From: Colin Walters Date: Tue, 9 Dec 2008 14:18:49 +0000 (-0500) Subject: Add at_console docs to manpage, as well as brief foreward X-Git-Tag: dbus-1.2.8~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=120604d272ef47b9ab05e478b147ca4a0312c8db;p=thirdparty%2Fdbus.git Add at_console docs to manpage, as well as brief foreward We need some sort of general advice here. --- diff --git a/bus/dbus-daemon.1.in b/bus/dbus-daemon.1.in index 5599afe6f..826353c32 100644 --- a/bus/dbus-daemon.1.in +++ b/bus/dbus-daemon.1.in @@ -410,15 +410,28 @@ they are analogous to a firewall in that they allow expected traffic and prevent unexpected traffic. .PP -The element has one of three attributes: +Currently, the system bus has a default-deny policy for sending method calls +and owning bus names. Everything else, in particular reply messages, receive +checks, and signals has a default allow policy. + +.PP +In general, it is best to keep system services as small, targeted programs which +run in their own process and provide a single bus name. Then, all that is needed +is an rule for the "own" permission to let the process claim the bus +name, and a "send_destination" rule to allow traffic from some or all uids to +your service. + +.PP +The element has one of four attributes: +daemon.1.in .nf context="(default|mandatory)" + at_console="(true|false)" user="username or userid" group="group name or gid" .fi .PP - Policies are applied to a connection as follows: .nf - all context="default" policies are applied @@ -426,6 +439,8 @@ Policies are applied to a connection as follows: in undefined order - all user="connection's auth user" policies are applied in undefined order + - all at_console="true" policies are applied + - all at_console="false" policies are applied - all context="mandatory" policies are applied .fi
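Review bot: In the first hunk (@@ -410,15 +410,28 @@), the added line "+daemon.1.in" between "The element has one of four attributes:" and ".nf" is not roff markup or sentence text, so it would render as a stray word in the man page; it looks like a paste leftover and should be dropped. The same hunk adds at_console="(true|false)" to the attribute list without a sentence saying what condition it tests, while the new advisory paragraph only covers "own" and "send_destination" rules. Since the attribute decides which connections a policy block applies to, a one-line definition next to the list would help. Minor: "default-deny" is hyphenated but "default allow" is not, and the empty added lines before each ".PP" are unnecessary because .PP already starts a new paragraph.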
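Review bot: In the second hunk (@@ -426,6 +439,8 @@), the two added entries read as if both at_console="true" and at_console="false" policies are applied to every connection, unlike the neighbouring entry, which names its selector (user="connection's auth user"). Reword each entry to state the condition that selects it for a given connection. The added entries also omit the "in undefined order" qualifier that the user entry carries, so the text does not say how several at_console policies of the same value are ordered relative to one another. Because this list is the documented application order, with the new entries placed after user policies and before context="mandatory", both points are worth spelling out.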