1DBUS-DAEMON(1) User Commands DBUS-DAEMON(1)
2
6 dbus-daemon - Message bus daemon
7
9 dbus-daemon
10 dbus-daemon [--version] [--session] [--system] [--config-file=FILE]
12 [--print-address [=DESCRIPTOR]] [--print-pid [=DESCRIPTOR]]
13 [--fork] [--nosyslog] [--syslog] [--syslog-only]
14 [--ready-event-handle=value]
15
18 dbus-daemon is the D-Bus message bus daemon. See
19 http://www.freedesktop.org/software/dbus/ for more information about
20 the big picture. D-Bus is first a library that provides one-to-one
21 communication between any two applications; dbus-daemon is an
22 application that uses this library to implement a message bus daemon.
23 Multiple programs connect to the message bus daemon and can exchange
24 messages with one another.
25 There are two standard message bus instances: the systemwide message
27 bus (installed on many systems as the "messagebus" init service) and
28 the per-user-login-session message bus (started each time a user logs
29 in). dbus-daemon is used for both of these instances, but with a
30 different configuration file.
31 The --session option is equivalent to
33 "--config-file=/usr/share/dbus-1/session.conf" and the --system option
34 is equivalent to "--config-file=/usr/share/dbus-1/system.conf". By
35 creating additional configuration files and using the --config-file
36 option, additional special-purpose message bus daemons could be
37 created.
38 The systemwide daemon is normally launched by an init script,
40 standardly called simply "messagebus".
41 The systemwide daemon is largely used for broadcasting system events,
43 such as changes to the printer queue, or adding/removing devices.
44 The per-session daemon is used for various interprocess communication
46 among desktop applications (however, it is not tied to X or the GUI in
47 any way).
48 SIGHUP will cause the D-Bus daemon to PARTIALLY reload its
50 configuration file and to flush its user/group information caches. Some
51 configuration changes would require kicking all apps off the bus; so
52 they will only take effect if you restart the daemon. Policy changes
53 should take effect with SIGHUP.
54
56 The following options are supported:
57 --config-file=FILE
59 Use the given configuration file.
60 --fork
62 Force the message bus to fork and become a daemon, even if the
63 configuration file does not specify that it should. In most
64 contexts the configuration file already gets this right, though.
65 This option is not supported on Windows.
66 --nofork
68 Force the message bus not to fork and become a daemon, even if the
69 configuration file specifies that it should. On Windows, the
70 dbus-daemon never forks, so this option is allowed but does
71 nothing.
72 --print-address[=DESCRIPTOR]
74 Print the address of the message bus to standard output, or to the
75 given file descriptor. This is used by programs that launch the
76 message bus.
77 --print-pid[=DESCRIPTOR]
79 Print the process ID of the message bus to standard output, or to
80 the given file descriptor. This is used by programs that launch the
81 message bus.
82 --session
84 Use the standard configuration file for the per-login-session
85 message bus.
86 --system
88 Use the standard configuration file for the systemwide message bus.
89 --version
91 Print the version of the daemon.
92 --introspect
94 Print the introspection information for all D-Bus internal
95 interfaces.
96 --address[=ADDRESS]
98 Set the address to listen on. This option overrides the address
99 configured in the configuration file via the <listen> directive.
100 See the documentation of that directive for more details.
101 --systemd-activation
103 Enable systemd-style service activation. Only useful in conjunction
104 with the systemd system and session manager on Linux.
105 --nopidfile
107 Don't write a PID file even if one is configured in the
108 configuration files.
109 --syslog
111 Force the message bus to use the system log for messages, in
112 addition to writing to standard error, even if the configuration
113 file does not specify that it should. On Unix, this uses the
114 syslog; on Windows, this uses OutputDebugString().
115 --syslog-only
117 Force the message bus to use the system log for messages, and not
118 duplicate them to standard error. On Unix, this uses the syslog; on
119 Windows, this uses OutputDebugString().
120 --nosyslog
122 Force the message bus to use only standard error for messages, even
123 if the configuration file specifies that it should use the system
124 log.
125 --ready-event-handle=value
127 With this option, the dbus daemon raises an event when it is ready
128 to process connections. The handle must be the Windows handle for
129 an event object, in the format printed by the printf format string
130 %p. The parent process must create this event object (for example
131 with the CreateEvent function) in a nonsignaled state, then
132 configure it to be inherited by the dbus-daemon process. The
133 dbus-daemon will signal the event as if via SetEvent when it is
134 ready to receive connections from clients. The parent process can
135 wait for this to occur by using functions such as
136 WaitForSingleObject. This option is only supported under Windows.
137 On Unix platforms, a similar result can be achieved by waiting for
138 the address and/or process ID to be printed to the inherited file
139 descriptors used for --print-address and/or --print-pid.
140
142 A message bus daemon has a configuration file that specializes it for a
143 particular application. For example, one configuration file might set
144 up the message bus to be a systemwide message bus, while another might
145 set it up to be a per-user-login-session bus.
146 The configuration file also establishes resource limits, security
148 parameters, and so forth.
149 The configuration file is not part of any interoperability
151 specification and its backward compatibility is not guaranteed; this
152 document is documentation, not specification.
153 The standard systemwide and per-session message bus setups are
155 configured in the files "/usr/share/dbus-1/system.conf" and
156 "/usr/share/dbus-1/session.conf". These files normally <include> a
157 system-local.conf or session-local.conf in /etc/dbus-1; you can put
158 local overrides in those files to avoid modifying the primary
159 configuration files.
