'\" te
.\" Copyright (c) 2008, 2013, Oracle and/or its affiliates. All rights reserved.
.TH policy.conf  4 "21 Feb 2012" "SunOS 5.11" "File Formats"
.SH NAME
policy.conf \- configuration file for security policy
.SH SYNOPSIS
.LP
.nf
/etc/security/policy.conf
.fi

.SH DESCRIPTION
.sp
.LP
The \fBpolicy.conf\fR file provides the security policy configuration for user-level attributes. Each entry consists of a key/value pair in the form:
.sp
.LP
key=value
.sp
.LP
The following keys are defined:
.sp
.ne 2
.mk
.na
\fB\fBAUTHS_GRANTED\fR\fR
.ad
.sp .6
.RS 4n
Specify the default set of authorizations granted to all users. This entry is interpreted by \fBchkauthattr\fR(3C). The value is zero or more comma-separated authorizations defined in \fBauth_attr\fR(4).
.RE

.sp
.ne 2
.mk
.na
\fB\fBCONSOLE_USER\fR\fR
.ad
.sp .6
.RS 4n
Specify an additional default set of profiles granted to the \fIconsole user\fR user. This entry is interpreted by \fBchkauthattr\fR(3C) and \fBgetexecuser\fR(3C). The value is zero or more comma-separated profiles defined in \fBprof_attr\fR(4).
.RE

.sp
.ne 2
.mk
.na
\fB\fBCRYPT_ALGORITHMS_ALLOW\fR\fR
.ad
.sp .6
.RS 4n
Specify the algorithms that are allowed for new passwords and is enforced only in \fBcrypt_gensalt\fR(3C).
.RE

.sp
.ne 2
.mk
.na
\fB\fBCRYPT_ALGORITHMS_DEPRECATE\fR\fR
.ad
.sp .6
.RS 4n
Specify the algorithm for new passwords that is to be deprecated. For example, to deprecate use of the traditional UNIX algorithm, specify \fBCRYPT_ALGORITHMS_DEPRECATE=__unix__\fR and change \fBCRYPT_DEFAULT=\fR to another algorithm, such as \fBCRYPT_DEFAULT=1\fR for BSD and Linux MD5.
.RE

.sp
.ne 2
.mk
.na
\fB\fBCRYPT_DEFAULT\fR\fR
.ad
.sp .6
.RS 4n
Specify the default algorithm for new passwords. The Oracle Solaris default is the \fBcrypt_sha256(4)\fR algorithm.
.RE

.sp
.ne 2
.mk
.na
\fB\fBLOCK_AFTER_RETRIES=YES|NO\fR\fR
.ad
.sp .6
.RS 4n
Specifies whether a local account is locked after the count of failed logins for a user equals or exceeds the allowed number of retries as defined by \fBRETRIES\fR in \fB/etc/default/login\fR. The default value for users is \fBNO\fR. Individual account overrides are provided by \fBuser_attr\fR(4).
.RE

.sp
.ne 2
.mk
.na
\fB\fBPAM_POLICY\fR\fR
.ad
.sp .6
.RS 4n
Specifies the system-wide PAM policy (see \fBpam_user_policy\fR(5)) for all users who do not have \fBpam_policy\fR set in their user attributes. The value set here can be the filename of a PAM policy file in \fB/etc/security/pam_policy/\fR or an absolute path to a PAM policy file.
.RE

.sp
.ne 2
.mk
.na
\fB\fBPRIV_DEFAULT\fR and \fBPRIV_LIMIT\fR\fR
.ad
.sp .6
.RS 4n
Settings for these keys determine the default privileges that users have. (See \fBprivileges\fR(5).) If these keys are not set, the default privileges are taken from the inherited set. \fBPRIV_DEFAULT\fR determines the default set on login. \fBPRIV_LIMIT\fR defines the limit set on login. Users can have privileges assigned or taken away through use of \fBuser_attr\fR(4). Privileges can also be assigned to profiles, in which case users who have those profiles can exercise the assigned privileges through \fBpfexec\fR(1).
.sp
For maximum future compatibility, the privilege specifications should always include \fBbasic\fR or \fBall\fR. Privileges should then be removed using negation. See EXAMPLES. By assigning privileges in this way, you avoid a situation where, following an addition of a currently unprivileged operation to the basic privilege set, a user unexpectedly does not have the privileges he needs to perform that now-privileged operation.
.sp
Removing privileges from the limit set requires \fBextreme\fR care, as any set-uid root program might suddenly fail because it lacks certain privilege(s). Note also that dropping \fBbasic\fR privileges from the default privilege set can cause unexpected failure modes in applications.
.sp
In the case of \fBPRIV_DEFAULT\fR, it is possible to specify an Extended Policy. See \fBprivileges\fR(5).
.RE

