Commit ff09f3ba authored by Simon McVittie's avatar Simon McVittie Committed by Simon McVittie

dbus-daemon(1): Clarify how user, group rules work

Signed-off-by: Simon McVittie's avatarSimon McVittie <>
Reviewed-by: Thiago Macieira's avatarThiago Macieira <>
parent c1348e23
......@@ -929,14 +929,18 @@ requested. [send|receive]_requested_reply="true" indicates that the rule applies
always, regardless of pending reply state.</para>
<para>user and group denials mean that the given user or group may
not connect to the message bus.</para>
<para>For "name", "username", "groupname", etc.
the character "*" can be substituted, meaning "any." Complex globs
like "*" aren't allowed for now because they'd be work to
implement and maybe encourage sloppy security anyway.</para>
Rules with the <literal>user</literal> or <literal>group</literal>
attribute are checked when a new connection to the message bus is
established, and control whether the connection can continue.
Each of these attributes cannot be combined with any other
attribute. As a special case, both <literal>user="*"</literal> and
<literal>group="*"</literal> match any connection. If there are
no rules of this form, the default is to allow connections from the same
user ID that owns the <command>dbus-daemon</command> process. The well-known
session bus normally uses that default behaviour, while the well-known
system bus normally allows any connection.
Rules with the <literal>own</literal> or <literal>own_prefix</literal>
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment