Table of Contents
D-BUS is a system for low-latency, low-overhead, easy to use interprocess communication (IPC). In more detail:
D-BUS is low-latency because it is designed to avoid round trips and allow asynchronous operation, much like the X protocol.
D-BUS is low-overhead because it uses a binary protocol, and does not have to convert to and from a text format such as XML. Because D-BUS is intended for potentially high-resolution same-machine IPC, not primarily for Internet IPC, this is an interesting optimization.
D-BUS is easy to use because it works in terms of messages rather than byte streams, and automatically handles a lot of the hard IPC issues. Also, the D-BUS library is designed to be wrapped in a way that lets developers use their framework's existing object/type system, rather than learning a new one specifically for IPC.
The base D-BUS protocol is a peer-to-peer protocol, specified in the section called “Message Protocol”. That is, it is a system for one application to talk to a single other application. However, the primary intended application of D-BUS is the D-BUS message bus, specified in the section called “Message Bus Specification”. The message bus is a special application that accepts connections from multiple other applications, and forwards messages among them.
Uses of D-BUS include notification of system changes (notification of when a camera is plugged in to a computer, or a new version of some software has been installed), or desktop interoperablity, for example a file monitoring service or a configuration service.
A message consists of a header and a body. If you think of a message as a package, the header is the address, and the body contains the package contents. The message delivery system uses the header information to figure out where to send the message and how to interpret it; the recipient inteprets the body of the message.
The body of the message is made up of zero or more arguments, which are typed values, such as an integer or a byte array.
Following the mandatory fields, there are zero or more named fields (see the section called “Header Fields”), and then nul bytes padding the header such that its total length in bytes is a multiple of 8.
The header MUST begin with the following mandatory fields in the following order:
| Size | Description |
|---|---|
| 1 byte | Endianness flag; ASCII 'l' for little-endian or ASCII 'B' for big-endian. |
| 1 byte | Type of message. Unknown types MUST be ignored. Currently-defined types are described below. |
| 1 byte | Bitwise OR of flags. Unknown flags MUST be ignored. Currently-defined flags are described below. |
| 1 byte | Major protocol version of the sending application. If the major protocol version of the receiving application does not match, the applications will not be able to communicate and the D-BUS connection MUST be disconnected. The major protocol version for this version of the specification is 0. |
| 4 bytes | An unsigned 32-bit integer in the message's byte order, indicating the total length in bytes of the header including named fields and any alignment padding. MUST be a multiple of 8. |
| 4 bytes | An unsigned 32-bit integer in the message's byte order, indicating the total length in bytes of the message body. |
| 4 bytes | The message's serial number, an unsigned 32-bit integer in the message's byte order. The serial number is a cookie used to identify message replies; thus all outstanding unreplied-to messages from the same connection MUST have a different serial number. Zero is not a valid serial number, but all other numbers are allowed. |
Types that can appear in the second byte of the header:
| Conventional name | Decimal value | Description |
|---|---|---|
| INVALID | 0 | This is an invalid type, if seen in a message the connection should be dropped immediately. |
| METHOD_CALL | 1 | Method call. |
| METHOD_RETURN | 2 | Method reply with returned data. |
| ERROR | 3 | Error reply. If the first argument exists and is a string, it is an error message. |
| SIGNAL | 4 | Signal emission. |
Flags that can appear in the third byte of the header:
| Conventional name | Hex value | Description |
|---|---|---|
| NO_REPLY_EXPECTED | 0x1 | This message does not expect method return replies or error replies; the reply can be omitted as an optimization. However, it is compliant with this specification to return the reply despite this flag. |
| AUTO_ACTIVATION | 0x2 | This message automatically activates the addressed service before the message is delivered. |
In addition to the required header information mentioned in the section called “Header Encoding”, the header must contain the required named header fields and zero or more of the optional named header fields. Future versions of this protocol specification may add new fields. Implementations must ignore fields they do not understand. Implementations must not invent their own header fields; only changes to this specification may introduce new header fields.
Header field names MUST consist of a single byte, possible values of which are defined below. Following the name, the field MUST have a type code represented as a single unsigned byte, and then a properly-aligned value of that type. See the section called “Message Arguments” for a description of how each type is encoded. If an implementation sees a header field name that it does not understand, it MUST ignore that field.
Here are the currently-defined named header fields:
| Conventional Name | Decimal Value | Type | Required | Description |
|---|---|---|---|---|
| INVALID | 0 | INVALID | no | Not a valid field name (error if it appears in a message) |
| PATH | 1 | OBJECT_PATH | yes | The object to send the message to; objects are identified by a path, "/foo/bar" |
| INTERFACE | 2 | STRING | yes | The interface to invoke a method call on, or that a signal is emitted from. e.g. "org.freedesktop.Introspectable" |
| MEMBER | 3 | STRING | yes | The member, either the method name or signal name. e.g. "Frobate" |
| ERROR_NAME | 4 | STRING | no | The name of the error that occurred, for errors |
| REPLY_SERIAL | 5 | UINT32 | no | The serial number of the message this message is a reply to. (The serial number is one of the mandatory header fields, see the section called “Header Encoding”.) |
| DESTINATION | 6 | STRING | no | The name of the service this message should be routed to. Only used in combination with the message bus, see the section called “Message Bus Specification”. |
| SENDER | 7 | STRING | no | Sender service. The name of the base service that sent this message. The message bus fills in this field; the field is only meaningful in combination with the message bus. |
To allow implementations to keep the header and the body in a single buffer while keeping data types aligned, the total length of the header must be a multiple of 8 bytes. To achieve this, the header MUST be padded with nul bytes to align its total length on an 8-byte boundary. The minimum number of padding bytes MUST be used. Because zero is an invalid field name, implementations can distinguish padding (which must be zero initialized) from additional named fields.