160 The standard system bus normally reads additional XML files from
162 /usr/share/dbus-1/system.d. Third-party packages should install the
163 default policies necessary for correct operation into that directory,
164 which has been supported since dbus 1.10 (released in 2015).
165 The standard system bus normally also reads XML files from
167 /etc/dbus-1/system.d, which should be used by system administrators if
168 they wish to override default policies.
169 Third-party packages would historically install XML files into
171 /etc/dbus-1/system.d, but this practice is now considered to be
172 deprecated: that directory should be treated as reserved for the system
173 administrator.
174 The configuration file is an XML document. It must have the following
176 doctype declaration:
177 <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
180 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
181 The following elements may be present in the configuration file.
184 • <busconfig>
186 Root element.
188 • <type>
190 The well-known type of the message bus. Currently known values are
192 "system" and "session"; if other values are set, they should be either
193 added to the D-Bus specification, or namespaced. The last <type>
194 element "wins" (previous values are ignored). This element only
195 controls which message bus specific environment variables are set in
196 activated clients. Most of the policy that distinguishes a session bus
197 from the system bus is controlled from the other elements in the
198 configuration file.
199 If the well-known type of the message bus is "session", then the
201 DBUS_STARTER_BUS_TYPE environment variable will be set to "session" and
202 the DBUS_SESSION_BUS_ADDRESS environment variable will be set to the
203 address of the session bus. Likewise, if the type of the message bus is
204 "system", then the DBUS_STARTER_BUS_TYPE environment variable will be
205 set to "system" and the DBUS_SYSTEM_BUS_ADDRESS environment variable
206 will be set to the address of the system bus (which is normally well
207 known anyway).
208 Example: <type>session</type>
210 • <include>
212 Include a file <include>filename.conf</include> at this point. If the
214 filename is relative, it is located relative to the configuration file
215 doing the including.
216 <include> has an optional attribute "ignore_missing=(yes|no)" which
218 defaults to "no" if not provided. This attribute controls whether it's
219 a fatal error for the included file to be absent.
220 • <includedir>
222 Include all files in <includedir>foo.d</includedir> at this point.
224 Files in the directory are included in undefined order. Only files
225 ending in ".conf" are included.
226 This is intended to allow extension of the system bus by particular
228 packages. For example, if CUPS wants to be able to send out
229 notification of printer queue changes, it could install a file to
230 /usr/share/dbus-1/system.d that allowed all apps to receive this
231 message and allowed the printer daemon user to send it.
232 • <user>
234 The user account the daemon should run as, as either a username or a
236 UID. If the daemon cannot change to this UID on startup, it will exit.
237 If this element is not present, the daemon will not change or care
238 about its UID.
239 The last <user> entry in the file "wins", the others are ignored.
241 The user is changed after the bus has completed initialization. So
243 sockets etc. will be created before changing user, but no data will be
244 read from clients before changing user. This means that sockets and PID
245 files can be created in a location that requires root privileges for
246 writing.
247 • <fork>
249 If present, the bus daemon becomes a real daemon (forks into the
251 background, etc.). This is generally used rather than the --fork
252 command line option.
253 • <keep_umask>
255 If present, the bus daemon keeps its original umask when forking. This
257 may be useful to avoid affecting the behavior of child processes.
258 • <syslog>
260 If present, the bus daemon will log to syslog. The --syslog,
262 --syslog-only and --nosyslog command-line options take precedence over
263 this setting.
264 • <pidfile>
266 If present, the bus daemon will write its pid to the specified file.
268 The --nopidfile command-line option takes precedence over this setting.
269 • <allow_anonymous>
271 If present, connections that authenticated using the ANONYMOUS
273 mechanism will be authorized to connect. This option has no practical
274 effect unless the ANONYMOUS mechanism has also been enabled using the
275 <auth> element, described below.
276 Using this directive in the configuration of the well-known system bus
278 or the well-known session bus will make that bus insecure and should
279 never be done. Similarly, on custom bus types, using this directive
280 will usually make the custom bus insecure, unless its configuration has
281 been specifically designed to prevent anonymous users from causing
282 damage or escalating privileges.
283 • <listen>
285 Add an address that the bus should listen on. The address is in the
287 standard D-Bus format that contains a transport name plus possible
288 parameters/options.
289 On platforms other than Windows, unix-based transports (unix, systemd,
291 launchd) are the default for both the well-known system bus and the
292 well-known session bus, and are strongly recommended.
293 On Windows, unix-based transports are not available, so TCP-based
295 transports must be used. Similar to remote X11, the tcp and nonce-tcp
296 transports have no integrity or confidentiality protection, so they
297 should normally only be used across the local loopback interface, for
298 example using an address like tcp:host=127.0.0.1 or
299 nonce-tcp:host=localhost. In particular, configuring the well-known
300 system bus or the well-known session bus to listen on a non-loopback
301 TCP address is insecure.
302 Developers are sometimes tempted to use remote TCP as a debugging tool.
304 However, if this functionality is left enabled in finished products,
305 the result will be dangerously insecure. Instead of using remote TCP,
306 developers should relay connections via Secure Shell or a similar
307 protocol[1].
