[134] | 1 | <?xml version="1.0"?> |
---|
| 2 | <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" |
---|
| 3 | "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [ |
---|
| 4 | <!ENTITY legal SYSTEM "legal.xml"> |
---|
| 5 | <!ENTITY version "2.26.0"> |
---|
| 6 | <!ENTITY date "02/10/2009"> |
---|
| 7 | <!ENTITY mdash "—"> |
---|
| 8 | <!ENTITY percnt "%"> |
---|
| 9 | ]> |
---|
| 10 | |
---|
| 11 | <article id="index" lang="en"> |
---|
| 12 | <articleinfo> |
---|
| 13 | <title>GNOME Display Manager Reference Manual</title> |
---|
| 14 | |
---|
| 15 | <revhistory> |
---|
| 16 | <revision> |
---|
| 17 | <revnumber>0.0</revnumber> |
---|
| 18 | <date>2008-09</date> |
---|
| 19 | </revision> |
---|
| 20 | </revhistory> |
---|
| 21 | |
---|
| 22 | <abstract role="description"> |
---|
| 23 | <para> |
---|
| 24 | GDM is the GNOME Display Manager, a graphical login program. |
---|
| 25 | </para> |
---|
| 26 | </abstract> |
---|
| 27 | |
---|
| 28 | <authorgroup> |
---|
| 29 | <author> |
---|
| 30 | <firstname>Martin</firstname><othername>K.</othername> |
---|
| 31 | <surname>Petersen</surname> |
---|
| 32 | <affiliation> |
---|
| 33 | <address><email>mkp@mkp.net</email></address> |
---|
| 34 | </affiliation> |
---|
| 35 | </author> |
---|
| 36 | <author> |
---|
| 37 | <firstname>George</firstname><surname>Lebl</surname> |
---|
| 38 | <affiliation> |
---|
| 39 | <address><email>jirka@5z.com</email></address> |
---|
| 40 | </affiliation> |
---|
| 41 | </author> |
---|
| 42 | <author> |
---|
| 43 | <firstname>Jon</firstname><surname>McCann</surname> |
---|
| 44 | <affiliation> |
---|
| 45 | <address><email>mccann@jhu.edu</email></address> |
---|
| 46 | </affiliation> |
---|
| 47 | </author> |
---|
| 48 | <author> |
---|
| 49 | <firstname>Ray</firstname><surname>Strode</surname> |
---|
| 50 | <affiliation> |
---|
| 51 | <address><email>rstrode@redhat.com</email></address> |
---|
| 52 | </affiliation> |
---|
| 53 | </author> |
---|
| 54 | <author role="maintainer"> |
---|
| 55 | <firstname>Brian</firstname><surname>Cameron</surname> |
---|
| 56 | <affiliation> |
---|
| 57 | <address><email>Brian.Cameron@Sun.COM</email></address> |
---|
| 58 | </affiliation> |
---|
| 59 | </author> |
---|
| 60 | </authorgroup> |
---|
| 61 | <copyright> |
---|
| 62 | <year>1998</year> |
---|
| 63 | <year>1999</year> |
---|
| 64 | <holder>Martin K. Petersen</holder> |
---|
| 65 | </copyright> |
---|
| 66 | <copyright> |
---|
| 67 | <year>2001</year> |
---|
| 68 | <year>2003</year> |
---|
| 69 | <year>2004</year> |
---|
| 70 | <holder>George Lebl</holder> |
---|
| 71 | </copyright> |
---|
| 72 | <copyright> |
---|
| 73 | <year>2003</year> |
---|
| 74 | <year>2007</year> |
---|
| 75 | <year>2008</year> |
---|
| 76 | <holder>Red Hat, Inc.</holder> |
---|
| 77 | </copyright> |
---|
| 78 | <copyright> |
---|
| 79 | <year>2003</year> |
---|
| 80 | <year>2004</year> |
---|
| 81 | <year>2005</year> |
---|
| 82 | <year>2006</year> |
---|
| 83 | <year>2007</year> |
---|
| 84 | <year>2008</year> |
---|
| 85 | <holder>Sun Microsystems, Inc.</holder> |
---|
| 86 | </copyright> |
---|
| 87 | |
---|
| 88 | &legal; |
---|
| 89 | |
---|
| 90 | <releaseinfo> |
---|
| 91 | This manual describes version &version; of the GNOME Display Manager. |
---|
| 92 | It was last updated on &date;. |
---|
| 93 | </releaseinfo> |
---|
| 94 | </articleinfo> |
---|
| 95 | |
---|
| 96 | <!-- ============= Preface ================================== --> |
---|
| 97 | |
---|
| 98 | <sect1 id="preface"> |
---|
| 99 | <title>Terms and Conventions Used in This Manual</title> |
---|
| 100 | |
---|
| 101 | <para> |
---|
| 102 | This manual describes version &version; of the GNOME Display Manager. |
---|
| 103 | It was last updated on &date;. |
---|
| 104 | </para> |
---|
| 105 | |
---|
| 106 | <para> |
---|
| 107 | Chooser - A program used to select a remote host for managing a |
---|
| 108 | display remotely on the attached display (<command>gdm-host-chooser</command>). |
---|
| 109 | </para> |
---|
| 110 | |
---|
| 111 | <para> |
---|
| 112 | FreeDesktop - The organization providing desktop standards, such as the |
---|
| 113 | Desktop Entry Specification used by GDM. |
---|
| 114 | <ulink type="http" url="http://www.freedesktop.org/"> |
---|
| 115 | http://www.freedesktop.org</ulink>. |
---|
| 116 | </para> |
---|
| 117 | <para> |
---|
| 118 | GDM - GNOME Display Manager. Used to describe the software package as a |
---|
| 119 | whole. |
---|
| 120 | </para> |
---|
| 121 | |
---|
| 122 | <para> |
---|
| 123 | Greeter - The graphical login window (<command>gdm-simple-greeter</command>). |
---|
| 124 | </para> |
---|
| 125 | |
---|
| 126 | <para> |
---|
| 127 | PAM - Pluggable Authentication Mechanism |
---|
| 128 | </para> |
---|
| 129 | |
---|
| 130 | <para> |
---|
| 131 | XDMCP - X Display Manage Protocol |
---|
| 132 | </para> |
---|
| 133 | |
---|
| 134 | <para> |
---|
| 135 | Xserver - An implementation of the X Window System. For example the |
---|
| 136 | Xorg webserver provided by the X.org Foundation |
---|
| 137 | <ulink type="http" url="http://www.x.org/">http://www.x.org</ulink>. |
---|
| 138 | </para> |
---|
| 139 | |
---|
| 140 | <para> |
---|
| 141 | Paths that start with a word in angle brackets are relative to the |
---|
| 142 | installation prefix. I.e. <filename><share>/pixmaps/</filename> |
---|
| 143 | refers to <filename>/usr/share/pixmaps</filename> if GDM was |
---|
| 144 | configured with <command>--prefix=/usr</command>. |
---|
| 145 | </para> |
---|
| 146 | </sect1> |
---|
| 147 | |
---|
| 148 | <!-- ============= Overview ================================= --> |
---|
| 149 | |
---|
| 150 | <sect1 id="overview"> |
---|
| 151 | <title>Overview</title> |
---|
| 152 | |
---|
| 153 | <sect2 id="introduction"> |
---|
| 154 | <title>Introduction</title> |
---|
| 155 | |
---|
| 156 | <para> |
---|
| 157 | The GNOME Display Manager (GDM) is a display manager that implements |
---|
| 158 | all significant features required for managing attached and remote |
---|
| 159 | displays. GDM was written from scratch and does not contain any XDM or |
---|
| 160 | X Consortium code. |
---|
| 161 | </para> |
---|
| 162 | |
---|
| 163 | <para> |
---|
| 164 | Note that GDM is configurable, and many configuration settings have |
---|
| 165 | an impact on security. Issues to be aware of are highlighted in this |
---|
| 166 | document. |
---|
| 167 | </para> |
---|
| 168 | |
---|
| 169 | <para> |
---|
| 170 | Please note that some Operating Systems configure GDM to behave |
---|
| 171 | differently than the default values as described in this document. If |
---|
| 172 | GDM does not seem to behave as documented, then check to see if any |
---|
| 173 | related configuration may be different than described here. |
---|
| 174 | </para> |
---|
| 175 | |
---|
| 176 | <para> |
---|
| 177 | For further information about GDM, refer to the project website at |
---|
| 178 | <ulink type="http" url="http://www.gnome.org/projects/gdm/"> |
---|
| 179 | http://www.gnome.org/projects/gdm</ulink> and the project |
---|
| 180 | Wiki <ulink type="http" url="http://live.gnome.org/GDM"> |
---|
| 181 | http://live.gnome.org/GDM</ulink>. |
---|
| 182 | </para> |
---|
| 183 | |
---|
| 184 | <para> |
---|
| 185 | For discussion or queries about GDM, refer to the |
---|
| 186 | <address><email>gdm-list@gnome.org</email></address> mail list. This |
---|
| 187 | list is archived, and is a good resource to check to seek answers to |
---|
| 188 | common questions. This list is archived at |
---|
| 189 | <ulink type="http" url="http://mail.gnome.org/archives/gdm-list/"> |
---|
| 190 | http://mail.gnome.org/archives/gdm-list/</ulink> and has a search |
---|
| 191 | facility to look for messages with keywords. |
---|
| 192 | </para> |
---|
| 193 | |
---|
| 194 | <para> |
---|
| 195 | Please submit any bug reports or enhancement requests to the |
---|
| 196 | "gdm" category in |
---|
| 197 | <ulink type="http" url="http://bugzilla.gnome.org/"> |
---|
| 198 | http://bugzilla.gnome.org</ulink>. |
---|
| 199 | </para> |