The message body is made up of arguments. Each argument is a type code, represented by a single unsigned byte, followed by the aligned value of the argument in a type-dependent format. Alignment padding between the typecode and the value is initialized to zero.
| Type name | Code | Description |
|---|---|---|
| INVALID | 0 (ASCII NUL) | Not a valid type code (error if it appears in a message) |
| NIL | 118 (ASCII 'v') | Marks a "void"/"unset"/"nonexistent"/"null" argument |
| BYTE | 121 (ASCII 'y') | 8-bit unsigned integer |
| BOOLEAN | 98 (ASCII 'b') | Boolean value, 0 is FALSE and 1 is TRUE. Everything else is invalid. |
| INT32 | 105 (ASCII 'i') | 32-bit signed integer |
| UINT32 | 117 (ASCII 'u') | 32-bit unsigned integer |
| INT64 | 120 (ASCII 'x') | 64-bit signed integer |
| UINT64 | 116 (ASCII 't') | 64-bit unsigned integer |
| DOUBLE | 100 (ASCII 'd') | IEEE 754 double |
| STRING | 115 (ASCII 's') | UTF-8 string (must be valid UTF-8). Must be zero terminated. |
| CUSTOM | 99 (ASCII 'c') | A named byte array, used for custom types |
| ARRAY | 97 (ASCII 'a') | Array |
| DICT | 109 (ASCII 'm') | A dictionary of key/value pairs |
| OBJECT_PATH | 111 (ASCII 'o') | Name of an object |
The types are encoded as follows:
| Type name | Encoding |
|---|---|
| INVALID | Not applicable; cannot be encoded. |
| NIL | No data is encoded; the type code is followed immediately by the type code of the next argument. |
| BYTE | A byte. |
| BOOLEAN | A byte, with valid values 0 and 1. |
| INT32 | 32-bit signed integer in the message's byte order, aligned to 4-byte boundary. |
| UINT32 | 32-bit unsigned integer in the message's byte order, aligned to 4-byte boundary. |
| INT64 | 64-bit signed integer in the message's byte order, aligned to 8-byte boundary. |
| UINT64 | 64-bit unsigned integer in the message's byte order, aligned to 8-byte boundary. |
| DOUBLE | 64-bit IEEE 754 double in the message's byte order, aligned to 8-byte boundary. |
| STRING | UINT32 aligned to 4-byte boundary indicating the string's length in bytes excluding its terminating nul, followed by string data of the given length, followed by a terminating nul byte. |
| CUSTOM | A string (encoded as the STRING type above) giving the name of the type followed by an UINT32 aligned to 4-byte boundary indicating the data length in bytes, followed by the data. The string has some restrictions on its content, see the section called “Valid names”. |
| ARRAY | A sequence of bytes giving the element type of the array, terminated by a type different from ARRAY (just one byte for one-dimensional arrays, but larger for multi-dimensional arrays), followed by an UINT32 (aligned to 4 bytes) giving the length of the array data in bytes. This is followed by each array entry encoded the way it would normally be encoded, except arrays, which are encoded without the type information, since that is already declared above. Arrays containing NIL are not allowed. |
| DICT | UINT32 giving the length of the dictionary data in bytes. This is followed by a number of keyname/value pairs, where the keyname is encoded as a STRING above, and the value is encoded as a byte with typecode and how that type normally would be encoded alone. |
| OBJECT_PATH | Encoded as if it were a STRING. |
The various names in D-BUS messages have some restrictions.
Interfaces have names with type STRING, meaning that they must be valid UTF-8. However, there are also some additional restrictions that apply to interface names specifically:
They are composed of 1 or more elements separated by a period ('.') character. All elements must contain at least one character.
Each element must only contain the ASCII characters "[A-Z][a-z][0-9]_" and must not begin with a digit.
They must contain at least one '.' (period) character (and thus at least two elements).
They must not begin with a '.' (period) character.
They must not exceed 256 bytes in length.
They must be at least 1 byte in length.
Service names have the same restrictions as interface names, with a special exception for base services. A base service name's first element must start with a colon (':') character. After the colon, any characters in the range "[A-Z][a-z][0-9]_" may appear. Elements after the first must follow the usual rules, except that they may start with a digit. Service names not starting with a colon have none of these exceptions and follow the same rules as interface names.
Method names:
Must only contain the ASCII characters "[A-Z][a-z][0-9]_" and may not begin with a digit.
Must not contain the '.' (period) character
Must not exceed 256 bytes in length
Must be at least 1 byte in length
A path (type OBJECT_PATH) must begin with an ASCII '/' (slash) character. Paths may not end with a slash character unless the path is the one-byte string "/". Two slash characters may not appear adjacent to one another (the empty string is not a valid "subdirectory"). Paths may not exceed 256 bytes in length.
Each of the message types (METHOD_CALL, METHOD_RETURN, ERROR, and SIGNAL) has its own expected usage conventions and header fields.
Some messages invoke an operation on a remote object. These are called method call messages and have the type tag METHOD_CALL. Such messages map naturally to methods on objects in a typical program.
A method call message is expected to have a MEMBER header field indicating the name of the method. Optionally, the message has an INTERFACE field giving the interface the method is a part of. In the absence of an INTERFACE field, if two interfaces on the same object have a method with the same name, it is undefined which of the two methods will be invoked. Implementations may also choose to return an error in this ambiguous case. However, if a method name is unique implementations should not require an interface field.
