From 4e9b422b958e4cb6ed56b36b41379e007d2cfe22 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Wed, 19 Jul 2017 15:46:13 +0100 Subject: [PATCH] dbus-daemon(1): Clarify how user, group rules work Signed-off-by: Simon McVittie --- doc/dbus-daemon.1.xml.in | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/doc/dbus-daemon.1.xml.in b/doc/dbus-daemon.1.xml.in index be4e1aa8..447b7fd2 100644 --- a/doc/dbus-daemon.1.xml.in +++ b/doc/dbus-daemon.1.xml.in @@ -929,14 +929,18 @@ requested. [send|receive]_requested_reply="true" indicates that the rule applies always, regardless of pending reply state. -user and group denials mean that the given user or group may -not connect to the message bus. - - -For "name", "username", "groupname", etc. -the character "*" can be substituted, meaning "any." Complex globs -like "foo.bar.*" aren't allowed for now because they'd be work to -implement and maybe encourage sloppy security anyway. + + Rules with the user or group + attribute are checked when a new connection to the message bus is + established, and control whether the connection can continue. + Each of these attributes cannot be combined with any other + attribute. As a special case, both user="*" and + group="*" match any connection. If there are + no rules of this form, the default is to allow connections from the same + user ID that owns the dbus-daemon process. The well-known + session bus normally uses that default behaviour, while the well-known + system bus normally allows any connection. + Rules with the own or own_prefix -- 2.13.3