From 4e9b422b958e4cb6ed56b36b41379e007d2cfe22 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 19 Jul 2017 15:46:13 +0100
Subject: [PATCH] dbus-daemon(1): Clarify how user, group rules work

Signed-off-by: Simon McVittie <smcv@collabora.com>
---
 doc/dbus-daemon.1.xml.in | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/doc/dbus-daemon.1.xml.in b/doc/dbus-daemon.1.xml.in
index be4e1aa8..447b7fd2 100644
--- a/doc/dbus-daemon.1.xml.in
+++ b/doc/dbus-daemon.1.xml.in
@@ -929,14 +929,18 @@ requested. [send|receive]_requested_reply="true" indicates that the rule applies
 always, regardless of pending reply state.</para>
 
 
-<para>user and group denials mean that the given user or group may
-not connect to the message bus.</para>
-
-
-<para>For "name", "username", "groupname", etc.
-the character "*" can be substituted, meaning "any." Complex globs
-like "foo.bar.*" aren't allowed for now because they'd be work to
-implement and maybe encourage sloppy security anyway.</para>
+<para>
+  Rules with the <literal>user</literal> or <literal>group</literal>
+  attribute are checked when a new connection to the message bus is
+  established, and control whether the connection can continue.
+  Each of these attributes cannot be combined with any other
+  attribute. As a special case, both <literal>user="*"</literal> and
+  <literal>group="*"</literal> match any connection. If there are
+  no rules of this form, the default is to allow connections from the same
+  user ID that owns the <command>dbus-daemon</command> process. The well-known
+  session bus normally uses that default behaviour, while the well-known
+  system bus normally allows any connection.
+</para>
 
 <para>
   Rules with the <literal>own</literal> or <literal>own_prefix</literal>
-- 
2.13.3