oddjobd.conf(5) File Formats Manual oddjobd.conf(5)

oddjobd.conf - configuration for oddjobd

The /etc/oddjobd.conf configuration file specifies which services the
oddjobd server provides over the D-Bus, and authorization rules which
are enforced in addition to those enforced by the system message bus.

The configuration file is an XML document. The top-level element type
is <oddjobconfig>, which contains one or more <service> elements. Each
<service> describes a service which will be provided on the system-wide
message bus.

Each <object> describes an object path which will be recognized by
the specified service. The object path may include wildcards, in which
case any call to an object with a path name which matches the specified
path will be accepted. An object contains one or more <interface>
elements, each of which describes a group of methods described in
<method> elements.

Each <method> element must specify the method name as the value of its
name attribute, and may include a <helper> element which gives the name
of an executable to run as its exec attribute and the number of
arguments which will be expected from the D-Bus client and passed to
the helper as its argument_count attribute. The <helper>'s exec
attribute can include one or more command line arguments, separated
from the executable by whitespace. A <helper> may also include
attributes indicating whether or not the invoking user's name should be
prepended to the list of arguments received as part of the D-Bus
request (prepend_user_name, with recognized values "yes" or "no"), and
whether that set of arguments should be passed in to the helper via
stdin (the default) or on its command line (argument_passing_method,
with recognized values "stdin" and "cmdline").

Each <oddjobconfig>, <service>, <object>, <interface>, or <method>
element may also include authorization elements <allow> and <deny>. Each
<allow> or <deny> rule specifies some combination of a user name and/or
a UID range which the invoking user must match for the rule to apply.
A rule can also specify the caller's SELinux context, user, role, or
execution domain, and be applied or not based on whether or not policy
is being enforced. All <deny> rules for the method are checked first,
followed by all of its <allow> rules. If no matches are found, the
<deny> rules for the containing <interface> element are checked,
followed by its <allow> rules, and so on. If all ACLs are searched and no
matches turn up, access is denied.
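
The lookup order described above, written out in Python as an added
example for auditing a configuration; it is not oddjobd's own code. It
models only the user, min_uid and max_uid attributes that appear in the
example files, does not follow <include>, and the names rule_matches,
decide and audit are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed from the second example file, plus one <deny>.
CONF = """<oddjobconfig>
  <allow user="wally"/>
  <service name="com.redhat.oddjob">
    <object name="/com/redhat/oddjob">
      <interface name="com.redhat.oddjob">
        <deny user="wally"/>
        <allow user="bob"/>
        <method name="pwd">
          <allow min_uid="0" max_uid="1000"/>
        </method>
        <method name="reboot"/>
      </interface>
    </object>
  </service>
</oddjobconfig>"""

MODELLED = {"user", "min_uid", "max_uid"}  # attributes seen in the page's examples

def rule_matches(rule, user, uid):
    """True if the caller matches every condition the rule specifies."""
    if not rule.attrib or set(rule.attrib) - MODELLED:
        raise ValueError(f"rule not modelled here: {rule.attrib}")
    if "user" in rule.attrib and rule.get("user") != user:
        return False
    # Assumption: a missing bound leaves that side of the UID range open.
    lo, hi = int(rule.get("min_uid", uid)), int(rule.get("max_uid", uid))
    return lo <= uid <= hi

def decide(chain, user, uid):
    """chain: method, interface, object, service, oddjobconfig (innermost first)."""
    for elem in chain:
        for verdict in ("deny", "allow"):  # all <deny> rules before <allow> rules
            if any(rule_matches(r, user, uid) for r in elem.findall(verdict)):
                return verdict
    return "deny"  # every ACL searched, nothing matched

def audit(xml_text, user, uid):
    """Return {'interface.method': 'allow' | 'deny'} for one caller."""
    root, out = ET.fromstring(xml_text), {}
    for svc in root.findall("service"):
        for obj in svc.findall("object"):
            for ifc in obj.findall("interface"):
                for m in ifc.findall("method"):
                    key = f"{ifc.get('name')}.{m.get('name')}"
                    out[key] = decide([m, ifc, obj, svc, root], user, uid)
    return out
```

In the constructed sample, wally with UID 500 may call pwd because the
method's own UID-range <allow> matches before the interface-level <deny>
is consulted, while a method with no rules of its own (reboot) inherits
whatever the enclosing elements allow.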

The oddjobd server will automatically supply information used by the
D-Bus introspection mechanism on behalf of your objects, but only if the
client which is requesting the information is allowed to invoke the
Introspect method of the org.freedesktop.DBus.Introspectable interface
provided by the object.

The configuration file may also indicate that the contents of other
files should be read by the configuration parser, using an <include>
element.

Here is an example file:
    <?xml version="1.0"?>
    <oddjobconfig/>

Another:
    <?xml version="1.0"?>
    <oddjobconfig>
      <allow user="wally"/>
      <service name="com.redhat.oddjob">
        <allow user="polly"/>
        <object name="/com/redhat/oddjob">
          <allow user="holly"/>
          <interface name="com.redhat.oddjob">
            <allow user="bob"/>
            <method name="pwd">
              <helper exec="/bin/pwd" argument_count="0"
                      prepend_user_name="no"/>
              <allow user="jimmy"/>
              <allow user="billy"/>
              <allow min_uid="0" max_uid="1000"/>
            </method>
            <method name="reboot">
              <helper exec="/sbin/reboot" argument_count="0"/>
            </method>
            <method name="flush-nscd">
              <helper exec="/sbin/nscd -i passwd -i group -i hosts"
                      argument_count="0"/>
            </method>
          </interface>
          <interface name="org.freedesktop.DBus.Introspectable">
            <allow min_uid="0" max_uid="0"/>
          </interface>
        </object>
      </service>
      <include ignore_missing="yes">/etc/oddjobd-local.conf</include>
      <include ignore_missing="yes">/etc/oddjobd.conf.d/*.conf</include>
    </oddjobconfig>

And another:
    <?xml version="1.0"?>
    <oddjobconfig>
      <service name="com.example.management">
        <object name="/com/example/power">
          <interface name="com.example.shutdown">
            <method name="reboot">
              <allow user="root"/>
              <helper exec="/sbin/reboot" argument_count="0"/>
            </method>
          </interface>
          <interface name="org.freedesktop.DBus.Introspectable">
            <allow min_uid="0" max_uid="0"/>
          </interface>
        </object>
        <object name="/com/example/power">
          <interface name="com.example.shutdown">
            <method name="poweroff">
              <allow user="root"/>
              <helper exec="/sbin/poweroff" argument_count="0"/>
            </method>
          </interface>
          <interface name="org.freedesktop.DBus.Introspectable">
            <allow min_uid="0" max_uid="0"/>
          </interface>
        </object>
      </service>
    </oddjobconfig>

oddjob_request(1) oddjob.conf(5) oddjobd(8)

oddjob Manual 24 June 2015 oddjobd.conf(5)