account-policy - user account policy configuration
The svc:/system/account-policy:default service provides the security policy configuration for user account attributes, authentication policy, password complexity, and default RBAC settings.
The current implementation uses the smf_stencil mechanism to write the values to the following legacy files. The files are considered obsolete and support for specification of account policy in them may be removed in a future release. At that point, the account-policy SMF service will always be authoritative. For more information, see the smf_stencil(5) man page.
The following properties are defined:
Sets the HZ environment variable of the shell.
Sets the initial shell PATH variable.
Sets the initial shell PATH variable for root.
Determines if login must set the SHELL environment variable.
Sets the TZ environment variable of the shell. For more information, see the environ(7) man page.
Sets the file size limit for the login. Units are disk blocks. The default is zero, which implies no limit.
Sets the initial shell file creation mode mask. For more information, see the umask(1) man page.
Determines whether the syslog(3C) LOG_AUTH facility must be used to log all root logins at level LOG_NOTICE and multiple failed login attempts at LOG_CRIT.
Used to determine how many failed login attempts are allowed by the system, before a failed login message is logged, using the syslog(3C) LOG_NOTICE facility. For example, if the variable is set to 0, login logs show all failed login attempts.
Determines if users are required to provide a session annotation at login. Possible values are yes, no, and optional.
Specifies the time after which an account lock for failed logins will be unlocked upon a valid password entry. The time may be specified as number of minutes (m), hours (h), days (d), or weeks (w). If unspecified, no unlock will occur. The default is unspecified. Individual account overrides are provided by user_attr(5).
Specifies the default process clearance that is used when starting user sessions or SMF services, when no explicit clearance is specified. Explicit user clearances are maintained in user_attr(5) and the default user clearance is maintained by labelcfg(8). If no explicit clearance is associated with the user or role, and the labeled service is not enabled, then the clearance specified here is used. For SMF services, the explicit clearance is specified in the method credential. The default value of the CLEARANCE property is ADMIN_HIGH. ADMIN_LOW must be specified for strict enforcement of the clearance policy.
If present and greater than zero, the number of seconds that login waits either after the allowed retries have failed or after the PAM framework returns PAM_ABORT. Default is 20 seconds. Minimum is 0 seconds. No maximum value is imposed.
Specifies whether a local account is locked after the count of failed logins for a user equals or exceeds the allowed number of retries as defined by login_policy/retries. The default value for users is NO. Individual account overrides are provided by user_attr(5).
Specifies the system-wide PAM policy for all users who do not have pam_policy set in their user attributes. The value set here can be the file name of a PAM policy file in /etc/security/pam_policy/ or an absolute path to a PAM policy file. For more information, see the pam_user_policy(7) man page.
Determines if login requires a non-null password.
Sets the number of retries for logging in. The default number of retries is 5. The maximum number of retries is 15. For accounts configured with automatic locking, the account is locked and login exits. If automatic locking is not configured, login exits without locking the account. For more information, see the pam(3PAM) man page.
If set, root can log in on that device. Set this property to an empty string to allow root to log in on any other hardware device. Note that root login using ssh is controlled by the settings in sshd_config, and by whether root is configured as a role.
If present, sets the number of seconds to wait before the login failure message is printed to the screen. This property applies to any login failure other than PAM_ABORT. Another login attempt is allowed, provided that the retry limit has not been reached or the PAM framework returns PAM_MAXTRIES. Default is 4 seconds. Minimum is 0 seconds. Maximum value is 5 seconds.
Sets the number of seconds to wait before abandoning a login session. The value can range between 0 and 900.
Maximum time period in days that a password is valid.
Maximum time period in weeks that a password is valid.
Minimum time period in days before the password can be changed.
Time period, in days, before a password's expiration date at which the user is warned of the ensuing expiration.
Maximum number of allowable consecutive repeating characters. If password/complexity/max_repeats is not set or is zero (0), the default is no checks.
Minimum number of alpha characters required. If password/complexity/min_alpha is not set, the default is 2.
Minimum differences required between an old and a new password. If password/complexity/min_diff is not set, the default is 3.
Minimum number of digits required. If password/complexity/min_digit is not set or is set to zero (0), the default is no checks. You cannot specify password/complexity/min_digit if password/complexity/min_nonalpha is also specified.
Minimum number of lowercase letters required. If not set or zero (0), the default is no checks.
Minimum number of non-alpha (including numeric and special) required. If password/complexity/min_nonalpha is not set, the default is 1. You cannot specify password/complexity/min_nonalpha if password/complexity/min_digit or password/complexity/min_special is also specified.
Minimum number of special (non-alpha and non-digit) characters required. If password/complexity/min_special is not set or is zero (0), the default is no checks. You cannot specify password/complexity/min_special if you also specify password/complexity/min_nonalpha.
Minimum number of uppercase letters required. If password/complexity/min_upper is not set or is zero (0), the default is no checks.
Enables or disables checking of the login name. The default is to check the login name. A case-insensitive value of no disables this feature.
Minimum length of password, in characters.
Determines if white space characters are allowed in passwords.
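The complexity settings above interact: several default to "no check" when unset, two default to non-zero values, and password/complexity/min_nonalpha is mutually exclusive with password/complexity/min_digit and password/complexity/min_special. The following checker, added here as an example and not part of Oracle Solaris, models those documented semantics in plain Python. The class and function names are ours; the assumption that the min_nonalpha default does not apply once min_digit or min_special is set, and the way the login-name check is performed, are ours as well.

```python
"""Checker for the password/complexity rules described above.
Added example, not Oracle Solaris code: it models the documented
semantics in plain Python; the class and function names are ours."""
from dataclasses import dataclass
from typing import List, Optional
import re


@dataclass
class ComplexityPolicy:
    """Each field mirrors one password/complexity/* setting. None means the
    administrator did not set the property, so the documented default applies."""
    min_length: int = 8                 # minimum length in characters
    min_alpha: Optional[int] = None     # default 2 when unset
    min_nonalpha: Optional[int] = None  # default 1 when unset
    min_digit: Optional[int] = None     # unset or 0: no check
    min_special: Optional[int] = None   # unset or 0: no check
    min_upper: Optional[int] = None     # unset or 0: no check
    min_lower: Optional[int] = None     # unset or 0: no check
    max_repeats: Optional[int] = None   # unset or 0: no check
    min_diff: Optional[int] = None      # default 3 when unset
    namecheck: bool = True              # default is to check the login name
    allow_whitespace: bool = False

    def effective(self) -> dict:
        """Resolve defaults and reject the combinations the page forbids."""
        if self.min_nonalpha is not None and (
                self.min_digit is not None or self.min_special is not None):
            raise ValueError("min_nonalpha cannot be combined with min_digit or min_special")
        # Assumption: once min_digit or min_special is set, the min_nonalpha
        # default of 1 is not applied, because the two forms are exclusive.
        nonalpha = self.min_nonalpha
        if nonalpha is None and self.min_digit is None and self.min_special is None:
            nonalpha = 1
        return {
            "min_length": self.min_length,
            "min_alpha": 2 if self.min_alpha is None else self.min_alpha,
            "min_nonalpha": nonalpha or 0,
            "min_digit": self.min_digit or 0,
            "min_special": self.min_special or 0,
            "min_upper": self.min_upper or 0,
            "min_lower": self.min_lower or 0,
            "max_repeats": self.max_repeats or 0,
            "min_diff": 3 if self.min_diff is None else self.min_diff,
        }


def longest_run(s: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    for i, ch in enumerate(s):
        run = run + 1 if i and s[i - 1] == ch else 1
        best = max(best, run)
    return best


def char_diff(old: str, new: str) -> int:
    """Positional differences between old and new passwords; extra length counts."""
    return sum(1 for a, b in zip(old, new) if a != b) + abs(len(old) - len(new))


def check_password(new: str, policy: ComplexityPolicy, login: str,
                   old: Optional[str] = None) -> List[str]:
    """Return the names of the violated rules; an empty list means acceptable."""
    p = policy.effective()
    violations = []
    if len(new) < p["min_length"]:
        violations.append("min_length")
    if not policy.allow_whitespace and re.search(r"\s", new):
        violations.append("whitespace")
    # Assumption: the login-name check fails a password containing the login
    # name, case-insensitively, forwards or reversed.
    if policy.namecheck and login:
        lo, lg = new.lower(), login.lower()
        if lg in lo or lg[::-1] in lo:
            violations.append("namecheck")
    if sum(c.isalpha() for c in new) < p["min_alpha"]:
        violations.append("min_alpha")
    if sum(not c.isalpha() for c in new) < p["min_nonalpha"]:
        violations.append("min_nonalpha")
    if sum(c.isdigit() for c in new) < p["min_digit"]:
        violations.append("min_digit")
    if sum(not c.isalnum() for c in new) < p["min_special"]:  # non-alpha, non-digit
        violations.append("min_special")
    if sum(c.isupper() for c in new) < p["min_upper"]:
        violations.append("min_upper")
    if sum(c.islower() for c in new) < p["min_lower"]:
        violations.append("min_lower")
    if p["max_repeats"] and longest_run(new) > p["max_repeats"]:
        violations.append("max_repeats")
    if old is not None and char_diff(old, new) < p["min_diff"]:
        violations.append("min_diff")
    return violations
```

With an all-defaults policy, `check_password("abcdefgh", ComplexityPolicy(), "bob")` reports only `min_nonalpha`, because min_alpha (2) and min_nonalpha (1) are the two checks that are active without any explicit setting; constructing `ComplexityPolicy(min_nonalpha=2, min_digit=1)` and calling `effective()` raises, mirroring the documented restriction.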
Specifies the algorithms that are allowed for new passwords, and is enforced only in crypt_gensalt(3C).
Specifies the algorithms for new passwords that are to be deprecated. For example, to deprecate use of the traditional UNIX algorithm, set password/crypt/algorithms_deprecate=__unix__ and change password/crypt/default= to another algorithm, such as password/crypt/default=6 for SHA512.
Specifies the default algorithm for new passwords. The Oracle Solaris default is 5 which is the crypt_sha256 algorithm.
A value must only be specified in either password/crypt/algorithms_allow or password/crypt/algorithms_deprecate. If the same value is specified in both keys, whichever is listed first in the file takes precedence. The algorithm specified for password/crypt/default must either be specified for password/crypt/algorithms_allow or not be specified for password/crypt/algorithms_deprecate. If password/crypt/default is not specified, the default is __unix__.
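The three password/crypt settings must agree with one another, and the rules above are easy to get wrong when editing them separately. The following function, added here as an example and not Oracle Solaris code, applies the page's consistency rules to the three property values and returns the predicate that decides which algorithms remain usable for new passwords. The function and argument names are ours, and the allow-list-wins-over-deprecate-list behaviour of `is_allowed` is our reading of the two settings.

```python
"""Consistency check for the password/crypt/* settings described above.
Added example, not Oracle Solaris code: the rules are the page's, the
function and its argument names are ours."""


def _split(value):
    """Split a comma-separated property value; None or "" yields an empty list."""
    return [a.strip() for a in (value or "").split(",") if a.strip()]


def resolve_crypt_policy(algorithms_allow=None, algorithms_deprecate=None, default=None):
    """Validate the settings and return (default_algorithm, is_allowed).

    Arguments are the comma-separated values of password/crypt/algorithms_allow,
    password/crypt/algorithms_deprecate and password/crypt/default (None = unset).
    is_allowed(alg) answers whether alg may be used for a new password: with a
    non-empty allow list only listed algorithms pass; otherwise everything that
    is not deprecated passes."""
    allow, deprecate = _split(algorithms_allow), _split(algorithms_deprecate)
    # Documented fallback: an unset default means the traditional __unix__
    # algorithm. (The value shipped with Oracle Solaris is 5, crypt_sha256.)
    default = (default or "__unix__").strip()

    in_both = set(allow) & set(deprecate)
    if in_both:
        # The page requires each value to appear in only one of the two lists.
        raise ValueError(f"listed in both allow and deprecate: {sorted(in_both)}")
    # The default must be allowed, or at least not deprecated.
    if default not in allow and default in deprecate:
        raise ValueError(f"default algorithm {default!r} is deprecated and not allowed")

    def is_allowed(alg: str) -> bool:
        return alg in allow if allow else alg not in deprecate

    return default, is_allowed
```

The example from the previous paragraph, `resolve_crypt_policy(None, "__unix__", "6")`, yields default `6` with `__unix__` rejected for new passwords, while setting password/crypt/default to a deprecated algorithm that the allow list does not name is refused.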
The directory where the generated dictionary databases reside. Defaults to /var/passwd.
If neither DICTIONLIST nor DICTIONDBDIR is specified, the system does not perform a dictionary check.
password/dictionary/min_word_length can contain a number specifying the minimum word length for the source files in password/dictionary/word_list. Words shorter than the specified length will be omitted from the password dictionary.
The minimum number of letters allowed is 2. The default value is 3.
password/dictionary/word_list can contain a list of comma-separated dictionary files, such as password/dictionary/word_list=file1, file2, file3. Each dictionary file contains multiple lines and each line consists of a word and a NEWLINE character. Full path names must be specified. The words from these files are merged into a database that is used to determine whether a password is based on a dictionary word.
Spell-checking dictionaries (similar to /usr/share/lib/dict/words) can be listed in password/dictionary/word_list but must be pre-processed first. See password/dictionary/min_word_length above for an easy way.
If neither password/dictionary/word_list nor password/dictionary/db_dir is specified, the system does not perform a dictionary check.
For more information about how to pre-build the dictionary database, see the mkpwdict(8) man page.
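The following block, added here as an example and not the mkpwdict(8) implementation, shows the two steps the preceding paragraphs describe: merging several word lists into one dictionary while dropping words shorter than password/dictionary/min_word_length (and refusing a length below the documented minimum of 2), then testing whether a candidate password is based on a dictionary word. The file paths and word lists are constructed stand-ins, and the matching rule is our own approximation of "based on a dictionary word".

```python
"""Dictionary check modelled on the password/dictionary/* settings above.
Added example, not the mkpwdict(8) implementation: the word lists are
constructed inline and the matching rule is our own approximation."""
import re

# Constructed stand-ins for the files named in password/dictionary/word_list
# (hypothetical paths, contents chosen to exercise the length filter).
WORD_LISTS = {
    "/tmp/example/words.txt": "apple\nOrchard\nno\npassword\nsummer\n",
    "/tmp/example/extra.txt": "to\nsolaris\npassword\n",
}


def build_dictionary(word_lists: dict, min_word_length: int = 3) -> frozenset:
    """Merge the word lists into one dictionary, omitting words shorter than
    min_word_length as the page describes. The default of 3 and the floor of 2
    are the documented values."""
    if min_word_length < 2:
        raise ValueError("password/dictionary/min_word_length must be at least 2")
    words = set()
    for content in word_lists.values():
        for line in content.splitlines():
            word = line.strip().lower()
            if len(word) >= min_word_length:
                words.add(word)
    return frozenset(words)


def based_on_dictionary_word(password: str, dictionary: frozenset) -> bool:
    """Assumption: a password is 'based on' a dictionary word if, after
    lowercasing and stripping leading/trailing digits and punctuation, it
    equals a dictionary word forwards or reversed. The real check may differ."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return bool(core) and (core in dictionary or core[::-1] in dictionary)
```

With the default minimum word length, `no` and `to` are filtered out and the duplicate `password` is merged, leaving five words; `Password123` and the reversed `drowssap!` are both flagged.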
Maximum number of prior passwords kept in the history for a user. Setting the password/history value to zero (0), or removing the flag, causes the prior password history of all users to be discarded at the next password change by any user. The default is not to define the password/history flag. The maximum value is 26. Currently, this functionality is enforced only for user accounts defined in the files name service. For more information, see the passwd(5) and shadow(5) man pages.
Specifies an additional default set of profiles granted to the console user. This entry is interpreted by chkauthattr(3C) and getexecuser(3C). The value is zero or more comma-separated profiles defined in prof_attr(5).
Specifies the default set of authenticated profiles granted to all users. The commands included in authenticated profiles require user re-authentication prior to execution. The entries in this list take precedence over the rbac/default_profiles list. This entry is interpreted by chkauthattr(3C) and getexecuser(3C). The value is zero or more comma-separated profiles defined in prof_attr(5).
Settings for these keys determine the default privileges that users have. If these keys are not set, the default privileges are taken from the inherited set. rbac/default_privileges determines the default set on login. rbac/default_limit_privileges defines the limit set on login. Users can have privileges assigned or taken away through use of user_attr. Privileges can be assigned to profiles, in which case users who have those profiles can exercise the assigned privileges through the pfexec command.
For maximum future compatibility, the privilege specifications should always include basic or all. Privileges should then be removed using negation. See the examples mentioned in the man page. By assigning privileges this way, you avoid a situation where, following an addition of a currently unprivileged operation to the basic privilege set, a user unexpectedly does not have the privileges that are needed to perform that now-privileged operation.
Removing privileges from the limit set requires extreme care, as any set-uid root program might suddenly fail because it lacks certain privilege(s). Note that dropping basic privileges from the default privilege set can cause unexpected failure modes in applications.
In the case of rbac/default_privileges, it is possible to specify an Extended Policy. For more information, see the privileges(7) man page.
Specifies the default set of unauthenticated profiles granted to all users; the commands in these profiles do not require re-authentication. This entry is interpreted by chkauthattr(3C) and getexecuser(3C). The value is zero or more comma-separated profiles defined in prof_attr(5). If the 'Basic Solaris User' profile is included, it must be the last profile in the list.
Sets the initial shell PATH variable when using the su command to a non-root user.
Sets the initial shell PATH variable for su command to the root user.
% svccfg -s account-policy
svc:/.../account-policy> setprop password/history = 5
svc:/.../account-policy> setprop password/complexity/min_special = 1
svc:/.../account-policy> refresh

Example 2 Specifying Privileges
As noted above, you must specify privileges through negation, specifying all for rbac/default_limit_privileges and basic for rbac/default_privileges, then subtracting privileges, as shown below.
setprop rbac/default_limit_privileges astring: = "all,!sys_linkdir"
setprop rbac/default_privileges astring: = "basic,!file_link_any"
The first line above takes away only the sys_linkdir privilege. The second line takes away only the file_link_any privilege. These privilege specifications are unaffected by any future addition of privileges that might occur.
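The reason the negation form is robust to future additions, as the paragraphs on rbac/default_privileges and this example describe, is that basic and all are resolved at login time against the sets the running system defines. The following block, added here as an example and not Oracle Solaris code, expands specifications such as "basic,!file_link_any" against constructed subsets of the privilege sets and shows that a privilege newly added to the basic set (here the constructed name proc_newbasic) is picked up by the negation form but missed by an explicit enumeration. The privilege sets, the left-to-right token order and the rule that only individual privileges are negated are our assumptions; Extended Policy is not modeled.

```python
"""Privilege-specification expansion for rbac/default_privileges and
rbac/default_limit_privileges. Added example, not Oracle Solaris code:
the privilege sets are a constructed subset and Extended Policy is not modeled."""
from typing import FrozenSet, Tuple

# Constructed, illustrative subsets of the real basic and full privilege sets.
BASIC_V1 = frozenset({"file_link_any", "file_read", "file_write", "net_access",
                      "proc_exec", "proc_fork", "proc_info", "proc_session"})
ALL_V1 = BASIC_V1 | {"sys_linkdir", "sys_admin", "file_dac_read", "proc_setid"}


def resolve_privileges(spec: str, basic: FrozenSet[str], all_privs: FrozenSet[str]) -> FrozenSet[str]:
    """Expand a specification such as "basic,!file_link_any".
    Assumption: tokens apply left to right; a name, or the keywords basic and
    all, adds privileges, and a leading '!' removes one named privilege."""
    result = set()
    for token in (t.strip() for t in spec.split(",") if t.strip()):
        if token.startswith("!"):
            name = token[1:]
            if name not in all_privs:
                raise ValueError(f"unknown privilege {name!r}")
            result.discard(name)
        elif token == "all":
            result |= all_privs
        elif token == "basic":
            result |= basic
        elif token in all_privs:
            result.add(token)
        else:
            raise ValueError(f"unknown privilege {token!r}")
    return frozenset(result)


def compare_after_new_basic_privilege(new_priv: str = "proc_newbasic") -> Tuple[bool, bool]:
    """Model a later release that makes a previously unprivileged operation
    require new_priv (a constructed name) and adds it to the basic set.
    Returns (granted by "basic,!file_link_any", granted by an enumeration)."""
    basic_v2 = BASIC_V1 | {new_priv}
    all_v2 = ALL_V1 | {new_priv}
    by_negation = resolve_privileges("basic,!file_link_any", basic_v2, all_v2)
    # The enumeration is what an administrator would have written against
    # the old basic set instead of using negation.
    enumerated_spec = ",".join(sorted(BASIC_V1 - {"file_link_any"}))
    enumerated = resolve_privileges(enumerated_spec, basic_v2, all_v2)
    return new_priv in by_negation, new_priv in enumerated
```

Under these assumptions `compare_after_new_basic_privilege()` returns `(True, False)`: the user configured by negation keeps working after the basic set grows, the user configured by enumeration silently lacks the new privilege. Order also matters: "!file_link_any,basic" removes nothing, because basic is added after the negation.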
To make a given legacy file the master copy of the configuration when stenciling has been enabled, run:
# svccfg -s svc:/system/account-policy:default \
    setprop config/etc_default_login/disabled = boolean: true
Settings read by the login and su commands
Defines some parts of password policy
Settings specific to the su command
Defines RBAC, password hashing, and other account policies
See attributes(7) for descriptions of the following attributes:
The console user is defined as the owner of /dev/console.
The account-policy service was added in Oracle Solaris 11.4.0.