1dbus-daemon(1) General Commands Manual dbus-daemon(1)
2
3
4
6 dbus-daemon - Message bus daemon
7
9 dbus-daemon dbus-daemon [--version] [--session] [--system] [--config-
10 file=FILE] [--print-address[=DESCRIPTOR]] [--print-pid[=DESCRIPTOR]]
11 [--fork]
12
13
15 dbus-daemon is the D-Bus message bus daemon. See http://www.freedesk‐
16 top.org/software/dbus/ for more information about the big picture. D-
17 Bus is first a library that provides one-to-one communication between
18 any two applications; dbus-daemon is an application that uses this
19 library to implement a message bus daemon. Multiple programs connect to
20 the message bus daemon and can exchange messages with one another.
21
22
23 There are two standard message bus instances: the systemwide message
24 bus (installed on many systems as the "messagebus" init service) and
25 the per-user-login-session message bus (started each time a user logs
26 in). dbus-daemon is used for both of these instances, but with a dif‐
27 ferent configuration file.
28
29
30 The --session option is equivalent to "--config-file=/etc/dbus-1/ses‐
31 sion.conf" and the --system option is equivalent to "--config-
32 file=/etc/dbus-1/system.conf". By creating additional configuration
33 files and using the --config-file option, additional special-purpose
34 message bus daemons could be created.
35
36
37 The systemwide daemon is normally launched by an init script, stan‐
38 dardly called simply "messagebus".
39
40
41 The systemwide daemon is largely used for broadcasting system events,
42 such as changes to the printer queue, or adding/removing devices.
43
44
45 The per-session daemon is used for various interprocess communication
46 among desktop applications (however, it is not tied to X or the GUI in
47 any way).
48
49
50 SIGHUP will cause the D-Bus daemon to PARTIALLY reload its configura‐
51 tion file and to flush its user/group information caches. Some configu‐
52 ration changes would require kicking all apps off the bus; so they will
53 only take effect if you restart the daemon. Policy changes should take
54 effect with SIGHUP.
55
56
58 The following options are supported:
59
60 --config-file=FILE
61 Use the given configuration file.
62
63 --fork Force the message bus to fork and become a daemon, even if the
64 configuration file does not specify that it should. In most
65 contexts the configuration file already gets this right, though.
66
67 --print-address[=DESCRIPTOR]
68 Print the address of the message bus to standard output, or to
69 the given file descriptor. This is used by programs that launch
70 the message bus.
71
72 --print-pid[=DESCRIPTOR]
73 Print the process ID of the message bus to standard output, or
74 to the given file descriptor. This is used by programs that
75 launch the message bus.
76
77 --session
78 Use the standard configuration file for the per-login-session
79 message bus.
80
81 --system
82 Use the standard configuration file for the systemwide message
83 bus.
84
85 --version
86 Print the version of the daemon.
87
88
90 A message bus daemon has a configuration file that specializes it for a
91 particular application. For example, one configuration file might set
92 up the message bus to be a systemwide message bus, while another might
93 set it up to be a per-user-login-session bus.
94
95
96 The configuration file also establishes resource limits, security
97 parameters, and so forth.
98
99
100 The configuration file is not part of any interoperability specifica‐
101 tion and its backward compatibility is not guaranteed; this document is
102 documentation, not specification.
103
104
105 The standard systemwide and per-session message bus setups are config‐
106 ured in the files "/etc/dbus-1/system.conf" and "/etc/dbus-1/ses‐
107 sion.conf". These files normally <include> a system-local.conf or ses‐
108 sion-local.conf; you can put local overrides in those files to avoid
109 modifying the primary configuration files.
110
111
112 The configuration file is an XML document. It must have the following
113 doctype declaration:
114
115 <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
116 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
117
118
119
120 The following elements may be present in the configuration file.
121
122
123 <busconfig>
124
125
126 Root element.
127
128
129 <type>
130
131
132 The well-known type of the message bus. Currently known values are
133 "system" and "session"; if other values are set, they should be either
134 added to the D-Bus specification, or namespaced. The last <type> ele‐
135 ment "wins" (previous values are ignored).
136
137
138 Example: <type>session</type>
139
140
141 <include>
142
143
144 Include a file <include>filename.conf</include> at this point. If the
145 filename is relative, it is located relative to the configuration file
146 doing the including.
147
148
149 <include> has an optional attribute "ignore_missing=(yes|no)" which
150 defaults to "no" if not provided. This attribute controls whether it's
151 a fatal error for the included file to be absent.
152
153
154 <includedir>
155
156
157 Include all files in <includedir>foo.d</includedir> at this point.
158 Files in the directory are included in undefined order. Only files
159 ending in ".conf" are included.
