Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
policy.conf(4)			 File Formats			policy.conf(4)

NAME
       policy.conf - configuration file	for security policy

SYNOPSIS
       /etc/security/policy.conf

DESCRIPTION
       The  policy.conf	 file  provides	 the security policy configuration for
       user-level attributes. Each entry consists of a key/value pair  in  the
       form:

	      key=value

       The following keys are defined:

       AUTHS_GRANTED		       Specify	the  default set of authoriza-
				       tions granted to	all users. This	 entry
				       is  interpreted by chkauthattr(3SECDB).
				       The value is one	 or  more  comma-sepa-
				       rated	authorizations	  defined   in
				       auth_attr(4).

       PROFS_GRANTED		       Specify the  default  set  of  profiles
				       granted to all users. This entry	is in-
				       terpreted  by  chkauthattr(3SECDB)  and
				       getexecuser(3SECDB).  The  value	is one
				       or more	comma-separated	 profiles  de-
				       fined in	prof_attr(4).

       PRIV_DEFAULT and	PRIV_LIMIT     Settings	 for  these keys determine the
				       default	privileges  that  users	 have.
				       (See  privileges(5).) If	these keys are
				       not set,	 the  default  privileges  are
				       taken  from the inherited set. PRIV_DE-
				       FAULT determines	the default set	on lo-
				       gin.  PRIV_LIMIT	 defines the limit set
				       on login. Users can have	privileges as-
				       signed  or  taken  away	through	use of
				       user_attr(4). Privileges	 can  also  be
				       assigned	 to  profiles,	in  which case
				       users who have those profiles can exer-
				       cise  the  assigned  privileges through
				       pfexec(1).

				       For maximum future  compatibility,  the
				       privilege  specifications should	always
				       include basic or	all. Privileges	should
				       then be removed using negation. See EX-
				       AMPLES. By assigning privileges in this
				       way,  you avoid a situation where, fol-
				       lowing an addition of a	currently  un-
				       privileged operation to the basic priv-
				       ilege set, a user unexpectedly does not
				       have the	privileges he needs to perform
				       that now-privileged operation.

				       Note that removing privileges from  the
				       limit set requires extreme care,	as any
				       set-uid	root  program  might  suddenly
				       fail  because  it  lacks	certain	privi-
				       lege(s).	Note also that dropping	 basic
				       privileges  from	 the default privilege
				       set can cause unexpected	failure	 modes
				       in applications.

       LOCK_AFTER_RETRIES=YES|NO       Specifies  whether  a  local account is
				       locked after the	count of failed	logins
				       for  a  user  equals or exceeds the al-
				       lowed number of retries as  defined  by
				       RETRIES in /etc/default/login.  The de-
				       fault value for users is	NO. Individual
				       account	 overrides   are  provided  by
				       user_attr(4).

       CRYPT_ALGORITHMS_ALLOW	       Specify the algorithms that are allowed
				       for  new	passwords and is enforced only
				       in crypt_gensalt(3C).

       CRYPT_ALGORITHMS_DEPRECATE      Specify the algorithm for new passwords
				       that  is	to be deprecated. For example,
				       to deprecate  use  of  the  traditional
				       UNIX   algorithm,  specify  CRYPT_ALGO-
				       RITHMS_DEPRECATE=__unix__  and	change
				       CRYPT_DEFAULT=  to  another  algorithm,
				       such as	CRYPT_DEFAULT=1	 for  BSD  and
				       Linux MD5.

       CRYPT_DEFAULT		       Specify	the  default algorithm for new
				       passwords. The Solaris default  is  the
				       traditional UNIX	algorithm. This	is not
				       listed in crypt.conf(4) since it	is in-
				       ternal	to  libc.  The	reserved  name
				       __unix__	is used	to refer to it.

       The key/value pair must appear on a single line,	and the	key must start
       the  line. Lines	starting with #	are taken as comments and ignored. Op-
       tion name comparisons are case-insensitive.

       Only one	CRYPT_ALGORITHMS_ALLOW or CRYPT_ALGORITHMS_DEPRECATE value can
       be  specified.  Whichever is listed first in the	file takes precedence.
       The algorithm specified for CRYPT_DEFAULT must either be	specified  for
       CRYPT_ALGORITHMS_ALLOW  or not be specified for CRYPT_ALGORITHMS_DEPRE-
       CATE. If	CRYPT_DEFAULT is not specified,	the default is __unix__.

EXAMPLES
       Example 1: Defining a Key/Value Pair

       AUTHS_GRANTED=solaris.date

       Example 2: Specifying Privileges

       As noted	above, you should specify privileges through negation,	speci-
       fying  all  for PRIV_LIMIT and basic for	PRIV_DEFAULT, then subtracting
       privileges, as shown below.

       PRIV_LIMIT=all,!sys_linkdir
       PRIV_DEFAULT=basic,!file_link_any

       The first line, above, takes away only the sys_linkdir  privilege.  The
       second  line  takes  away only the file_link privilege. These privilege
       specifications will be unaffected by any	future addition	of  privileges
       that might occur.

FILES
       /etc/user_attr		       Defines extended	user attributes.

       /etc/security/auth_attr	       Defines authorizations.

       /etc/security/prof_attr	       Defines profiles.

       /etc/security/policy.conf       Defines policy for the system.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE	TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Availability		     |SUNWcsu			   |
       +-----------------------------+-----------------------------+
       |Interface Stability	     |Evolving			   |
       +-----------------------------+-----------------------------+

SEE ALSO
       login(1),    pfexec(1),	  chkauthattr(3SECDB),	  getexecuser(3SECDB),
       auth_attr(4), crypt.conf(4), prof_attr(4), user_attr(4),	attributes(5),
       privileges(5)

SunOS 5.10			  16 Mar 2004			policy.conf(4)

NAME | SYNOPSIS | DESCRIPTION | EXAMPLES | FILES | ATTRIBUTES | SEE ALSO

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=policy.conf&sektion=4&manpath=SunOS+5.10>

home | help