diff options
Diffstat (limited to 'tags/d/dbus-policy-at-console.tag')
-rw-r--r-- | tags/d/dbus-policy-at-console.tag | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/tags/d/dbus-policy-at-console.tag b/tags/d/dbus-policy-at-console.tag new file mode 100644 index 0000000..74f29d4 --- /dev/null +++ b/tags/d/dbus-policy-at-console.tag @@ -0,0 +1,28 @@ +Tag: dbus-policy-at-console +Severity: warning +Check: desktop/dbus +Explanation: The package contains D-Bus policy configuration that uses the + deprecated <code>at_console</code> condition to impose a different policy + for users who are "logged in at the console" according to + systemd-logind, ConsoleKit or similar APIs, such as: + . + <policy context="default"> + <deny send_destination="com.example.PowerManagementDaemon"/> + </policy> + <policy at_console="true"> + <allow send_destination="com.example.PowerManagementDaemon"/> + </policy> + . + The maintainers of D-Bus recommend that services should allow or deny + method calls according to broad categories that are not typically altered + by the system administrator (usually either "all users", or only root + and/or a specified system user). + . + If finer-grained authorization + is required, the service should accept the method call message, then call + out to PolicyKit to decide whether to honor the request. PolicyKit can + use system-administrator-configurable policies to make that decision, + including distinguishing between users who are "at the console" and + those who are not. +See-Also: + https://bugs.freedesktop.org/show_bug.cgi?id=39611 |