Method call messages also include a PATH field indicating the object to invoke the method on. If the call is passing through a message bus, the message will also have a SERVICE field giving the service to receive the message.
When an application handles a method call message, it is expected to return a reply. The reply is identified by a REPLY_SERIAL header field indicating the serial number of the METHOD_CALL being replied to. The reply can have one of two types; either METHOD_RETURN or ERROR.
If the reply has type METHOD_RETURN, the arguments to the reply message are the return value(s) or "out parameters" of the method call. If the reply has type ERROR, then an "exception" has been thrown, and the call fails; no return value will be provided. It makes no sense to send multiple replies to the same method call.
Even if a method call has no return values, a METHOD_RETURN reply is expected, so the caller will know the method was successfully processed.
The METHOD_RETURN or ERROR reply message MUST have the REPLY_SERIAL header field. If this field is missing, it should be treated as a corrupt message.
If a METHOD_CALL message has the flag NO_REPLY_EXPECTED, then as an optimization the application receiving the method call may choose to omit the reply message (regardless of whether the reply would have been METHOD_RETURN or ERROR). However, it is also acceptable to ignore the NO_REPLY_EXPECTED flag and reply anyway.
If a message has the flag AUTO_ACTIVATION, then the addressed service will be activated before the message is delivered, if not already active. The message will be held until the service is successfully activated or has failed to activate; in case of failure, an activation error will be returned.
APIs for D-BUS may map method calls to a method call in a specific programming language, such as C++, or may map a method call written in an IDL to a D-BUS message.
In APIs of this nature, arguments to a method are often termed "in" (which implies sent in the METHOD_CALL), or "out" (which implies returned in the METHOD_RETURN). Some APIs such as CORBA also have "inout" arguments, which are both sent and received, i.e. the caller passes in a value which is modified. Mapped to D-BUS, an "inout" argument is equivalent to an "in" argument, followed by an "out" argument. You can't pass things "by reference" over the wire, so "inout" is purely an illusion of the in-process API.
Given a method with zero or one return values, followed by zero or more arguments, where each argument may be "in", "out", or "inout", the caller constructs a message by appending each "in" or "inout" argument, in order. "out" arguments are not represented in the caller's message.
The recipient constructs a reply by appending first the return value if any, then each "out" or "inout" argument, in order. "in" arguments are not represented in the reply message.
Unlike method calls, signal emissions have no replies. A signal emission is simply a single message of type SIGNAL. It must have three header fields: PATH giving the object the signal was emitted from, plus INTERFACE and MEMBER giving the fully-qualified name of the signal.
This document uses a simple pseudo-IDL to describe particular method calls and signals. Here is an example of a method call:
org.freedesktop.DBus.ActivateService (in STRING service_name, in UINT32 flags,
out UINT32 resultcode)
This means INTERFACE = org.freedesktop.DBus, MEMBER = ActivateService, METHOD_CALL arguments are STRING and UINT32, METHOD_RETURN argument is UINT32. Remember that the MEMBER field can't contain any '.' (period) characters so it's known that the last part of the name in the "IDL" is the member name.
In C++ that might end up looking like this:
unsigned int org::freedesktop::DBus::ActivateService (const char *service_name,
unsigned int flags);
or equally valid, the return value could be done as an argument:
void org::freedesktop::DBus::ActivateService (const char *service_name,
unsigned int flags,
unsigned int *resultcode);
It's really up to the API designer how they want to make this look. You could design an API where the namespace wasn't used in C++, using STL or Qt, using varargs, or whatever you wanted.
Signals are written as follows:
org.freedesktop.DBus.ServiceLost (STRING service_name)
Signals don't specify "in" vs. "out" because only a single direction is possible.
In this ad hoc notation, the special type name ANY means any type other than NIL, and the special type name ANY_OR_NIL means any valid type.
It isn't especially encouraged to use this lame pseudo-IDL in actual API implementations; you might use the native notation for the language you're using, or you might use COM or CORBA IDL, for example.
Before the flow of messages begins, two applications must authenticate. A simple plain-text protocol is used for authentication; this protocol is a SASL profile, and maps fairly directly from the SASL specification. The message encoding is NOT used here, only plain text messages.
In examples, "C:" and "S:" indicate lines sent by the client and server respectively.
The protocol is a line-based protocol, where each line ends with \r\n. Each line begins with an all-caps ASCII command name containing only the character range [A-Z], a space, then any arguments for the command, then the \r\n ending the line. The protocol is case-sensitive. All bytes must be in the ASCII character set. Commands from the client to the server are as follows:
AUTH [mechanism] [initial-response]
CANCEL
BEGIN
DATA <data in hex encoding>
ERROR [human-readable error explanation]
From server to client are as follows:
REJECTED <space-separated list of mechanism names>
OK
DATA <data in hex encoding>
ERROR
Immediately after connecting to the server, the client must send a single nul byte. This byte may be accompanied by credentials information on some operating systems that use sendmsg() with SCM_CREDS or SCM_CREDENTIALS to pass credentials over UNIX domain sockets. However, the nul byte MUST be sent even on other kinds of socket, and even on operating systems that do not require a byte to be sent in order to transmit credentials. The text protocol described in this document begins after the single nul byte. If the first byte received from the client is not a nul byte, the server may disconnect that client.
A nul byte in any context other than the initial byte is an error; the protocol is ASCII-only.
The credentials sent along with the nul byte may be used with the SASL mechanism EXTERNAL.
If an AUTH command has no arguments, it is a request to list available mechanisms. The server SHOULD respond with a REJECTED command listing the mechanisms it understands.