---|
| 200 | </sect2> |
---|
| 201 | |
---|
| 202 | <sect2 id="stability"> |
---|
| 203 | <title>Interface Stability</title> |
---|
| 204 | |
---|
| 205 | <para> |
---|
| 206 | GDM 2.20 and earlier supported stable configuration interfaces. |
---|
| 207 | However, the codebase was completely rewritten for GDM 2.22, and |
---|
| 208 | is not completely backward compatible with older releases. This is |
---|
| 209 | in part because things work differently, so some options just don't |
---|
| 210 | make sense, in part because some options never made sense, and in |
---|
| 211 | part because some functionality has not been reimplemented yet. |
---|
| 212 | </para> |
---|
| 213 | |
---|
| 214 | <para> |
---|
| 215 | Interfaces which continue to be supported in a stable fashion include |
---|
| 216 | the Init, PreSession, PostSession, PostLogin, and Xsession scripts. |
---|
| 217 | Some daemon configuration options in the |
---|
| 218 | <filename><etc>/gdm/custom.conf</filename> file continue to be |
---|
| 219 | supported. Also, the <filename>~/.dmrc</filename>, and face browser |
---|
| 220 | image locations are still supported. |
---|
| 221 | </para> |
---|
| 222 | |
---|
| 223 | <para> |
---|
| 224 | GDM 2.20 and earlier supported the ability to manage multiple displays |
---|
| 225 | with separate graphics cards, such as used in terminal server |
---|
| 226 | environments, login in a window via a program like Xnest or Xephyr, the |
---|
| 227 | gdmsetup program, XML-based greeter themes, and the ability to run the |
---|
| 228 | XDMCP chooser from the login screen. These features were not |
---|
| 229 | added back during the 2.22 rewrite. |
---|
| 230 | </para> |
---|
| 231 | |
---|
| 232 | </sect2> |
---|
| 233 | |
---|
| 234 | <sect2 id="functionaldesc"> |
---|
| 235 | <title>Functional Description</title> |
---|
| 236 | |
---|
| 237 | <!-- |
---|
| 238 | <para> |
---|
| 239 | TODO - Would be good to discuss D-Bus, perhaps the new GObject model, |
---|
| 240 | and to explain the reasons why the rewrite made GDM better. |
---|
| 241 | From a high-level overview perspective, rather than the |
---|
| 242 | technical aspects. |
---|
| 243 | </para> |
---|
| 244 | --> |
---|
| 245 | |
---|
| 246 | <para> |
---|
| 247 | GDM is responsible for managing displays on the system. This includes |
---|
| 248 | authenticating users, starting the user session, and terminating the |
---|
| 249 | user session. GDM is configurable and the ways it can be configured |
---|
| 250 | are described in the "Configuring GDM" section of this |
---|
| 251 | document. GDM is also accessible for users with disabilities. |
---|
| 252 | </para> |
---|
| 253 | |
---|
| 254 | <para> |
---|
| 255 | GDM provides the ability to manage the main console display, and |
---|
| 256 | displays launched via VT. It is integrated with other programs, |
---|
| 257 | such as the Fast User Switch Applet (FUSA) and gnome-screensaver |
---|
| 258 | to manage multiple displays on the console via the Xserver Virtual |
---|
| 259 | Terminal (VT) interface. It also can manage XDMCP displays. |
---|
| 260 | </para> |
---|
| 261 | |
---|
| 262 | <para> |
---|
| 263 | Regardless of the display type, GDM will do the following when it |
---|
| 264 | manages the display. It will start an Xserver process, then run the |
---|
| 265 | <filename>Init</filename> script as the root user, and start the |
---|
| 266 | greeter program on the display. |
---|
| 267 | </para> |
---|
| 268 | |
---|
| 269 | <para> |
---|
| 270 | The greeter program is run as the unprivileged "gdm" |
---|
| 271 | user/group. This user and group are described in the |
---|
| 272 | "Security" section of this document. The main function of |
---|
| 273 | the greeter program is to authenticate the user. The authentication |
---|
| 274 | process is driven by Pluggable Authentication Modules (PAM). The PAM |
---|
| 275 | modules determine what prompts (if any) are shown to the user to |
---|
| 276 | authenticate. On the average system, the greeter program will request |
---|
| 277 | a username and password for authentication. However some systems may |
---|
| 278 | be configured to use alternative mechanisms such as a fingerprint or |
---|
| 279 | SmartCard reader. GDM and PAM can be configured to not require any |
---|
| 280 | input, which will cause GDM to automatically log in and simply |
---|
| 281 | start a session, which can be useful for some environments, such as |
---|
| 282 | for kiosks. |
---|
| 283 | </para> |
---|
| 284 | |
---|
| 285 | <para> |
---|
| 286 | In addition to authentication, the greeter program allows the user to |
---|
| 287 | select which session to start and which language to use. Sessions are |
---|
| 288 | defined by files that end in the .desktop suffix and more information |
---|
| 289 | about these files can be found in the "GDM User Session and Language |
---|
| 290 | Configuration" section of this document. By default, GDM is configured |
---|
| 291 | to display a face browser so the user can select their user account by |
---|
| 292 | clicking on an image instead of having to type their username. GDM |
---|
| 293 | keeps track of the user's default session and language in the user's |
---|
| 294 | <filename>~/.dmrc</filename> and will use these defaults if the user |
---|
| 295 | did not pick a session or language in the login GUI. |
---|
| 296 | </para> |
---|
| 297 | |
---|
| 298 | <para> |
---|
| 299 | After authenticating a user, the daemon runs the |
---|
| 300 | <filename>PostLogin</filename> script as root, then runs the |
---|
| 301 | <filename>PreSession</filename> script as root. After running these |
---|
| 302 | scripts, the user session is started. When the user exits their |
---|
| 303 | session, the <filename>PostSession</filename> script is run as root. |
---|
| 304 | These scripts are provided as hooks for distributions and end-users |
---|
| 305 | to customize how sessions are managed. For example, using these |
---|
| 306 | hooks you could set up a machine which creates the user's $HOME |
---|
| 307 | directory on the fly, and erases it on logout. The difference |
---|
| 308 | between the <filename>PostLogin</filename> and |
---|
| 309 | <filename>PreSession</filename> scripts is that |
---|
| 310 | <filename>PostLogin</filename> is run before the pam_open_session call |
---|
| 311 | so is the right place to do anything which should be run before the |
---|
| 312 | user session is initialized. The <filename>PreSession</filename> |
---|
| 313 | script is called after session initialization. |
---|
| 314 | </para> |
---|
| 315 | </sect2> |
---|
| 316 | |
---|
| 317 | <sect2 id="greeterpanel"> |
---|
| 318 | <title>Greeter Panel</title> |
---|
| 319 | <para> |
---|
| 320 | The GDM greeter program displays a panel docked at the bottom of the |
---|
| 321 | screen which provides additional functionality. When a user is |
---|
| 322 | selected, the panel allows the user to select which session, language, |
---|
| 323 | and keyboard layout to use after logging in. The keyboard layout |
---|
| 324 | selector also changes the keyboard layout used when typing your |
---|
| 325 | password. The panel also contains an area for login services to leave |
---|
| 326 | status icons. Some example status icons include a battery icon for |
---|
| 327 | current battery usage, and an icon for enabling accessibility features. |
---|
| 328 | The greeter program also provides buttons which allow the user to |
---|
| 329 | shutdown or restart the system. It is possible to configure GDM to not |
---|
| 330 | provide the shutdown and restart buttons, if desired. GDM can also be |
---|
| 331 | configured via PolicyKit (or via RBAC on Solaris) to require the user |
---|
| 332 | have appropriate authorization before accepting the shutdown or restart |
---|
| 333 | request. |
---|
| 334 | </para> |
---|
| 335 | |
---|
| 336 | <para> |
---|
| 337 | Note that keyboard layout features are only available on systems that |
---|
| 338 | support libxklavier. |
---|
| 339 | </para> |
---|
| 340 | </sect2> |
