Document best practices for usernames in <policy>
Submitted by Simon McVittie
Assigned to D-Bus Maintainers
Link to original bug (#104586)
Description
Because some NSS mechanisms require network access, and some network access mechanisms like NetworkManager require D-Bus, usernames in the <policy>
for the dbus-daemon must be resolvable during boot prior to network access becoming available. In practice, this means they must be local (for example nss_files, nss_db, or even nss_systemd's special cases for the root and nobody users).
(In reply to Tom Gundersen on Bug #104224)
As such, no dbus-based NSS resolution is possible. This is ok because we assume any user/group names used in the configuration files are given statically in /etc/passwd and friends, rather than resolved over something like LDAP (local policy referencing remote users sounds very strange). This is not at all obvious, and it is probably something we should document better. I'd even propose to add this to the spec if we all agreed.
dbus-daemon's XML configuration language is not (currently) in the scope of the spec, but I'd welcome patches to dbus-daemon(1) that said this.
Version: git master