man pages section 5: File Formats

Updated: Wednesday, July 27, 2022

policy.conf(5)

Name

policy.conf - configuration file for security policy

Synopsis

/etc/security/policy.conf

Description

The policy.conf file was previously used to provide the security policy configuration for user-level attributes. Each entry consists of a key/value pair in the form:

key=value

The /etc/security/policy.conf file is obsolete. Instead, you can use the svc:/system/security/account-policy:default service to set the corresponding SMF properties.

The following table lists the mapping between the properties in the /etc/security/policy.conf file and the SMF properties:

/etc/security/policy.conf Property     Corresponding SMF Property
AUTHS_GRANTED                          rbac/default_authorizations
CLEARANCE                              login_policy/clearance
CONSOLE_USER                           rbac/console_user_profiles
CRYPT_ALGORITHMS_ALLOW                 password/crypt/algorithms_allow
CRYPT_ALGORITHMS_DEPRECATE             password/crypt/algorithms_deprecate
CRYPT_DEFAULT                          password/crypt/default
LOCK_AFTER_RETRIES=YES|NO              login_policy/lock_after_retries
UNLOCK_AFTER=<n>[m | h | d | w]        login/auto_unlock_time
PAM_POLICY                             login_policy/pam_policy
PRIV_DEFAULT and PRIV_LIMIT            rbac/default_privileges and rbac/default_limit_privileges
PROFS_GRANTED                          rbac/default_profiles
AUTHS_PROFS_GRANTED                    rbac/default_auth_profiles
ANNOTATION=YES|NO|OPTIONAL             login_policy/annotation

For information on managing the SMF properties, see the account-policy(8S) man page.

The following keys are defined:

AUTHS_GRANTED

Specify the default set of authorizations granted to all users. This entry is interpreted by chkauthattr(3C). The value is zero or more comma-separated authorizations defined in auth_attr(5).

CLEARANCE

Specify the default process clearance that is used when starting user sessions or SMF services when no explicit clearance is specified. Explicit user clearances are maintained in user_attr(5) and the default user clearance is maintained by labelcfg(8). If no explicit clearance is associated with the user or role, and the labeled service is not enabled, then the clearance specified here is used. For SMF services the explicit clearance is specified in the method credential. The default value of the CLEARANCE property is ADMIN_HIGH. ADMIN_LOW should be specified for strict enforcement of the clearance policy.

CONSOLE_USER

Specify an additional default set of profiles granted to the console user. This entry is interpreted by chkauthattr(3C) and getexecuser(3C). The value is zero or more comma-separated profiles defined in prof_attr(5).

CRYPT_ALGORITHMS_ALLOW

Specify the algorithms that are allowed for new passwords. This setting is enforced only in crypt_gensalt(3C). The value should be a comma-separated list of numeric codes for algorithms chosen from the list in /etc/security/crypt.conf.

CRYPT_ALGORITHMS_DEPRECATE

Specify the algorithm for new passwords that is to be deprecated. For example, to deprecate use of the traditional UNIX algorithm, specify CRYPT_ALGORITHMS_DEPRECATE=__unix__ and ensure CRYPT_DEFAULT= is set to another algorithm, such as CRYPT_DEFAULT=5 for SHA-256.

Note that only one of CRYPT_ALGORITHMS_ALLOW or CRYPT_ALGORITHMS_DEPRECATE can be specified. Enabling both is an error and results in a syslog message.

CRYPT_DEFAULT

Specify the default algorithm for new passwords. The Oracle Solaris default is the crypt_sha256 algorithm. The value should be a single numeric code for an algorithm chosen from the list in /etc/security/crypt.conf. This is useful when there is no existing password, or if an existing password uses an algorithm which is no longer allowed. The algorithm must be present in the CRYPT_ALGORITHMS_ALLOW list or absent from the CRYPT_ALGORITHMS_DEPRECATE list, whichever is active.

LOCK_AFTER_RETRIES=YES|NO

Specifies whether a local account is locked after the count of failed logins for a user equals or exceeds the allowed number of retries as defined by RETRIES in /etc/default/login. The default value for users is NO. Individual account overrides are provided by user_attr(5).

UNLOCK_AFTER=<n>[m | h | d | w]

Specifies the time after which an account lock for failed logins will be unlocked upon a valid password entry. The time may be specified as a number of minutes (m), hours (h), days (d), or weeks (w). If unspecified, no unlock will occur. The default is unspecified. Individual account overrides are provided by user_attr(5).

PAM_POLICY

Specifies the system-wide PAM policy (see pam_user_policy(7)) for all users who do not have pam_policy set in their user attributes. The value set here can be the filename of a PAM policy file in /etc/security/pam_policy/ or an absolute path to a PAM policy file.

PRIV_DEFAULT and PRIV_LIMIT

Settings for these keys determine the default privileges that users have. (See privileges(7).) If these keys are not set, the default privileges are taken from the inherited set. PRIV_DEFAULT determines the default set on login. PRIV_LIMIT defines the limit set on login. Users can have privileges assigned or taken away through use of user_attr(5). Privileges can also be assigned to profiles, in which case users who have those profiles can exercise the assigned privileges through pfexec(1).

For maximum future compatibility, the privilege specifications should always include basic or all. Privileges should then be removed using negation. See EXAMPLES. By assigning privileges in this way, you avoid a situation where, following an addition of a currently unprivileged operation to the basic privilege set, a user unexpectedly does not have the privileges needed to perform that now-privileged operation.

Removing privileges from the limit set requires extreme care, as any set-uid root program might suddenly fail because it lacks certain privilege(s). Note also that dropping basic privileges from the default privilege set can cause unexpected failure modes in applications.

In the case of PRIV_DEFAULT, it is possible to specify an Extended Policy. See privileges(7).

PROFS_GRANTED

Specifies the default set of unauthenticated profiles (profiles that do not require reauthentication) granted to all users. This entry is interpreted by chkauthattr(3C) and getexecuser(3C). The value is zero or more comma-separated profiles defined in prof_attr(5). If the 'Basic Solaris User' profile is included, it must be the last profile in the list.

AUTHS_PROFS_GRANTED

Specifies the default set of authenticated profiles granted to all users. The commands included in authenticated profiles require user reauthentication prior to execution. The entries in this list take precedence over the PROFS_GRANTED list. This entry is interpreted by chkauthattr(3C) and getexecuser(3C). The value is zero or more comma-separated profiles defined in prof_attr(5).

ANNOTATION=YES|NO|OPTIONAL

Specifies whether a user is prompted for an audit record annotation description. yes requires the user to provide an annotation description when prompted. optional allows the user to specify an annotation description when prompted. no will not prompt the user for an annotation description, and is the default choice. Individual account overrides are provided by user_attr(5).

An audit record annotation description is a text line terminated by a newline returned by the application's PAM conversation function. The annotation text is included in each audit record generated by the user.

The key/value pair must appear on a single line, and the key must start the line. Lines starting with # are taken as comments and ignored. Option name comparisons are case-insensitive.

A value should only be specified in either CRYPT_ALGORITHMS_ALLOW or CRYPT_ALGORITHMS_DEPRECATE. If the same value is specified in both keys, whichever is listed first in the file takes precedence. The algorithm specified for CRYPT_DEFAULT must either be specified for CRYPT_ALGORITHMS_ALLOW or not be specified for CRYPT_ALGORITHMS_DEPRECATE. If CRYPT_DEFAULT is not specified, the default is __unix__.
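The parsing rules above (one key=value per line, # comments, case-insensitive keys) and the consistency rules for CRYPT_DEFAULT, the crypt algorithm lists, PROFS_GRANTED and the PRIV_DEFAULT/PRIV_LIMIT recommendation can be checked before a file is deployed. The following checker is an added example, not part of this man page or of Oracle Solaris; the sample file content is constructed and deliberately violates three of the rules.

```python
import re

# Constructed sample (not from the man page). It deliberately breaks three rules: both
# crypt lists are set, 'Basic Solaris User' is not last, PRIV_DEFAULT skips basic/all.
SAMPLE = """\
# constructed sample policy.conf
AUTHS_GRANTED=solaris.date
PROFS_GRANTED=Basic Solaris User,Printer Management
crypt_default=5
CRYPT_ALGORITHMS_ALLOW=5,6
CRYPT_ALGORITHMS_DEPRECATE=__unix__
PRIV_LIMIT=all,!sys_linkdir
PRIV_DEFAULT=file_link_any,proc_fork
LOCK_AFTER_RETRIES=YES
"""

def parse_policy(text):
    """key=value per line, key must start the line, '#' lines are comments, key names are case-insensitive."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z_]+)=(.*)$", line)
        if m:
            entries.append((m.group(1).upper(), m.group(2).strip()))
    return entries  # ordered list of (KEY, value)

def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def check_policy(text):
    """Return the list of rule violations found in a policy.conf text."""
    conf = dict(parse_policy(text))
    findings = []
    # Only one of the two crypt algorithm lists may be present.
    if "CRYPT_ALGORITHMS_ALLOW" in conf and "CRYPT_ALGORITHMS_DEPRECATE" in conf:
        findings.append("both CRYPT_ALGORITHMS_ALLOW and CRYPT_ALGORITHMS_DEPRECATE are set")
    # CRYPT_DEFAULT (default __unix__) must be in ALLOW when ALLOW is set, and never in DEPRECATE.
    default = conf.get("CRYPT_DEFAULT", "__unix__")
    if default not in _csv(conf.get("CRYPT_ALGORITHMS_ALLOW", default)):
        findings.append(f"CRYPT_DEFAULT={default} is not in CRYPT_ALGORITHMS_ALLOW")
    if default in _csv(conf.get("CRYPT_ALGORITHMS_DEPRECATE", "")):
        findings.append(f"CRYPT_DEFAULT={default} is listed in CRYPT_ALGORITHMS_DEPRECATE")
    # If 'Basic Solaris User' is granted by default it must be the last profile.
    profs = _csv(conf.get("PROFS_GRANTED", ""))
    if "Basic Solaris User" in profs and profs[-1] != "Basic Solaris User":
        findings.append("'Basic Solaris User' must be the last profile in PROFS_GRANTED")
    # Privilege sets should start from basic or all and remove privileges by negation.
    for key in ("PRIV_DEFAULT", "PRIV_LIMIT"):
        if key in conf and (_csv(conf[key]) or [""])[0] not in ("basic", "all"):
            findings.append(f"{key} should start with basic or all and use negation")
    return findings
```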

Examples

Example 1 Defining a Key/Value Pair

AUTHS_GRANTED=solaris.date

Example 2 Specifying Privileges

As noted above, you should specify privileges through negation, specifying all for PRIV_LIMIT and basic for PRIV_DEFAULT, then subtracting privileges, as shown below.

PRIV_LIMIT=all,!sys_linkdir
PRIV_DEFAULT=basic,!file_link_any

The first line, above, takes away only the sys_linkdir privilege. The second line takes away only the file_link_any privilege. These privilege specifications are unaffected by any future addition of privileges that might occur.

Files

/etc/user_attr

Defines extended user attributes.

/etc/security/auth_attr

Defines authorizations.

/etc/security/prof_attr

Defines profiles.

/etc/security/policy.conf

Defines policy for the system.

Attributes

See attributes(7) for descriptions of the following attributes:

ATTRIBUTE TYPE          ATTRIBUTE VALUE
Availability            system/core-os
Interface Stability     Committed

See Also

login(1), pfexec(1), chkauthattr(3C), getexecuser(3C), auth_attr(5), crypt.conf(5), prof_attr(5), user_attr(5), attributes(7), clearance(7), privileges(7), account-policy(8S)

Notes

The console user is defined as the owner of /dev/console.