---|
| 341 | |
---|
| 342 | <sect2 id="accessibility"> |
---|
| 343 | <title>Accessibility</title> |
---|
| 344 | |
---|
| 345 | <para> |
---|
| 346 | GDM supports "Accessible Login", allowing users to log into |
---|
| 347 | their desktop session even if they cannot easily use the screen, |
---|
| 348 | mouse, or keyboard in the usual way. Accessible Technology (AT) |
---|
| 349 | features such as an on-screen keyboard, screen reader, screen |
---|
| 350 | magnifier, and Xserver AccessX keyboard accessibility are available. |
---|
| 351 | It is also possible to enable large text or high contrast icons and |
---|
| 352 | controls, if needed. Refer to the "Accessibility |
---|
| 353 | Configuration" section of the document for more information |
---|
| 354 | how various accessibility features can be configured. |
---|
| 355 | </para> |
---|
| 356 | |
---|
| 357 | <para> |
---|
| 358 | On some Operating Systems, it is necessary to make sure that the GDM |
---|
| 359 | user is a member of the "audio" group for AT programs that |
---|
| 360 | require audio output (such as text-to-speech) to be functional. |
---|
| 361 | </para> |
---|
| 362 | </sect2> |
---|
| 363 | |
---|
| 364 | <sect2 id="facebrowser"> |
---|
| 365 | <title>The GDM Face Browser</title> |
---|
| 366 | |
---|
| 367 | <para> |
---|
| 368 | The Face Browser is the interface which allows users to select their |
---|
| 369 | username by clicking on an image. This feature can be enabled or |
---|
| 370 | disabled via the /apps/gdm/simple-greeter/disable_user_list GConf |
---|
| 371 | key and is on by default. When disabled, users must type their |
---|
| 372 | complete username by hand. When enabled, it displays all local users |
---|
| 373 | which are available for login on the system (all user accounts defined |
---|
| 374 | in the /etc/passwd file that have a valid shell and sufficiently high |
---|
| 375 | UID) and remote users that have recently logged in. |
---|
| 376 | The face browser in GDM 2.20 and earlier would attempt to display all |
---|
| 377 | remote users, which caused performance problems in large, |
---|
| 378 | enterprise deployments. |
---|
| 379 | </para> |
---|
| 380 | |
---|
| 381 | <para> |
---|
| 382 | The Face Browser is configured to display the users who log in most |
---|
| 383 | frequently at the top of the list. This helps to ensure that users |
---|
| 384 | who log in frequently can quickly find their login image. |
---|
| 385 | </para> |
---|
| 386 | |
---|
| 387 | <para> |
---|
| 388 | The Face Browser supports "type-ahead search" which dynamically |
---|
| 389 | moves the face selection as the user types to the corresponding username |
---|
| 390 | in the list. This means that a user with a long username will only |
---|
| 391 | have to type the first few characters of the username before the correct |
---|
| 392 | item in the list gets selected. |
---|
| 393 | </para> |
---|
| 394 | |
---|
| 395 | <para> |
---|
| 396 | The icons used by GDM can be installed globally by the sysadmin or can |
---|
| 397 | be located in the user's home directories. If installed globally |
---|
| 398 | they should be in the <filename><share>/pixmaps/faces/</filename> |
---|
| 399 | directory and the filename should be the name of the user. Face image |
---|
| 400 | files should be a standard image that GTK+ can read, such as PNG or |
---|
| 401 | JPEG. Face icons placed in the global face directory must be readable |
---|
| 402 | to the GDM user. |
---|
| 403 | </para> |
---|
| 404 | |
---|
| 405 | <!-- |
---|
| 406 | <para> |
---|
| 407 | TODO - In the old GDM the ~/gnome2/gdm file is used, but the new code |
---|
| 408 | seems to use ~/.gnome/gdm. Error? |
---|
| 409 | </para> |
---|
| 410 | --> |
---|
| 411 | <para> |
---|
| 412 | If there is no global icon for the user, GDM will look in the user's |
---|
| 413 | $HOME directory for the image file. GDM will first look for the user's |
---|
| 414 | face image in <filename>~/.face</filename>. If not found, it will try |
---|
| 415 | <filename>~/.face.icon</filename>. If still not found, it will use the |
---|
| 416 | value defined for "face/picture=" in the |
---|
| 417 | <filename>~/.gnome2/gdm</filename> file. |
---|
| 418 | </para> |
---|
| 419 | |
---|
| 420 | <para> |
---|
| 421 | If a user has no defined face image, GDM will use the |
---|
| 422 | "stock_person" icon defined in the current GTK+ theme. If no |
---|
| 423 | such image is defined, it will fallback to a generic face image. |
---|
| 424 | </para> |
---|
| 425 | |
---|
| 426 | <para> |
---|
| 427 | Please note that loading and scaling face icons located in remote user |
---|
| 428 | home directories can be a very time-consuming task. Since it not |
---|
| 429 | practical to load images over NIS or NFS, GDM does not attempt to load |
---|
| 430 | face images from remote home directories. |
---|
| 431 | </para> |
---|
| 432 | |
---|
| 433 | <para> |
---|
| 434 | When the browser is turned on, valid usernames on the computer are |
---|
| 435 | exposed for everyone to see. If XDMCP is enabled, then the usernames |
---|
| 436 | are exposed to remote users. This, of course, limits security |
---|
| 437 | somewhat since a malicious user does not need to guess valid usernames. |
---|
| 438 | In some very restrictive environments the face browser may not be |
---|
| 439 | appropriate. |
---|
| 440 | </para> |
---|
| 441 | |
---|
| 442 | </sect2> |
---|
| 443 | |
---|
| 444 | <sect2 id="xdmcp"> |
---|
| 445 | <title>XDMCP</title> |
---|
| 446 | |
---|
| 447 | <!-- |
---|
| 448 | <para> |
---|
| 449 | TODO - What XDMCP features actually work? I know that the |
---|
| 450 | chooser is missing. |
---|
| 451 | </para> |
---|
| 452 | --> |
---|
| 453 | |
---|
| 454 | <para> |
---|
| 455 | The GDM daemon can be configured to listen for and manage X Display |
---|
| 456 | Manage Protocol (XDMCP) requests from remote displays. By default |
---|
| 457 | XDMCP support is turned off, but can be enabled if desired. If GDM is |
---|
| 458 | built with TCP Wrapper support, then the daemon will only grant access |
---|
| 459 | to hosts specified in the GDM service section in the TCP Wrappers |
---|
| 460 | configuration file. |
---|
| 461 | </para> |
---|
| 462 | |
---|
| 463 | <para> |
---|
| 464 | GDM includes several measures making it more resistant to denial of |
---|
| 465 | service attacks on the XDMCP service. A lot of the protocol |
---|
| 466 | parameters, handshaking timeouts, etc. can be fine tuned. The default |
---|
| 467 | configuration should work reasonably on most systems. |
---|
| 468 | </para> |
---|
| 469 | |
---|
| 470 | <para> |
---|
| 471 | GDM by default listens for XDMCP requests on the normal UDP port used |
---|
| 472 | for XDMCP, port 177, and will respond to QUERY and BROADCAST_QUERY |
---|
| 473 | requests by sending a WILLING packet to the originator. |
---|
| 474 | </para> |
---|
| 475 | |
---|
| 476 | <para> |
---|
| 477 | GDM can also be configured to honor INDIRECT queries and present a |
---|
| 478 | host chooser to the remote display. GDM will remember the user's |
---|
| 479 | choice and forward subsequent requests to the chosen manager. GDM |
---|
| 480 | also supports an extension to the protocol which will make it forget |
---|
| 481 | the redirection once the user's connection succeeds. This extension |
---|
| 482 | is only supported if both daemons are GDM. It is transparent and |
---|
| 483 | will be ignored by XDM or other daemons that implement XDMCP. |
---|
| 484 | </para> |
---|
| 485 | |
---|
| 486 | <para> |
---|
| 487 | If XDMCP seems to not be working, make sure that all machines are |
---|
| 488 | specified in <filename>/etc/hosts</filename>. |
---|
| 489 | </para> |
---|
| 490 | |
---|
| 491 | <para> |
---|
| 492 | Refer to the "Security" section for information about |
---|
| 493 | security concerns when using XDMCP. |
---|
| 494 | </para> |
---|
| 495 | </sect2> |
---|
| 496 | |
---|
| 497 | <sect2 id="logging"> |
---|
| 498 | <title>Logging</title> |
---|
| 499 | |
---|
| 500 | <para> |
