doc: Clarify /etc/dbus-1/system.d and /usr/share/dbus-1/system.d

The documentation generally only mentioned the directory in /etc, even
though we actually prefer security policies to be installed in
/usr/share to allow for stateless and volatile systems (i.e. booting up
with an empty /etc).

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99901
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Philip Withnall 2017-02-22 13:22:37 +00:00 committed by Simon McVittie
parent aa751807fa
commit 71959d5bca
2 changed files with 8 additions and 2 deletions

@ -826,6 +826,8 @@ however there are some steps which you can take when designing an API to ease
security policy implementation.
D-Bus security policies are written as XML files in
$file($var($$(datadir$)/dbus-1/system.d)),
$file($var($$(datadir$)/dbus-1/session.d)),
$file($var($$(sysconfdir$)/dbus-1/system.d)) and
$file($var($$(sysconfdir$)/dbus-1/session.d)) and use an allow/deny model, where
each message (method call, signal emission, etc.) can be allowed or denied
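Review bot: The two $$(datadir$) entries at the head of this list are presented on equal footing with the $$(sysconfdir$) ones, so a reader of this paragraph alone cannot tell which directory a package should install its policy into and which is left to the administrator. Since this sentence is where the locations are first introduced, consider adding a short clause here saying that the $$(datadir$) directories are for policies shipped by software and the $$(sysconfdir$) directories are for local changes, rather than leaving that to the later paragraph.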
@ -836,7 +838,10 @@ $code(send_destination) or $code(receive_sender) attribute set.
When designing an API, bear in mind the need to write and install such a
security policy, and consider splitting up methods or providing more restricted
versions which accept constrained parameters, so that they can be exposed with
less restrictive security policies if needed by less trusted clients.
less restrictive security policies if needed by less trusted clients. Since
dbus-daemon 1.10, security policies should be installed to
$file($var($$(datadir$))) rather than $(file($var($$(sysconfdir$))); the latter
is intended for system administators.
Secondly, the default D-Bus security policy for the system bus is restrictive
enough to allow sensitive data, such as passwords, to be safely sent over the
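Review bot: The markup in the added sentence is unbalanced: "$(file($var($$(sysconfdir$)))" opens with "$(file(" where the reference just before it uses "$file(", so it has one more opening parenthesis than closing ones and will not render as a file name; it should read "$file($var($$(sysconfdir$)))". "administators" in the last added line should be "administrators". The sentence also names the bare $$(datadir$) and $$(sysconfdir$) rather than the dbus-1/system.d and dbus-1/session.d subdirectories listed earlier in the section, which could be read as telling authors to install policy files directly into the top-level directory; spelling out the subdirectory would remove that ambiguity.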

@ -46,7 +46,8 @@ Exec=/usr/sbin/dbus-test-server.py
User=ftp
This gives the user to switch to, and also the path of the executable.
The service name must match that specified in the /etc/dbus-1/system.d conf file.
The service name must match that specified in the /etc/dbus-1/system.d or
/usr/share/dbus-1/system.d conf file.
Precautions taken:
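Review bot: The reworded sentence names /etc/dbus-1/system.d first and treats the two directories as interchangeable, which does not carry over the preference for /usr/share that the commit message gives as the reason for the change. Consider listing /usr/share/dbus-1/system.d first and noting that /etc/dbus-1/system.d is for administrator changes, so that someone following this README installs the policy file in the preferred location.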