From 5971e29f3bcc1aa244a83152b4326906fa04aed0 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Thu, 12 Apr 2018 13:57:00 +0100 Subject: [PATCH 4/9] spec, dbus-daemon(1): Say that non-local TCP is insecure With some fairly reasonable threat models (active or passive local attacker able to eavesdrop on the network link, confidential information being transferred via D-Bus), secure authentication is insufficient to make this transport secure: it does not protect confidentiality or integrity either. Signed-off-by: Simon McVittie --- doc/dbus-daemon.1.xml.in | 24 ++++++++++++++++++++++-- doc/dbus-specification.xml | 9 +++++++-- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/doc/dbus-daemon.1.xml.in b/doc/dbus-daemon.1.xml.in index 6368464f..b0e0aae0 100644 --- a/doc/dbus-daemon.1.xml.in +++ b/doc/dbus-daemon.1.xml.in @@ -148,8 +148,10 @@ bus. -Set the address to listen on. This option overrides the address -configured in the configuration file. + Set the address to listen on. This option overrides the address + configured in the configuration file via the + <listen> directive. + See the documentation of that directive for more details. 
@@ -395,6 +397,24 @@ effect unless the ANONYMOUS mechanism has also been enabled using the address is in the standard D-Bus format that contains a transport name plus possible parameters/options. +On platforms other than Windows, unix-based + transports (unix, systemd, + launchd) are the default for both the well-known + system bus and the well-known session bus, and are strongly + recommended. + + + On Windows, unix-based transports are not available, + so TCP-based transports must be used. + Similar to remote X11, the tcp and + nonce-tcp transports have no integrity or + confidentiality protection, so they should normally only be + used across the local loopback interface, for example using an + address like tcp:host=127.0.0.1 or + nonce-tcp:host=localhost. In particular, + configuring the well-known system bus or the well-known session + bus to listen on a non-loopback TCP address is insecure. + Example: <listen>unix:path=/tmp/foo</listen> diff --git a/doc/dbus-specification.xml b/doc/dbus-specification.xml index a2c8b192..fbeecdac 100644 --- a/doc/dbus-specification.xml +++ b/doc/dbus-specification.xml @@ -3717,8 +3717,13 @@ located on the same or different hosts. - Using tcp transport without any additional secure authentification mechanismus - over a network is unsecure. + Similar to remote X11, the TCP transport has no integrity or + confidentiality protection, so it should normally only be + used across the local loopback interface, for example using an + address like tcp:host=127.0.0.1 or + tcp:host=localhost. In particular, + configuring the well-known system bus or the well-known session + bus to listen on a non-loopback TCP address is insecure. On Windows and most Unix platforms, the TCP stack is unable to transfer -- 2.17.0
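
Review bot: In the --address hunk of doc/dbus-daemon.1.xml.in (@@ -148), the loopback-only warning for tcp and nonce-tcp is reachable only through the new cross-reference to the <listen> directive. Since this option overrides the configured address, consider adding one sentence here saying that the TCP caveats documented under <listen> apply equally to an address given on the command line.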
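
Review bot: In the <listen> hunk of doc/dbus-daemon.1.xml.in (@@ -395), the sentence beginning "Similar to remote X11" directly follows "On Windows, unix-based transports are not available, so TCP-based transports must be used", so it can be read as a Windows-only caveat. The specification hunk states the same lack of integrity and confidentiality protection without any platform qualifier, so suggest moving the warning into its own paragraph. Separately, "should normally only be used" leaves the exception undefined; either say what the exception is or drop "normally".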
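
Review bot: In the doc/dbus-specification.xml hunk (@@ -3717), the removed sentence implied that an additional secure authentication mechanism would make TCP over a network safe, and the replacement text no longer mentions authentication at all. The commit message states that secure authentication is insufficient because it protects neither confidentiality nor integrity; suggest carrying that statement into the spec text so that readers of the old wording do not keep the earlier assumption. The man page hunk names both tcp and nonce-tcp while this one names only the TCP transport, so please check that the nonce-tcp section of the spec carries the same caveat.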