# # Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved. # # /etc/security/policy.conf # # security policy configuration for user attributes. see policy.conf(4) # AUTHS_GRANTED= PROFS_GRANTED=Basic Solaris User AUTH_PROFS_GRANTED= CONSOLE_USER=Console User # PAM_POLICY specifies the system-wide PAM policy (see pam_user_policy(5)) # for all users who don't have 'pam_policy' set in their user attributes. # The search for a 'pam_policy' key follows the order described in # getuserattrnam(3C) with user_attr(4) first, then profiles assigned to # the user, and then PAM_POLICY here in policy.conf(4). # The value set here can be the filename of a PAM policy file in # /etc/security/pam_policy/ or an absolute path to a PAM policy file. # If 'pam_policy' isn't set in a user's attributes and there isn't a # system-wide default set here then pam_user_policy(5) will return # PAM_IGNORE. #PAM_POLICY= # crypt(3c) Algorithms Configuration # # CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to # be used for new passwords. This is enforced only in crypt_gensalt(3c). # CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6 # To deprecate use of the traditional unix algorithm, uncomment below # and change CRYPT_DEFAULT= to another algorithm. For example, # CRYPT_DEFAULT=1 for BSD/Linux MD5. # #CRYPT_ALGORITHMS_DEPRECATE=__unix__ # The OpenSolaris default is a SHA256 based algorithm. To revert to # the policy present in Solaris releases set CRYPT_DEFAULT=__unix__, # which is not listed in crypt.conf(4) since it is internal to libc. # CRYPT_DEFAULT=5 # # These settings determine the default privileges users have. If not set, # the default privileges are taken from the inherited set. # There are two different settings; PRIV_DEFAULT determines the default # set on login; PRIV_LIMIT defines the Limit set on login. # Individual users can have privileges assigned or taken away through # user_attr. Privileges can also be assigned to profiles in which case # the users with those profiles can use those privileges through pfexec(1). # For maximum future compatibility, the specifications should # always include "basic" or "all"; privileges should then be removed using # the negation. E.g., PRIV_LIMIT=all,!sys_linkdir takes away only the # sys_linkdir privilege, regardless of future additional privileges. # Similarly, PRIV_DEFAULT=basic,!file_link_any takes away only the # file_link_any privilege from the basic privilege set; only that notation # is immune from a future addition of currently unprivileged operations to # the basic privilege set. # NOTE: removing privileges from the the Limit set requires EXTREME care # as any set-uid root program may suddenly fail because it lacks certain # privilege(s). # #PRIV_DEFAULT=basic #PRIV_LIMIT=all # # LOCK_AFTER_RETRIES specifies the default account locking policy for local # user accounts (passwd(4)/shadow(4)). The default may be overridden by # a user's user_attr(4) "lock_after_retries" value. # YES enables local account locking, NO disables local account locking. # The default value is NO. # #LOCK_AFTER_RETRIES=NO