---|
| 501 | GDM uses syslog to log errors and status. It can also log debugging |
---|
| 502 | information, which can be useful for tracking down problems if GDM is |
---|
| 503 | not working properly. This can be enabled by starting the GDM daemon |
---|
| 504 | with the "--debug" option. |
---|
| 505 | </para> |
---|
| 506 | |
---|
| 507 | <para> |
---|
| 508 | Output from the various Xservers is stored in the GDM log directory, |
---|
| 509 | which is normally <filename><var>/log/gdm/</filename>. Any |
---|
| 510 | Xserver messages are saved to a file associated with the display value, |
---|
| 511 | <filename><display>.log</filename>. |
---|
| 512 | </para> |
---|
| 513 | |
---|
| 514 | <para> |
---|
| 515 | The session output is piped through the GDM daemon to the |
---|
| 516 | <filename>~/.xsession-errors</filename> file. The file is overwritten |
---|
| 517 | on each login, so logging out and logging back into the same user via |
---|
| 518 | GDM will cause any messages from the previous session to be lost. |
---|
| 519 | </para> |
---|
| 520 | |
---|
| 521 | <para> |
---|
| 522 | Note that if GDM can not create this file for some reason, then a |
---|
| 523 | fallback file will be created named <filename>~/.xsession-errors.XXXXXXXX</filename> |
---|
| 524 | where the <filename>XXXXXXXX</filename> are some random characters. |
---|
| 525 | </para> |
---|
| 526 | </sect2> |
---|
| 527 | |
---|
| 528 | <sect2 id="fusa"> |
---|
| 529 | <title>Fast User Switching</title> |
---|
| 530 | |
---|
| 531 | <para> |
---|
| 532 | GDM allows multiple users to be logged in at the same time. After one |
---|
| 533 | user is logged in, additional users can log in via the User Switcher |
---|
| 534 | on the GNOME Panel, or from the "Switch User" button in Lock Screen dialog |
---|
| 535 | of GNOME Screensaver. The active session can be changed back and forth using |
---|
| 536 | the same mechanism. Note that some distributions may not add the User Switcher |
---|
| 537 | to the default panel configuration. It can be added using the panel context |
---|
| 538 | menu. |
---|
| 539 | </para> |
---|
| 540 | <para> |
---|
| 541 | Note this feature is available on systems that support Virtual |
---|
| 542 | Terminals. This feature will not function if Virtual Terminals is not |
---|
| 543 | available. |
---|
| 544 | </para> |
---|
| 545 | </sect2> |
---|
| 546 | </sect1> |
---|
| 547 | |
---|
| 548 | <!-- ============= Security ================================= --> |
---|
| 549 | |
---|
| 550 | <sect1 id="security"> |
---|
| 551 | <title>Security</title> |
---|
| 552 | |
---|
| 553 | <sect2 id="gdmuser"> |
---|
| 554 | <title>The GDM User And Group</title> |
---|
| 555 | |
---|
| 556 | <para> |
---|
| 557 | For security reasons a dedicated user and group id are recommended for |
---|
| 558 | proper operation. This user and group are normally "gdm" on |
---|
| 559 | most systems, but can be configured to any user or group. All GDM |
---|
| 560 | GUI programs are run as this user, so that the programs which interact |
---|
| 561 | with the user are run in a sandbox. This user and group should have |
---|
| 562 | limited privilege. |
---|
| 563 | </para> |
---|
| 564 | |
---|
| 565 | <para> |
---|
| 566 | The only special privilege the "gdm" user requires is the |
---|
| 567 | ability to read and write Xauth files to the |
---|
| 568 | <filename><var>/run/gdm</filename> directory. The |
---|
| 569 | <filename><var>/run/gdm</filename> directory should have |
---|
| 570 | root:gdm ownership and 1777 permissions. |
---|
| 571 | </para> |
---|
| 572 | |
---|
| 573 | <para> |
---|
| 574 | You should not, under any circumstances, configure the GDM user/group |
---|
| 575 | to a user which a user could easily gain access to, such as the user |
---|
| 576 | <filename>nobody</filename>. Any user who gains access to an Xauth |
---|
| 577 | key can snoop on and control running GUI programs running in the |
---|
| 578 | associated session or perform a denial-of-service attack on it. It |
---|
| 579 | is important to ensure that the system is configured properly so that |
---|
| 580 | only the "gdm" user has access to these files and that it |
---|
| 581 | is not easy to login to this account. For example, the account should |
---|
| 582 | be setup to not have a password or allow non-root users to login to the |
---|
| 583 | account. |
---|
| 584 | </para> |
---|
| 585 | |
---|
| 586 | <para> |
---|
| 587 | The GDM greeter configuration is stored in GConf. To allow the GDM |
---|
| 588 | user to be able to write configuration, it is necessary for the |
---|
| 589 | "gdm" user to have a writable $HOME directory. Users may |
---|
| 590 | configure the default GConf configuration as desired to avoid the |
---|
| 591 | need to provide the "gdm" user with a writable $HOME |
---|
| 592 | directory. However, some features of GDM may be disabled if it is |
---|
| 593 | unable to write state information to GConf configuration. |
---|
| 594 | </para> |
---|
| 595 | </sect2> |
---|
| 596 | |
---|
| 597 | <sect2 id="PAM"> |
---|
| 598 | <title>PAM</title> |
---|
| 599 | |
---|
| 600 | <para> |
---|
| 601 | GDM uses PAM for login authentication. PAM stands for Pluggable |
---|
| 602 | Authentication Module, and is used by most programs that request |
---|
| 603 | authentication on your computer. It allows the administrator to |
---|
| 604 | configure specific authentication behavior for different login programs |
---|
| 605 | (such as ssh, login GUI, screensaver, etc.) |
---|
| 606 | </para> |
---|
| 607 | |
---|
| 608 | <para> |
---|
| 609 | PAM is complicated and highly configurable, and this documentation does |
---|
| 610 | not intend to explain this in detail. Instead, it is intended to give |
---|
| 611 | an overview of how PAM configuration relates with GDM, how PAM is |
---|
| 612 | commonly configured with GDM, and known issues. It is expected that |
---|
| 613 | a person needing to do PAM configuration would need to do further |
---|
| 614 | reading of PAM documentation to understand how to configure PAM and |
---|
| 615 | to understand terms used in this section. |
---|
| 616 | </para> |
---|
| 617 | |
---|
| 618 | <para> |
---|
| 619 | PAM configuration has different, but similar, interfaces on different |
---|
| 620 | Operating Systems, so check the |
---|
| 621 | <ulink type="help" url="man:pam.d">pam.d</ulink> or |
---|
| 622 | <ulink type="help" url="man:pam.conf">pam.conf</ulink> man page for |
---|
| 623 | details. Be sure you read the PAM documentation and are comfortable |
---|
| 624 | with the security implications of any changes you intend to make to |
---|
| 625 | your configuration. |
---|
| 626 | </para> |
---|
| 627 | |
---|
| 628 | <para> |
---|
| 629 | Note that, by default, GDM uses the "gdm" PAM service name |
---|
| 630 | for normal login and the "gdm-autologin" PAM service name for |
---|
| 631 | automatic login. These services may not be defined in your pam.d or |
---|
| 632 | pam.conf configured file. If there is no entry, then GDM will use the |
---|
| 633 | default PAM behavior. On most systems this should work fine. |
---|
| 634 | However, the automatic login feature may not work if the gdm-autologin |
---|
| 635 | service is not defined. |
---|
| 636 | </para> |
---|
| 637 | |
---|
| 638 | <para> |
---|
| 639 | The <filename>PostLogin</filename> script is run before |
---|
| 640 | pam_open_session is called, and the <filename>PreSession</filename> |
---|
| 641 | script is called after. This allows the system administrator to add |
---|
| 642 | any scripting to the login process either before or after PAM |
---|
| 643 | initializes the session. |
---|
| 644 | </para> |
---|
| 645 | |
---|
| 646 | <para> |
---|
| 647 | If you wish to make GDM work with other types of authentication |
---|
| 648 | mechanisms (such as a fingerprint or SmartCard reader), then you should |
---|
| 649 | implement this by using a PAM service module for the desired |
---|
| 650 | authentication type rather than by trying to modify the GDM code |
---|