If an AUTH command specifies a mechanism, and the server supports said mechanism, the server SHOULD begin exchanging SASL challenge-response data with the client using DATA commands.
If the server does not support the mechanism given in the AUTH command, it SHOULD send a REJECTED command listing the mechanisms it does support.
If the [initial-response] argument is provided, it is intended for use with mechanisms that have no initial challenge (or an empty initial challenge), as if it were the argument to an initial DATA command. If the selected mechanism has an initial challenge, the server should reject authentication by sending REJECTED.
If authentication succeeds after exchanging DATA commands, an OK command should be sent to the client.
The first octet received by the client after the \r\n of the OK command MUST be the first octet of the authenticated/encrypted stream of D-BUS messages.
The first octet received by the server after the \r\n of the BEGIN command from the client MUST be the first octet of the authenticated/encrypted stream of D-BUS messages.
At any time up to sending the BEGIN command, the client may send a CANCEL command. On receiving the CANCEL command, the server MUST send a REJECTED command and abort the current authentication exchange.
The DATA command may come from either client or server, and simply contains a hex-encoded block of data to be interpreted according to the SASL mechanism in use.
Some SASL mechanisms support sending an "empty string"; FIXME we need some way to do this.
The BEGIN command acknowledges that the client has received an OK command from the server, and that the stream of messages is about to begin.
The first octet received by the server after the \r\n of the BEGIN command from the client MUST be the first octet of the authenticated/encrypted stream of D-BUS messages.
The REJECTED command indicates that the current authentication exchange has failed, and further exchange of DATA is inappropriate. The client would normally try another mechanism, or try providing different responses to challenges.
Optionally, the REJECTED command has a space-separated list of available auth mechanisms as arguments. If a server ever provides a list of supported mechanisms, it MUST provide the same list each time it sends a REJECTED message. Clients are free to ignore all lists received after the first.
The OK command indicates that the client has been authenticated, and that further communication will be a stream of D-BUS messages (optionally encrypted, as negotiated) rather than this protocol.
The first octet received by the client after the \r\n of the OK command MUST be the first octet of the authenticated/encrypted stream of D-BUS messages.
The client MUST respond to the OK command by sending a BEGIN command, followed by its stream of messages, or by disconnecting. The server MUST NOT accept additional commands using this protocol after the OK command has been sent.
The ERROR command indicates that either server or client did not know a command, does not accept the given command in the current context, or did not understand the arguments to the command. This allows the protocol to be extended; a client or server can send a command present or permitted only in new protocol versions, and if an ERROR is received instead of an appropriate response, fall back to using some other technique.
If an ERROR is sent, the server or client that sent the error MUST continue as if the command causing the ERROR had never been received. However, the the server or client receiving the error should try something other than whatever caused the error; if only canceling/rejecting the authentication.
Figure 1. Example of successful magic cookie authentication
(MAGIC_COOKIE is a made up mechanism)
C: AUTH MAGIC_COOKIE 3138363935333137393635383634
S: OK
C: BEGIN
Figure 2. Example of finding out mechanisms then picking one
C: AUTH
S: REJECTED KERBEROS_V4 SKEY
C: AUTH SKEY 7ab83f32ee
S: DATA 8799cabb2ea93e
C: DATA 8ac876e8f68ee9809bfa876e6f9876g8fa8e76e98f
S: OK
C: BEGIN
Figure 3. Example of client sends unknown command then falls back to regular auth
C: FOOBAR
S: ERROR
C: AUTH MAGIC_COOKIE 3736343435313230333039
S: OK
C: BEGIN
Figure 4. Example of server doesn't support initial auth mechanism
C: AUTH MAGIC_COOKIE 3736343435313230333039
S: REJECTED KERBEROS_V4 SKEY
C: AUTH SKEY 7ab83f32ee
S: DATA 8799cabb2ea93e
C: DATA 8ac876e8f68ee9809bfa876e6f9876g8fa8e76e98f
S: OK
C: BEGIN
Figure 5. Example of wrong password or the like followed by successful retry
C: AUTH MAGIC_COOKIE 3736343435313230333039
S: REJECTED KERBEROS_V4 SKEY
C: AUTH SKEY 7ab83f32ee
S: DATA 8799cabb2ea93e
C: DATA 8ac876e8f68ee9809bfa876e6f9876g8fa8e76e98f
S: REJECTED
C: AUTH SKEY 7ab83f32ee
S: DATA 8799cabb2ea93e
C: DATA 8ac876e8f68ee9809bfa876e6f9876g8fa8e76e98f
S: OK
C: BEGIN
Figure 6. Example of skey cancelled and restarted
C: AUTH MAGIC_COOKIE 3736343435313230333039
S: REJECTED KERBEROS_V4 SKEY
C: AUTH SKEY 7ab83f32ee
S: DATA 8799cabb2ea93e
C: CANCEL
S: REJECTED
C: AUTH SKEY 7ab83f32ee
S: DATA 8799cabb2ea93e
C: DATA 8ac876e8f68ee9809bfa876e6f9876g8fa8e76e98f
S: OK
C: BEGIN
This section documents the auth protocol in terms of a state machine for the client and the server. This is probably the most robust way to implement the protocol.
To more precisely describe the interaction between the protocol state machine and the authentication mechanisms the following notation is used: MECH(CHALL) means that the server challenge CHALL was fed to the mechanism MECH, which returns one of
CONTINUE(RESP) means continue the auth conversation and send RESP as the response to the server;
OK(RESP) means that after sending RESP to the server the client side of the auth conversation is finished and the server should return "OK";
ERROR means that CHALL was invalid and could not be processed.
Both RESP and CHALL may be empty.
The Client starts by getting an initial response from the default mechanism and sends AUTH MECH RESP, or AUTH MECH if the mechanism did not provide an initial response. If the mechanism returns CONTINUE, the client starts in state WaitingForData, if the mechanism returns OK the client starts in state WaitingForOK.
The client should keep track of available mechanisms and which it mechanisms it has already attempted. This list is used to decide which AUTH command to send. When the list is exhausted, the client should give up and close the connection.
WaitingForData.
Receive DATA CHALL
| MECH(CHALL) returns CONTINUE(RESP) → send DATA RESP, goto WaitingForData |
| MECH(CHALL) returns OK(RESP) → send DATA RESP, goto WaitingForOK |
| MECH(CHALL) returns ERROR → send ERROR [msg], goto WaitingForData |
Receive REJECTED [mechs] → send AUTH [next mech], goto WaitingForData or WaitingForOK
Receive ERROR → send CANCEL, goto WaitingForReject
Receive OK → send BEGIN, terminate auth conversation, authenticated
Receive anything else → send ERROR, goto WaitingForData
WaitingForOK.
Receive OK → send BEGIN, terminate auth conversation, authenticated
Receive REJECT [mechs] → send AUTH [next mech], goto WaitingForData or WaitingForOK
Receive DATA → send CANCEL, goto WaitingForReject
Receive ERROR → send CANCEL, goto WaitingForReject
Receive anything else → send ERROR, goto WaitingForOK
WaitingForReject.
Receive REJECT [mechs] → send AUTH [next mech], goto WaitingForData or WaitingForOK
Receive anything else → terminate auth conversation, disconnect
For the server MECH(RESP) means that the client response RESP was fed to the the mechanism MECH, which returns one of
CONTINUE(CHALL) means continue the auth conversation and send CHALL as the challenge to the client;
OK means that the client has been successfully authenticated;
REJECT means that the client failed to authenticate or there was an error in RESP.
The server starts out in state WaitingForAuth. If the client is rejected too many times the server must disconnect the client.
WaitingForAuth.
Receive AUTH → send REJECTED [mechs], goto WaitingForAuth
Receive AUTH MECH RESP
| MECH not valid mechanism → send REJECTED [mechs], goto WaitingForAuth |
| MECH(RESP) returns CONTINUE(CHALL) → send DATA CHALL, goto WaitingForData |
| MECH(RESP) returns OK → send OK, goto WaitingForBegin |
| MECH(RESP) returns REJECT → send REJECTED [mechs], goto WaitingForAuth |
Receive BEGIN → terminate auth conversation, disconnect
Receive ERROR → send REJECTED [mechs], goto WaitingForAuth
Receive anything else → send ERROR, goto WaitingForAuth
WaitingForData.
Receive DATA RESP
| MECH(RESP) returns CONTINUE(CHALL) → send DATA CHALL, goto WaitingForData |
| MECH(RESP) returns OK → send OK, goto WaitingForBegin |
| MECH(RESP) returns REJECT → send REJECTED [mechs], goto WaitingForAuth |
Receive BEGIN → terminate auth conversation, disconnect
Receive CANCEL → send REJECTED [mechs], goto WaitingForAuth
Receive ERROR → send REJECTED [mechs], goto WaitingForAuth
Receive anything else → send ERROR, goto WaitingForData
WaitingForBegin.
Receive BEGIN → terminate auth conversation, client authenticated
Receive CANCEL → send REJECTED [mechs], goto WaitingForAuth
Receive ERROR → send REJECTED [mechs], goto WaitingForAuth
Receive anything else → send ERROR, goto WaitingForBegin
This section describes some new authentication mechanisms. D-BUS also allows any standard SASL mechanism of course.
The DBUS_COOKIE_SHA1 mechanism is designed to establish that a client has the ability to read a private file owned by the user being authenticated. If the client can prove that it has access to a secret cookie stored in this file, then the client is authenticated. Thus the security of DBUS_COOKIE_SHA1 depends on a secure home directory.
Authentication proceeds as follows:
The client sends the username it would like to authenticate as.
The server sends the name of its "cookie context" (see below); a space character; the integer ID of the secret cookie the client must demonstrate knowledge of; a space character; then a hex-encoded randomly-generated challenge string.
The client locates the cookie, and generates its own hex-encoded randomly-generated challenge string. The client then concatentates the server's hex-encoded challenge, a ":" character, its own hex-encoded challenge, another ":" character, and the hex-encoded cookie. It computes the SHA-1 hash of this composite string. It sends back to the server the client's hex-encoded challenge string, a space character, and the SHA-1 hash.
The server generates the same concatenated string used by the client and computes its SHA-1 hash. It compares the hash with the hash received from the client; if the two hashes match, the client is authenticated.
Each server has a "cookie context," which is a name that identifies a set of cookies that apply to that server. A sample context might be "org_freedesktop_session_bus". Context names must be valid ASCII, nonzero length, and may not contain the characters slash ("/"), backslash ("\"), space (" "), newline ("\n"), carriage return ("\r"), tab ("\t"), or period ("."). There is a default context, "org_freedesktop_global" that's used by servers that do not specify otherwise.
Cookies are stored in a user's home directory, in the directory ~/.dbus-keyrings/. This directory must not be readable or writable by other users. If it is, clients and servers must ignore it. The directory contains cookie files named after the cookie context.
A cookie file contains one cookie per line. Each line has three space-separated fields:
The cookie ID number, which must be a non-negative integer and may not be used twice in the same file.
