xref: /titanic_52/usr/src/lib/libsecdb/policy.conf (revision 7c478bd95313f5f23a4c958a745db2134aa03244)
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# /etc/security/policy.conf
#
# security policy configuration for user attributes. see policy.conf(4)
#
#ident	"%Z%%M%	%I%	%E% SMI"
#
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User

# crypt(3c) Algorithms Configuration
#
# CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to
# be used for new passwords.  This is enforced only in crypt_gensalt(3c).
#
CRYPT_ALGORITHMS_ALLOW=1,2a,md5

# To deprecate use of the traditional unix algorithm, uncomment below
# and change CRYPT_DEFAULT= to another algorithm.  For example,
# CRYPT_DEFAULT=1 for BSD/Linux MD5.
#
#CRYPT_ALGORITHMS_DEPRECATE=__unix__

# The Solaris default is the traditional UNIX algorithm.  This is not
# listed in crypt.conf(4) since it is internal to libc.  The reserved
# name __unix__ is used to refer to it.
#
CRYPT_DEFAULT=__unix__
#
# These settings determine the default privileges users have.  If not set,
# the default privileges are taken from the inherited set.
# There are two different settings; PRIV_DEFAULT determines the default
# set on login; PRIV_LIMIT defines the Limit set on login.
# Individual users can have privileges assigned or taken away through
# user_attr.  Privileges can also be assigned to profiles in which case
# the users with those profiles can use those privileges through pfexec(1m).
# For maximum future compatibility, the specifications should
# always include "basic" or "all"; privileges should then be removed using
# the negation.  E.g., PRIV_LIMIT=all,!sys_linkdir takes away only the
# sys_linkdir privilege, regardless of future additional privileges.
# Similarly, PRIV_DEFAULT=basic,!file_link_any takes away only the
# file_link_any privilege from the basic privilege set; only that notation
# is immune from a future addition of currently unprivileged operations to
# the basic privilege set.
# NOTE: removing privileges from the Limit set requires EXTREME care
# as any set-uid root program may suddenly fail because it lacks certain
# privilege(s).
#
#PRIV_DEFAULT=basic
#PRIV_LIMIT=all
#
# LOCK_AFTER_RETRIES specifies the default account locking policy for local
# user accounts (passwd(4)/shadow(4)).  The default may be overridden by
# a user's user_attr(4) "lock_after_retries" value.
# YES enables local account locking, NO disables local account locking.
# The default value is NO.
#
#LOCK_AFTER_RETRIES=NO

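The two policy mechanisms the comments above describe, the crypt(3c) algorithm keys and the PRIV_DEFAULT/PRIV_LIMIT set notation, are modelled below in an added Python example. It is not illumos/Solaris code: the privilege universe (ALL_PRIVS, BASIC_PRIVS) is a constructed subset used only for illustration, the sample policy text is constructed, and the crypt_gensalt(3c) selection rule (keep the account's current algorithm unless it is deprecated or not allowed, otherwise use CRYPT_DEFAULT) is an assumption drawn from the comments, not a transcription of libc. What it shows is why the comments insist on "basic,!priv" rather than an enumerated list: when a privilege is later added to the basic set, the negated form still removes only the one named privilege, while an enumerated list silently misses the new one.

```python
"""Model of the /etc/security/policy.conf semantics described in the file's
comments.  Added example, not illumos/Solaris code; see the assumptions
marked below."""
from typing import Dict, FrozenSet

# Constructed subset of the privilege universe, for illustration only.  The
# real sets are larger and defined by the kernel, not by this file.
ALL_PRIVS = frozenset({
    "file_link_any", "proc_exec", "proc_fork", "proc_info", "proc_session",
    "sys_linkdir", "net_privaddr", "proc_owner",
})
BASIC_PRIVS = frozenset({
    "file_link_any", "proc_exec", "proc_fork", "proc_info", "proc_session",
})

# Constructed policy.conf fragment.  The shipped defaults leave PRIV_* and
# CRYPT_ALGORITHMS_DEPRECATE commented out; here they are set so the logic
# has something to act on.
SAMPLE_POLICY = """\
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=1
PRIV_DEFAULT=basic,!file_link_any
PRIV_LIMIT=all,!sys_linkdir
LOCK_AFTER_RETRIES=NO
"""


def parse_policy(text: str) -> Dict[str, str]:
    """KEY=VALUE lines; '#' starts a comment; blank or malformed lines ignored."""
    policy: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        policy[key.strip()] = value.strip()
    return policy


def resolve_priv_set(spec: str,
                     all_privs: FrozenSet[str] = ALL_PRIVS,
                     basic_privs: FrozenSet[str] = BASIC_PRIVS) -> FrozenSet[str]:
    """Expand a specification such as "basic,!file_link_any" left to right.

    "all" and "basic" add a named set, a bare name adds one privilege, and
    "!name" removes.  Unknown names raise so a typo cannot silently widen or
    narrow the resulting set.
    """
    result = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        negate = token.startswith("!")
        name = token[1:] if negate else token
        if name == "all":
            members = set(all_privs)
        elif name == "basic":
            members = set(basic_privs)
        elif name in all_privs:
            members = {name}
        else:
            raise ValueError(f"unknown privilege {name!r}")
        if negate:
            result -= members
        else:
            result |= members
    return frozenset(result)


def algorithm_of(pw_hash: str) -> str:
    """crypt(3c) hashes carry a '$id$' prefix; anything else is __unix__."""
    if pw_hash.startswith("$"):
        parts = pw_hash.split("$")
        if len(parts) >= 3 and parts[1]:
            return parts[1]
    return "__unix__"


def select_crypt_algorithm(policy: Dict[str, str], current_hash: str) -> str:
    """Algorithm a crypt_gensalt(3c)-style caller would pick for a new password.

    ASSUMPTION (modelled on the policy.conf comments, not copied from libc):
    keep the account's current algorithm unless it is in
    CRYPT_ALGORITHMS_DEPRECATE or, for '$id$' algorithms, absent from a
    non-empty CRYPT_ALGORITHMS_ALLOW; otherwise use CRYPT_DEFAULT.  __unix__
    is internal to libc and never listed in ALLOW, so only DEPRECATE retires it.
    """
    default = policy.get("CRYPT_DEFAULT", "__unix__")
    allowed = {a for a in policy.get("CRYPT_ALGORITHMS_ALLOW", "").split(",") if a}
    deprecated = {a for a in policy.get("CRYPT_ALGORITHMS_DEPRECATE", "").split(",") if a}
    if not current_hash:
        return default
    current = algorithm_of(current_hash)
    if current in deprecated:
        return default
    if current != "__unix__" and allowed and current not in allowed:
        return default
    return current


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print(sorted(resolve_priv_set(policy["PRIV_DEFAULT"])))
    print(sorted(resolve_priv_set(policy["PRIV_LIMIT"])))
    print(select_crypt_algorithm(policy, "abcdefghijklm"))   # __unix__ hash
```

Running the script with the sample policy prints the basic set minus file_link_any, the full set minus sys_linkdir, and "1" for an account whose current password is a traditional __unix__ hash, since the sample deprecates __unix__ and sets CRYPT_DEFAULT=1.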