1dbus-daemon(1) General Commands Manual dbus-daemon(1)
2
6 dbus-daemon - Message bus daemon
7
9 dbus-daemon dbus-daemon [--version] [--session] [--system] [--config-
10 file=FILE] [--print-address[=DESCRIPTOR]] [--print-pid[=DESCRIPTOR]]
11 [--fork]
12
15 dbus-daemon is the D-Bus message bus daemon. See http://www.freedesk‐
16 top.org/software/dbus/ for more information about the big picture. D-
17 Bus is first a library that provides one-to-one communication between
18 any two applications; dbus-daemon is an application that uses this
19 library to implement a message bus daemon. Multiple programs connect to
20 the message bus daemon and can exchange messages with one another.
21 There are two standard message bus instances: the systemwide message
24 bus (installed on many systems as the "messagebus" init service) and
25 the per-user-login-session message bus (started each time a user logs
26 in). dbus-daemon is used for both of these instances, but with a dif‐
27 ferent configuration file.
28 The --session option is equivalent to "--config-file=/etc/dbus-1/ses‐
31 sion.conf" and the --system option is equivalent to "--config-
32 file=/etc/dbus-1/system.conf". By creating additional configuration
33 files and using the --config-file option, additional special-purpose
34 message bus daemons could be created.
35 The systemwide daemon is normally launched by an init script, stan‐
38 dardly called simply "messagebus".
39 The systemwide daemon is largely used for broadcasting system events,
42 such as changes to the printer queue, or adding/removing devices.
43 The per-session daemon is used for various interprocess communication
46 among desktop applications (however, it is not tied to X or the GUI in
47 any way).
48 SIGHUP will cause the D-Bus daemon to PARTIALLY reload its configura‐
51 tion file and to flush its user/group information caches. Some configu‐
52 ration changes would require kicking all apps off the bus; so they will
53 only take effect if you restart the daemon. Policy changes should take
54 effect with SIGHUP.
55
58 The following options are supported:
59 --config-file=FILE
61 Use the given configuration file.
62 --fork Force the message bus to fork and become a daemon, even if the
64 configuration file does not specify that it should. In most
65 contexts the configuration file already gets this right, though.
66 --print-address[=DESCRIPTOR]
68 Print the address of the message bus to standard output, or to
69 the given file descriptor. This is used by programs that launch
70 the message bus.
71 --print-pid[=DESCRIPTOR]
73 Print the process ID of the message bus to standard output, or
74 to the given file descriptor. This is used by programs that
75 launch the message bus.
76 --session
78 Use the standard configuration file for the per-login-session
79 message bus.
80 --system
82 Use the standard configuration file for the systemwide message
83 bus.
84 --version
86 Print the version of the daemon.
87
90 A message bus daemon has a configuration file that specializes it for a
91 particular application. For example, one configuration file might set
92 up the message bus to be a systemwide message bus, while another might
93 set it up to be a per-user-login-session bus.
94 The configuration file also establishes resource limits, security
97 parameters, and so forth.
98 The configuration file is not part of any interoperability specifica‐
101 tion and its backward compatibility is not guaranteed; this document is
102 documentation, not specification.
103 The standard systemwide and per-session message bus setups are config‐
106 ured in the files "/etc/dbus-1/system.conf" and "/etc/dbus-1/ses‐
107 sion.conf". These files normally <include> a system-local.conf or ses‐
108 sion-local.conf; you can put local overrides in those files to avoid
109 modifying the primary configuration files.
110 The configuration file is an XML document. It must have the following
113 doctype declaration:
114 <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
116 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
117 The following elements may be present in the configuration file.
121 <busconfig>
124 Root element.
127 <type>
130 The well-known type of the message bus. Currently known values are
133 "system" and "session"; if other values are set, they should be either
134 added to the D-Bus specification, or namespaced. The last <type> ele‐
135 ment "wins" (previous values are ignored).
136 Example: <type>session</type>
139 <include>
142 Include a file <include>filename.conf</include> at this point. If the
145 filename is relative, it is located relative to the configuration file
146 doing the including.
147 <include> has an optional attribute "ignore_missing=(yes|no)" which
150 defaults to "no" if not provided. This attribute controls whether it's
151 a fatal error for the included file to be absent.
152 <includedir>
155 Include all files in <includedir>foo.d</includedir> at this point.
158 Files in the directory are included in undefined order. Only files
159 ending in ".conf" are included.