The cookie's creation time, in UNIX seconds-since-the-epoch format.
The cookie itself, a hex-encoded random block of bytes.
Only server processes modify the cookie file. They must do so with this procedure:
Create a lockfile name by appending ".lock" to the name of the cookie file. The server should attempt to create this file using O_CREAT | O_EXCL. If file creation fails, the lock fails. Servers should retry for a reasonable period of time, then they may choose to delete an existing lock to keep users from having to manually delete a stale lock. [1]
Once the lockfile has been created, the server loads the cookie file. It should then delete any cookies that are old (the timeout can be fairly short), or more than a reasonable time in the future (so that cookies never accidentally become permanent, if the clock was set far into the future at some point). If no recent keys remain, the server may generate a new key.
The pruned and possibly added-to cookie file must be resaved atomically (using a temporary file which is rename()'d).
The lock must be dropped by deleting the lockfile.
Clients need not lock the file in order to load it, because servers are required to save the file atomically.
Server addresses consist of a transport name followed by a colon, and then an optional, comma-separated list of keys and values in the form key=value. [FIXME how do you escape colon, comma, and semicolon in the values of the key=value pairs?]
For example:
unix:path=/tmp/dbus-test
Which is the address to a unix socket with the path /tmp/dbus-test.
[FIXME clarify if attempting to connect to each is a requirement or just a suggestion] When connecting to a server, multiple server addresses can be separated by a semi-colon. The library will then try to connect to the first address and if that fails, it'll try to connect to the next one specified, and so forth. For example
unix:path=/tmp/dbus-test;unix:path=/tmp/dbus-test2
[FIXME we need to specify in detail each transport and its possible arguments] Current transports include: unix domain sockets (including abstract namespace on linux), TCP/IP, and a debug/testing transport using in-process pipes. Future possible transports include one that tunnels over X11 protocol.
See the section called “Notation in this document” for details on the notation used in this section.
org.freedesktop.Peer.Ping ()
On receipt of the METHOD_CALL message org.freedesktop.Peer.Ping, an application should do nothing other than reply with a METHOD_RETURN as usual.
[FIXME this is just a bogus made-up method that isn't implemented or thought through, to save an example of table formatting for the argument descriptions]
org.freedesktop.Props.Get (in STRING property_name,
out ANY_OR_NIL property_value)
Message arguments:
| Argument | Type | Description |
|---|---|---|
| 0 | in STRING | Name of the property to get |
| 1 | out ANY_OR_NIL | The value of the property. The type depends on the property. |
The message bus accepts connections from one or more applications. Once connected, applications can send and receive messages from the message bus, as in the peer-to-peer case.
The message bus keeps track of a set of services. A service is simply a name, such as com.yoyodyne.Screensaver, which can be owned by one or more of the connected applications. The message bus itself always owns the special service org.freedesktop.DBus.
Services may have secondary owners. Secondary owners of a service are kept in a queue; if the primary owner of a service disconnects, or releases the service, the next secondary owner becomes the new owner of the service.
Messages may have a SERVICE field (see the section called “Header Fields”). When the message bus receives a message, if the SERVICE field is absent, the message is taken to be a standard peer-to-peer message and interpreted by the message bus itself. For example, sending an org.freedesktop.Peer.Ping message with no SERVICE will cause the message bus itself to reply to the ping immediately; the message bus would never make this message visible to other applications.
If the SERVICE field is present, then it indicates a request for the message bus to route the message. In the usual case, messages are routed to the owner of the named service. Messages may also be broadcast by sending them to the special service org.freedesktop.DBus.Broadcast. Broadcast messages are sent to all applications with message matching rules that match the message.
Continuing the org.freedesktop.Peer.Ping example, if the ping message were sent with a SERVICE name of com.yoyodyne.Screensaver, then the ping would be forwarded, and the Yoyodyne Corporation screensaver application would be expected to reply to the ping. If org.freedesktop.Peer.Ping were sent to org.freedesktop.DBus.Broadcast, then multiple applications might receive the ping, and all would normally reply to it.
A service is a name that identifies a certain application. Each application connected to the message bus has at least one service name assigned at connection time and returned in response to the org.freedesktop.DBus.Hello message. This automatically-assigned service name is called the application's base service. Base service names are unique and MUST never be reused for two different applications.
Ownership of the base service is a prerequisite for interaction with the message bus. It logically follows that the base service is always the first service that an application comes to own, and the last service that it loses ownership of.
Base service names must begin with the character ':' (ASCII colon character); service names that are not base service names must not begin with this character. (The bus must reject any attempt by an application to manually create a service name beginning with ':'.) This restriction categorically prevents "spoofing"; messages sent to a base service name will always go to a single application instance and that instance only.
An application can request additional service names to be associated with it using the org.freedesktop.DBus.AcquireService message. [FIXME what service names are allowed; ASCII or unicode; length limit; etc.]
[FIXME this needs more detail, and should move the service-related message descriptions up into this section perhaps] Service ownership handling can be specified in the flags part of the org.freedesktop.DBus.AcquireService message. If an application specifies the DBUS_SERVICE_FLAGS_PROHIBIT_REPLACEMENT flag, then all applications trying to acquire the service will be put in a queue. When the primary owner disconnects from the bus or removes ownership from the service, the next application in the queue will be the primary owner. If the DBUS_SERVICE_FLAGS_PROHIBIT_REPLACEMENT flag is not specified, then the primary owner will lose ownership whenever another application requests ownership of the service.
When a client disconnects from the bus, all the services that the clients own are deleted, or in the case of a service that prohibits replacement, ownership is transferred to the next client in the queue, if any.
