doc: Clarify /etc/dbus-1/system.d and /usr/share/dbus-1/system.d
The documentation generally only mentioned the directory in /etc, even though we actually prefer security policies to be installed in /usr/share to allow for stateless and volatile systems (i.e. booting up with an empty /etc). Signed-off-by: Philip Withnall <withnall@endlessm.com> Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99901 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
This commit is contained in:
parent
aa751807fa
commit
71959d5bca
|
@ -826,6 +826,8 @@ however there are some steps which you can take when designing an API to ease
|
|||
security policy implementation.
|
||||
|
||||
D-Bus security policies are written as XML files in
|
||||
$file($var($$(datadir$)/dbus-1/system.d)),
|
||||
$file($var($$(datadir$)/dbus-1/session.d)),
|
||||
$file($var($$(sysconfdir$)/dbus-1/system.d)) and
|
||||
$file($var($$(sysconfdir$)/dbus-1/session.d)) and use an allow/deny model, where
|
||||
each message (method call, signal emission, etc.) can be allowed or denied
|
||||
|
@ -836,7 +838,10 @@ $code(send_destination) or $code(receive_sender) attribute set.
|
|||
When designing an API, bear in mind the need to write and install such a
|
||||
security policy, and consider splitting up methods or providing more restricted
|
||||
versions which accept constrained parameters, so that they can be exposed with
|
||||
less restrictive security policies if needed by less trusted clients.
|
||||
less restrictive security policies if needed by less trusted clients. Since
|
||||
dbus-daemon 1.10, security policies should be installed to
|
||||
$file($var($$(datadir$))) rather than $(file($var($$(sysconfdir$))); the latter
|
||||
is intended for system administators.
|
||||
|
||||
Secondly, the default D-Bus security policy for the system bus is restrictive
|
||||
enough to allow sensitive data, such as passwords, to be safely sent over the
|
||||
|
|
|
@ -46,7 +46,8 @@ Exec=/usr/sbin/dbus-test-server.py
|
|||
User=ftp
|
||||
|
||||
This gives the user to switch to, and also the path of the executable.
|
||||
The service name must match that specified in the /etc/dbus-1/system.d conf file.
|
||||
The service name must match that specified in the /etc/dbus-1/system.d or
|
||||
/usr/share/dbus-1/system.d conf file.
|
||||
|
||||
Precautions taken:
|
||||
|
||||
|
|
Loading…
Reference in New Issue