policy.conf(4)                   File Formats                   policy.conf(4)

NAME
       policy.conf - configuration file for security policy

SYNOPSIS
       /etc/security/policy.conf

DESCRIPTION
       The policy.conf file provides the security policy configuration for
       user-level attributes. Each entry consists of a key/value pair in the
       form:

              key=value

       The following keys are defined:

       AUTHS_GRANTED
              Specify the default set of authorizations granted to all
              users. This entry is interpreted by chkauthattr(3SECDB). The
              value is one or more comma-separated authorizations defined in
              auth_attr(4).

       PROFS_GRANTED
              Specify the default set of profiles granted to all users. This
              entry is interpreted by chkauthattr(3SECDB) and
              getexecuser(3SECDB). The value is one or more comma-separated
              profiles defined in prof_attr(4).

       PRIV_DEFAULT and PRIV_LIMIT
              Settings for these keys determine the default privileges that
              users have. (See privileges(5).) If these keys are not set, the
              default privileges are taken from the inherited set.
              PRIV_DEFAULT determines the default set on login. PRIV_LIMIT
              defines the limit set on login. Users can have privileges
              assigned or taken away through use of user_attr(4). Privileges
              can also be assigned to profiles, in which case users who have
              those profiles can exercise the assigned privileges through
              pfexec(1).

              For maximum future compatibility, the privilege specifications
              should always include basic or all. Privileges should then be
              removed using negation. See EXAMPLES. By assigning privileges
              in this way, you avoid a situation where, following an addition
              of a currently unprivileged operation to the basic privilege
              set, a user unexpectedly does not have the privileges he needs
              to perform that now-privileged operation.

              Note that removing privileges from the limit set requires
              extreme care, as any set-uid root program might suddenly fail
              because it lacks certain privilege(s).

              Note also that dropping basic privileges from the default
              privilege set can cause unexpected failure modes in
              applications.

       LOCK_AFTER_RETRIES=YES|NO
              Specifies whether a local account is locked after the count of
              failed logins for a user equals or exceeds the allowed number
              of retries as defined by RETRIES in /etc/default/login. The
              default value for users is NO. Individual account overrides are
              provided by user_attr(4).

       CRYPT_ALGORITHMS_ALLOW
              Specify the algorithms that are allowed for new passwords. This
              setting is enforced only in crypt_gensalt(3C).

       CRYPT_ALGORITHMS_DEPRECATE
              Specify the algorithm for new passwords that is to be
              deprecated. For example, to deprecate use of the traditional
              UNIX algorithm, specify CRYPT_ALGORITHMS_DEPRECATE=__unix__ and
              change CRYPT_DEFAULT= to another algorithm, such as
              CRYPT_DEFAULT=1 for BSD and Linux MD5.

       CRYPT_DEFAULT
              Specify the default algorithm for new passwords. The Solaris
              default is the traditional UNIX algorithm. This is not listed
              in crypt.conf(4) since it is internal to libc. The reserved
              name __unix__ is used to refer to it.

       The key/value pair must appear on a single line, and the key must
       start the line. Lines starting with # are taken as comments and
       ignored. Option name comparisons are case-insensitive.

       Only one CRYPT_ALGORITHMS_ALLOW or CRYPT_ALGORITHMS_DEPRECATE value
       can be specified. Whichever is listed first in the file takes
       precedence. The algorithm specified for CRYPT_DEFAULT must either be
       specified for CRYPT_ALGORITHMS_ALLOW or not be specified for
       CRYPT_ALGORITHMS_DEPRECATE. If CRYPT_DEFAULT is not specified, the
       default is __unix__.

EXAMPLES
       Example 1: Defining a Key/Value Pair

              AUTHS_GRANTED=solaris.date

       Example 2: Specifying Privileges

       As noted above, you should specify privileges through negation,
       specifying all for PRIV_LIMIT and basic for PRIV_DEFAULT, then
       subtracting privileges, as shown below.

              PRIV_LIMIT=all,!sys_linkdir
              PRIV_DEFAULT=basic,!file_link_any

       The first line, above, takes away only the sys_linkdir privilege. The
       second line takes away only the file_link_any privilege. These
       privilege specifications will be unaffected by any future addition of
       privileges that might occur.

FILES
       /etc/user_attr
              Defines extended user attributes.

       /etc/security/auth_attr
              Defines authorizations.

       /etc/security/prof_attr
              Defines profiles.

       /etc/security/policy.conf
              Defines policy for the system.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
       +-----------------------------+-----------------------------+
       |Availability                 |SUNWcsu                      |
       +-----------------------------+-----------------------------+
       |Interface Stability          |Evolving                     |
       +-----------------------------+-----------------------------+

SEE ALSO
       login(1), pfexec(1), chkauthattr(3SECDB), getexecuser(3SECDB),
       auth_attr(4), crypt.conf(4), prof_attr(4), user_attr(4),
       attributes(5), privileges(5)

SunOS 5.10                       16 Mar 2004                    policy.conf(4)
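A small checker for the file rules and consistency rules described above, written as an added example (it is not part of the Solaris manual page or of libc). It applies the one-pair-per-line, key-starts-the-line, # comment and case-insensitive rules, then the CRYPT_DEFAULT versus CRYPT_ALGORITHMS_ALLOW/DEPRECATE precedence rule and the basic-or-all privilege recommendation, to a constructed sample file; the sample values and message wording are its own.

```python
import re
from typing import Dict, List, Tuple

SAMPLE = """\
# Constructed sample policy.conf for this example; not from a real system.
AUTHS_GRANTED=solaris.date
PRIV_LIMIT=all,!sys_linkdir
PRIV_DEFAULT=basic,!file_link_any
lock_after_retries=YES
CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
CRYPT_DEFAULT=1
"""

def parse_policy_conf(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Key must start the line, '#' lines are comments, names are case-insensitive."""
    keys: Dict[str, str] = {}
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z_]+)=(.*)$", line)  # no leading whitespace allowed
        if not m:
            problems.append(f"line {lineno}: not a key=value pair")
        elif m.group(1).upper() not in keys:  # first occurrence of a key wins
            keys[m.group(1).upper()] = m.group(2).strip()
    return keys, problems

def lint_policy(keys: Dict[str, str]) -> List[str]:
    """Apply the consistency rules the man page states for CRYPT_* and PRIV_*."""
    issues: List[str] = []
    crypt = [k for k in keys if k in ("CRYPT_ALGORITHMS_ALLOW", "CRYPT_ALGORITHMS_DEPRECATE")]
    if len(crypt) == 2:  # only one may be given; the one listed first takes precedence
        issues.append(f"both CRYPT_ALGORITHMS_* keys set; only {crypt[0]} takes effect")
    effective = crypt[0] if crypt else ""
    algs = set(keys.get(effective, "").split(",")) - {""}
    default = keys.get("CRYPT_DEFAULT", "__unix__")  # unset CRYPT_DEFAULT means __unix__
    if effective == "CRYPT_ALGORITHMS_ALLOW" and default not in algs:
        issues.append(f"CRYPT_DEFAULT={default} is not in CRYPT_ALGORITHMS_ALLOW")
    if effective == "CRYPT_ALGORITHMS_DEPRECATE" and default in algs:
        issues.append(f"CRYPT_DEFAULT={default} is deprecated by CRYPT_ALGORITHMS_DEPRECATE")
    for k in ("PRIV_DEFAULT", "PRIV_LIMIT"):
        privs = set(keys.get(k, "").split(",")) - {""}
        if k in keys and not privs & {"basic", "all"}:
            issues.append(f"{k} should include basic or all and remove privileges with '!'")
        if k == "PRIV_LIMIT" and any(p.startswith("!") for p in privs):
            issues.append("PRIV_LIMIT negation shrinks the limit set; set-uid root programs may fail")
    return issues
```

Running `lint_policy(parse_policy_conf(SAMPLE)[0])` on the sample reports that only CRYPT_ALGORITHMS_DEPRECATE takes effect and that PRIV_LIMIT removes a privilege from the limit set.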