308 Remote TCP connections were historically sometimes used to share a
310 single session bus between login sessions of the same user on different
311 machines within a trusted local area network, in conjunction with
312 unencrypted remote X11, a NFS-shared home directory and NIS (YP)
313 authentication. This is insecure against an attacker on the same LAN
314 and should be considered strongly deprecated; more specifically, it is
315 insecure in the same ways and for the same reasons as unencrypted
316 remote X11 and NFSv2/NFSv3. The D-Bus maintainers recommend using a
317 separate session bus per (user, machine) pair, only accessible from
318 within that machine.
319 Example: <listen>unix:path=/tmp/foo</listen>
321 Example: <listen>tcp:host=localhost,port=1234</listen>
323 If there are multiple <listen> elements, then the bus listens on
325 multiple addresses. The bus will pass its address to started services
326 or other interested parties with the last address given in <listen>
327 first. That is, apps will try to connect to the last <listen> address
328 first.
329 tcp sockets can accept IPv4 addresses, IPv6 addresses or hostnames. If
331 a hostname resolves to multiple addresses, the server will bind to all
332 of them. The family=ipv4 or family=ipv6 options can be used to force it
333 to bind to a subset of addresses
334 Example: <listen>tcp:host=localhost,port=0,family=ipv4</listen>
336 A special case is using a port number of zero (or omitting the port),
338 which means to choose an available port selected by the operating
339 system. The port number chosen can be obtained with the --print-address
340 command line parameter and will be present in other cases where the
341 server reports its own address, such as when DBUS_SESSION_BUS_ADDRESS
342 is set.
343 Example: <listen>tcp:host=localhost,port=0</listen>
345 tcp/nonce-tcp addresses also allow a bind=hostname option, used in a
347 listenable address to configure the interface on which the server will
348 listen: either the hostname is the IP address of one of the local
349 machine's interfaces (most commonly 127.0.0.1), a DNS name that
350 resolves to one of those IP addresses, '0.0.0.0' to listen on all IPv4
351 interfaces simultaneously, or '::' to listen on all IPv4 and IPv6
352 interfaces simultaneously (if supported by the OS). If not specified,
353 the default is the same value as "host".
354 Example: <listen>tcp:host=localhost,bind=0.0.0.0,port=0</listen>
356 • <auth>
358 Lists permitted authorization mechanisms. If this element doesn't
360 exist, then all known mechanisms are allowed. If there are multiple
361 <auth> elements, all the listed mechanisms are allowed. The order in
362 which mechanisms are listed is not meaningful.
363 On non-Windows operating systems, allowing only the EXTERNAL
365 authentication mechanism is strongly recommended. This is the default
366 for the well-known system bus and for the well-known session bus.
367 Example: <auth>EXTERNAL</auth>
369 Example: <auth>DBUS_COOKIE_SHA1</auth>
371 • <servicedir>
373 Adds a directory to search for .service files, which tell the
375 dbus-daemon how to start a program to provide a particular well-known
376 bus name. See the D-Bus Specification for more details about the
377 contents of .service files.
378 If a particular service is found in more than one <servicedir>, the
380 first directory listed in the configuration file takes precedence. If
381 two service files providing the same well-known bus name are found in
382 the same directory, it is arbitrary which one will be chosen (this can
383 only happen if at least one of the service files does not have the
384 recommended name, which is its well-known bus name followed by
385 ".service").
386 • <standard_session_servicedirs/>
388 <standard_session_servicedirs/> requests a standard set of session
390 service directories. Its effect is similar to specifying a series of
391 <servicedir/> elements for each of the data directories, in the order
392 given here. It is not exactly equivalent, because there is currently no
393 way to disable directory monitoring or enforce strict service file
394 naming for a <servicedir/>.
395 As with <servicedir/> elements, if a particular service is found in
397 more than one service directory, the first directory takes precedence.
398 If two service files providing the same well-known bus name are found
399 in the same directory, it is arbitrary which one will be chosen (this
400 can only happen if at least one of the service files does not have the
401 recommended name, which is its well-known bus name followed by
402 ".service").
403 On Unix, the standard session service directories are:
405 • $XDG_RUNTIME_DIR/dbus-1/services, if XDG_RUNTIME_DIR is set (see
407 the XDG Base Directory Specification for details of
408 XDG_RUNTIME_DIR): this location is suitable for transient services
409 created at runtime by systemd generators (see
410 systemd.generator(7)), session managers or other session
411 infrastructure. It is an extension provided by the reference
412 implementation of dbus-daemon, and is not standardized in the D-Bus
413 Specification.
414 Unlike the other standard session service directories, this
416 directory enforces strict naming for the service files: the
417 filename must be exactly the well-known bus name of the service,
418 followed by ".service".
419 Also unlike the other standard session service directories, this
421 directory is never monitored with inotify(7) or similar APIs.
422 Programs that create service files in this directory while a
423 dbus-daemon is running are expected to call the dbus-daemon's
424 ReloadConfig() method after they have made changes.
425 • $XDG_DATA_HOME/dbus-1/services, where XDG_DATA_HOME defaults to
427 ~/.local/share (see the XDG Base Directory Specification): this
428 location is specified by the D-Bus Specification, and is suitable
429 for per-user, locally-installed software.
430 • directory/dbus-1/services for each directory in XDG_DATA_DIRS,
432 where XDG_DATA_DIRS defaults to /usr/local/share:/usr/share (see
433 the XDG Base Directory Specification): these locations are
434 specified by the D-Bus Specification. The defaults are suitable for
435 software installed locally by a system administrator
436 (/usr/local/share) or for software installed from operating system
437 packages (/usr/share). Per-user or system-wide configuration that
438 sets the XDG_DATA_DIRS environment variable can extend this search
439 path to cover installations in other locations, for example
440 ~/.local/share/flatpak/exports/share/ and
441 /var/lib/flatpak/exports/share/ when flatpak(1) is used.
