Go to main content

Securing Users and Processes in Oracle® Solaris 11.4

Exit Print View

Updated: September 2018
 
 

Modifying Login Environment Variables

In this section, you change the default umask value for all users, prevent malicious login attempts by limiting failed logins, and remove the ability of console users to shut down the system. You can limit failed login attempts per system, per user, or through a rights profile. For a discussion of password constraints, see Passwords and Password Policy in Oracle Solaris 11.4 Security and Hardening Guidelines.

This section assumes that you have completed New Feature – Enabling the account-policy Service.

Security attributes that are properties of the config/etc_default_login stencil of the account-policy service include:

$ svcprop -p login/environment account-policy:default
login/environment/path astring
login/environment/root_path astring
login/environment/set_shell boolean
login/environment/timezone astring
login/environment/ulimit integer
login/environment/umask integer

For an example, see How to Set a More Restrictive umask Value for All Logins. See also the account-policy(8S) man page.

How to Set a More Restrictive umask Value for All Logins

In this procedure, you change the default umask value for all users. The umask utility sets the file permission bits of user-created files. If the default umask value, 022, is not restrictive enough, set a more restrictive mask by using this procedure.

Before You Begin

You have completed New Feature – Enabling the account-policy Service. You must become an administrator who is assigned the User Security rights profile. The root role is assigned this profile. For more information, see Using Your Assigned Administrative Rights.

  1. Determine the value that satisfies your site security requirements:
    • umask 026 – Provides moderate file protection

      (751) – r for group, x for others

    • umask 027 – Provides strict file protection

      (750) – r for group, no access for others

    • umask 077 – Provides complete file protection

      (700) – No access for group or others

  2. Set the umask property value in the account-policy SMF stencil.
    1. Find the full name of the umask property.
      $ svcprop account-policy | grep umask
      login/environment/umask integer
    2. Set the new value and refresh the service.
      $ pfbash svccfg -s account-policy
      svc:/.../account-policy> setprop config/etc_default_login/disabled = boolean: false
      svc:/.../account-policy> setprop login/environment/umask = 026
      svc:/.../account-policy> exit
      $ svcadm refresh account-policy

See Also