* Release 0.36.2

* Add Havoc's patch that never got applied to HEAD (Bug #2436):

* bus/policy.c (bus_policy_allow_user): change default "user is
allowed" to be "user has same uid as the bus itself"; any
allow/deny rules will override.

* bus/session.conf.in: don't allow all users, since now by default
the user that ran the bus can connect.

2 files changed, 3 insertions, 4 deletions

diff --git a/bus/policy.c b/bus/policy.c
index 7759dfad..c0244bdc 100644
--- a/bus/policy.c
+++ b/bus/policy.c
@@ -453,8 +453,9 @@ bus_policy_allow_user (BusPolicy        *policy,
                      uid);
       return FALSE;
     }
-  
-  allowed = FALSE;
+
+  /* Default to "user owning bus" or root can connect */
+  allowed = uid == _dbus_getuid ();
 
   allowed = list_allows_user (allowed,
                               &policy->default_rules,
diff --git a/bus/session.conf.in b/bus/session.conf.in
index 8b6d65f7..1a6dfda5 100644
--- a/bus/session.conf.in
+++ b/bus/session.conf.in
@@ -19,8 +19,6 @@
     <allow eavesdrop="true"/>
     <!-- Allow anyone to own anything -->
     <allow own="*"/>
-    <!-- Allow any user to connect -->
-    <allow user="*"/>
   </policy>
 
   <!-- This is included last so local configuration can override what's