442 • ${datadir}/dbus-1/services for the ${datadir} that was specified
444 when dbus was compiled, typically /usr/share: this location is an
445 extension provided by the reference dbus-daemon implementation, and
446 is suitable for software stacks installed alongside dbus-daemon.
447 The "XDG Base Directory Specification" can be found at
449 http://freedesktop.org/wiki/Standards/basedir-spec if it hasn't moved,
450 otherwise try your favorite search engine.
451 On Windows, the standard session service directories are:
453 • %CommonProgramFiles%/dbus-1/services if %CommonProgramFiles% is
455 set: this location is suitable for system-wide installed software
456 packages
457 • A share/dbus-1/services directory found in the same directory
459 hierarchy (prefix) as the dbus-daemon: this location is suitable
460 for software stacks installed alongside dbus-daemon
461 The <standard_session_servicedirs/> option is only relevant to the
463 per-user-session bus daemon defined in /etc/dbus-1/session.conf.
464 Putting it in any other configuration file would probably be nonsense.
465 • <standard_system_servicedirs/>
467 <standard_system_servicedirs/> specifies the standard system-wide
469 activation directories that should be searched for service files. As
470 with session services, the first directory listed has highest
471 precedence.
472 On Unix, the standard system service directories are:
474 • /usr/local/share/dbus-1/system-services: this location is specified
476 by the D-Bus Specification, and is suitable for software installed
477 locally by the system administrator
478 • /usr/share/dbus-1/system-services: this location is specified by
480 the D-Bus Specification, and is suitable for software installed by
481 operating system packages
482 • ${datadir}/dbus-1/system-services for the ${datadir} that was
484 specified when dbus was compiled, typically /usr/share: this
485 location is an extension provided by the reference dbus-daemon
486 implementation, and is suitable for software stacks installed
487 alongside dbus-daemon
488 • /lib/dbus-1/system-services: this location is specified by the
490 D-Bus Specification, and was intended for software installed by
491 operating system packages and used during early boot (but it should
492 be considered deprecated, because the reference dbus-daemon is not
493 designed to be available during early boot)
494 On Windows, there is no standard system bus, so there are no standard
496 system bus directories either.
497 The <standard_system_servicedirs/> option is only relevant to the
499 per-system bus daemon defined in /usr/share/dbus-1/system.conf. Putting
500 it in any other configuration file would probably be nonsense.
501 • <servicehelper/>
503 <servicehelper/> specifies the setuid helper that is used to launch
505 system daemons with an alternate user. Typically this should be the
506 dbus-daemon-launch-helper executable in located in libexec.
507 The <servicehelper/> option is only relevant to the per-system bus
509 daemon defined in /usr/share/dbus-1/system.conf. Putting it in any
510 other configuration file would probably be nonsense.
511 • <limit>
513 <limit> establishes a resource limit. For example:
515 <limit name="max_message_size">64</limit>
517 <limit name="max_completed_connections">512</limit>
518 The name attribute is mandatory. Available limit names are:
520 "max_incoming_bytes" : total size in bytes of messages
522 incoming from a single connection
523 "max_incoming_unix_fds" : total number of unix fds of messages
524 incoming from a single connection
525 "max_outgoing_bytes" : total size in bytes of messages
526 queued up for a single connection
527 "max_outgoing_unix_fds" : total number of unix fds of messages
528 queued up for a single connection
529 "max_message_size" : max size of a single message in
530 bytes
531 "max_message_unix_fds" : max unix fds of a single message
532 "service_start_timeout" : milliseconds (thousandths) until
533 a started service has to connect
534 "auth_timeout" : milliseconds (thousandths) a
535 connection is given to
536 authenticate
537 "pending_fd_timeout" : milliseconds (thousandths) a
538 fd is given to be transmitted to
539 dbus-daemon before disconnecting the
540 connection
541 "max_completed_connections" : max number of authenticated connections
542 "max_incomplete_connections" : max number of unauthenticated
543 connections
544 "max_connections_per_user" : max number of completed connections from
545 the same user (only enforced on Unix OSs)
546 "max_pending_service_starts" : max number of service launches in
547 progress at the same time
548 "max_names_per_connection" : max number of names a single
549 connection can own
550 "max_match_rules_per_connection": max number of match rules for a single
551 connection
552 "max_replies_per_connection" : max number of pending method
553 replies per connection
554 (number of calls-in-progress)
555 "reply_timeout" : milliseconds (thousandths)
556 until a method call times out
557 The max incoming/outgoing queue sizes allow a new message to be queued
559 if one byte remains below the max. So you can in fact exceed the max by
560 max_message_size.
561 max_completed_connections divided by max_connections_per_user is the
563 number of users that can work together to denial-of-service all other
564 users by using up all connections on the systemwide bus.
565 Limits are normally only of interest on the systemwide bus, not the
567 user session buses.
568 • <policy>
570 The <policy> element defines a security policy to be applied to a
572 particular set of connections to the bus. A policy is made up of
573 <allow> and <deny> elements. Policies are normally used with the
574 systemwide bus; they are analogous to a firewall in that they allow
575 expected traffic and prevent unexpected traffic.