| 651 | directly. Refer to the PAM documentation on your system. How to do |
---|
| 652 | this is frequently discussed on the |
---|
| 653 | <address><email>gdm-list@gnome.org</email></address> mail list, |
---|
| 654 | so you can refer to the list archives for more information. |
---|
| 655 | </para> |
---|
| 656 | |
---|
| 657 | <para> |
---|
| 658 | PAM does have some limitations regarding being able to work with |
---|
| 659 | multiple types of authentication at the same time, like supporting |
---|
| 660 | the ability to accept either SmartCard and the ability to type the |
---|
| 661 | username and password into the login program. There are techniques |
---|
| 662 | that are used to make this work, and it is best to research how this |
---|
| 663 | problem is commonly solved when setting up such a configuration. |
---|
| 664 | </para> |
---|
| 665 | |
---|
| 666 | <para> |
---|
| 667 | If automatic login does not work on a system, check to see if the |
---|
| 668 | "gdm-autologin" PAM stack is defined in the PAM configuration. For |
---|
| 669 | this to work, it is necessary to use a PAM module that simply does no |
---|
| 670 | authentication, or which simply returns PAM_SUCCESS from all of its |
---|
| 671 | public interfaces. Assuming your system has a pam_allow.so PAM module |
---|
| 672 | which does this, a PAM configuration to enable "gdm-autologin" would |
---|
| 673 | look like this: |
---|
| 674 | </para> |
---|
| 675 | |
---|
| 676 | <screen> |
---|
| 677 | gdm-autologin auth required pam_unix_cred.so.1 |
---|
| 678 | gdm-autologin auth sufficient pam_allow.so.1 |
---|
| 679 | gdm-autologin account sufficient pam_allow.so.1 |
---|
| 680 | gdm-autologin session sufficient pam_allow.so.1 |
---|
| 681 | gdm-autologin password sufficient pam_allow.so.1 |
---|
| 682 | </screen> |
---|
| 683 | |
---|
| 684 | <para> |
---|
| 685 | The above setup will cause no lastlog entry to be generated. If a |
---|
| 686 | lastlog entry is desired, then use the following for the session: |
---|
| 687 | </para> |
---|
| 688 | |
---|
| 689 | <screen> |
---|
| 690 | gdm-autologin session required pam_unix_session.so.1 |
---|
| 691 | </screen> |
---|
| 692 | |
---|
| 693 | <para> |
---|
| 694 | If the computer is used by several people, which makes automatic login |
---|
| 695 | unsuitable, you may want to allow some users to log in without entering |
---|
| 696 | their password. This feature can be enabled as a per-user option in |
---|
| 697 | the users-admin tool from the gnome-system-tools; it is achieved by |
---|
| 698 | checking that the user is member a Unix group called |
---|
| 699 | "nopasswdlogin" before asking for a password. For this to work, |
---|
| 700 | the PAM configuration file for the "gdm" service must include |
---|
| 701 | a line such as: |
---|
| 702 | </para> |
---|
| 703 | |
---|
| 704 | <screen> |
---|
| 705 | gdm auth sufficient pam_succeed_if.so user ingroup nopasswdlogin |
---|
| 706 | </screen> |
---|
| 707 | |
---|
| 708 | </sect2> |
---|
| 709 | |
---|
| 710 | <sect2 id="utmpwtmp"> |
---|
| 711 | <title>utmp and wtmp</title> |
---|
| 712 | |
---|
| 713 | <para> |
---|
| 714 | GDM generates utmp and wtmp User Accounting Database entries upon |
---|
| 715 | session login and logout. The utmp database contains user access |
---|
| 716 | and accounting information that is accessed by commands such as |
---|
| 717 | <command>finger</command>, <command>last</command>, |
---|
| 718 | <command>login</command>, and <command>who</command>. The wtmp |
---|
| 719 | database contains the history of user access and accounting |
---|
| 720 | information for the utmp database. Refer to the |
---|
| 721 | <ulink type="help" url="man:utmp">utmp</ulink> and |
---|
| 722 | <ulink type="help" url="man:wtmp">wtmp</ulink> |
---|
| 723 | man pages on your system for more information. |
---|
| 724 | </para> |
---|
| 725 | </sect2> |
---|
| 726 | |
---|
| 727 | <sect2 id="xauth"> |
---|
| 728 | <title>Xserver Authentication Scheme</title> |
---|
| 729 | |
---|
| 730 | <para> |
---|
| 731 | Xserver authorization files are stored in a newly created subdirectory |
---|
| 732 | of <filename><var>/run/gdm</filename> at start up. These files |
---|
| 733 | are used to store and share a "password" between X clients |
---|
| 734 | and the Xserver. This "password" is unique for each session |
---|
| 735 | logged in, so users from one session can't snoop on users from another. |
---|
| 736 | </para> |
---|
| 737 | |
---|
| 738 | <para> |
---|
| 739 | GDM only supports the MIT-MAGIC-COOKIE-1 Xserver authentication |
---|
| 740 | scheme. Normally little is gained from the other schemes, and no |
---|
| 741 | effort has been made to implement them so far. Be especially |
---|
| 742 | careful about using XDMCP because the Xserver authentication cookie |
---|
| 743 | goes over the wire as clear text. If snooping is possible, then an |
---|
| 744 | attacker could simply snoop your authentication password as you log in, |
---|
| 745 | regardless of the authentication scheme being used. If snooping is |
---|
| 746 | possible and undesirable, then you should use ssh for tunneling an X |
---|
| 747 | connection rather then using XDMCP. You could think of XDMCP as a sort |
---|
| 748 | of graphical telnet, having the same security issues. In most cases, |
---|
| 749 | ssh -Y should be preferred over GDM's XDMCP features. |
---|
| 750 | </para> |
---|
| 751 | |
---|
| 752 | </sect2> |
---|
| 753 | |
---|
| 754 | <sect2 id="xdmcpsecurity"> |
---|
| 755 | <title>XDMCP Security</title> |
---|
| 756 | |
---|
| 757 | <para> |
---|
| 758 | Even though your display is protected by cookies, XEvents and thus |
---|
| 759 | keystrokes typed when entering passwords will still go over the wire in |
---|
| 760 | clear text. It is trivial to capture these. |
---|
| 761 | </para> |
---|
| 762 | |
---|
| 763 | <para> |
---|
| 764 | XDMCP is primarily useful for running thin clients such as in terminal |
---|
| 765 | labs. Those thin clients will only ever need the network to access |
---|
| 766 | the server, and so it seems like the best security policy to have |
---|
| 767 | those thin clients on a separate network that cannot be accessed by |
---|
| 768 | the outside world, and can only connect to the server. The only point |
---|
| 769 | from which you need to access outside is the server. This type of set up |
---|
| 770 | should never use an unmanaged hub or other sniffable network. |
---|
| 771 | </para> |
---|
| 772 | |
---|
| 773 | </sect2> |
---|
| 774 | |
---|
| 775 | <sect2 id="xdmcpaccess"> |
---|
| 776 | <title>XDMCP Access Control</title> |
---|
| 777 | |
---|
| 778 | <para> |
---|
| 779 | XDMCP access control is done using TCP wrappers. It is possible to |
---|
| 780 | compile GDM without TCP wrapper support, so this feature may not be |
---|
| 781 | supported on some Operating Systems. |
---|
| 782 | </para> |
---|
| 783 | |
---|
| 784 | <para> |
---|
| 785 | You should use the daemon name <command>gdm</command> in the |
---|
| 786 | <filename><etc>/hosts.allow</filename> and |
---|
| 787 | <filename><etc>/hosts.deny</filename> files. For example to |
---|
| 788 | deny computers from <filename>.evil.domain</filename> from logging in, |
---|
| 789 | then add |
---|
| 790 | </para> |
---|
| 791 | <screen> |
---|
| 792 | gdm: .evil.domain |
---|
| 793 | </screen> |
---|
| 794 | <para> |
---|
| 795 | to <filename><etc>/hosts.deny</filename>. You may also need |
---|
| 796 | to add |
---|
| 797 | </para> |
---|
| 798 | <screen> |
---|
| 799 | gdm: .your.domain |
---|
| 800 | </screen> |
---|
| 801 | <para> |
---|
| 802 | to your <filename><etc>/hosts.allow</filename> if you normally |
---|
| 803 | disallow all services from all hosts. See the |
---|
| 804 | <ulink type="help" url="man:hosts.allow">hosts.allow(5)</ulink> man |
---|
| 805 | page for details. |
---|
| 806 | </para> |
---|
| 807 | </sect2> |
---|
| 808 | |
---|
| 809 | <sect2 id="firewall"> |
---|
| 810 | <title>Firewall Security</title> |
---|
| 811 | |
---|
| 812 | <para> |
---|
