From 5f2566d04ef27317880f7933f1868330941fd707 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Wed, 19 Jul 2017 15:46:00 +0100 Subject: [PATCH] dbus-daemon(1): Actually document "own" rules Signed-off-by: Simon McVittie --- doc/dbus-daemon.1.xml.in | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/doc/dbus-daemon.1.xml.in b/doc/dbus-daemon.1.xml.in index 5f8dddd6..be4e1aa8 100644 --- a/doc/dbus-daemon.1.xml.in +++ b/doc/dbus-daemon.1.xml.in @@ -938,6 +938,17 @@ the character "*" can be substituted, meaning "any." Complex globs like "foo.bar.*" aren't allowed for now because they'd be work to implement and maybe encourage sloppy security anyway. + + Rules with the own or own_prefix + attribute are checked when a connection attempts to own a well-known bus + names. As a special case, own="*" matches any well-known + bus name. The well-known session bus normally allows any connection to + own any name, while the well-known system bus normally does not allow any + connection to own any name, except where allowed by further configuration. + System services that will own a name must install configuration that allows + them to do so, usually via rules of the form + <policy user="some-system-user"><allow own="…"/></policy>. + <allow own_prefix="a.b"/> allows you to own the name "a.b" or any name whose first dot-separated elements are "a.b": in particular, -- 2.13.3
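Review bot: In the added paragraph, "attempts to own a well-known bus names" mixes singular and plural; it should read "attempts to own a well-known bus name". The same paragraph introduces both own and own_prefix but only explains own (including the own="*" special case), so a short pointer that own_prefix is covered in the paragraph that follows would help. In the example rule <policy user="some-system-user"><allow own="…"/></policy>, consider replacing the "…" with a placeholder name such as com.example.Service, so it is clear the value is a complete well-known bus name and not a glob.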