576 Currently, the system bus has a default-deny policy for sending method
578 calls and owning bus names, and a default-allow policy for receiving
579 messages, sending signals, and sending a single success or error reply
580 for each method call that does not have the NO_REPLY flag. Sending more
581 than the expected number of replies is not allowed.
582 In general, it is best to keep system services as small, targeted
584 programs which run in their own process and provide a single bus name.
585 Then, all that is needed is an <allow> rule for the "own" permission to
586 let the process claim the bus name, and a "send_destination" rule to
587 allow traffic from some or all uids to your service.
588 The <policy> element has one of four attributes:
590 context="(default|mandatory)"
592 at_console="(true|false)"
593 user="username or userid"
594 group="group name or gid"
595 Policies are applied to a connection as follows:
597 - all context="default" policies are applied
599 - all group="connection's user's group" policies are applied
600 in undefined order
601 - all user="connection's auth user" policies are applied
602 in undefined order
603 - all at_console="true" policies are applied
604 - all at_console="false" policies are applied
605 - all context="mandatory" policies are applied
606 Policies applied later will override those applied earlier, when the
608 policies overlap. Multiple policies with the same user/group/context
609 are applied in the order they appear in the config file.
610 <deny>
612 <allow>
613 A <deny> element appears below a <policy> element and prohibits some
615 action. The <allow> element makes an exception to previous <deny>
616 statements, and works just like <deny> but with the inverse meaning.
617 The possible attributes of these elements are:
619 send_interface="interface_name" | "*"
621 send_member="method_or_signal_name" | "*"
622 send_error="error_name" | "*"
623 send_broadcast="true" | "false"
624 send_destination="name" | "*"
625 send_destination_prefix="name"
626 send_type="method_call" | "method_return" | "signal" | "error" | "*"
627 send_path="/path/name" | "*"
628 receive_interface="interface_name" | "*"
630 receive_member="method_or_signal_name" | "*"
631 receive_error="error_name" | "*"
632 receive_sender="name" | "*"
633 receive_type="method_call" | "method_return" | "signal" | "error" | "*"
634 receive_path="/path/name" | "*"
635 send_requested_reply="true" | "false"
637 receive_requested_reply="true" | "false"
638 eavesdrop="true" | "false"
640 own="name" | "*"
642 own_prefix="name"
643 user="username" | "*"
644 group="groupname" | "*"
645 Examples:
647 <deny send_destination="org.freedesktop.Service" send_interface="org.freedesktop.System" send_member="Reboot"/>
649 <deny send_destination="org.freedesktop.System"/>
650 <deny receive_sender="org.freedesktop.System"/>
651 <deny user="john"/>
652 <deny group="enemies"/>
653 The <deny> element's attributes determine whether the deny "matches" a
655 particular action. If it matches, the action is denied (unless later
656 rules in the config file allow it).
657 Rules with one or more of the send_* family of attributes are checked
659 in order when a connection attempts to send a message. The last rule
660 that matches the message determines whether it may be sent. The
661 well-known session bus normally allows sending any message. The
662 well-known system bus normally allows sending any signal, selected
663 method calls to the dbus-daemon, and exactly one reply to each
664 previously-sent method call (either success or an error). Either of
665 these can be overridden by configuration; on the system bus, services
666 that will receive method calls must install configuration that allows
667 them to do so, usually via rules of the form <policy
668 context="default"><allow send_destination="..."/><policy>.
669 Rules with one or more of the receive_* family of attributes, or with
671 the eavesdrop attribute and no others, are checked for each recipient
672 of a message (there might be more than one recipient if the message is
673 a broadcast or a connection is eavesdropping). The last rule that
674 matches the message determines whether it may be received. The
675 well-known session bus normally allows receiving any message, including
676 eavesdropping. The well-known system bus normally allows receiving any
677 message that was not eavesdropped (any unicast message addressed to the
678 recipient, and any broadcast message).
679 The eavesdrop, min_fds and max_fds attributes are modifiers that can be
681 applied to either send_* or receive_* rules, and are documented below.
682 send_destination and receive_sender rules mean that messages may not be
684 sent to or received from the *owner* of the given name, not that they
685 may not be sent *to that name*. That is, if a connection owns services
686 A, B, C, and sending to A is denied, sending to B or C will not work
687 either. As a special case, send_destination="*" matches any message
688 (whether it has a destination specified or not), and receive_sender="*"
689 similarly matches any message.
690 A send_destination_prefix rule opens or closes the whole namespace for
692 sending. It means that messages may or may not be sent to the owner of
693 any name matching the prefix, regardless of whether it is the primary
694 or the queued owner. In other words, for <allow
695 send_destination_prefix="a.b"/> rule and names "a.b", "a.b.c", and
696 "a.b.c.d" present on the bus, it works the same as if three separate
697 rules: <allow send_destination="a.b"/>, <allow
698 send_destination="a.b.c"/>, and <allow send_destination="a.b.c.d"/> had
699 been defined. The rules for matching names are the same as in
700 own_prefix (see below): a prefix of "a.b" matches names "a.b" or
701 "a.b.c" or "a.b.c.d", but not "a.bc" or "a.c". The
702 send_destination_prefix attribute cannot be combined with the
703 send_destination attribute in the same rule.
704 Rules with send_broadcast="true" match signal messages with no
706 destination (broadcasts). Rules with send_broadcast="false" are the
707 inverse: they match any unicast destination (unicast signals, together
708 with all method calls, replies and errors) but do not match messages
709 with no destination (broadcasts). This is not the same as
710 send_destination="*", which matches any sent message, regardless of
711 whether it has a destination or not.
