xref: /illumos-gate/usr/src/lib/libsecdb/policy.conf (revision bbf21555)
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# /etc/security/policy.conf
#
# Security policy configuration for user attributes.  See policy.conf(5).
#

AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User
CONSOLE_USER=Console User

# crypt(3c) Algorithms Configuration
#
# CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to
# be used for new passwords.  This is enforced only in crypt_gensalt(3c).
#
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6

# To deprecate use of the traditional unix algorithm, uncomment below
# and change CRYPT_DEFAULT= to another algorithm.  For example,
# CRYPT_DEFAULT=1 for BSD/Linux MD5.
#
#CRYPT_ALGORITHMS_DEPRECATE=__unix__

# The illumos default is a SHA512 based algorithm.  To revert to
# the policy present in former Solaris releases set CRYPT_DEFAULT=__unix__,
# which is not listed in crypt.conf(5) since it is internal to libc.
#
CRYPT_DEFAULT=6
#
# These settings determine the default privileges users have.  If not set,
# the default privileges are taken from the inherited set.
# There are two different settings; PRIV_DEFAULT determines the default
# set on login; PRIV_LIMIT defines the Limit set on login.
# Individual users can have privileges assigned or taken away through
# user_attr.  Privileges can also be assigned to profiles in which case
# the users with those profiles can use those privileges through pfexec(1).
# For maximum future compatibility, the specifications should
# always include "basic" or "all"; privileges should then be removed using
# the negation.  E.g., PRIV_LIMIT=all,!sys_linkdir takes away only the
# sys_linkdir privilege, regardless of future additional privileges.
# Similarly, PRIV_DEFAULT=basic,!file_link_any takes away only the
# file_link_any privilege from the basic privilege set; only that notation
# is immune from a future addition of currently unprivileged operations to
# the basic privilege set.
# NOTE: removing privileges from the Limit set requires EXTREME care
# as any set-uid root program may suddenly fail because it lacks certain
# privilege(s).
#
#PRIV_DEFAULT=basic
#PRIV_LIMIT=all
#
# LOCK_AFTER_RETRIES specifies the default account locking policy for local
# user accounts (passwd(5)/shadow(5)).  The default may be overridden by
# a user's user_attr(5) "lock_after_retries" value.
# YES enables local account locking, NO disables local account locking.
# The default value is NO.
#
#LOCK_AFTER_RETRIES=NO
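The following Python script is an added example and is not part of illumos or of this file. It parses a policy.conf in the KEY=value format above, expands the PRIV_DEFAULT/PRIV_LIMIT notation (left-to-right tokens, with "basic"/"all" adding a whole set and "!name" removing one privilege), and audits the crypt(3c) and LOCK_AFTER_RETRIES settings for the weak choices the comments warn about. The "basic" and "all" privilege sets it uses are assumed illustrative subsets, not the system's authoritative lists (consult privileges(7) on a real host), the two sample configurations are constructed, and treating an unset CRYPT_DEFAULT as "__unix__" is an assumption of the example.

```python
"""Parse an illumos policy.conf and audit its privilege and crypt(3c) policy.

Added example; not illumos code.  Privilege sets below are assumed,
illustrative subsets only.
"""

# Assumed illustrative privilege sets (the real "all" set is far larger).
BASIC_PRIVS = frozenset({"file_link_any", "file_read", "file_write",
                         "net_access", "proc_exec", "proc_fork",
                         "proc_info", "proc_session"})
ALL_PRIVS = BASIC_PRIVS | frozenset({"sys_linkdir", "sys_mount",
                                     "proc_setid", "file_dac_read"})

# Constructed sample mirroring the shipped defaults (commented keys stay unset).
SAMPLE_SHIPPED = """\
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User
CONSOLE_USER=Console User
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6
#CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=6
#PRIV_DEFAULT=basic
#PRIV_LIMIT=all
#LOCK_AFTER_RETRIES=NO
"""

# Constructed sample of a weakened, legacy-style configuration.
SAMPLE_LEGACY = """\
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6
CRYPT_DEFAULT=__unix__
PRIV_DEFAULT=basic,!file_link_any
PRIV_LIMIT=!sys_linkdir
LOCK_AFTER_RETRIES=NO
"""


def parse_policy_conf(text):
    """Return {KEY: value} for KEY=value lines; '#' lines and blanks are skipped.
    Values may contain spaces, e.g. PROFS_GRANTED=Basic Solaris User."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def _csv(value):
    """Split a comma-separated value into its non-empty, stripped tokens."""
    return [t.strip() for t in value.split(",") if t.strip()]


def expand_priv_spec(spec, all_privs=ALL_PRIVS, basic_privs=BASIC_PRIVS):
    """Expand a spec such as 'basic,!file_link_any' into a privilege set.
    Tokens apply left to right: 'all'/'basic' add a whole set, '!name'
    removes one privilege, and a bare name adds one privilege."""
    result = set()
    for tok in _csv(spec):
        if tok == "all":
            result |= set(all_privs)
        elif tok == "basic":
            result |= set(basic_privs)
        elif tok.startswith("!"):
            result.discard(tok[1:])
        else:
            result.add(tok)
    return frozenset(result)


def audit_policy(conf):
    """Return a list of findings describing weak or inconsistent settings."""
    findings = []
    allow = _csv(conf.get("CRYPT_ALGORITHMS_ALLOW", ""))
    deprecate = _csv(conf.get("CRYPT_ALGORITHMS_DEPRECATE", ""))
    # Assumption of this example: an unset CRYPT_DEFAULT means traditional crypt.
    default = conf.get("CRYPT_DEFAULT", "__unix__")
    if default == "__unix__":
        findings.append("CRYPT_DEFAULT=__unix__: new passwords use traditional unix crypt")
    if default in deprecate:
        findings.append(f"CRYPT_DEFAULT={default} is listed in CRYPT_ALGORITHMS_DEPRECATE")
    if allow and default != "__unix__" and default not in allow:
        findings.append(f"CRYPT_DEFAULT={default} is not in CRYPT_ALGORITHMS_ALLOW")
    for key in ("PRIV_DEFAULT", "PRIV_LIMIT"):
        spec = conf.get(key)
        if spec is None:
            continue
        tokens = _csv(spec)
        if not tokens or tokens[0] not in ("basic", "all"):
            findings.append(f"{key}={spec} does not start with basic/all; not future-compatible")
    limit = conf.get("PRIV_LIMIT")
    if limit and any(t.startswith("!") for t in _csv(limit)):
        findings.append("PRIV_LIMIT removes privileges: set-uid root programs may fail")
    if conf.get("LOCK_AFTER_RETRIES", "NO").upper() != "YES":
        findings.append("LOCK_AFTER_RETRIES is not YES: local accounts are not locked after failed logins")
    return findings


if __name__ == "__main__":
    for name, sample in (("shipped", SAMPLE_SHIPPED), ("legacy", SAMPLE_LEGACY)):
        print(f"== {name} ==")
        for finding in audit_policy(parse_policy_conf(sample)):
            print("  -", finding)
    print(sorted(expand_priv_spec("basic,!file_link_any")))
```

Run it as-is to compare the two constructed samples; point `parse_policy_conf` at the contents of /etc/security/policy.conf to audit a real host, keeping in mind that the privilege sets here are placeholders.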