| 813 | Even though GDM tries to outsmart potential attackers trying to take |
---|
| 814 | advantage of XDMCP, it is still advised that you block the XDMCP port |
---|
| 815 | (normally UDP port 177) on your firewall unless really needed. GDM |
---|
| 816 | guards against denial of service attacks, but the X protocol is still |
---|
| 817 | inherently insecure and should only be used in controlled environments. |
---|
| 818 | Also each remote connection takes up lots of resources, so it is much |
---|
| 819 | easier to do a denial of service attack via XDMCP than attacking a |
---|
| 820 | webserver. |
---|
| 821 | </para> |
---|
| 822 | |
---|
| 823 | <para> |
---|
| 824 | It is also wise to block all of the Xserver ports. These are TCP |
---|
| 825 | ports 6000+ (one for each display number) on your firewall. Note that |
---|
| 826 | GDM will use display numbers 20 and higher for flexible on-demand |
---|
| 827 | servers. |
---|
| 828 | </para> |
---|
| 829 | |
---|
| 830 | <para> |
---|
| 831 | X is not a very safe protocol when using it over the Internet, and |
---|
| 832 | XDMCP is even less safe. |
---|
| 833 | </para> |
---|
| 834 | </sect2> |
---|
| 835 | |
---|
| 836 | <sect2 id="policykit"> |
---|
| 837 | <title>PolicyKit</title> |
---|
| 838 | |
---|
| 839 | <!-- |
---|
| 840 | <para> |
---|
| 841 | TODO - Should we say more? |
---|
| 842 | </para> |
---|
| 843 | --> |
---|
| 844 | |
---|
| 845 | <para> |
---|
| 846 | GDM may be configured to use PolicyKit to allow the system |
---|
| 847 | administrator to control whether the login screen should provide |
---|
| 848 | the shutdown and restart buttons on the greeter screen. |
---|
| 849 | </para> |
---|
| 850 | |
---|
| 851 | <para> |
---|
| 852 | These buttons are controlled by the |
---|
| 853 | <filename>org.freedesktop.consolekit.system.stop-multiple-users</filename> |
---|
| 854 | and |
---|
| 855 | <filename>org.freedesktop.consolekit.system.restart-multiple-users</filename> |
---|
| 856 | actions respectively. Policy for these actions can be set up using the |
---|
| 857 | polkit-gnome-authorization tool, or the polkit-auth command line program. |
---|
| 858 | </para> |
---|
| 859 | |
---|
| 860 | </sect2> |
---|
| 861 | |
---|
| 862 | <sect2 id="rbac"> |
---|
| 863 | <title>RBAC (Role Based Access Control)</title> |
---|
| 864 | |
---|
| 865 | <para> |
---|
| 866 | GDM may be configured to use RBAC instead of PolicyKit. In this |
---|
| 867 | case the RBAC configuration is used to control whether the login screen |
---|
| 868 | should provide the shutdown and restart buttons on the greeter screen. |
---|
| 869 | </para> |
---|
| 870 | |
---|
| 871 | <para> |
---|
| 872 | For example, on Solaris, the "solaris.system.shutdown" |
---|
| 873 | authorization is used to control this. Simply modify the |
---|
| 874 | <filename>/etc/user_attr</filename> file so that the "gdm" |
---|
| 875 | user has this authorization. |
---|
| 876 | </para> |
---|
| 877 | </sect2> |
---|
| 878 | |
---|
| 879 | </sect1> |
---|
| 880 | |
---|
| 881 | <!-- ============= ConsoleKit ================================ --> |
---|
| 882 | |
---|
| 883 | <sect1 id="consolekit"> |
---|
| 884 | <title>Support for ConsoleKit</title> |
---|
| 885 | |
---|
| 886 | <!-- |
---|
| 887 | <para> |
---|
| 888 | TODO - Should we update these docs? Probably should mention any |
---|
| 889 | configuration that users may want to do for using it with GDM? |
---|
| 890 | If so, perhaps this section should be moved to a subsection of |
---|
| 891 | the "Configure" section? |
---|
| 892 | </para> |
---|
| 893 | --> |
---|
| 894 | |
---|
| 895 | <para> |
---|
| 896 | GDM includes support for publishing user login information with the user |
---|
| 897 | and login session accounting framework known as ConsoleKit. ConsoleKit |
---|
| 898 | is able to keep track of all the users currently logged in. In this |
---|
| 899 | respect, it can be used as a replacement for the utmp or utmpx files that |
---|
| 900 | are available on most Unix-like Operating Systems. |
---|
| 901 | </para> |
---|
| 902 | |
---|
| 903 | <para> |
---|
| 904 | When GDM is about to create a new login process for a user it will call |
---|
| 905 | a privileged method of ConsoleKit in order to open a new session for this |
---|
| 906 | user. At this time GDM also provides ConsoleKit with information about |
---|
| 907 | this user session such as: the user ID, the X11 Display name that will be |
---|
| 908 | associated with the session, the host-name from which the session |
---|
| 909 | originates (useful in the case of an XDMCP session), whether or not this |
---|
| 910 | session is attached, etc. As the entity that initiates the user process, |
---|
| 911 | GDM is in a unique position to know about the user session and to be |
---|
| 912 | trusted to provide these bits of information. The use of this privileged |
---|
| 913 | method is restricted by the use of the D-Bus system message bus security |
---|
| 914 | policy. |
---|
| 915 | </para> |
---|
| 916 | |
---|
| 917 | <para> |
---|
| 918 | In case a user with an existing session has authenticated |
---|
| 919 | at GDM and requests to resume that existing session, GDM calls a |
---|
| 920 | privileged method of ConsoleKit to unlock that session. The exact |
---|
| 921 | details of what happens when the session receives this unlock signal are |
---|
| 922 | undefined and session-specific. However, most sessions will unlock a |
---|
| 923 | screensaver in response. |
---|
| 924 | </para> |
---|
| 925 | |
---|
| 926 | <para> |
---|
| 927 | When the user chooses to log out, or if GDM or the session quit |
---|
| 928 | unexpectedly the user session will be unregistered from ConsoleKit. |
---|
| 929 | </para> |
---|
| 930 | </sect1> |
---|
| 931 | |
---|
| 932 | <!-- ============= Configuration ============================= --> |
---|
| 933 | |
---|
| 934 | <sect1 id="configuration"> |
---|
| 935 | <title>Configuration</title> |
---|
| 936 | |
---|
| 937 | <para> |
---|
| 938 | GDM has a number of configuration interfaces. These include scripting |
---|
| 939 | integration points, daemon configuration, greeter configuration, |
---|
| 940 | general session settings, integration with gnome-settings-daemon |
---|
| 941 | configuration, and session configuration. These types of integration are |
---|
| 942 | described in detail below. |
---|
| 943 | </para> |
---|
| 944 | |
---|
| 945 | <sect2 id="scripting"> |
---|
| 946 | <title>Scripting Integration Points</title> |
---|
| 947 | |
---|
| 948 | <para> |
---|
| 949 | The GDM script integration points can be found in the |
---|
| 950 | <filename><etc>/gdm/</filename> directory: |
---|
| 951 | </para> |
---|
| 952 | |
---|
| 953 | <screen> |
---|
| 954 | Xsession |
---|
| 955 | Init/ |
---|
| 956 | PostLogin/ |
---|
| 957 | PreSession/ |
---|
| 958 | PostSession/ |
---|
| 959 | </screen> |
---|
| 960 | |
---|
| 961 | <para> |
---|
| 962 | The <filename>Init</filename>, <filename>PostLogin</filename>, |
---|
| 963 | <filename>PreSession</filename>, and <filename>PostSession</filename> |
---|
| 964 | scripts all work as described below. |
---|
| 965 | </para> |
---|
| 966 | |
---|
| 967 | <para> |
---|
| 968 | For each type of script, the default one which will be executed is |
---|
| 969 | called "Default" and is stored in a directory associated with |
---|
| 970 | the script type. So the default <filename>Init</filename> script is |
---|
| 971 | <filename><etc>/gdm/Init/Default</filename>. A per-display |
---|
| 972 | script can be provided, and if it exists it will be run instead of the |
---|
| 973 | default script. Such scripts are stored in the same directory as the |
---|
| 974 | default script and have the same name as the Xserver DISPLAY value for |
---|
| 975 | that display. For example, if the <filename><Init>/:0</filename> |
---|
| 976 | script exists, it will be run for DISPLAY ":0". |
---|
| 977 | </para> |
---|
| 978 | |
---|
| 979 | <para> |
---|
| 980 | All of these scripts are run with root privilege and return 0 if run |
---|