712 The other send_* and receive_* attributes are purely textual/by-value
714 matches against the given field in the message header, except that for
715 the attributes where it is allowed, * matches any message (whether it
716 has the relevant header field or not). For example, send_interface="*"
717 matches any sent message, even if it does not contain an interface
718 header field. More complex glob matching such as foo.bar.* is not
719 allowed.
720 "Eavesdropping" occurs when an application receives a message that was
722 explicitly addressed to a name the application does not own, or is a
723 reply to such a message. Eavesdropping thus only applies to messages
724 that are addressed to services and replies to such messages (i.e. it
725 does not apply to signals).
726 For <allow>, eavesdrop="true" indicates that the rule matches even when
728 eavesdropping. eavesdrop="false" is the default and means that the rule
729 only allows messages to go to their specified recipient. For <deny>,
730 eavesdrop="true" indicates that the rule matches only when
731 eavesdropping. eavesdrop="false" is the default for <deny> also, but
732 here it means that the rule applies always, even when not
733 eavesdropping. The eavesdrop attribute can only be combined with send
734 and receive rules (with send_* and receive_* attributes).
735 The [send|receive]_requested_reply attribute works similarly to the
737 eavesdrop attribute. It controls whether the <deny> or <allow> matches
738 a reply that is expected (corresponds to a previous method call
739 message). This attribute only makes sense for reply messages (errors
740 and method returns), and is ignored for other message types.
741 For <allow>, [send|receive]_requested_reply="true" is the default and
743 indicates that only requested replies are allowed by the rule.
744 [send|receive]_requested_reply="false" means that the rule allows any
745 reply even if unexpected.
746 For <deny>, [send|receive]_requested_reply="false" is the default but
748 indicates that the rule matches only when the reply was not requested.
749 [send|receive]_requested_reply="true" indicates that the rule applies
750 always, regardless of pending reply state.
751 The min_fds and max_fds attributes modify either send_* or receive_*
753 rules. A rule with the min_fds attribute only matches messages if they
754 have at least that many Unix file descriptors attached. Conversely, a
755 rule with the max_fds attribute only matches messages if they have no
756 more than that many file descriptors attached. In practice, rules with
757 these attributes will most commonly take the form <allow
758 send_destination="..." max_fds="0"/>, <deny send_destination="..."
759 min_fds="1"/> or <deny receive_sender="*" min_fds="1"/>.
760 Rules with the user or group attribute are checked when a new
762 connection to the message bus is established, and control whether the
763 connection can continue. Each of these attributes cannot be combined
764 with any other attribute. As a special case, both user="*" and
765 group="*" match any connection. If there are no rules of this form, the
766 default is to allow connections from the same user ID that owns the
767 dbus-daemon process. The well-known session bus normally uses that
768 default behaviour, while the well-known system bus normally allows any
769 connection.
770 Rules with the own or own_prefix attribute are checked when a
772 connection attempts to own a well-known bus names. As a special case,
773 own="*" matches any well-known bus name. The well-known session bus
774 normally allows any connection to own any name, while the well-known
775 system bus normally does not allow any connection to own any name,
776 except where allowed by further configuration. System services that
777 will own a name must install configuration that allows them to do so,
778 usually via rules of the form <policy user="some-system-user"><allow
779 own="..."/></policy>.
780 <allow own_prefix="a.b"/> allows you to own the name "a.b" or any name
782 whose first dot-separated elements are "a.b": in particular, you can
783 own "a.b.c" or "a.b.c.d", but not "a.bc" or "a.c". This is useful when
784 services like Telepathy and ReserveDevice define a meaning for subtrees
785 of well-known names, such as
786 org.freedesktop.Telepathy.ConnectionManager.(anything) and
787 org.freedesktop.ReserveDevice1.(anything).
788 It does not make sense to deny a user or group inside a <policy> for a
790 user or group; user/group denials can only be inside context="default"
791 or context="mandatory" policies.
792 A single <deny> rule may specify combinations of attributes such as
794 send_destination and send_interface and send_type. In this case, the
795 denial applies only if both attributes match the message being denied.
796 e.g. <deny send_interface="foo.bar" send_destination="foo.blah"/> would
797 deny messages with the given interface AND the given bus name. To get
798 an OR effect you specify multiple <deny> rules.
799 You can't include both send_ and receive_ attributes on the same rule,
801 since "whether the message can be sent" and "whether it can be
802 received" are evaluated separately.
803 Be careful with send_interface/receive_interface, because the interface
805 field in messages is optional. In particular, do NOT specify <deny
806 send_interface="org.foo.Bar"/>! This will cause no-interface messages
807 to be blocked for all services, which is almost certainly not what you
808 intended. Always use rules of the form: <deny
809 send_interface="org.foo.Bar" send_destination="org.foo.Service"/>
810 • <selinux>
812 The <selinux> element contains settings related to Security Enhanced
814 Linux. More details below.
815 • <associate>
817 An <associate> element appears below an <selinux> element and creates a
819 mapping. Right now only one kind of association is possible:
820 <associate own="org.freedesktop.Foobar" context="foo_t"/>
822 This means that if a connection asks to own the name
824 "org.freedesktop.Foobar" then the source context will be the context of
825 the connection and the target context will be "foo_t" - see the short
826 discussion of SELinux below.