.sp
.ne 2
.mk
.na
\fB\fBPROFS_GRANTED\fR\fR
.ad
.sp .6
.RS 4n
Specifies the default set of unauthenticated profiles granted to all users that do not require reauthentication. This entry is interpreted by \fBchkauthattr\fR(3C) and \fBgetexecuser\fR(3C). The value is zero or more comma-separated profiles defined in \fBprof_attr\fR(4).
.RE

.sp
.ne 2
.mk
.na
\fB\fBAUTHS_PROFS_GRANTED\fR\fR
.ad
.sp .6
.RS 4n
Specifies the default set of authenticated profiles granted to all users. The commands included in authenticated profiles require user reauthentication prior to execution. The entries in this list take precedence over the \fBPROF_GRANTED\fR list. This entry is interpreted by \fBchkauthattr\fR(3C) and \fBgetexecuser\fR(3C). The value is zero or more comma-separated profiles defined in \fBprof_attr\fR(4).
.RE

.sp
.LP
The key/value pair must appear on a single line, and the key must start the line. Lines starting with \fB#\fR are taken as comments and ignored. Option name comparisons are case-insensitive.
.sp
.LP
A value should only be specified in either \fBCRYPT_ALGORITHMS_ALLOW\fR or \fBCRYPT_ALGORITHMS_DEPRECATE\fR. If the same value is specified in both keys, whichever is listed first in the file takes precedence. The algorithm specified for \fBCRYPT_DEFAULT\fR must either be specified for \fBCRYPT_ALGORITHMS_ALLOW\fR or not be specified for \fBCRYPT_ALGORITHMS_DEPRECATE\fR. If \fBCRYPT_DEFAULT\fR is not specified, the default is \fB__unix__\fR.
.SH EXAMPLES
.LP
\fBExample 1 \fRDefining a Key/Value Pair
.sp
.in +2
.nf
\fBAUTHS_GRANTED=solaris.date\fR
.fi
.in -2
.sp

.LP
\fBExample 2 \fRSpecifying Privileges
.sp
.LP
As noted above, you should specify privileges through negation, specifying \fBall\fR for \fBPRIV_LIMIT\fR and \fBbasic\fR for \fBPRIV_DEFAULT\fR, then subtracting privileges, as shown below.

.sp
.in +2
.nf
PRIV_LIMIT=all,!sys_linkdir
PRIV_DEFAULT=basic,!file_link_any
.fi
.in -2

.sp
.LP
The first line, above, takes away only the \fBsys_linkdir\fR privilege. The second line takes away only the \fBfile_link\fR privilege. These privilege specifications are unaffected by any future addition of privileges that might occur.

.SH FILES
.sp
.ne 2
.mk
.na
\fB\fB/etc/user_attr\fR\fR
.ad
.RS 29n
.rt  
Defines extended user attributes.
.RE

.sp
.ne 2
.mk
.na
\fB\fB/etc/security/auth_attr\fR\fR
.ad
.RS 29n
.rt  
Defines authorizations.
.RE

.sp
.ne 2
.mk
.na
\fB\fB/etc/security/prof_attr\fR\fR
.ad
.RS 29n
.rt  
Defines profiles.
.RE

.sp
.ne 2
.mk
.na
\fB\fB/etc/security/policy.conf\fR\fR
.ad
.RS 29n
.rt  
Defines policy for the system.
.RE

.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
tab() box;
cw(2.75i) |cw(2.75i) 
lw(2.75i) |lw(2.75i) 
.
ATTRIBUTE TYPEATTRIBUTE VALUE
_
Availabilitysystem/core-os
_
Interface StabilityCommitted
.TE

.SH SEE ALSO
.sp
.LP
\fBlogin\fR(1), \fBpfexec\fR(1), \fBchkauthattr\fR(3C), \fBgetexecuser\fR(3C), \fBauth_attr\fR(4), \fBcrypt.conf\fR(4), \fBprof_attr\fR(4), \fBuser_attr\fR(4), \fBattributes\fR(5), \fBprivileges\fR(5)
.SH NOTES
.sp
.LP
The \fIconsole user\fR is defined as the owner of \fB/dev/console\fR.