| 981 | successfully, and a non-zero return code if there was any failure that |
---|
| 982 | should cause the login session to be aborted. Also note that GDM will |
---|
| 983 | block until the scripts finish, so if any of these scripts hang, this |
---|
| 984 | will cause the login process to also hang. |
---|
| 985 | </para> |
---|
| 986 | |
---|
| 987 | <para> |
---|
| 988 | When the Xserver for the login GUI has been successfully started, but |
---|
| 989 | before the login GUI is actually displayed, GDM will run the |
---|
| 990 | <filename>Init</filename> script. This script is useful for starting |
---|
| 991 | programs that should be run while the login screen is showing, or for |
---|
| 992 | doing any special initialization if required. |
---|
| 993 | </para> |
---|
| 994 | |
---|
| 995 | <para> |
---|
| 996 | After the user has been successfully authenticated GDM will run the |
---|
| 997 | <filename>PostLogin</filename> script. This is done before any session |
---|
| 998 | setup has been done, including before the pam_open_session call. This |
---|
| 999 | script is useful for doing any session initialization that needs to |
---|
| 1000 | happen before the session starts. For example, you might setup the |
---|
| 1001 | user's $HOME directory if needed. |
---|
| 1002 | </para> |
---|
| 1003 | |
---|
| 1004 | <para> |
---|
| 1005 | After the user session has been initialized, GDM will run the |
---|
| 1006 | <filename>PreSession</filename> script. This script is useful for |
---|
| 1007 | doing any session initialization that needs to happen after the |
---|
| 1008 | session has been initialized. It can be used for session management or |
---|
| 1009 | accounting, for example. |
---|
| 1010 | </para> |
---|
| 1011 | |
---|
| 1012 | <para> |
---|
| 1013 | When a user terminates their session, GDM will run the |
---|
| 1014 | <filename>PostSession</filename> script. Note that the Xserver will |
---|
| 1015 | have been stopped by the time this script is run, so it should not be |
---|
| 1016 | accessed. |
---|
| 1017 | </para> |
---|
| 1018 | |
---|
| 1019 | <para> |
---|
| 1020 | Note that the <filename>PostSession</filename> script will be run |
---|
| 1021 | even when the display fails to respond due to an I/O error or |
---|
| 1022 | similar. Thus, there is no guarantee that X applications will work |
---|
| 1023 | during script execution. |
---|
| 1024 | </para> |
---|
| 1025 | |
---|
| 1026 | <para> |
---|
| 1027 | All of the above scripts will set the |
---|
| 1028 | <filename>$RUNNING_UNDER_GDM</filename> environment variable to |
---|
| 1029 | <filename>yes</filename>. If the scripts are also shared with other |
---|
| 1030 | display managers, this allows you to identify when GDM is calling these |
---|
| 1031 | scripts, so you can run specific code when GDM is used. |
---|
| 1032 | </para> |
---|
| 1033 | </sect2> |
---|
| 1034 | |
---|
| 1035 | <sect2 id="autostart"> |
---|
| 1036 | <title>Autostart Configuration</title> |
---|
| 1037 | |
---|
| 1038 | <para> |
---|
| 1039 | The <filename><share>/gdm/autostart/LoginWindow</filename> |
---|
| 1040 | directory contains files in the format specified by the |
---|
| 1041 | "FreeDesktop.org Desktop Application Autostart |
---|
| 1042 | Specification". Standard features in the specification may be |
---|
| 1043 | used to specify programs that should auto-restart or only be launched |
---|
| 1044 | if a GConf configuration value is set, etc. |
---|
| 1045 | </para> |
---|
| 1046 | |
---|
| 1047 | <para> |
---|
| 1048 | Any <filename>.desktop</filename> files in this directory will cause |
---|
| 1049 | the associated program to automatically start with the login GUI |
---|
| 1050 | greeter. By default, GDM is shipped with files which will autostart |
---|
| 1051 | the gdm-simple-greeter login GUI greeter itself, the |
---|
| 1052 | gnome-power-manager application, the gnome-settings-daemon, and the |
---|
| 1053 | Metacity window manager. These programs are needed for the greeter |
---|
| 1054 | program to work. In addition, desktop files are provided for starting |
---|
| 1055 | various AT programs if the configuration values specified in the |
---|
| 1056 | Accessibility Configuration section below are set. |
---|
| 1057 | </para> |
---|
| 1058 | </sect2> |
---|
| 1059 | |
---|
| 1060 | <sect2 id="xsessionscript"> |
---|
| 1061 | <title>Xsession Script</title> |
---|
| 1062 | |
---|
| 1063 | <para> |
---|
| 1064 | There is also an <filename>Xsession</filename> script located at |
---|
| 1065 | <filename><etc>/gdm/Xsession</filename> which is called between |
---|
| 1066 | the <filename>PreSession</filename> and the |
---|
| 1067 | <filename>PostSession</filename> scripts. This script does not |
---|
| 1068 | support per-display like the other scripts. This script is used for |
---|
| 1069 | actually starting the user session. This script is run as the user, |
---|
| 1070 | and it will run whatever session was specified by the Desktop session |
---|
| 1071 | file the user selected to start. |
---|
| 1072 | </para> |
---|
| 1073 | </sect2> |
---|
| 1074 | |
---|
| 1075 | <sect2 id="daemonconfig"> |
---|
| 1076 | <title>Daemon Configuration</title> |
---|
| 1077 | |
---|
| 1078 | <para> |
---|
| 1079 | The GDM daemon is configured using the |
---|
| 1080 | <filename><etc>/gdm/custom.conf</filename> file. Default |
---|
| 1081 | values are stored in GConf in the <filename>gdm.schemas</filename> |
---|
| 1082 | file. It is recommended that end-users modify the |
---|
| 1083 | <filename>/etc/gdm/custom.conf</filename> file because the |
---|
| 1084 | schemas file may be overwritten when the user updates their system to |
---|
| 1085 | have a newer version of GDM. |
---|
| 1086 | </para> |
---|
| 1087 | |
---|
| 1088 | <para> |
---|
| 1089 | Note that older versions of GDM supported additional configuration |
---|
| 1090 | options which are no longer supported in the latest versions of GDM. |
---|
| 1091 | </para> |
---|
| 1092 | |
---|
| 1093 | <para> |
---|
| 1094 | The <filename><etc>/gdm/custom.conf</filename> file is in the |
---|
| 1095 | <filename>keyfile</filename> format. Keywords in brackets |
---|
| 1096 | define group sections, strings before an equal sign (=) are keys and |
---|
| 1097 | the data after equal sign represents their value. Empty lines or |
---|
| 1098 | lines starting with the hash mark (#) are ignored. |
---|
| 1099 | </para> |
---|
| 1100 | |
---|
| 1101 | <para> |
---|
| 1102 | The file <filename>/etc/gdm/custom.conf</filename> supports the |
---|
| 1103 | "[daemon]", "[security]", and "[xdmcp]" |
---|
| 1104 | group sections. Within each group, there are particular key/value |
---|
| 1105 | pairs that can be specified to modify how GDM behaves. For example, |
---|
| 1106 | to enable timed login and specify the timed login user to be a user |
---|
| 1107 | named "you", you would modify the file so it contains the |
---|
| 1108 | following lines: |
---|
| 1109 | </para> |
---|
| 1110 | |
---|
| 1111 | <screen> |
---|
| 1112 | [daemon] |
---|
| 1113 | TimedLoginEnable=true |
---|
| 1114 | TimedLogin=you |
---|
| 1115 | </screen> |
---|
| 1116 | |
---|
| 1117 | <para> |
---|
| 1118 | A full list of supported configuration keys follow: |
---|
| 1119 | </para> |
---|
| 1120 | |
---|
| 1121 | <sect3 id="choosersection"> |
---|
| 1122 | <title>[chooser]</title> |
---|
| 1123 | <variablelist> |
---|
| 1124 | |
---|
| 1125 | <varlistentry> |
---|
| 1126 | <term>Multicast</term> |
---|
| 1127 | <listitem> |
---|
| 1128 | <synopsis>Multicast=false</synopsis> |
---|
| 1129 | <para> |
---|
| 1130 | If true and IPv6 is enabled, the chooser will send a multicast |
---|
| 1131 | query to the local network and collect responses from the hosts |
---|
| 1132 | who have joined multicast group. |
---|
| 1133 | </para> |
---|
| 1134 | </listitem> |
---|
| 1135 | </varlistentry> |
---|
| 1136 | |
---|
| 1137 | <varlistentry> |
---|
| 1138 | <term>MulticastAddr</term> |
---|
| 1139 | <listitem> |
---|
| 1140 | <synopsis>MulticastAddr=ff02::1</synopsis> |
---|
