From 357569dd8039e580af3415f494756d321aae9357 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Thu, 12 Apr 2018 14:09:19 +0100 Subject: [PATCH 9/9] dbus-daemon(1): Recommend requiring EXTERNAL on non-Windows OSs This is the default, and blocks TCP-based attacks by making the attacker fail to authenticate (while also preventing inadvisable TCP-based configurations from working). Signed-off-by: Simon McVittie --- doc/dbus-daemon.1.xml.in | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/dbus-daemon.1.xml.in b/doc/dbus-daemon.1.xml.in index 474dd3a7..bdc655e5 100644 --- a/doc/dbus-daemon.1.xml.in +++ b/doc/dbus-daemon.1.xml.in @@ -501,6 +501,10 @@ exist, then all known mechanisms are allowed. If there are multiple <auth> elements, all the listed mechanisms are allowed. The order in which mechanisms are listed is not meaningful. +On non-Windows operating systems, allowing only the + EXTERNAL authentication + mechanism is strongly recommended. This is the default for the + well-known system bus and for the well-known session bus. Example: <auth>EXTERNAL</auth> -- 2.17.0
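Review bot: The paragraph added to doc/dbus-daemon.1.xml.in after "The order in which mechanisms are listed is not meaningful." calls allowing only EXTERNAL "strongly recommended" but gives the reader no reason. The rationale appears only in the commit message: it blocks TCP-based attacks by making the attacker fail to authenticate, and it stops inadvisable TCP-based configurations from working. Consider adding one sentence with that rationale to the man page text, so that an administrator who adds further <auth> elements knows what protection is being given up. The paragraph also limits the advice to non-Windows operating systems without saying what applies on Windows. A short statement of what is or is not recommended there would remove the ambiguity.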