160
161
162 This is intended to allow extension of the system bus by particular
163 packages. For example, if CUPS wants to be able to send out notifica‐
164 tion of printer queue changes, it could install a file to
165 /etc/dbus-1/system.d that allowed all apps to receive this message and
166 allowed the printer daemon user to send it.
167
168
169 <user>
170
171
172 The user account the daemon should run as, as either a username or a
173 UID. If the daemon cannot change to this UID on startup, it will exit.
174 If this element is not present, the daemon will not change or care
175 about its UID.
176
177
178 The last <user> entry in the file "wins", the others are ignored.
179
180
181 The user is changed after the bus has completed initialization. So
182 sockets etc. will be created before changing user, but no data will be
183 read from clients before changing user. This means that sockets and PID
184 files can be created in a location that requires root privileges for
185 writing.
186
187
188 <fork>
189
190
191 If present, the bus daemon becomes a real daemon (forks into the back‐
192 ground, etc.). This is generally used rather than the --fork command
193 line option.
194
195
196 <listen>
197
198
199 Add an address that the bus should listen on. The address is in the
200 standard D-Bus format that contains a transport name plus possible
201 parameters/options.
202
203
204 Example: <listen>unix:path=/tmp/foo</listen>
205
206
207 If there are multiple <listen> elements, then the bus listens on multi‐
208 ple addresses. The bus will pass its address to started services or
209 other interested parties with the last address given in <listen> first.
210 That is, apps will try to connect to the last <listen> address first.
211
212
213 <auth>
214
215
216 Lists permitted authorization mechanisms. If this element doesn't
217 exist, then all known mechanisms are allowed. If there are multiple
218 <auth> elements, all the listed mechanisms are allowed. The order in
219 which mechanisms are listed is not meaningful.
220
221
222 Example: <auth>EXTERNAL</auth>
223
224
225 Example: <auth>DBUS_COOKIE_SHA1</auth>
226
227
228 <servicedir>
229
230
231 Adds a directory to scan for .service files. Directories are scanned
232 starting with the last to appear in the config file (the first .service
233 file found that provides a particular service will be used).
234
235
236 Service files tell the bus how to automatically start a program. They
237 are primarily used with the per-user-session bus, not the systemwide
238 bus.
239
240
241 <standard_session_servicedirs/>
242
243
244 <standard_session_servicedirs/> is equivalent to specifying a series of
245 <servicedir/> elements for each of the data directories in the "XDG
246 Base Directory Specification" with the subdirectory "dbus-1/services",
247 so for example "/usr/share/dbus-1/services" would be among the directo‐
248 ries searched.
249
250
251 The "XDG Base Directory Specification" can be found at http://freedesk‐
252 top.org/wiki/Standards/basedir-spec if it hasn't moved, otherwise try
253 your favorite search engine.
254
255
256 The <standard_session_servicedirs/> option is only relevant to the per-
257 user-session bus daemon defined in /etc/dbus-1/session.conf. Putting it
258 in any other configuration file would probably be nonsense.
259
260
261 <limit>
262
263
264 <limit> establishes a resource limit. For example:
265 <limit name="max_message_size">64</limit>
266 <limit name="max_completed_connections">512</limit>
267
268
269 The name attribute is mandatory. Available limit names are:
270 "max_incoming_bytes" : total size in bytes of messages
271 incoming from a single connection
272 "max_outgoing_bytes" : total size in bytes of messages
273 queued up for a single connection
274 "max_message_size" : max size of a single message in
275 bytes
276 "service_start_timeout" : milliseconds (thousandths) until
277 a started service has to connect
278 "auth_timeout" : milliseconds (thousandths) a
279 connection is given to
280 authenticate
281 "max_completed_connections" : max number of authenticated connections
282 "max_incomplete_connections" : max number of unauthenticated
283 connections
284 "max_connections_per_user" : max number of completed connections from
285 the same user
286 "max_pending_service_starts" : max number of service launches in
287 progress at the same time
288 "max_names_per_connection" : max number of names a single
289 connection can own
290 "max_match_rules_per_connection": max number of match rules for a single
291 connection
292 "max_replies_per_connection" : max number of pending method
293 replies per connection
294 (number of calls-in-progress)
295 "reply_timeout" : milliseconds (thousandths)
296 until a method call times out
297
298
299 The max incoming/outgoing queue sizes allow a new message to be queued
300 if one byte remains below the max. So you can in fact exceed the max by
301 max_message_size.
