dbus-daemon(1): Recommend requiring EXTERNAL on non-Windows OSs

This is the default, and blocks TCP-based attacks by making the
attacker fail to authenticate (while also preventing inadvisable
TCP-based configurations from working).

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106004
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
Reviewed-by: Philip Withnall <withnall@endlessm.com>

diff --git a/doc/dbus-daemon.1.xml.in b/doc/dbus-daemon.1.xml.in
index 3187205392978ed5fa18d6a61b346fc816a84cef..fabe8a1ba0710dd877bc3737cf85a752846a384d 100644 (file)
--- a/doc/dbus-daemon.1.xml.in
+++ b/doc/dbus-daemon.1.xml.in
@@ -491,6 +491,10 @@ exist, then all known mechanisms are allowed.  If there are multiple
 <auth> elements, all the listed mechanisms are allowed.  The order in
 which mechanisms are listed is not meaningful.</para>
 
+<para>On non-Windows operating systems, allowing only the
+  <literal>EXTERNAL</literal> authentication
+  mechanism is strongly recommended. This is the default for the
+  well-known system bus and for the well-known session bus.</para>
 
 <para>Example: &lt;auth&gt;EXTERNAL&lt;/auth&gt;</para>