diff options
| author | Havoc Pennington <hp@redhat.com> | 2003-04-01 05:33:01 +0000 |
|---|---|---|
| committer | Havoc Pennington <hp@redhat.com> | 2003-04-01 05:33:01 +0000 |
| commit | 44ed933284589134603913b05f55ca55e8c5a566 (patch) | |
| tree | 7091c28eba6a2d93cd02ca80c39b3175ccca06f5 /bus/system.conf.in | |
| parent | 8dfe82beb530aefce505a9bf915a749647e7183f (diff) | |
2003-04-01 Havoc Pennington <hp@pobox.com>
* dbus/dbus-server.c (dbus_server_set_auth_mechanisms): new
function
* dbus/dbus-auth.c (_dbus_auth_set_mechanisms): new
* dbus/dbus-internals.c (_dbus_dup_string_array): new function
* dbus/dbus-sysdeps.c (_dbus_listen_unix_socket): chmod the
socket 0777, and unlink any existing socket.
* bus/bus.c (bus_context_new): change our UID/GID and fork if
the configuration file so specifies; set up auth mechanism
restrictions
* bus/config-parser.c (bus_config_parser_content): add support
for <fork> option and fill in code for <auth>
* bus/system.conf.in: add <fork/> to default configuration,
and limit auth mechanisms to EXTERNAL
* doc/config-file.txt (Elements): add <fork>
* dbus/dbus-sysdeps.c (_dbus_become_daemon): new function
(_dbus_change_identity): new function
Diffstat (limited to 'bus/system.conf.in')
| -rw-r--r-- | bus/system.conf.in | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/bus/system.conf.in b/bus/system.conf.in index fe4e049a..7752b576 100644 --- a/bus/system.conf.in +++ b/bus/system.conf.in @@ -2,13 +2,29 @@ Add a system-local.conf and edit that rather than changing this file directly. --> +<!-- Note that there are any number of ways you can hose yourself + security-wise by screwing up this file; in particular, you + probably don't want to listen on any more addresses, add any more + auth mechanisms, run as a different user, etc. --> + <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> <busconfig> - <user>fixme</user> + + <!-- Run as special user --> + <user>messagebus</user> + + <!-- Fork into daemon mode --> + <fork/> + + <!-- Only allow socket-credentials-based authentication --> + <auth>EXTERNAL</auth> + + <!-- Only listen on a local socket --> <listen>unix:path=@EXPANDED_LOCALSTATEDIR@/@DBUS_SYSTEM_SOCKET@</listen> + <policy context="default"> - <!-- Deny everything --> + <!-- Deny everything then punch holes --> <deny send="*"/> <deny receive="*"/> <deny own="*"/> |