827 Note, the context here is the target context when requesting a name,
829 NOT the context of the connection owning the name.
830 There's currently no way to set a default for owning any name, if we
832 add this syntax it will look like:
833 <associate own="*" context="foo_t"/>
835 If you find a reason this is useful, let the developers know. Right now
837 the default will be the security context of the bus itself.
838 If two <associate> elements specify the same name, the element
840 appearing later in the configuration file will be used.
841 • <apparmor>
843 The <apparmor> element is used to configure AppArmor mediation on the
845 bus. It can contain one attribute that specifies the mediation mode:
846 <apparmor mode="(enabled|disabled|required)"/>
848 The default mode is "enabled". In "enabled" mode, AppArmor mediation
850 will be performed if AppArmor support is available in the kernel. If it
851 is not available, dbus-daemon will start but AppArmor mediation will
852 not occur. In "disabled" mode, AppArmor mediation is disabled. In
853 "required" mode, AppArmor mediation will be enabled if AppArmor support
854 is available, otherwise dbus-daemon will refuse to start.
855 The AppArmor mediation mode of the bus cannot be changed after the bus
857 starts. Modifying the mode in the configuration file and sending a
858 SIGHUP signal to the daemon has no effect on the mediation mode.
859
861 Integration files are not mandatory for session services: any program
862 with access to the session bus can request a well-known name and
863 provide D-Bus interfaces.
864 Many D-Bus session services support service activation, a mechanism in
866 which the dbus-daemon can launch the service on-demand, either by
867 running the session service itself or by communicating with systemd
868 --user. This is set up by creating a service file in the directory
869 ${datadir}/dbus-1/services, for example:
870 [D-BUS Service]
872 Name=com.example.SessionService1
873 Exec=/usr/bin/example-session-service
874 # Optional
875 SystemdService=example-session-service
876 See the D-Bus Specification[2] for details of the contents and
878 interpretation of service files.
879 If there is a service file for com.example.SessionService1, it should
881 be named com.example.SessionService1.service, although for
882 compatibility with legacy services this is not mandatory.
883 Session services that declare the optional SystemdService must also
885 provide a systemd user service unit file whose name or Alias matches
886 the SystemdService (see systemd.unit(5), systemd.service(5) for further
887 details on systemd service units), for example:
888 [Unit]
890 Description=Example session service
891 [Service]
893 Type=dbus
894 BusName=com.example.SessionService1
895 ExecStart=/usr/bin/example-session-service
896
899 The standard system bus does not allow method calls or owning
900 well-known bus names by default, so a useful D-Bus system service will
901 normally need to configure a default security policy that allows it to
902 work. D-Bus system services should install a default policy file in
903 ${datadir}/dbus-1/service.d, containing the policy rules necessary to
904 make that system service functional. A best-practice policy file will
905 often look like this:
906 <?xml version="1.0" encoding="UTF-8"?>
908 <!DOCTYPE busconfig PUBLIC
909 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
910 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
911 <busconfig>
912 <policy user="_example">
913 <allow own="com.example.Example1"/>
914 </policy>
915 <policy context="default">
917 <allow send_destination="com.example.Example1"/>
918 </policy>
919 </busconfig>
920 where _example is the username of the system uid that will run the
922 system service daemon process, and com.example.Example1 is its
923 well-known bus name.
924 The policy file for com.example.Example1 should normally be named
926 com.example.Example1.conf.
927 Some existing system services rely on more complex <policy> rules to
929 control the messages that the service can receive. However, the
930 dbus-daemon's policy language is not well-suited to finer-grained
931 policies: any policy has to be expressed in terms of D-Bus interfaces
932 and method names, not in terms of higher-level domain-specific concepts
933 like removable or built-in devices. It is recommended that new services
934 should normally accept method call messages from all callers, then
935 apply a sysadmin-controllable policy to decide whether to obey the
936 requests contained in those method call messages, for example by
937 consulting polkit[3].
938 Like session services, many D-Bus system services support service
940 activation, a mechanism in which the dbus-daemon can launch the service
941 on-demand, either by running the system service itself or by
942 communicating with systemd. This is set up by creating a service file
943 in the directory ${datadir}/dbus-1/system-services, for example:
944 [D-BUS Service]
946 Name=com.example.Example1
947 Exec=/usr/sbin/example-service
948 User=_example
949 # Optional
950 SystemdService=dbus-com.example.Example1.service
951 See the D-Bus Specification[2] for details of the contents and
953 interpretation of service files.
954 If there is a service file for com.example.Example1, it must be named
956 com.example.Example1.service.
957 System services that declare the optional SystemdService must also
959 provide a systemd service unit file whose name or Alias matches the
960 SystemdService (see systemd.unit(5), systemd.service(5) for further
961 details on systemd service units), for example:
962 [Unit]
964 Description=Example service
965 [Service]
967 Type=dbus
968 BusName=com.example.Example1
969 ExecStart=/usr/sbin/example-service
970 [Install]
972 WantedBy=multi-user.target
973 Alias=dbus-com.example.Example1.service
974
977 See http://www.nsa.gov/selinux/ for full details on SELinux. Some
978 useful excerpts:
979 Every subject (process) and object (e.g. file, socket, IPC object, etc)
981 in the system is assigned a collection of security attributes, known as
982 a security context. A security context contains all of the security
983 attributes associated with a particular subject or object that are
984 relevant to the security policy.
