* Add Havoc's patch that never got applied to HEAD (Bug #2436):
* bus/policy.c (bus_policy_allow_user): change default "user is
allowed" to be "user has same uid as the bus itself"; any
allow/deny rules will override.
* bus/session.conf.in: don't allow all users, since now by default
the user that ran the bus can connect.
+2005-08-29 John (J5) Palmieri <johnp@redhat.com>
+
+ * Release 0.36.2
+
+ * Add Havoc's patch that never got applied to HEAD (Bug #2436):
+
+ * bus/policy.c (bus_policy_allow_user): change default "user is
+ allowed" to be "user has same uid as the bus itself"; any
+ allow/deny rules will override.
+
+ * bus/session.conf.in: don't allow all users, since now by default
+ the user that ran the bus can connect.
+
2005-08-26 Colin Walters <walters@verbum.org>
* tools/dbus-print-message.c (print_message): Flush stdout
+D-BUS 0.36.2 (29 August 2005)
+===
+- Security: Restrict other users from connecting to another users
+ session bus
+
D-BUS 0.36.1 (24 August 2005)
===
- Python Bindings:
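Review bot: The NEWS entry added for 0.36.2 does not say that the stock session configuration changed, so an administrator who relies on other uids reaching a session bus gets no hint that they now need an explicit allow rule in local configuration. Suggest adding a line to that effect and a reference to Bug #2436; also, "another users session bus" should read "another user's session bus".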
uid);
return FALSE;
}
-
- allowed = FALSE;
+
+ /* Default to "user owning bus" or root can connect */
+ allowed = uid == _dbus_getuid ();
allowed = list_allows_user (allowed,
&policy->default_rules,
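Review bot: The comment added above `allowed = uid == _dbus_getuid ();` says the bus owner "or root" can connect, but the expression only compares the caller's uid with the bus's own uid, and nothing in the visible lines admits uid 0 when the bus runs as another user. Either drop "or root" from the comment or add the root case explicitly, so the comment and the default agree. Parenthesizing the comparison, as in `allowed = (uid == _dbus_getuid ());`, would also make the assignment easier to read.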
<allow eavesdrop="true"/>
<!-- Allow anyone to own anything -->
<allow own="*"/>
- <!-- Allow any user to connect -->
- <allow user="*"/>
</policy>
<!-- This is included last so local configuration can override what's
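Review bot: With `<allow user="*"/>` removed from this policy block, nothing left in the file tells a reader who may connect; the rule now lives only in the default set in bus_policy_allow_user. Suggest replacing the removed "Allow any user to connect" comment with one stating that only the uid running the bus is admitted by default and that further users need an explicit `<allow user="..."/>` rule, so the restriction is visible to anyone auditing or editing the configuration.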