os/ossrv/ofdbus/dbus/data/valid-config-files/system.conf
changeset 0 bde4ae8d615e
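--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/os/ossrv/ofdbus/dbus/data/valid-config-files/system.conf	Fri Jun 15 03:10:57 2012 +0200
@@ -0,0 +1,62 @@
+<!-- This configuration file controls the systemwide message bus.
+     Add a system-local.conf and edit that rather than changing this 
+     file directly. -->
+
+<!-- Note that there are any number of ways you can hose yourself
+     security-wise by screwing up this file; in particular, you
+     probably don't want to listen on any more addresses, add any more
+     auth mechanisms, run as a different user, etc. -->
+
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+
+  <!-- Our well-known bus type, do not change this -->
+  <type>system</type>
+
+  <!-- Run as special user -->
+  <user>messagebus</user>
+
+  <!-- Fork into daemon mode -->
+  <fork/>
+
+  <!-- Write a pid file -->
+  <pidfile>/usr/local/var/run/messagebus.pid</pidfile>
+
+  <!-- Only allow socket-credentials-based authentication -->
+  <auth>EXTERNAL</auth>
+
+  <!-- Only listen on a local socket. (abstract=/path/to/socket 
+       means use abstract namespace, don't really create filesystem 
+       file; only Linux supports this. Use path=/whatever on other 
+       systems.) -->
+  <listen>tcp:host=localhost,port=12437</listen>
+
+  <policy context="default">
+    <!-- Deny everything then punch holes -->
+    <deny send_interface="*"/>
+    <deny receive_interface="*"/>
+    <deny own="*"/>
+    <!-- But allow all users to connect -->
+    <allow user="*"/>
+    <!-- Allow anyone to talk to the message bus -->
+    <!-- FIXME I think currently these allow rules are always implicit 
+         even if they aren't in here -->
+    <allow send_destination="org.freedesktop.DBus"/>
+    <allow receive_sender="org.freedesktop.DBus"/>
+    <!-- valid replies are always allowed -->
+    <allow send_requested_reply="true"/>
+    <allow receive_requested_reply="true"/>
+  </policy>
+
+  <!-- Config files are placed here that among other things, punch 
+       holes in the above policy for specific services. -->
+  <includedir>system.d</includedir>
+
+  <!-- This is included last so local configuration can override what's 
+       in this standard file -->
+  <include ignore_missing="yes">system-local.conf</include>
+
+  <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include>
+
+</busconfig>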
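Review bot: The comment above `<listen>` says the bus listens only on a local socket and describes `abstract=`/`path=` addresses, but the configured address is `tcp:host=localhost,port=12437`, a loopback TCP listener with none of the filesystem permissions a `unix:path=` socket carries. The `<auth>EXTERNAL</auth>` comment promises socket-credentials-based authentication, yet a TCP connection does not normally give the daemon kernel-verified peer credentials as a Unix-domain socket does. What EXTERNAL actually checks on this transport depends on the platform port and is not visible in this file, so it should be confirmed. With `<allow user="*"/>` in the default policy, access control then rests on that check and on the deny rules. I would replace the listen comment with `<!-- Listen on loopback TCP only; unlike a unix: socket there are no filesystem permissions, so access control rests on <auth> and the policy below -->`, and note next to `<auth>` how peer identity is established over TCP.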