* Release 0.36.2

* Add Havoc's patch that never got applied to HEAD (Bug #2436):

* bus/policy.c (bus_policy_allow_user): change default "user is
allowed" to be "user has same uid as the bus itself"; any
allow/deny rules will override.

* bus/session.conf.in: don't allow all users, since now by default
the user that ran the bus can connect.

3 files changed, 16 insertions, 4 deletions

diff --git a/ChangeLog b/ChangeLog
index 3d9962d7..5e0c9eec 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,18 @@
 2005-08-24  John (J5) Palmieri  <johnp@redhat.com>
 
+	* Release 0.36.2
+
+	* Add Havoc's patch that never got applied to HEAD (Bug #2436):
+
+	* bus/policy.c (bus_policy_allow_user): change default "user is
+	allowed" to be "user has same uid as the bus itself"; any
+	allow/deny rules will override.
+
+	* bus/session.conf.in: don't allow all users, since now by default
+	the user that ran the bus can connect.
+
+2005-08-24  John (J5) Palmieri  <johnp@redhat.com>
+
 	* Release 0.36.1
 
 	* python/_dbus.py: 
diff --git a/bus/policy.c b/bus/policy.c
index 7759dfad..c0244bdc 100644
--- a/bus/policy.c
+++ b/bus/policy.c
@@ -453,8 +453,9 @@ bus_policy_allow_user (BusPolicy        *policy,
                      uid);
       return FALSE;
     }
-  
-  allowed = FALSE;
+
+  /* Default to "user owning bus" or root can connect */
+  allowed = uid == _dbus_getuid ();
 
   allowed = list_allows_user (allowed,
                               &policy->default_rules,
diff --git a/bus/session.conf.in b/bus/session.conf.in
index 8b6d65f7..1a6dfda5 100644
--- a/bus/session.conf.in
+++ b/bus/session.conf.in
@@ -19,8 +19,6 @@
     <allow eavesdrop="true"/>
     <!-- Allow anyone to own anything -->
     <allow own="*"/>
-    <!-- Allow any user to connect -->
-    <allow user="*"/>
   </policy>
 
   <!-- This is included last so local configuration can override what's