302
303
304 max_completed_connections divided by max_connections_per_user is the
305 number of users that can work together to denial-of-service all other
306 users by using up all connections on the systemwide bus.
307
308
309 Limits are normally only of interest on the systemwide bus, not the
310 user session buses.
311
312
313 <policy>
314
315
316 The <policy> element defines a security policy to be applied to a par‐
317 ticular set of connections to the bus. A policy is made up of <allow>
318 and <deny> elements. Policies are normally used with the systemwide
319 bus; they are analogous to a firewall in that they allow expected traf‐
320 fic and prevent unexpected traffic.
321
322
323 The <policy> element has one of three attributes:
324 context="(default|mandatory)"
325 user="username or userid"
326 group="group name or gid"
327
328
329 Policies are applied to a connection as follows:
330 - all context="default" policies are applied
331 - all group="connection's user's group" policies are applied
332 in undefined order
333 - all user="connection's auth user" policies are applied
334 in undefined order
335 - all context="mandatory" policies are applied
336
337
338 Policies applied later will override those applied earlier, when the
339 policies overlap. Multiple policies with the same user/group/context
340 are applied in the order they appear in the config file.
341
342
343 <deny> <allow>
344
345
346 A <deny> element appears below a <policy> element and prohibits some
347 action. The <allow> element makes an exception to previous <deny>
348 statements, and works just like <deny> but with the inverse meaning.
349
350
351 The possible attributes of these elements are:
352 send_interface="interface_name"
353 send_member="method_or_signal_name"
354 send_error="error_name"
355 send_destination="name"
356 send_type="method_call" | "method_return" | "signal" | "error"
357 send_path="/path/name"
358
359 receive_interface="interface_name"
360 receive_member="method_or_signal_name"
361 receive_error="error_name"
362 receive_sender="name"
363 receive_type="method_call" | "method_return" | "signal" | "error"
364 receive_path="/path/name"
365
366 send_requested_reply="true" | "false"
367 receive_requested_reply="true" | "false"
368
369 eavesdrop="true" | "false"
370
371 own="name"
372 user="username"
373 group="groupname"
374
375
376 Examples:
377 <deny send_interface="org.freedesktop.System" send_member="Reboot"/>
378 <deny receive_interface="org.freedesktop.System" receive_member="Reboot"/>
379 <deny own="org.freedesktop.System"/>
380 <deny send_destination="org.freedesktop.System"/>
381 <deny receive_sender="org.freedesktop.System"/>
382 <deny user="john"/>
383 <deny group="enemies"/>
384
385
386 The <deny> element's attributes determine whether the deny "matches" a
387 particular action. If it matches, the action is denied (unless later
388 rules in the config file allow it).
389
390
391 send_destination and receive_sender rules mean that messages may not be
392 sent to or received from the *owner* of the given name, not that they
393 may not be sent *to that name*. That is, if a connection owns services
394 A, B, C, and sending to A is denied, sending to B or C will not work
395 either.
396
397
398 The other send_* and receive_* attributes are purely textual/by-value
399 matches against the given field in the message header.
400
401
402 "Eavesdropping" occurs when an application receives a message that was
403 explicitly addressed to a name the application does not own. Eaves‐
404 dropping thus only applies to messages that are addressed to services
405 (i.e. it does not apply to signals).
406
407
408 For <allow>, eavesdrop="true" indicates that the rule matches even when
409 eavesdropping. eavesdrop="false" is the default and means that the rule
410 only allows messages to go to their specified recipient. For <deny>,
411 eavesdrop="true" indicates that the rule matches only when eavesdrop‐
412 ping. eavesdrop="false" is the default for <deny> also, but here it
413 means that the rule applies always, even when not eavesdropping. The
414 eavesdrop attribute can only be combined with receive rules (with
415 receive_* attributes).
416
417
418
419 The [send|receive]_requested_reply attribute works similarly to the
420 eavesdrop attribute. It controls whether the <deny> or <allow> matches
421 a reply that is expected (corresponds to a previous method call mes‐
422 sage). This attribute only makes sense for reply messages (errors and
423 method returns), and is ignored for other message types.
424
425
426 For <allow>, [send|receive]_requested_reply="true" is the default and
427 indicates that only requested replies are allowed by the rule.
428 [send|receive]_requested_reply="false" means that the rule allows any
429 reply even if unexpected.
430
431
432 For <deny>, [send|receive]_requested_reply="false" is the default but
433 indicates that the rule matches only when the reply was not requested.
434 [send|receive]_requested_reply="true" indicates that the rule applies
435 always, regardless of pending reply state.
436
437
438 user and group denials mean that the given user or group may not con‐
439 nect to the message bus.