160 This is intended to allow extension of the system bus by particular
163 packages. For example, if CUPS wants to be able to send out notifica‐
164 tion of printer queue changes, it could install a file to
165 /etc/dbus-1/system.d that allowed all apps to receive this message and
166 allowed the printer daemon user to send it.
167 <user>
170 The user account the daemon should run as, as either a username or a
173 UID. If the daemon cannot change to this UID on startup, it will exit.
174 If this element is not present, the daemon will not change or care
175 about its UID.
176 The last <user> entry in the file "wins", the others are ignored.
179 The user is changed after the bus has completed initialization. So
182 sockets etc. will be created before changing user, but no data will be
183 read from clients before changing user. This means that sockets and PID
184 files can be created in a location that requires root privileges for
185 writing.
186 <fork>
189 If present, the bus daemon becomes a real daemon (forks into the back‐
192 ground, etc.). This is generally used rather than the --fork command
193 line option.
194 <listen>
197 Add an address that the bus should listen on. The address is in the
200 standard D-Bus format that contains a transport name plus possible
201 parameters/options.
202 Example: <listen>unix:path=/tmp/foo</listen>
205 If there are multiple <listen> elements, then the bus listens on multi‐
208 ple addresses. The bus will pass its address to started services or
209 other interested parties with the last address given in <listen> first.
210 That is, apps will try to connect to the last <listen> address first.
211 <auth>
214 Lists permitted authorization mechanisms. If this element doesn't
217 exist, then all known mechanisms are allowed. If there are multiple
218 <auth> elements, all the listed mechanisms are allowed. The order in
219 which mechanisms are listed is not meaningful.
220 Example: <auth>EXTERNAL</auth>
223 Example: <auth>DBUS_COOKIE_SHA1</auth>
226 <servicedir>
229 Adds a directory to scan for .service files. Directories are scanned
232 starting with the last to appear in the config file (the first .service
233 file found that provides a particular service will be used).
234 Service files tell the bus how to automatically start a program. They
237 are primarily used with the per-user-session bus, not the systemwide
238 bus.
239 <standard_session_servicedirs/>
242 <standard_session_servicedirs/> is equivalent to specifying a series of
245 <servicedir/> elements for each of the data directories in the "XDG
246 Base Directory Specification" with the subdirectory "dbus-1/services",
247 so for example "/usr/share/dbus-1/services" would be among the directo‐
248 ries searched.
249 The "XDG Base Directory Specification" can be found at http://freedesk‐
252 top.org/wiki/Standards/basedir-spec if it hasn't moved, otherwise try
253 your favorite search engine.
254 The <standard_session_servicedirs/> option is only relevant to the per-
257 user-session bus daemon defined in /etc/dbus-1/session.conf. Putting it
258 in any other configuration file would probably be nonsense.
259 <limit>
262 <limit> establishes a resource limit. For example:
265 <limit name="max_message_size">64</limit>
266 <limit name="max_completed_connections">512</limit>
267 The name attribute is mandatory. Available limit names are:
270 "max_incoming_bytes" : total size in bytes of messages
271 incoming from a single connection
272 "max_outgoing_bytes" : total size in bytes of messages
273 queued up for a single connection
274 "max_message_size" : max size of a single message in
275 bytes
276 "service_start_timeout" : milliseconds (thousandths) until
277 a started service has to connect
278 "auth_timeout" : milliseconds (thousandths) a
279 connection is given to
280 authenticate
281 "max_completed_connections" : max number of authenticated connections
282 "max_incomplete_connections" : max number of unauthenticated
283 connections
284 "max_connections_per_user" : max number of completed connections from
285 the same user
286 "max_pending_service_starts" : max number of service launches in
287 progress at the same time
288 "max_names_per_connection" : max number of names a single
289 connection can own
290 "max_match_rules_per_connection": max number of match rules for a single
291 connection
292 "max_replies_per_connection" : max number of pending method
293 replies per connection
294 (number of calls-in-progress)
295 "reply_timeout" : milliseconds (thousandths)
296 until a method call times out
297 The max incoming/outgoing queue sizes allow a new message to be queued
300 if one byte remains below the max. So you can in fact exceed the max by
301 max_message_size.
302 max_completed_connections divided by max_connections_per_user is the
305 number of users that can work together to denial-of-service all other
306 users by using up all connections on the systemwide bus.
