File Formats policy.conf(4)
NAME
policy.conf - configuration file for security policy
SYNOPSIS
/etc/security/policy.conf
DESCRIPTION
The policy.conf file provides the security policy configuration for user-level attributes. Each entry consists of a key/value pair in the form:

    key=value

The following keys are defined:

AUTHS_GRANTED
    Specify the default set of authorizations granted to all users. This entry is interpreted by chkauthattr(3SECDB). The value is one or more comma-separated authorizations defined in auth_attr(4).

PROFS_GRANTED
    Specify the default set of profiles granted to all users. This entry is interpreted by chkauthattr(3SECDB) and getexecuser(3SECDB). The value is one or more comma-separated profiles defined in prof_attr(4).

PRIV_DEFAULT and PRIV_LIMIT
    Settings for these keys determine the default privileges that users have. (See privileges(5).) If these keys are not set, the default privileges are taken from the inherited set. PRIV_DEFAULT determines the default set on login. PRIV_LIMIT defines the limit set on login. Users can have privileges assigned or taken away through use of user_attr(4). Privileges can also be assigned to profiles, in which case users who have those profiles can exercise the assigned privileges through pfexec(1).

    For maximum future compatibility, the privilege specifications should always include basic or all. Privileges should then be removed using negation. See EXAMPLES. By assigning privileges in this way, you avoid a situation where, following an addition of a currently unprivileged operation to the basic privilege set, a user unexpectedly does not have the privileges he needs to perform that now-privileged operation.

    Note that removing privileges from the limit set requires extreme care, as any set-uid root program might suddenly fail because it lacks certain privilege(s). Note also that dropping basic privileges from the default privilege set can cause unexpected failure modes in applications.

LOCK_AFTER_RETRIES=YES|NO
    Specifies whether a local account is locked after the count of failed logins for a user equals or exceeds the allowed number of retries as defined by RETRIES in /etc/default/login. The default value for users is NO. Individual account overrides are provided by user_attr(4).

CRYPT_ALGORITHMS_ALLOW
    Specifies the algorithms that are allowed for new passwords. This setting is enforced only in crypt_gensalt(3C).

CRYPT_ALGORITHMS_DEPRECATE
    Specify the algorithm for new passwords that is to be deprecated. For example, to deprecate use of the traditional UNIX algorithm, specify CRYPT_ALGORITHMS_DEPRECATE=__unix__ and change CRYPT_DEFAULT= to another algorithm, such as CRYPT_DEFAULT=1 for BSD and Linux MD5.

CRYPT_DEFAULT
    Specify the default algorithm for new passwords. The Solaris default is the traditional UNIX algorithm. This is not listed in crypt.conf(4) since it is internal to libc. The reserved name __unix__ is used to refer to it.

The key/value pair must appear on a single line, and the key must start the line. Lines starting with # are taken as comments and ignored. Option name comparisons are case-insensitive.

Only one CRYPT_ALGORITHMS_ALLOW or CRYPT_ALGORITHMS_DEPRECATE value can be specified. Whichever is listed first in the file takes precedence. The algorithm specified for CRYPT_DEFAULT must either be specified for CRYPT_ALGORITHMS_ALLOW or not be specified for CRYPT_ALGORITHMS_DEPRECATE. If CRYPT_DEFAULT is not specified, the default is __unix__.
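
The following is an added example, not part of the original manual page or of Solaris: a small Python check that applies the parsing rules above, the CRYPT_DEFAULT consistency rule, and the recommendation that PRIV_DEFAULT and PRIV_LIMIT include basic or all. The function names and the sample file contents are assumptions constructed for illustration.

```python
# Added example: lint policy.conf text against the rules stated in this page.
# SAMPLE is constructed input, not a shipped Solaris file.
SAMPLE = """\
# constructed sample
AUTHS_GRANTED=solaris.date
crypt_algorithms_deprecate=__unix__
CRYPT_ALGORITHMS_ALLOW=1
CRYPT_DEFAULT=__unix__
PRIV_DEFAULT=file_link_any
PRIV_LIMIT=all,!sys_linkdir
"""

CRYPT_LISTS = ("CRYPT_ALGORITHMS_ALLOW", "CRYPT_ALGORITHMS_DEPRECATE")

def parse(text):
    """Return (KEY, value) pairs in file order; option names are case-insensitive."""
    entries = []
    for line in text.splitlines():
        # Skip blanks, comments, and lines where the key does not start the line.
        if not line or line[0] in "# \t" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries.append((key.strip().upper(), value.strip()))
    return entries

def lint(text):
    """Return a list of human-readable findings (empty list means consistent)."""
    entries = parse(text)
    findings = []
    lists = [(k, v.split(",")) for k, v in entries if k in CRYPT_LISTS]
    # CRYPT_DEFAULT falls back to the traditional algorithm when unset.
    default = next((v for k, v in entries if k == "CRYPT_DEFAULT"), "__unix__")
    if len(lists) > 1:
        findings.append("multiple CRYPT_ALGORITHMS_* lines; only the first (%s) applies" % lists[0][0])
    if lists:
        kind, algs = lists[0]
        ok = default in algs if kind == "CRYPT_ALGORITHMS_ALLOW" else default not in algs
        if not ok:
            findings.append("CRYPT_DEFAULT=%s conflicts with %s" % (default, kind))
    for key, value in entries:
        # The page recommends starting from basic or all and removing via negation.
        if key in ("PRIV_DEFAULT", "PRIV_LIMIT") and not {"basic", "all"} & set(value.split(",")):
            findings.append("%s does not include basic or all" % key)
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```
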
EXAMPLES
Example 1: Defining a Key/Value Pair
AUTHS_GRANTED=solaris.date
Example 2: Specifying Privileges
As noted above, you should specify privileges through negation, specifying all for PRIV_LIMIT and basic for PRIV_DEFAULT, then subtracting privileges, as shown below.

    PRIV_LIMIT=all,!sys_linkdir
    PRIV_DEFAULT=basic,!file_link_any

The first line, above, takes away only the sys_linkdir privilege. The second line takes away only the file_link_any privilege. These privilege specifications will be unaffected by any future addition of privileges that might occur.
FILES
/etc/user_attr
    Defines extended user attributes.

/etc/security/auth_attr
    Defines authorizations.

/etc/security/prof_attr
    Defines profiles.

/etc/security/policy.conf
    Defines policy for the system.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWcsu |
|_____________________________|_____________________________|
| Interface Stability | Evolving |
|_____________________________|_____________________________|
SEE ALSO
login(1), pfexec(1), chkauthattr(3SECDB),
getexecuser(3SECDB), auth_attr(4), crypt.conf(4),
prof_attr(4), user_attr(4), attributes(5), privileges(5)
SunOS 5.10 Last change: 16 Mar 2004 4