When a message is received by the message bus, the message's sndr header field MUST be set to the base service of the application which sent the message. If the service already has a sndr field, the pre-existing field is replaced. This rule means that a replies are always sent to the base service name, i.e. to the same application that sent the message being replied to.
[FIXME go into detail about broadcast, multicast, unicast, etc.]
Activation means to locate a service owner for a service that is currently unowned. For now, it means to launch an executable that will take ownership of a particular service.
To find an executable corresponding to a particular service, the bus daemon looks for service description files. Service description files define a mapping from service names to executables. Different kinds of message bus will look for these files in different places, see the section called “Well-known Message Bus Instances”.
[FIXME the file format should be much better specified than "similar to .desktop entries" esp. since desktop entries are already badly-specified. ;-)] Service description files have the ".service" file extension. The message bus will only load service description files ending with .service; all other files will be ignored. The file format is similar to that of desktop entries. All service description files must be in UTF-8 encoding. To ensure that there will be no name collisions, service files must be namespaced using the same mechanism as messages and service names.
Figure 7. Example service description file
# Sample service description file
[D-BUS Service]
Name=org.gnome.ConfigurationDatabase
Exec=/usr/libexec/gconfd-2
When an application requests a service to be activated, the bus daemon tries to find it in the list of activation entries. It then tries to spawn the executable associated with it. If this fails, it will report an error. [FIXME what happens if two .service files offer the same service; what kind of error is reported, should we have a way for the client to choose one?]
The executable launched will have the environment variable DBUS_ACTIVATION_ADDRESS set to the address of the message bus so it can connect and register the appropriate services.
The executable being launched may want to know whether the message bus activating it is one of the well-known message buses (see the section called “Well-known Message Bus Instances”). To facilitate this, the bus MUST also set the DBUS_ACTIVATION_BUS_TYPE environment variable if it is one of the well-known buses. The currently-defined values for this variable are system for the systemwide message bus, and session for the per-login-session message bus. The activated executable must still connect to the address given in DBUS_ACTIVATION_ADDRESS, but may assume that the resulting connection is to the well-known bus.
[FIXME there should be a timeout somewhere, either specified in the .service file, by the client, or just a global value and if the client being activated fails to connect within that timeout, an error should be sent back.]
Two standard message bus instances are defined here, along with how to locate them and where their service files live.
Each time a user logs in, a login session message bus may be started. All applications in the user's login session may interact with one another using this message bus.
The address of the login session message bus is given in the DBUS_SESSION_BUS_ADDRESS environment variable. If that variable is not set, applications may also try to read the address from the X Window System root window property _DBUS_SESSION_BUS_ADDRESS. The root window property must have type STRING. The environment variable should have precedence over the root window property.
[FIXME specify location of .service files, probably using DESKTOP_DIRS etc. from basedir specification, though login session bus is not really desktop-specific]
A computer may have a system message bus, accessible to all applications on the system. This message bus may be used to broadcast system events, such as adding new hardware devices, changes in the printer queue, and so forth.
The address of the login session message bus is given in the DBUS_SYSTEM_BUS_ADDRESS environment variable. If that variable is not set, applications should try to connect to the well-known address unix:path=/var/run/dbus/system_bus_socket. [2]
[FIXME specify location of system bus .service files]
The special message bus service org.freedesktop.DBus responds to a number of messages, allowing applications to interact with the message bus.
As a method:
STRING Hello ()
Reply arguments:
| Argument | Type | Description |
|---|---|---|
| 0 | STRING | Name of the service assigned to the application |
Before an application is able to send messages to other applications it must send the org.freedesktop.DBus.Hello message to the message bus service. If an application tries to send a message to another application, or a message to the message bus service that isn't the org.freedesktop.DBus.Hello message, it will be disconnected from the bus. If a client wishes to disconnect from the bus, it just has to disconnect from the transport used. No de-registration message is necessary.
The reply message contains the name of the application's base service.
As a method:
STRING_ARRAY ListServices ()
Reply arguments:
| Argument | Type | Description |
|---|---|---|
| 0 | STRING_ARRAY | Array of strings where each string is the name of a service |
Returns a list of all existing services registered with the message bus.
As a method:
BOOLEAN ServiceExists (in STRING service_name)
Message arguments:
| Argument | Type | Description |
|---|---|---|
| 0 | STRING | Name of the service |
Reply arguments:
| Argument | Type | Description |
|---|---|---|
| 0 | BOOLEAN | Return value, true if the service exists |
Checks if a service with a specified name exists.
