From 357569dd8039e580af3415f494756d321aae9357 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Thu, 12 Apr 2018 14:09:19 +0100
Subject: [PATCH 9/9] dbus-daemon(1): Recommend requiring EXTERNAL on
 non-Windows OSs

This is the default, and blocks TCP-based attacks by making the
attacker fail to authenticate (while also preventing inadvisable
TCP-based configurations from working).

Signed-off-by: Simon McVittie <smcv@collabora.com>
---
 doc/dbus-daemon.1.xml.in | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/doc/dbus-daemon.1.xml.in b/doc/dbus-daemon.1.xml.in
index 474dd3a7..bdc655e5 100644
--- a/doc/dbus-daemon.1.xml.in
+++ b/doc/dbus-daemon.1.xml.in
@@ -501,6 +501,10 @@ exist, then all known mechanisms are allowed.  If there are multiple
 &lt;auth&gt; elements, all the listed mechanisms are allowed.  The order in
 which mechanisms are listed is not meaningful.</para>
 
+<para>On non-Windows operating systems, allowing only the
+  <literal>EXTERNAL</literal> authentication
+  mechanism is strongly recommended. This is the default for the
+  well-known system bus and for the well-known session bus.</para>
 
 <para>Example: &lt;auth&gt;EXTERNAL&lt;/auth&gt;</para>
 
-- 
2.17.0