985 In order to better encapsulate security contexts and to provide greater
987 efficiency, the policy enforcement code of SELinux typically handles
988 security identifiers (SIDs) rather than security contexts. A SID is an
989 integer that is mapped by the security server to a security context at
990 runtime.
991 When a security decision is required, the policy enforcement code
993 passes a pair of SIDs (typically the SID of a subject and the SID of an
994 object, but sometimes a pair of subject SIDs or a pair of object SIDs),
995 and an object security class to the security server. The object
996 security class indicates the kind of object, e.g. a process, a regular
997 file, a directory, a TCP socket, etc.
998 Access decisions specify whether or not a permission is granted for a
1000 given pair of SIDs and class. Each object class has a set of associated
1001 permissions defined to control operations on objects with that class.
1002 D-Bus performs SELinux security checks in two places.
1004 First, any time a message is routed from one connection to another
1006 connection, the bus daemon will check permissions with the security
1007 context of the first connection as source, security context of the
1008 second connection as target, object class "dbus" and requested
1009 permission "send_msg".
1010 If a security context is not available for a connection (impossible
1012 when using UNIX domain sockets), then the target context used is the
1013 context of the bus daemon itself. There is currently no way to change
1014 this default, because we're assuming that only UNIX domain sockets will
1015 be used to connect to the systemwide bus. If this changes, we'll
1016 probably add a way to set the default connection context.
1017 Second, any time a connection asks to own a name, the bus daemon will
1019 check permissions with the security context of the connection as
1020 source, the security context specified for the name in the config file
1021 as target, object class "dbus" and requested permission "acquire_svc".
1022 The security context for a bus name is specified with the <associate>
1024 element described earlier in this document. If a name has no security
1025 context associated in the configuration file, the security context of
1026 the bus daemon itself will be used.
1027
1029 The AppArmor confinement context is stored when applications connect to
1030 the bus. The confinement context consists of a label and a confinement
1031 mode. When a security decision is required, the daemon uses the
1032 confinement context to query the AppArmor policy to determine if the
1033 action should be allowed or denied and if the action should be audited.
1034 The daemon performs AppArmor security checks in three places.
1036 First, any time a message is routed from one connection to another
1038 connection, the bus daemon will check permissions with the label of the
1039 first connection as source, label and/or connection name of the second
1040 connection as target, along with the bus name, the path name, the
1041 interface name, and the member name. Reply messages, such as
1042 method_return and error messages, are implicitly allowed if they are in
1043 response to a message that has already been allowed.
1044 Second, any time a connection asks to own a name, the bus daemon will
1046 check permissions with the label of the connection as source, the
1047 requested name as target, along with the bus name.
1048 Third, any time a connection attempts to eavesdrop, the bus daemon will
1050 check permissions with the label of the connection as the source, along
1051 with the bus name.
1052 AppArmor rules for bus mediation are not stored in the bus
1054 configuration files. They are stored in the application's AppArmor
1055 profile. Please see apparmor.d(5) for more details.
1056
1058 If you're trying to figure out where your messages are going or why you
1059 aren't getting messages, there are several things you can try.
1060 Remember that the system bus is heavily locked down and if you haven't
1062 installed a security policy file to allow your message through, it
1063 won't work. For the session bus, this is not a concern.
1064 The simplest way to figure out what's happening on the bus is to run
1066 the dbus-monitor program, which comes with the D-Bus package. You can
1067 also send test messages with dbus-send. These programs have their own
1068 man pages.
1069 If you want to know what the daemon itself is doing, you might consider
1071 running a separate copy of the daemon to test against. This will allow
1072 you to put the daemon under a debugger, or run it with verbose output,
1073 without messing up your real session and system daemons.
1074 To run a separate test copy of the daemon, for example you might open a
1076 terminal and type:
1077 DBUS_VERBOSE=1 dbus-daemon --session --print-address
1079 The test daemon address will be printed when the daemon starts. You
1081 will need to copy-and-paste this address and use it as the value of the
1082 DBUS_SESSION_BUS_ADDRESS environment variable when you launch the
1083 applications you want to test. This will cause those applications to
1084 connect to your test bus instead of the DBUS_SESSION_BUS_ADDRESS of
1085 your real session bus.
1086 DBUS_VERBOSE=1 will have NO EFFECT unless your copy of D-Bus was
1088 compiled with verbose mode enabled. This is not recommended in
1089 production builds due to performance impact. You may need to rebuild
1090 D-Bus if your copy was not built with debugging in mind. (DBUS_VERBOSE
1091 also affects the D-Bus library and thus applications using D-Bus; it
1092 may be useful to see verbose output on both the client side and from
1093 the daemon.)
1094 If you want to get fancy, you can create a custom bus configuration for
1096 your test bus (see the session.conf and system.conf files that define
1097 the two default configurations for example). This would allow you to
1098 specify a different directory for .service files, for example.
1099
1101 See http://www.freedesktop.org/software/dbus/doc/AUTHORS
1102
1104 Please send bug reports to the D-Bus mailing list or bug tracker, see
1105 http://www.freedesktop.org/software/dbus/
1106
1108 1. relay connections via Secure Shell or a similar protocol
1109 https://lists.freedesktop.org/archives/dbus/2018-April/017447.html
1110 2. D-Bus Specification
1112 https://dbus.freedesktop.org/doc/dbus-specification.html
1113 3. polkit
1115 https://www.freedesktop.org/wiki/Software/polkit/
1116D-Bus 1.14.10 09/01/2023 DBUS-DAEMON(1)