As a method:
UINT32 AcquireService (in STRING service_name)
Message arguments:
| Argument | Type | Description |
|---|---|---|
| 0 | STRING | Name of the service |
| 1 | UINT32 | Flags |
Reply arguments:
| Argument | Type | Description |
|---|---|---|
| 0 | UINT32 | Return value |
Tries to become owner of a specific service. The flags specified can be the following values logically ORed together:
| Identifier | Value | Description |
|---|---|---|
| DBUS_SERVICE_FLAGS_PROHIBIT_REPLACEMENT | 0x1 | If the application succeeds in being the owner of the specified service, then ownership of the service can't be transferred until the service disconnects. If this flag is not set, then any application trying to become the owner of the service will succeed and the previous owner will be sent a org.freedesktop.DBus.ServiceLost message. |
| DBUS_SERVICE_FLAGS_REPLACE_EXISTING | 0x2 | Try to replace the current owner if there is one. If this flag is not set the application will only become the owner of the service if there is no current owner. |
[FIXME if it's one of the following values, why are the values done as flags instead of just 0, 1, 2, 3, 4] The return value can be one of the following values:
| Identifier | Value | Description |
|---|---|---|
| DBUS_SERVICE_REPLY_PRIMARY_OWNER | 0x1 | The application is now the primary owner of the service. |
| DBUS_SERVICE_REPLY_IN_QUEUE | 0x2 | The service already has an owner which do not want to give up ownership and therefore the application has been put in a queue. |
| DBUS_SERVICE_REPLY_SERVICE_EXISTS | 0x4 | The service does already have a primary owner, and DBUS_SERVICE_FLAG_REPLACE_EXISTING was not specified when trying to acquire the service. |
| DBUS_SERVICE_REPLY_ALREADY_OWNER | 0x8 | The application trying to request ownership of the service is already the owner of it. |
As a method:
ServiceAcquired (in STRING service_name)
Message arguments:
| Argument | Type | Description |
|---|---|---|
| 0 | STRING | Name of the service |
| 1 | UINT32 | Flags |
This message is sent to a specific application when it becomes the primary owner of a service.
As a method:
ServiceLost (in STRING service_name)
Message arguments:
| Argument | Type | Description |
|---|---|---|
| 0 | STRING | Name of the service |
| 1 | UINT32 | Flags |
This message is sent to a specific application when it loses primary ownership of a service. [FIXME instead of ServiceLost/ServiceCreated going only to a specific app, why not just OwnerChanged that covers both lost and created and changed owner and deleted]
As a method:
ServiceCreated (in STRING service_name)
Message arguments:
| Argument | Type | Description |
|---|---|---|
| 0 | STRING | Name of the service |
| 1 | UINT32 | Flags |
This message is broadcast to all applications when a service has been successfully registered on the message bus.
As a method:
ServiceDeleted (in STRING service_name)
Message arguments:
| Argument | Type | Description |
|---|---|---|
| 0 | STRING | Name of the service |
| 1 | UINT32 | Flags |
This message is broadcast to all applications when a service has been deleted from the message bus.
As a method:
UINT32 ActivateService (in STRING service_name, in UINT32 flags)
Message arguments:
| Argument | Type | Description |
|---|---|---|
| 0 | STRING | Name of the service to activate |
| 1 | UINT32 | Flags (currently not used) |
Reply arguments:
| Argument | Type | Description |
|---|---|---|
| 0 | UINT32 | Return value |
Tries to launch the executable associated with a service. For more information, see the section called “Message Bus Service Activation”. [FIXME need semantics in much more detail here; for example, if I activate a service then send it a message, is the message queued for the new service or is there a race]
The return value can be one of the following values:
| Identifier | Value | Description |
|---|---|---|
| DBUS_ACTIVATION_REPLY_ACTIVATED | 0x0 | The service was activated successfully. |
| DBUS_ACTIVATION_REPLY_ALREADY_ACTIVE | 0x1 | The service is already active. |
As a method:
STRING GetServiceOwner (in STRING service_name)
Message arguments:
| Argument | Type | Description |
|---|---|---|
| 0 | STRING | Name of the service to query |
Reply arguments:
| Argument | Type | Description |
|---|---|---|
| 0 | STRING | Return value, a base service name |
Returns the base service name of the primary owner of the service in argument. If the requested service isn't active, returns a org.freedesktop.DBus.Error.ServiceHasNoOwner error.
As a method:
UINT32 GetConnectionUnixUser (in STRING connection_name)
Message arguments:
| Argument | Type | Description |
|---|---|---|
| 0 | STRING | Name of the connection/service to query |
Reply arguments:
| Argument | Type | Description |
|---|---|---|
| 0 | UINT32 | unix user id |
Returns the unix uid of the process connected to the server. If unable to determine it, a org.freedesktop.DBus.Error.Failed error is returned.
As a method:
void NoMemory ()
Sent by the message bus when it can't process a message due to an out of memory failure.
This glossary defines some of the terms used in this specification.
The process of creating an owner for a particular service, typically by launching an executable.
The special service automatically assigned to an application by the message bus. This service may never change owner, and the service name will be unique (never reused during the lifetime of the message bus).
A message sent to the special org.freedesktop.DBus.Broadcast service; the message bus will forward the broadcast message to all applications that have expressed interest in it.
A message is the atomic unit of communication via the D-BUS protocol. It consists of a header and a body; the body is made up of arguments.
The message bus is a special application that forwards or broadcasts messages between a group of applications connected to the message bus. It also manages services.
Used to prevent collisions when defining message and service names. The convention used is the same as Java uses for defining classes: a reversed domain name.
Each application contains objects, which have interfaces and methods. Objects are referred to by a name, called a path or object reference.
Object references (object names) in D-BUS are organized into a filesystem-style hierarchy, so each object is named by a path. As in LDAP, there's no difference between "files" and "directories"; a path can refer to an object, while still having child objects below it.
An application talking directly to another application, without going through a message bus.
Each service has a primary owner; messages sent to the service name go to the primary owner. However, certain services also maintain a queue of secondary owners "waiting in the wings." If the primary owner releases the service, then the first secondary owner in the queue automatically becomes the primary owner.
A service is simply a named list of applications. For example, the hypothetical com.yoyodyne.Screensaver service might accept messages that affect a screensaver from Yoyodyne Corporation. An application is said to own a service if the message bus has associated the application with the service name. Services may also have secondary owners (see Secondary service owner).
The name used when referring to a service. If the service is a base service it has a unique service name, for example ":1-20", and otherwise it should be namespaced.
".service files" tell the bus how to activate a particular service. See Activation