440
441
442 For "name", "username", "groupname", etc. the character "*" can be
443 substituted, meaning "any." Complex globs like "foo.bar.*" aren't
444 allowed for now because they'd be work to implement and maybe encourage
445 sloppy security anyway.
446
447
448 It does not make sense to deny a user or group inside a <policy> for a
449 user or group; user/group denials can only be inside context="default"
450 or context="mandatory" policies.
451
452
453 A single <deny> rule may specify combinations of attributes such as
454 send_destination and send_interface and send_type. In this case, the
455 denial applies only if both attributes match the message being denied.
456 e.g. <deny send_interface="foo.bar" send_destination="foo.blah"/> would
457 deny messages with the given interface AND the given bus name. To get
458 an OR effect you specify multiple <deny> rules.
459
460
461 You can't include both send_ and receive_ attributes on the same rule,
462 since "whether the message can be sent" and "whether it can be
463 received" are evaluated separately.
464
465
466 Be careful with send_interface/receive_interface, because the interface
467 field in messages is optional.
468
469
470 <selinux>
471
472
473 The <selinux> element contains settings related to Security Enhanced
474 Linux. More details below.
475
476
477 <associate>
478
479
480 An <associate> element appears below an <selinux> element and creates a
481 mapping. Right now only one kind of association is possible:
482 <associate own="org.freedesktop.Foobar" context="foo_t"/>
483
484
485 This means that if a connection asks to own the name "org.freedesk‐
486 top.Foobar" then the source context will be the context of the connec‐
487 tion and the target context will be "foo_t" - see the short discussion
488 of SELinux below.
489
490
491 Note, the context here is the target context when requesting a name,
492 NOT the context of the connection owning the name.
493
494
495 There's currently no way to set a default for owning any name, if we
496 add this syntax it will look like:
497 <associate own="*" context="foo_t"/>
498 If you find a reason this is useful, let the developers know. Right
499 now the default will be the security context of the bus itself.
500
501
502 If two <associate> elements specify the same name, the element appear‐
503 ing later in the configuration file will be used.
504
505
507 See http://www.nsa.gov/selinux/ for full details on SELinux. Some use‐
508 ful excerpts:
509
510
511 Every subject (process) and object (e.g. file, socket, IPC
512 object, etc) in the system is assigned a collection of security
513 attributes, known as a security context. A security context
514 contains all of the security attributes associated with a par‐
515 ticular subject or object that are relevant to the security
516 policy.
517
518
519 In order to better encapsulate security contexts and to provide
520 greater efficiency, the policy enforcement code of SELinux typ‐
521 ically handles security identifiers (SIDs) rather than security
522 contexts. A SID is an integer that is mapped by the security
523 server to a security context at runtime.
524
525
526 When a security decision is required, the policy enforcement
527 code passes a pair of SIDs (typically the SID of a subject and
528 the SID of an object, but sometimes a pair of subject SIDs or a
529 pair of object SIDs), and an object security class to the secu‐
530 rity server. The object security class indicates the kind of
531 object, e.g. a process, a regular file, a directory, a TCP
532 socket, etc.
533
534
535 Access decisions specify whether or not a permission is granted
536 for a given pair of SIDs and class. Each object class has a set
537 of associated permissions defined to control operations on
538 objects with that class.
539
540
541 D-Bus performs SELinux security checks in two places.
542
543
544 First, any time a message is routed from one connection to another con‐
545 nection, the bus daemon will check permissions with the security con‐
546 text of the first connection as source, security context of the second
547 connection as target, object class "dbus" and requested permission
548 "send_msg".
549
550
551 If a security context is not available for a connection (impossible
552 when using UNIX domain sockets), then the target context used is the
553 context of the bus daemon itself. There is currently no way to change
554 this default, because we're assuming that only UNIX domain sockets will
555 be used to connect to the systemwide bus. If this changes, we'll proba‐
556 bly add a way to set the default connection context.
557
558
559 Second, any time a connection asks to own a name, the bus daemon will
560 check permissions with the security context of the connection as
561 source, the security context specified for the name in the config file
562 as target, object class "dbus" and requested permission "acquire_svc".
563
564
565 The security context for a bus name is specified with the <associate>
566 element described earlier in this document. If a name has no security
567 context associated in the configuration file, the security context of
568 the bus daemon itself will be used.
569
570
572 See http://www.freedesktop.org/software/dbus/doc/AUTHORS
573
574
576 Please send bug reports to the D-Bus mailing list or bug tracker, see
577 http://www.freedesktop.org/software/dbus/
578
579
580
581 dbus-daemon(1)