The OpenNET Project / Index page

[ новости /+++ | форум | wiki | теги | ]

Интерактивная система просмотра системных руководств (man-ов)

 ТемаНаборКатегория 
 
 [Cписок руководств | Печать]

policy.conf (4)
  • >> policy.conf (4) ( Solaris man: Специальные файлы /dev/* )
  •  

    NAME

    policy.conf - configuration file for security policy
     
    

    SYNOPSIS

    /etc/security/policy.conf
    

     

    DESCRIPTION

    The policy.conf file provides the security policy configuration for user-level attributes. Each entry consists of a key/value pair in the form:

    key=value

    The following keys are defined:

    AUTHS_GRANTED

    Specify the default set of authorizations granted to all users. This entry is interpreted by chkauthattr(3SECDB). The value is zero or more comma-separated authorizations defined in auth_attr(4).

    PROFS_GRANTED

    Specify the default set of profiles granted to all users. This entry is interpreted by chkauthattr(3SECDB) and getexecuser(3SECDB). The value is zero or more comma-separated profiles defined in prof_attr(4).

    CONSOLE_USER

    Specify an additional default set of profiles granted to the console user user. This entry is interpreted by chkauthattr(3SECDB) and getexecuser(3SECDB). The value is zero or more comma-separated profiles defined in prof_attr(4).

    PRIV_DEFAULT and PRIV_LIMIT

    Settings for these keys determine the default privileges that users have. (See privileges(5).) If these keys are not set, the default privileges are taken from the inherited set. PRIV_DEFAULT determines the default set on login. PRIV_LIMIT defines the limit set on login. Users can have privileges assigned or taken away through use of user_attr(4). Privileges can also be assigned to profiles, in which case users who have those profiles can exercise the assigned privileges through pfexec(1).

    For maximum future compatibility, the privilege specifications should always include basic or all. Privileges should then be removed using negation. See EXAMPLES. By assigning privileges in this way, you avoid a situation where, following an addition of a currently unprivileged operation to the basic privilege set, a user unexpectedly does not have the privileges he needs to perform that now-privileged operation.

    Note that removing privileges from the limit set requires extreme care, as any set-uid root program might suddenly fail because it lacks certain privilege(s). Note also that dropping basic privileges from the default privilege set can cause unexpected failure modes in applications.

    LOCK_AFTER_RETRIES=YES|NO

    Specifies whether a local account is locked after the count of failed logins for a user equals or exceeds the allowed number of retries as defined by RETRIES in /etc/default/login. The default value for users is NO. Individual account overrides are provided by user_attr(4).

    CRYPT_ALGORITHMS_ALLOW

    Specify the algorithms that are allowed for new passwords and is enforced only in crypt_gensalt(3C).

    CRYPT_ALGORITHMS_DEPRECATE

    Specify the algorithm for new passwords that is to be deprecated. For example, to deprecate use of the traditional UNIX algorithm, specify CRYPT_ALGORITHMS_DEPRECATE=__unix__ and change CRYPT_DEFAULT= to another algorithm, such as CRYPT_DEFAULT=1 for BSD and Linux MD5.

    CRYPT_DEFAULT

    Specify the default algorithm for new passwords. The Solaris default is the traditional UNIX algorithm. This is not listed in crypt.conf(4) since it is internal to libc. The reserved name __unix__ is used to refer to it.

    The key/value pair must appear on a single line, and the key must start the line. Lines starting with # are taken as comments and ignored. Option name comparisons are case-insensitive.

    Only one CRYPT_ALGORITHMS_ALLOW or CRYPT_ALGORITHMS_DEPRECATE value can be specified. Whichever is listed first in the file takes precedence. The algorithm specified for CRYPT_DEFAULT must either be specified for CRYPT_ALGORITHMS_ALLOW or not be specified for CRYPT_ALGORITHMS_DEPRECATE. If CRYPT_DEFAULT is not specified, the default is __unix__.  

    EXAMPLES

    Example 1 Defining a Key/Value Pair

    AUTHS_GRANTED=solaris.date
    

    Example 2 Specifying Privileges

    As noted above, you should specify privileges through negation, specifying all for PRIV_LIMIT and basic for PRIV_DEFAULT, then subtracting privileges, as shown below.

    PRIV_LIMIT=all,!sys_linkdir
    PRIV_DEFAULT=basic,!file_link_any
    

    The first line, above, takes away only the sys_linkdir privilege. The second line takes away only the file_link privilege. These privilege specifications are unaffected by any future addition of privileges that might occur.

     

    FILES

    /etc/user_attr

    Defines extended user attributes.

    /etc/security/auth_attr

    Defines authorizations.

    /etc/security/prof_attr

    Defines profiles.

    /etc/security/policy.conf

    Defines policy for the system.

     

    ATTRIBUTES

    See attributes(5) for descriptions of the following attributes:

    ATTRIBUTE TYPEATTRIBUTE VALUE

    AvailabilitySUNWcsu

    Interface Stability

     

    SEE ALSO

    login(1), pfexec(1), chkauthattr(3SECDB), getexecuser(3SECDB), auth_attr(4), crypt.conf(4), prof_attr(4), user_attr(4), attributes(5), privileges(5)  

    NOTES

    The console user is defined as the owner of /dev/console.


     

    Index

    NAME
    SYNOPSIS
    DESCRIPTION
    EXAMPLES
    FILES
    ATTRIBUTES
    SEE ALSO
    NOTES


    Поиск по тексту MAN-ов: 




    Спонсоры:
    PostgresPro
    Inferno Solutions
    Hosting by Hoster.ru
    Хостинг:

    Закладки на сайте
    Проследить за страницей
    Created 1996-2022 by Maxim Chirkov
    Добавить, Поддержать, Вебмастеру