man pages section 8: System Administration Commands

Updated: Wednesday, July 27, 2022

account-policy(8S)

Name

account-policy - user account policy configuration

Synopsis

svc:/system/account-policy:default

Description

The svc:/system/account-policy:default service provides the security policy configuration for user account attributes, authentication policy, password complexity, and default RBAC settings.

The current implementation uses the smf_stencil mechanism to write the values to the following legacy files. The files are considered obsolete and support for specification of account policy in them may be removed in a future release. At that point, the account-policy SMF service will always be authoritative. For more information, see the smf_stencil(5) man page.

The following properties are defined:

login/environment/hz

Sets the HZ environment variable of the shell.

login/environment/path

Sets the initial shell PATH variable.

login/environment/root_path

Sets the initial shell PATH variable for root.

login/environment/set_shell

Determines if login must set the SHELL environment variable.

login/environment/timezone

Sets the TZ environment variable of the shell. For more information, see the environ(7) man page.

login/environment/ulimit

Sets the file size limit (ulimit) for the login session. Units are disk blocks. The default is zero, which means no limit.

login/environment/umask

Sets the initial shell file creation mode mask. For more information, see the umask(1) man page.

login/log/syslog

Determines whether the syslog(3C) LOG_AUTH facility must be used to log all root logins at level LOG_NOTICE and multiple failed login attempts at LOG_CRIT.

login/log/syslog_failed_attempts

Sets how many failed login attempts are allowed before a failed-login message is logged through the syslog(3C) LOG_NOTICE facility. For example, if the value is 0, every failed login attempt is logged.

login_policy/annotation

Determines if users are required to provide a session annotation at login. Possible values are yes, no, and optional.

login_policy/auto_unlock_time

Specifies the time after which an account lock for failed logins will be unlocked upon a valid password entry. The time may be specified as number of minutes (m), hours (h), days (d), or weeks (w). If unspecified, no unlock will occur. The default is unspecified. Individual account overrides are provided by user_attr(5).

login_policy/clearance

Specifies the default process clearance that is used when starting user sessions or SMF services, when no explicit clearance is specified. Explicit user clearances are maintained in user_attr(5) and the default user clearance is maintained by labelcfg(8). If no explicit clearance is associated with the user or role, and the labeled service is not enabled, then the clearance specified here is used. For SMF services, the explicit clearance is specified in the method credential. The default value of the CLEARANCE property is ADMIN_HIGH. ADMIN_LOW must be specified for strict enforcement of the clearance policy.

login_policy/disabletime

If present and greater than zero, the number of seconds that login waits after either the allowed number of retries has been exhausted or the PAM framework returns PAM_ABORT. The default is 20 seconds. The minimum is 0 seconds; no maximum value is imposed.

login_policy/lock_after_retries

Specifies whether a local account is locked once the count of failed logins for a user equals or exceeds the allowed number of retries defined by login_policy/retries. The default value for users is NO. Individual account overrides are provided by user_attr(5).

login_policy/pam_policy

Specifies the system-wide PAM policy for all users who do not have pam_policy set in their user attributes. The value set here can be the file name of a PAM policy file in /etc/security/pam_policy/ or an absolute path to a PAM policy file. For more information, see the pam_user_policy(7) man page.

login_policy/password_required

Determines if login requires a non-null password.

login_policy/retries

Sets the number of retries for logging in. The default number of retries is 5. The maximum number of retries is 15. For accounts configured with automatic locking, the account is locked and login exits. If automatic locking is not configured, login exits without locking the account. For more information, see the pam(3PAM) man page.
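The interplay of login_policy/retries, login_policy/lock_after_retries, login_policy/auto_unlock_time and login/log/syslog_failed_attempts is easiest to see as a small state machine. The following is an added Python example, not Oracle Solaris code: it models those four properties as described above. The log message text is constructed, and a few details the page leaves open are assumptions noted in the comments (a positive lower bound on retries, the failure count resetting when login exits without locking, and a failure being logged once the count exceeds syslog_failed_attempts).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Suffixes accepted by login_policy/auto_unlock_time, mapped to seconds.
_UNLOCK_UNITS = {"m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_auto_unlock_time(value: Optional[str]) -> Optional[int]:
    """Convert an auto_unlock_time value such as '30m', '2h', '1d' or '1w' to
    seconds. None or '' means the property is unspecified: no unlock ever occurs."""
    if value is None or value.strip() == "":
        return None
    m = re.fullmatch(r"(\d+)([mhdw])", value.strip())
    if m is None:
        raise ValueError(f"malformed auto_unlock_time: {value!r}")
    return int(m.group(1)) * _UNLOCK_UNITS[m.group(2)]


@dataclass
class LoginPolicy:
    retries: int = 5                        # login_policy/retries (default 5, maximum 15)
    lock_after_retries: bool = False        # login_policy/lock_after_retries (default NO)
    auto_unlock_time: Optional[str] = None  # login_policy/auto_unlock_time (default unspecified)
    syslog_failed_attempts: int = 0         # login/log/syslog_failed_attempts (0 logs every failure)

    def __post_init__(self) -> None:
        # The page states the maximum of 15; a lower bound of 1 is assumed here.
        if not 1 <= self.retries <= 15:
            raise ValueError("login_policy/retries must be between 1 and 15")
        parse_auto_unlock_time(self.auto_unlock_time)  # reject a malformed value early


@dataclass
class AccountState:
    failures: int = 0                  # consecutive failed attempts since the last success
    locked_at: Optional[float] = None  # time (seconds) at which the account was locked


def attempt_login(policy: LoginPolicy, acct: AccountState,
                  password_ok: bool, now: float) -> Tuple[str, List[str]]:
    """Apply one login attempt at time `now` and return (outcome, log_messages).
    Outcomes: 'ok', 'retry', 'exit', 'locked', 'still_locked', 'unlocked'.
    Log messages are constructed stand-ins for what login would send to syslog."""
    log: List[str] = []
    unlock_after = parse_auto_unlock_time(policy.auto_unlock_time)

    if acct.locked_at is not None:
        # A locked account is unlocked only by a valid password entered after
        # auto_unlock_time has elapsed; with the property unspecified it stays locked.
        if password_ok and unlock_after is not None and now - acct.locked_at >= unlock_after:
            acct.locked_at = None
            acct.failures = 0
            return "unlocked", log
        return "still_locked", log

    if password_ok:
        acct.failures = 0
        return "ok", log

    acct.failures += 1
    # syslog_failed_attempts is the number of failures tolerated before logging
    # starts (assumed reading); with 0 every failure is logged.
    if acct.failures > policy.syslog_failed_attempts:
        log.append(f"LOG_NOTICE: failed login attempt {acct.failures}")

    if acct.failures >= policy.retries:
        if policy.lock_after_retries:
            acct.locked_at = now
            log.append("LOG_NOTICE: account locked")
            return "locked", log
        # Without automatic locking, login exits without locking the account;
        # the count restarts with the next login (modelling choice).
        acct.failures = 0
        return "exit", log
    return "retry", log
```

Drive it with a sequence of attempts and timestamps to see at which attempt a given policy logs, locks, or exits, and when a valid password is accepted again after an auto_unlock_time of, say, 30m.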

login_policy/root_login_device

If set, root can log in only on that device. Set this property to an empty string to allow root to log in on any hardware device. Note that root login over ssh is controlled by the settings in sshd_config, and also by whether root is configured as a role.

login_policy/sleeptime

If present, sets the number of seconds to wait before the login failure message is printed to the screen. This property applies to any login failure other than PAM_ABORT. Another login attempt is allowed provided that the retry limit has not been reached and the PAM framework has not returned PAM_MAXTRIES. The default is 4 seconds. The minimum is 0 seconds. The maximum value is 5 seconds.

Both su(8) and sulogin(8) are also affected by this value (SLEEPTIME in the legacy /etc/default/login file).

login_policy/timeout

Sets the number of seconds to wait before abandoning a login session. The value can range between 0 and 900.

password/aging_defaults/max_days

Maximum time period in days that a password is valid.

password/aging_defaults/max_weeks

Maximum time period in weeks that a password is valid.

password/aging_defaults/min_days

Minimum time period in days before the password can be changed.

password/aging_defaults/warn_days

Number of days before a password expires that the user is warned of the upcoming expiration.

password/complexity/max_repeats

Maximum number of allowable consecutive repeating characters. If password/complexity/max_repeats is not set or is zero (0), the default is no checks.

password/complexity/min_alpha

Minimum number of alpha characters required. If password/complexity/min_alpha is not set, the default is 2.

password/complexity/min_diff

Minimum differences required between an old and a new password. If password/complexity/min_diff is not set, the default is 3.

password/complexity/min_digit

Minimum number of digits required. If password/complexity/min_digit is not set or is set to zero (0), the default is no checks. You cannot specify password/complexity/min_digit if password/complexity/min_nonalpha is also specified.

password/complexity/min_lower

Minimum number of lowercase letters required. If not set or zero (0), the default is no checks.

password/complexity/min_nonalpha

Minimum number of non-alpha (including numeric and special) required. If password/complexity/min_nonalpha is not set, the default is 1. You cannot specify password/complexity/min_nonalpha if password/complexity/min_digit or password/complexity/min_special is also specified.

password/complexity/min_special

Minimum number of special (non-alpha and non-digit) characters required. If password/complexity/min_special is not set or is zero (0), the default is no checks. You cannot specify password/complexity/min_special if you also specify password/complexity/min_nonalpha.

password/complexity/min_upper

Minimum number of uppercase letters required. If password/complexity/min_upper is not set or is zero (0), the default is no checks.

password/complexity/namecheck

Enables or disables checking of the password against the login name. The default is to check the login name. The value no, matched case-insensitively, disables this feature.

password/complexity/passlength

Minimum length of password, in characters.

password/complexity/whitespace

Determines if white space characters are allowed in passwords.
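To see how the password/complexity/* settings combine on a candidate password, here is an added Python model; it is not the passwd(1) implementation and not code from this page. The mutual exclusion of min_nonalpha with min_digit and min_special, and the defaults for min_alpha, min_diff and min_nonalpha, follow the descriptions above. The default passlength of 8, the "white space allowed" default, the way min_diff counts differences, the namecheck rule used (password contains the login name), the treatment of max_repeats as a maximum run length, and not applying the min_nonalpha default when min_digit or min_special is in use are assumptions, marked in the comments, since the page does not specify them.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ComplexityPolicy:
    """One field per password/complexity/* property. None means 'not set'."""
    passlength: int = 8                  # assumed minimum length; the page gives no default
    min_alpha: Optional[int] = None      # not set: default 2
    min_diff: Optional[int] = None       # not set: default 3
    min_digit: int = 0                   # 0 or not set: no check
    min_lower: int = 0                   # 0 or not set: no check
    min_upper: int = 0                   # 0 or not set: no check
    min_special: int = 0                 # 0 or not set: no check
    min_nonalpha: Optional[int] = None   # not set: default 1 (see effective_min_nonalpha)
    max_repeats: int = 0                 # 0 or not set: no check
    namecheck: bool = True               # default: check the login name
    whitespace: bool = True              # assumed default: white space allowed

    def __post_init__(self) -> None:
        # min_nonalpha may not be specified together with min_digit or min_special.
        if self.min_nonalpha is not None and (self.min_digit or self.min_special):
            raise ValueError("min_nonalpha cannot be combined with min_digit or min_special")

    def effective_min_nonalpha(self) -> int:
        if self.min_nonalpha is not None:
            return self.min_nonalpha
        # Assumed: the default of 1 is not applied when the finer-grained
        # min_digit/min_special counts are in use, since combining them is forbidden.
        return 0 if (self.min_digit or self.min_special) else 1


def longest_run(s: str) -> int:
    """Length of the longest run of identical consecutive characters."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def position_differences(old: str, new: str) -> int:
    """Assumed reading of min_diff: positions where the two strings differ,
    plus any difference in length."""
    common = min(len(old), len(new))
    return sum(1 for i in range(common) if old[i] != new[i]) + abs(len(old) - len(new))


def check_password(policy: ComplexityPolicy, new: str,
                   old: str = "", login: str = "") -> List[str]:
    """Return the rules the candidate password violates (empty list: accepted)."""
    problems: List[str] = []
    alpha = sum(c.isalpha() for c in new)
    digit = sum(c.isdigit() for c in new)
    lower = sum(c.islower() for c in new)
    upper = sum(c.isupper() for c in new)
    special = sum(not c.isalnum() for c in new)   # neither alpha nor digit
    nonalpha = len(new) - alpha

    if len(new) < policy.passlength:
        problems.append(f"passlength: {len(new)} < {policy.passlength}")
    if not policy.whitespace and any(c.isspace() for c in new):
        problems.append("whitespace: white space is not allowed")
    min_alpha = 2 if policy.min_alpha is None else policy.min_alpha
    if alpha < min_alpha:
        problems.append(f"min_alpha: {alpha} < {min_alpha}")
    for name, count, minimum in (("min_digit", digit, policy.min_digit),
                                 ("min_lower", lower, policy.min_lower),
                                 ("min_upper", upper, policy.min_upper),
                                 ("min_special", special, policy.min_special),
                                 ("min_nonalpha", nonalpha, policy.effective_min_nonalpha())):
        if minimum and count < minimum:
            problems.append(f"{name}: {count} < {minimum}")
    if policy.max_repeats and longest_run(new) > policy.max_repeats:
        problems.append(f"max_repeats: run of {longest_run(new)} > {policy.max_repeats}")
    if policy.namecheck and login and login.lower() in new.lower():
        problems.append("namecheck: password contains the login name")
    min_diff = 3 if policy.min_diff is None else policy.min_diff
    if old and position_differences(old, new) < min_diff:
        problems.append(f"min_diff: {position_differences(old, new)} < {min_diff}")
    return problems
```

Construct a ComplexityPolicy with the values you intend to set through svccfg and run a few representative passwords through check_password; the returned list names each violated property, which makes it straightforward to see which settings a policy actually enforces before it is committed.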

password/crypt/algorithms_allow

Specifies the algorithms that are allowed for new passwords. This is enforced only in crypt_gensalt(3C).

password/crypt/algorithms_deprecate

Specifies the algorithms for new passwords that are to be deprecated. For example, to deprecate use of the traditional UNIX algorithm, set password/crypt/algorithms_deprecate=__unix__ and change password/crypt/default to another algorithm, such as password/crypt/default=6 for SHA512.

password/crypt/default

Specifies the default algorithm for new passwords. The Oracle Solaris default is 5 which is the crypt_sha256 algorithm.

A value must only be specified in either password/crypt/algorithms_allow or password/crypt/algorithms_deprecate. If the same value is specified in both keys, whichever is listed first in the file takes precedence. The algorithm specified for password/crypt/default must either be specified for password/crypt/algorithms_allow or not be specified for password/crypt/algorithms_deprecate. If password/crypt/default is not specified, the default is __unix__.
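The consistency rules in the preceding paragraph can be checked mechanically before a policy is committed. This is an added Python example, not part of the page or of Oracle Solaris; check_crypt_policy encodes exactly the rules stated above (a value in both keys, and the constraint on password/crypt/default, with an unspecified default meaning __unix__). The algorithm identifiers 5, 6 and __unix__ are those named above. algorithm_permitted_for_new_passwords encodes an assumed evaluation order, an allow-list when algorithms_allow is non-empty and otherwise everything not deprecated, which the page does not spell out.

```python
from typing import List, Optional


def _split(value: Optional[str]) -> List[str]:
    """Split a comma-separated property value, dropping blanks."""
    if not value:
        return []
    return [v.strip() for v in value.split(",") if v.strip()]


def check_crypt_policy(algorithms_allow: Optional[str],
                       algorithms_deprecate: Optional[str],
                       default: Optional[str]) -> List[str]:
    """Return the consistency problems of a password/crypt/* configuration,
    following the rules in the property descriptions (empty list: consistent)."""
    allow = _split(algorithms_allow)
    deprecate = _split(algorithms_deprecate)
    default = default or "__unix__"   # password/crypt/default unspecified means __unix__
    problems: List[str] = []

    # A value must only be specified in one of algorithms_allow / algorithms_deprecate.
    for alg in allow:
        if alg in deprecate:
            problems.append(f"{alg}: listed in both algorithms_allow and algorithms_deprecate")

    # The default must be in algorithms_allow, or else must not be in algorithms_deprecate.
    if default not in allow and default in deprecate:
        problems.append(f"default {default}: deprecated and not in algorithms_allow")
    return problems


def algorithm_permitted_for_new_passwords(alg: str,
                                          algorithms_allow: Optional[str],
                                          algorithms_deprecate: Optional[str]) -> bool:
    """Assumed evaluation order (not stated on the page): a non-empty
    algorithms_allow acts as an allow-list; otherwise any algorithm that is
    not deprecated may be used for a new password."""
    allow = _split(algorithms_allow)
    if allow:
        return alg in allow
    return alg not in _split(algorithms_deprecate)
```

The first call below reproduces the configuration suggested under password/crypt/algorithms_deprecate: deprecate __unix__ and move the default to 6. The second shows the mistake that rule is there to catch: deprecating __unix__ while leaving password/crypt/default unspecified, which still means __unix__.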

password/dictionary/db_dir

The directory where the generated dictionary databases reside. Defaults to /var/passwd.

If neither password/dictionary/word_list (legacy DICTIONLIST) nor password/dictionary/db_dir (legacy DICTIONDBDIR) is specified, the system does not perform a dictionary check.

password/dictionary/min_word_length

password/dictionary/min_word_length can contain a number specifying the minimum word length for the source files in password/dictionary/word_list. Words shorter than the specified length will be omitted from the password dictionary.

The minimum number of letters allowed is 2. The default value is 3.

password/dictionary/word_list

password/dictionary/word_list can contain a list of comma-separated dictionary files, such as password/dictionary/word_list=file1,file2,file3. Each dictionary file contains multiple lines, and each line consists of a word followed by a NEWLINE character. Full path names must be specified. The words from these files are merged into a database that is used to determine whether a password is based on a dictionary word.

A spell-checking dictionary (similar to /usr/share/lib/dict/words) can be listed in password/dictionary/word_list but needs to be pre-processed first. See password/dictionary/min_word_length above for an easy way.

If neither password/dictionary/word_list nor password/dictionary/db_dir is specified, the system does not perform a dictionary check.

For more information about how to pre-build the dictionary database, see the mkpwdict(8) man page.

password/history

Maximum number of prior passwords kept in the history for each user. Setting password/history to zero (0), or removing the property, causes the prior password history of all users to be discarded at the next password change by any user. The default is not to define password/history. The maximum value is 26. Currently, this functionality is enforced only for user accounts defined in the files name service. For more information, see the passwd(5) and shadow(5) man pages.

rbac/console_user_profiles

Specifies an additional default set of profiles granted to the console user. This entry is interpreted by chkauthattr(3C) and getexecuser(3C). The value is zero or more comma-separated profiles defined in prof_attr(5).

rbac/default_auth_profiles

Specifies the default set of authenticated profiles granted to all users. The commands included in authenticated profiles require user re-authentication prior to execution. The entries in this list take precedence over the rbac/default_profiles list. This entry is interpreted by chkauthattr(3C) and getexecuser(3C). The value is zero or more comma-separated profiles defined in prof_attr(5).

rbac/default_authorizations

Specifies the default set of authorizations granted to all users. This entry is interpreted by chkauthattr(3C). The value is zero or more comma-separated authorizations defined in auth_attr(5).

rbac/default_privileges and
rbac/default_limit_privileges

Settings for these keys determine the default privileges that users have. If these keys are not set, the default privileges are taken from the inherited set. rbac/default_privileges determines the default set on login. rbac/default_limit_privileges defines the limit set on login. Users can have privileges assigned or taken away through user_attr(5). Privileges can also be assigned to profiles, in which case users who have those profiles can exercise the assigned privileges through the pfexec command.

For maximum future compatibility, the privilege specifications should always include basic or all, and privileges should then be removed using negation; see the Examples section. By assigning privileges this way, you avoid a situation where, following the addition of a currently unprivileged operation to the basic privilege set, a user unexpectedly lacks the privilege needed to perform that now-privileged operation.

Removing privileges from the limit set requires extreme care, as any set-uid root program might suddenly fail because it lacks a privilege. Note that dropping basic privileges from the default privilege set can also cause unexpected failure modes in applications.

In the case of rbac/default_privileges, it is possible to specify an Extended Policy. For more information, see the privileges(7) man page.

rbac/default_profiles

Specifies the default set of unauthenticated profiles granted to all users; commands in these profiles do not require re-authentication. This entry is interpreted by chkauthattr(3C) and getexecuser(3C). The value is zero or more comma-separated profiles defined in prof_attr(5). If the 'Basic Solaris User' profile is included, it must be the last profile in the list.

su/environment/path

Sets the initial shell PATH variable when the su command is used to become a non-root user.

su/environment/root_path

Sets the initial shell PATH variable when the su command is used to become the root user.

Examples

Example 1 Enabling a password policy

% svccfg -s account-policy
svc:/.../account-policy> setprop password/history = 5
svc:/.../account-policy> setprop password/complexity/min_special = 1
svc:/.../account-policy> refresh

Example 2 Specifying Privileges

As noted above, you must specify privileges through negation: specify all for rbac/default_limit_privileges and basic for rbac/default_privileges, then subtract privileges, as shown below.

setprop rbac/default_limit_privileges astring: = "all,!sys_linkdir"
setprop rbac/default_privileges astring: = "basic,!file_link_any"

The first line above takes away only the sys_linkdir privilege. The second line takes away only the file_link_any privilege. These privilege specifications are unaffected by any future addition of privileges that might occur.
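The future-compatibility argument made for rbac/default_privileges and rbac/default_limit_privileges, and the two setprop lines in Example 2, can be made concrete by evaluating the specifications. The following added Python example is not Oracle Solaris code and not the privileges(7) parser. The privilege table is a constructed subset used only for illustration (the authoritative names and the membership of the basic set are in privileges(7)); sys_linkdir and file_link_any are the two privileges named in Example 2, and proc_example_new is a made-up name standing for a privilege added to the basic set in a future release. Extended Policy syntax is not modelled.

```python
from typing import Dict, Set

# Constructed subset of privilege names for illustration only; see privileges(7)
# for the real list and for which privileges make up the basic set.
BASIC_PRIVS: Set[str] = {"file_link_any", "file_read", "file_write", "net_access",
                         "proc_exec", "proc_fork", "proc_info", "proc_session"}
ALL_PRIVS: Set[str] = BASIC_PRIVS | {"sys_linkdir", "sys_mount", "proc_setid", "net_privaddr"}


def resolve_privilege_spec(spec: str, basic: Set[str], all_privs: Set[str]) -> Set[str]:
    """Evaluate a comma-separated privilege specification left to right:
    'all' and 'basic' expand to their sets, a bare name adds one privilege,
    and a leading '!' removes the named privilege or set. Unknown names are rejected."""
    result: Set[str] = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        negate = token.startswith("!")
        name = token[1:] if negate else token
        if name == "all":
            members = set(all_privs)
        elif name == "basic":
            members = set(basic)
        elif name in all_privs:
            members = {name}
        else:
            raise ValueError(f"unknown privilege: {name}")
        if negate:
            result -= members
        else:
            result |= members
    return result


def compare_after_basic_grows(spec: str, new_basic_priv: str) -> Dict[str, Set[str]]:
    """Re-evaluate `spec` before and after a (constructed) privilege is added to
    the basic set, to show which specifications follow such a change."""
    before = resolve_privilege_spec(spec, BASIC_PRIVS, ALL_PRIVS)
    grown_basic = BASIC_PRIVS | {new_basic_priv}
    grown_all = ALL_PRIVS | {new_basic_priv}
    after = resolve_privilege_spec(spec, grown_basic, grown_all)
    return {"before": before, "after": after, "gained": after - before}
```

Evaluating "basic,!file_link_any" against the table yields the basic set minus file_link_any, and "all,!sys_linkdir" yields everything but sys_linkdir, matching the description of Example 2. compare_after_basic_grows shows the point of the negation style: when a new privilege joins the basic set, "basic,!file_link_any" gains it automatically, while an explicit enumeration of the same eight privileges gains nothing and leaves the user without the now-required privilege.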

Files

To make a given file the master copy of its configuration once stenciling has been enabled (that is, to stop the stencil from overwriting it), disable the stencil for that file; for example, for /etc/default/login:

# svccfg -s svc:/system/account-policy:default \
     setprop config/etc_default_login/disabled = boolean: true

/etc/default/login

Settings read by the login and su commands

/etc/default/passwd

Defines some parts of password policy

/etc/default/su

Settings specific to the su command

/etc/security/policy.conf

Defines RBAC, password hashing, and other account policies

Attributes

See attributes(7) for descriptions of the following attributes:

ATTRIBUTE TYPE         ATTRIBUTE VALUE
Interface Stability    Committed
Availability           system/core-os

See Also

login(1), pfexec(1), chkauthattr(3C), getexecuser(3C), auth_attr(5), crypt.conf(5), prof_attr(5), user_attr(5), attributes(7), clearance(7), privileges(7), rbac(7)

Notes

The console user is defined as the owner of /dev/console.

History

The account-policy service was added in Oracle Solaris 11.4.0.