307 Limits are normally only of interest on the systemwide bus, not the
310 user session buses.
311 <policy>
314 The <policy> element defines a security policy to be applied to a par‐
317 ticular set of connections to the bus. A policy is made up of <allow>
318 and <deny> elements. Policies are normally used with the systemwide
319 bus; they are analogous to a firewall in that they allow expected traf‐
320 fic and prevent unexpected traffic.
321 The <policy> element has one of three attributes:
324 context="(default|mandatory)"
325 user="username or userid"
326 group="group name or gid"
327 Policies are applied to a connection as follows:
330 - all context="default" policies are applied
331 - all group="connection's user's group" policies are applied
332 in undefined order
333 - all user="connection's auth user" policies are applied
334 in undefined order
335 - all context="mandatory" policies are applied
336 Policies applied later will override those applied earlier, when the
339 policies overlap. Multiple policies with the same user/group/context
340 are applied in the order they appear in the config file.
341 <deny> <allow>
344 A <deny> element appears below a <policy> element and prohibits some
347 action. The <allow> element makes an exception to previous <deny>
348 statements, and works just like <deny> but with the inverse meaning.
349 The possible attributes of these elements are:
352 send_interface="interface_name"
353 send_member="method_or_signal_name"
354 send_error="error_name"
355 send_destination="name"
356 send_type="method_call" | "method_return" | "signal" | "error"
357 send_path="/path/name"
358 receive_interface="interface_name"
360 receive_member="method_or_signal_name"
361 receive_error="error_name"
362 receive_sender="name"
363 receive_type="method_call" | "method_return" | "signal" | "error"
364 receive_path="/path/name"
365 send_requested_reply="true" | "false"
367 receive_requested_reply="true" | "false"
368 eavesdrop="true" | "false"
370 own="name"
372 user="username"
373 group="groupname"
374 Examples:
377 <deny send_interface="org.freedesktop.System" send_member="Reboot"/>
378 <deny receive_interface="org.freedesktop.System" receive_member="Reboot"/>
379 <deny own="org.freedesktop.System"/>
380 <deny send_destination="org.freedesktop.System"/>
381 <deny receive_sender="org.freedesktop.System"/>
382 <deny user="john"/>
383 <deny group="enemies"/>
384 The <deny> element's attributes determine whether the deny "matches" a
387 particular action. If it matches, the action is denied (unless later
388 rules in the config file allow it).
389 send_destination and receive_sender rules mean that messages may not be
392 sent to or received from the *owner* of the given name, not that they
393 may not be sent *to that name*. That is, if a connection owns services
394 A, B, C, and sending to A is denied, sending to B or C will not work
395 either.
396 The other send_* and receive_* attributes are purely textual/by-value
399 matches against the given field in the message header.
400 "Eavesdropping" occurs when an application receives a message that was
403 explicitly addressed to a name the application does not own. Eaves‐
404 dropping thus only applies to messages that are addressed to services
405 (i.e. it does not apply to signals).
406 For <allow>, eavesdrop="true" indicates that the rule matches even when
409 eavesdropping. eavesdrop="false" is the default and means that the rule
410 only allows messages to go to their specified recipient. For <deny>,
411 eavesdrop="true" indicates that the rule matches only when eavesdrop‐
412 ping. eavesdrop="false" is the default for <deny> also, but here it
413 means that the rule applies always, even when not eavesdropping. The
414 eavesdrop attribute can only be combined with receive rules (with
415 receive_* attributes).
416 The [send|receive]_requested_reply attribute works similarly to the
420 eavesdrop attribute. It controls whether the <deny> or <allow> matches
421 a reply that is expected (corresponds to a previous method call mes‐
422 sage). This attribute only makes sense for reply messages (errors and
423 method returns), and is ignored for other message types.
424 For <allow>, [send|receive]_requested_reply="true" is the default and
427 indicates that only requested replies are allowed by the rule.
428 [send|receive]_requested_reply="false" means that the rule allows any
429 reply even if unexpected.
430 For <deny>, [send|receive]_requested_reply="false" is the default but
433 indicates that the rule matches only when the reply was not requested.
434 [send|receive]_requested_reply="true" indicates that the rule applies
435 always, regardless of pending reply state.
436 user and group denials mean that the given user or group may not con‐
439 nect to the message bus.
