
527c478bd9Sstevel@tonic-gate#
537c478bd9Sstevel@tonic-gate# These settings determine the default privileges users have.  If not set,
547c478bd9Sstevel@tonic-gate# the default privileges are taken from the inherited set.
557c478bd9Sstevel@tonic-gate# There are two different settings; PRIV_DEFAULT determines the default
567c478bd9Sstevel@tonic-gate# set on login; PRIV_LIMIT defines the Limit set on login.
577c478bd9Sstevel@tonic-gate# Individual users can have privileges assigned or taken away through
587c478bd9Sstevel@tonic-gate# user_attr.  Privileges can also be assigned to profiles in which case
59c11c3631SJoep Vesseur# the users with those profiles can use those privileges through pfexec(1).
607c478bd9Sstevel@tonic-gate# For maximum future compatibility, the specifications should
617c478bd9Sstevel@tonic-gate# always include "basic" or "all"; privileges should then be removed using
627c478bd9Sstevel@tonic-gate# the negation.  E.g., PRIV_LIMIT=all,!sys_linkdir takes away only the
637c478bd9Sstevel@tonic-gate# sys_linkdir privilege, regardless of future additional privileges.
647c478bd9Sstevel@tonic-gate# Similarly, PRIV_DEFAULT=basic,!file_link_any takes away only the
657c478bd9Sstevel@tonic-gate# file_link_any privilege from the basic privilege set; only that notation
667c478bd9Sstevel@tonic-gate# is immune from a future addition of currently unprivileged operations to
677c478bd9Sstevel@tonic-gate# the basic privilege set.
687c478bd9Sstevel@tonic-gate# NOTE: removing privileges from the the Limit set requires EXTREME care
697c478bd9Sstevel@tonic-gate# as any set-uid root program may suddenly fail because it lacks certain
707c478bd9Sstevel@tonic-gate# privilege(s).
717c478bd9Sstevel@tonic-gate#
727c478bd9Sstevel@tonic-gate#PRIV_DEFAULT=basic
737c478bd9Sstevel@tonic-gate#PRIV_LIMIT=all
747c478bd9Sstevel@tonic-gate#
757c478bd9Sstevel@tonic-gate# LOCK_AFTER_RETRIES specifies the default account locking policy for local
767c478bd9Sstevel@tonic-gate# user accounts (passwd(4)/shadow(4)).  The default may be overridden by
777c478bd9Sstevel@tonic-gate# a user's user_attr(4) "lock_after_retries" value.
787c478bd9Sstevel@tonic-gate# YES enables local account locking, NO disables local account locking.
797c478bd9Sstevel@tonic-gate# The default value is NO.
807c478bd9Sstevel@tonic-gate#
817c478bd9Sstevel@tonic-gate#LOCK_AFTER_RETRIES=NO
82