policy.conf(5) File Formats policy.conf(5)
NAME
policy.conf - configuration file for security policy
SYNOPSIS
/etc/security/policy.conf
DESCRIPTION
The policy.conf file was previously used to provide the security policy
configuration for user-level attributes. Each entry consists of a
key/value pair in the form:
key=value
The /etc/security/policy.conf file is obsolete. Instead, you can use
the svc:/system/security/account-policy:default service to set the
corresponding SMF properties.
The following table lists the mapping between the properties in the
/etc/security/policy.conf file and the SMF properties:
/etc/security/policy.conf Property   Corresponding SMF Property
----------------------------------   -----------------------------------
AUTHS_GRANTED                        rbac/default_authorizations
CLEARANCE                            login_policy/clearance
CONSOLE_USER                         rbac/console_user_profiles
CRYPT_ALGORITHMS_ALLOW               password/crypt/algorithms_allow
CRYPT_ALGORITHMS_DEPRECATE           password/crypt/algorithms_deprecate
CRYPT_DEFAULT                        password/crypt/default
LOCK_AFTER_RETRIES=YES|NO            login_policy/lock_after_retries
UNLOCK_AFTER=<n>[m | h | d | w]      login/auto_unlock_time
PAM_POLICY                           login_policy/pam_policy
PRIV_DEFAULT and PRIV_LIMIT          rbac/default_privileges and
                                     rbac/default_limit_privileges
PROFS_GRANTED                        rbac/default_profiles
AUTHS_PROFS_GRANTED                  rbac/default_auth_profiles
ANNOTATION=YES|NO|OPTIONAL           login_policy/annotation
For information on managing the SMF properties, see the
account-policy(8S) man page.
The following keys are defined:
AUTHS_GRANTED
Specify the default set of authorizations granted to all users.
This entry is interpreted by chkauthattr(3C). The value is zero or
more comma-separated authorizations defined in auth_attr(5).
CLEARANCE
Specify the default process clearance that is used when starting
user sessions or SMF services when no explicit clearance is
specified. Explicit user clearances are maintained in user_attr(5) and
the default user clearance is maintained by labelcfg(8). If no
explicit clearance is associated with the user or role, and the
labeled service is not enabled, then the clearance specified here is
used. For SMF services the explicit clearance is specified in the
method credential. The default value of the CLEARANCE property is
ADMIN_HIGH. ADMIN_LOW should be specified for strict enforcement of
the clearance policy.
CONSOLE_USER
Specify an additional default set of profiles granted to the
console user. This entry is interpreted by chkauthattr(3C) and
getexecuser(3C). The value is zero or more comma-separated profiles
defined in prof_attr(5).
CRYPT_ALGORITHMS_ALLOW
Specify the algorithms that are allowed for new passwords; this is
enforced only in crypt_gensalt(3C). The value should be a
comma-separated list of numeric codes for algorithms chosen from the
list in /etc/security/crypt.conf.
CRYPT_ALGORITHMS_DEPRECATE
Specify the algorithm for new passwords that is to be deprecated.
For example, to deprecate use of the traditional UNIX algorithm,
specify CRYPT_ALGORITHMS_DEPRECATE=__unix__ and ensure
CRYPT_DEFAULT= is set to another algorithm, such as CRYPT_DEFAULT=5
for SHA-256.
Note that only one of CRYPT_ALGORITHMS_ALLOW and
CRYPT_ALGORITHMS_DEPRECATE can be specified. Enabling both is an
error and results in a syslog message.
CRYPT_DEFAULT
Specify the default algorithm for new passwords. The Oracle Solaris
default is the crypt_sha256 algorithm. The value should be a single
numeric code for an algorithm chosen from the list in
/etc/security/crypt.conf. This is useful when there is no existing
password, or if an existing password uses an algorithm which is no
longer allowed. The algorithm must be present in the
CRYPT_ALGORITHMS_ALLOW list, or must not be present in the
CRYPT_ALGORITHMS_DEPRECATE list, whichever of the two is active.
LOCK_AFTER_RETRIES=YES|NO
Specifies whether a local account is locked after the count of
failed logins for a user equals or exceeds the allowed number of
retries as defined by RETRIES in /etc/default/login. The default
value for users is NO. Individual account overrides are provided by
user_attr(5).
UNLOCK_AFTER=<n>[m | h | d | w]
Specifies the time after which an account lock for failed logins
will be unlocked upon a valid password entry. The time may be
specified as a number of minutes (m), hours (h), days (d), or weeks
(w). If unspecified, no unlock will occur. The default is
unspecified. Individual account overrides are provided by user_attr(5).
PAM_POLICY
Specifies the system-wide PAM policy (see pam_user_policy(7)) for
all users who do not have pam_policy set in their user attributes.
The value set here can be the filename of a PAM policy file in
/etc/security/pam_policy/ or an absolute path to a PAM policy file.
PRIV_DEFAULT and PRIV_LIMIT
Settings for these keys determine the default privileges that users
have. (See privileges(7).) If these keys are not set, the default
privileges are taken from the inherited set. PRIV_DEFAULT
determines the default set on login. PRIV_LIMIT defines the limit set
on login. Users can have privileges assigned or taken away through
use of user_attr(5). Privileges can also be assigned to profiles, in
which case users who have those profiles can exercise the assigned
privileges through pfexec(1).
For maximum future compatibility, the privilege specifications
should always include basic or all. Privileges should then be
removed using negation. See EXAMPLES. By assigning privileges in
this way, you avoid a situation where, following an addition of a
currently unprivileged operation to the basic privilege set, a user
unexpectedly does not have the privileges needed to perform that
now-privileged operation.
Removing privileges from the limit set requires extreme care, as
any set-uid root program might suddenly fail because it lacks
certain privilege(s). Note also that dropping basic privileges from
the default privilege set can cause unexpected failure modes in
applications.
In the case of PRIV_DEFAULT, it is possible to specify an Extended
Policy. See privileges(7).
PROFS_GRANTED
Specifies the default set of unauthenticated profiles granted to
all users that do not require reauthentication. This entry is
interpreted by chkauthattr(3C) and getexecuser(3C). The value is
zero or more comma-separated profiles defined in prof_attr(5). If
the 'Basic Solaris User' profile is included, it must be the last
profile in the list.
AUTHS_PROFS_GRANTED
Specifies the default set of authenticated profiles granted to all
users. The commands included in authenticated profiles require user
reauthentication prior to execution. The entries in this list take
precedence over the PROFS_GRANTED list. This entry is interpreted by
chkauthattr(3C) and getexecuser(3C). The value is zero or more
comma-separated profiles defined in prof_attr(5).
ANNOTATION=YES|NO|OPTIONAL
Specifies whether a user is prompted for an audit record annotation
description. yes requires the user to provide an annotation
description when prompted. optional allows the user to specify an
annotation description when prompted. no will not prompt the user
for an annotation description, and is the default choice.
Individual account overrides are provided by user_attr(5).
An audit record annotation description is a text line terminated by
a newline returned by the application's PAM conversation function.
The annotation text is included in each audit record generated by
the user.
The key/value pair must appear on a single line, and the key must start
the line. Lines starting with # are taken as comments and ignored.
Option name comparisons are case-insensitive.
A value should only be specified in either CRYPT_ALGORITHMS_ALLOW or
CRYPT_ALGORITHMS_DEPRECATE. If the same value is specified in both
keys, whichever is listed first in the file takes precedence. The
algorithm specified for CRYPT_DEFAULT must either be specified for
CRYPT_ALGORITHMS_ALLOW or not be specified for
CRYPT_ALGORITHMS_DEPRECATE. If CRYPT_DEFAULT is not specified, the
default is __unix__.
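The following is an added example, not part of the man page or of Oracle Solaris: a small Python validator that parses a policy.conf-style file under the format rules above (key=value, key starting the line, # comments, case-insensitive keys, first occurrence wins) and checks the CRYPT_ALGORITHMS_ALLOW/CRYPT_ALGORITHMS_DEPRECATE/CRYPT_DEFAULT consistency rules and the "start from basic or all, then negate" advice for PRIV_DEFAULT and PRIV_LIMIT. The sample input is constructed; the function names are the example's own.

```python
# Validator for an /etc/security/policy.conf-style file, following the rules
# this man page states: key=value lines, '#' comments, keys starting the line,
# case-insensitive key names, and the CRYPT_* / PRIV_* consistency rules.
from typing import Dict, List

# Constructed sample input (not from the page): deprecates the traditional
# UNIX algorithm, makes SHA-256 (code 5) the default, negates privileges.
SAMPLE_CONF = """\
# comment lines are ignored
AUTHS_GRANTED=solaris.date
crypt_algorithms_deprecate=__unix__
CRYPT_DEFAULT=5
PRIV_LIMIT=all,!sys_linkdir
PRIV_DEFAULT=basic,!file_link_any
"""

def parse_policy_conf(text: str) -> Dict[str, str]:
    """Return {KEY: value}. Keys are uppercased (comparison is
    case-insensitive); on duplicate keys the first occurrence wins."""
    policy: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line[0].isspace() or line.startswith("#"):
            continue  # blank, indented (key must start the line) or comment
        if "=" not in line:
            continue  # not a key=value pair
        key, _, value = line.partition("=")
        policy.setdefault(key.strip().upper(), value.strip())
    return policy

def _csv(value: str) -> List[str]:
    return [v.strip() for v in value.split(",") if v.strip()]

def check_policy(policy: Dict[str, str]) -> List[str]:
    """Return the list of rule violations (empty means consistent)."""
    problems: List[str] = []
    allow = _csv(policy.get("CRYPT_ALGORITHMS_ALLOW", ""))
    deprecate = _csv(policy.get("CRYPT_ALGORITHMS_DEPRECATE", ""))
    default = policy.get("CRYPT_DEFAULT", "__unix__")  # unset means __unix__
    if allow and deprecate:
        problems.append("both CRYPT_ALGORITHMS_ALLOW and CRYPT_ALGORITHMS_DEPRECATE set")
    elif allow and default not in allow:
        problems.append(f"CRYPT_DEFAULT={default} is not in CRYPT_ALGORITHMS_ALLOW")
    elif default in deprecate:
        problems.append(f"CRYPT_DEFAULT={default} is in CRYPT_ALGORITHMS_DEPRECATE")
    # Privilege specs should start from basic or all and subtract with '!'.
    for key in ("PRIV_DEFAULT", "PRIV_LIMIT"):
        if key in policy and not any(p in ("basic", "all") for p in _csv(policy[key])):
            problems.append(f"{key} should include basic or all, then negate")
    return problems
```

Running check_policy(parse_policy_conf(SAMPLE_CONF)) returns an empty list; dropping the CRYPT_DEFAULT line makes the implicit __unix__ default collide with the deprecate list and is reported.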
EXAMPLES
Example 1 Defining a Key/Value Pair
AUTHS_GRANTED=solaris.date
Example 2 Specifying Privileges
As noted above, you should specify privileges through negation,
specifying all for PRIV_LIMIT and basic for PRIV_DEFAULT, then
subtracting privileges, as shown below.
PRIV_LIMIT=all,!sys_linkdir
PRIV_DEFAULT=basic,!file_link_any
The first line, above, takes away only the sys_linkdir privilege. The
second line takes away only the file_link_any privilege. These
privilege specifications are unaffected by any future addition of
privileges that might occur.
FILES
/etc/user_attr Defines extended user attributes.
/etc/security/auth_attr Defines authorizations.
/etc/security/prof_attr Defines profiles.
/etc/security/policy.conf Defines policy for the system.
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
ATTRIBUTE TYPE          ATTRIBUTE VALUE
Availability            system/core-os
Interface Stability     Committed
SEE ALSO
login(1), pfexec(1), chkauthattr(3C), getexecuser(3C), auth_attr(5),
crypt.conf(5), prof_attr(5), user_attr(5), attributes(7), clearance(7),
privileges(7), account-policy(8S)
NOTES
The console user is defined as the owner of /dev/console.
Oracle Solaris 11.4 27 Apr 2020 policy.conf(5)