440 For "name", "username", "groupname", etc. the character "*" can be
443 substituted, meaning "any." Complex globs like "foo.bar.*" aren't
444 allowed for now because they'd be work to implement and maybe encourage
445 sloppy security anyway.
446 It does not make sense to deny a user or group inside a <policy> for a
449 user or group; user/group denials can only be inside context="default"
450 or context="mandatory" policies.
451 A single <deny> rule may specify combinations of attributes such as
454 send_destination and send_interface and send_type. In this case, the
455 denial applies only if both attributes match the message being denied.
456 e.g. <deny send_interface="foo.bar" send_destination="foo.blah"/> would
457 deny messages with the given interface AND the given bus name. To get
458 an OR effect you specify multiple <deny> rules.
459 You can't include both send_ and receive_ attributes on the same rule,
462 since "whether the message can be sent" and "whether it can be
463 received" are evaluated separately.
464 Be careful with send_interface/receive_interface, because the interface
467 field in messages is optional.
468 <selinux>
471 The <selinux> element contains settings related to Security Enhanced
474 Linux. More details below.
475 <associate>
478 An <associate> element appears below an <selinux> element and creates a
481 mapping. Right now only one kind of association is possible:
482 <associate own="org.freedesktop.Foobar" context="foo_t"/>
483 This means that if a connection asks to own the name "org.freedesk‐
486 top.Foobar" then the source context will be the context of the connec‐
487 tion and the target context will be "foo_t" - see the short discussion
488 of SELinux below.
489 Note, the context here is the target context when requesting a name,
492 NOT the context of the connection owning the name.
493 There's currently no way to set a default for owning any name, if we
496 add this syntax it will look like:
497 <associate own="*" context="foo_t"/>
498 If you find a reason this is useful, let the developers know. Right
499 now the default will be the security context of the bus itself.
500 If two <associate> elements specify the same name, the element appear‐
503 ing later in the configuration file will be used.
504
507 See http://www.nsa.gov/selinux/ for full details on SELinux. Some use‐
508 ful excerpts:
509 Every subject (process) and object (e.g. file, socket, IPC
512 object, etc) in the system is assigned a collection of security
513 attributes, known as a security context. A security context
514 contains all of the security attributes associated with a par‐
515 ticular subject or object that are relevant to the security
516 policy.
517 In order to better encapsulate security contexts and to provide
520 greater efficiency, the policy enforcement code of SELinux typ‐
521 ically handles security identifiers (SIDs) rather than security
522 contexts. A SID is an integer that is mapped by the security
523 server to a security context at runtime.
524 When a security decision is required, the policy enforcement
527 code passes a pair of SIDs (typically the SID of a subject and
528 the SID of an object, but sometimes a pair of subject SIDs or a
529 pair of object SIDs), and an object security class to the secu‐
530 rity server. The object security class indicates the kind of
531 object, e.g. a process, a regular file, a directory, a TCP
532 socket, etc.
533 Access decisions specify whether or not a permission is granted
536 for a given pair of SIDs and class. Each object class has a set
537 of associated permissions defined to control operations on
538 objects with that class.
539 D-Bus performs SELinux security checks in two places.
542 First, any time a message is routed from one connection to another con‐
545 nection, the bus daemon will check permissions with the security con‐
546 text of the first connection as source, security context of the second
547 connection as target, object class "dbus" and requested permission
548 "send_msg".
549 If a security context is not available for a connection (impossible
552 when using UNIX domain sockets), then the target context used is the
553 context of the bus daemon itself. There is currently no way to change
554 this default, because we're assuming that only UNIX domain sockets will
555 be used to connect to the systemwide bus. If this changes, we'll proba‐
556 bly add a way to set the default connection context.
557 Second, any time a connection asks to own a name, the bus daemon will
560 check permissions with the security context of the connection as
561 source, the security context specified for the name in the config file
562 as target, object class "dbus" and requested permission "acquire_svc".
563 The security context for a bus name is specified with the <associate>
566 element described earlier in this document. If a name has no security
567 context associated in the configuration file, the security context of
568 the bus daemon itself will be used.
569
572 See http://www.freedesktop.org/software/dbus/doc/AUTHORS
573
576 Please send bug reports to the D-Bus mailing list or bug tracker, see
577 http://www.freedesktop.org/software/dbus/
578 dbus-daemon(1)