| 1141 | <para> |
---|
| 1142 | This is the Link-local Multicast address. |
---|
| 1143 | </para> |
---|
| 1144 | </listitem> |
---|
| 1145 | </varlistentry> |
---|
| 1146 | </variablelist> |
---|
| 1147 | </sect3> |
---|
| 1148 | |
---|
| 1149 | <sect3 id="daemonsection"> |
---|
| 1150 | <title>[daemon]</title> |
---|
| 1151 | <variablelist> |
---|
| 1152 | |
---|
| 1153 | <varlistentry> |
---|
| 1154 | <term>Group</term> |
---|
| 1155 | <listitem> |
---|
| 1156 | <synopsis>Group=gdm</synopsis> |
---|
| 1157 | <para> |
---|
| 1158 | The group name under which the greeter and other GUI programs |
---|
| 1159 | are run. Refer to the <filename>User</filename> |
---|
| 1160 | configuration key and to the "Security->GDM User And |
---|
| 1161 | Group" section of this document for more information. |
---|
| 1162 | </para> |
---|
| 1163 | </listitem> |
---|
| 1164 | </varlistentry> |
---|
| 1165 | |
---|
| 1166 | <varlistentry> |
---|
| 1167 | <term>TimedLoginEnable</term> |
---|
| 1168 | <listitem> |
---|
| 1169 | <synopsis>TimedLoginEnable=false</synopsis> |
---|
| 1170 | <para> |
---|
| 1171 | If the user given in <filename>TimedLogin</filename> should be |
---|
| 1172 | logged in after a number of seconds (set with |
---|
| 1173 | <filename>TimedLoginDelay</filename>) of inactivity on the |
---|
| 1174 | login screen. This is useful for public access terminals or |
---|
| 1175 | perhaps even home use. If the user uses the keyboard or |
---|
| 1176 | browses the menus, the timeout will be reset to |
---|
| 1177 | <filename>TimedLoginDelay</filename> or 30 seconds, whichever |
---|
| 1178 | is higher. If the user does not enter a username but just |
---|
| 1179 | hits the ENTER key while the login program is requesting the |
---|
| 1180 | username, then GDM will assume the user wants to login |
---|
| 1181 | immediately as the timed user. Note that no password will be |
---|
| 1182 | asked for this user so you should be careful, although if using |
---|
| 1183 | PAM it can be configured to require password entry before |
---|
| 1184 | allowing login. Refer to the "Security->PAM" |
---|
| 1185 | section of the manual for more information, or for help if this |
---|
| 1186 | feature does not seem to work. |
---|
| 1187 | </para> |
---|
| 1188 | </listitem> |
---|
| 1189 | </varlistentry> |
---|
| 1190 | |
---|
| 1191 | <varlistentry> |
---|
| 1192 | <term>TimedLogin</term> |
---|
| 1193 | <listitem> |
---|
| 1194 | <synopsis>TimedLogin=</synopsis> |
---|
| 1195 | <para> |
---|
| 1196 | This is the user that should be logged in after a specified |
---|
| 1197 | number of seconds of inactivity. |
---|
| 1198 | </para> |
---|
| 1199 | <para> |
---|
| 1200 | If the value ends with a vertical bar | (the pipe symbol), |
---|
| 1201 | then GDM will execute the program specified and use whatever |
---|
| 1202 | value is returned on standard out from the program as the user. |
---|
| 1203 | The program is run with the DISPLAY environment variable set so |
---|
| 1204 | that it is possible to specify the user in a per-display |
---|
| 1205 | fashion. For example if the value is "/usr/bin/getloginuser|", |
---|
| 1206 | then the program "/usr/bin/getloginuser" will be run to get the |
---|
| 1207 | user value. |
---|
| 1208 | </para> |
---|
| 1209 | </listitem> |
---|
| 1210 | </varlistentry> |
---|
| 1211 | |
---|
| 1212 | <varlistentry> |
---|
| 1213 | <term>TimedLoginDelay</term> |
---|
| 1214 | <listitem> |
---|
| 1215 | <synopsis>TimedLoginDelay=30</synopsis> |
---|
| 1216 | <para> |
---|
| 1217 | Delay in seconds before the <filename>TimedLogin</filename> |
---|
| 1218 | user will be logged in. |
---|
| 1219 | </para> |
---|
| 1220 | </listitem> |
---|
| 1221 | </varlistentry> |
---|
| 1222 | |
---|
| 1223 | <varlistentry> |
---|
| 1224 | <term>AutomaticLoginEnable</term> |
---|
| 1225 | <listitem> |
---|
| 1226 | <synopsis>AutomaticLoginEnable=false</synopsis> |
---|
| 1227 | <para> |
---|
| 1228 | If true, the user given in <filename>AutomaticLogin</filename> |
---|
| 1229 | should be logged in immediately. This feature is like timed |
---|
| 1230 | login with a delay of 0 seconds. |
---|
| 1231 | </para> |
---|
| 1232 | </listitem> |
---|
| 1233 | </varlistentry> |
---|
| 1234 | |
---|
| 1235 | <varlistentry> |
---|
| 1236 | <term>AutomaticLogin</term> |
---|
| 1237 | <listitem> |
---|
| 1238 | <synopsis>AutomaticLogin=</synopsis> |
---|
| 1239 | <para> |
---|
| 1240 | This is the user that should be logged in immediately if |
---|
| 1241 | <filename>AutomaticLoginEnable</filename> is true. |
---|
| 1242 | </para> |
---|
| 1243 | <para> |
---|
| 1244 | If the value ends with a vertical bar | (the pipe symbol), |
---|
| 1245 | then GDM will execute the program specified and use whatever |
---|
| 1246 | value is returned on standard out from the program as the user. |
---|
| 1247 | The program is run with the DISPLAY environment variable set so |
---|
| 1248 | that it is possible to specify the user in a per-display |
---|
| 1249 | fashion. For example if the value is "/usr/bin/getloginuser|", |
---|
| 1250 | then the program "/usr/bin/getloginuser" will be run to get the |
---|
| 1251 | user value. |
---|
| 1252 | </para> |
---|
| 1253 | </listitem> |
---|
| 1254 | </varlistentry> |
---|
| 1255 | |
---|
| 1256 | <varlistentry> |
---|
| 1257 | <term>User</term> |
---|
| 1258 | <listitem> |
---|
| 1259 | <synopsis>User=gdm</synopsis> |
---|
| 1260 | <para> |
---|
| 1261 | The username under which the greeter and other GUI programs |
---|
| 1262 | are run. Refer to the <filename>Group</filename> |
---|
| 1263 | configuration key and to the "Security->GDM User And |
---|
| 1264 | Group" section of this document for more information. |
---|
| 1265 | </para> |
---|
| 1266 | </listitem> |
---|
| 1267 | </varlistentry> |
---|
| 1268 | </variablelist> |
---|
| 1269 | </sect3> |
---|
| 1270 | |
---|
| 1271 | <sect3 id="securitysection"> |
---|
| 1272 | <title>Security Options</title> |
---|
| 1273 | |
---|
| 1274 | <variablelist> |
---|
| 1275 | <title>[security]</title> |
---|
| 1276 | |
---|
| 1277 | <varlistentry> |
---|
| 1278 | <term>DisallowTCP</term> |
---|
| 1279 | <listitem> |
---|
| 1280 | <synopsis>DisallowTCP=true</synopsis> |
---|
| 1281 | <para> |
---|
| 1282 | If true, then always append <filename>-nolisten tcp</filename> |
---|
| 1283 | to the command line when starting attached Xservers, thus |
---|
| 1284 | disallowing TCP connection. This is a more secure |
---|
| 1285 | configuration if you are not using remote connections. |
---|
| 1286 | </para> |
---|
| 1287 | </listitem> |
---|
| 1288 | </varlistentry> |
---|
| 1289 | </variablelist> |
---|
| 1290 | </sect3> |
---|
| 1291 | |
---|
| 1292 | <sect3 id="xdmcpsection"> |
---|
| 1293 | <title>XDCMP Support</title> |
---|
| 1294 | |
---|
| 1295 | <variablelist> |
---|
| 1296 | <title>[xdmcp]</title> |
---|
| 1297 | |
---|
| 1298 | <varlistentry> |
---|
| 1299 | <term>DisplaysPerHost</term> |
---|
| 1300 | <listitem> |
---|
| 1301 | <synopsis>DisplaysPerHost=1</synopsis> |
---|
| 1302 | <para> |
---|
| 1303 | To prevent attackers from filling up the pending queue, GDM |
---|
| 1304 | will only allow one connection for each remote computer. If |
---|
| 1305 | you want to provide display services to computers with more |
---|
| 1306 | than one screen, you should increase this value. |
---|
| 1307 | </para> |
---|
| 1308 | |
---|
| 1309 | <para> |
---|
| 1310 | Note that the number of attached DISPLAYS allowed is not |
---|
| 1311 | limited. Only remote connections via XDMCP are limited by |
---|
| 1312 | this configuration option. |
---|
| 1313 | </para> |
---|
| 1314 | </listitem> |
---|
| 1315 | </varlistentry> |
---|
| 1316 | |
---|
| 1317 | <varlistentry> |
---|
| 1318 | <term>Enable</term> |
---|
| 1319 | <listitem> |
---|
| 1320 | <synopsis>Enable=false</synopsis> |
---|
| 1321 | <para> |
---|
| 1322 | Setting this to true enables XDMCP support allowing remote |
---|
| 1323 | displays/X terminals to be managed by GDM. |
---|
| 1324 | </para> |
---|
| 1325 | |
---|
| 1326 | <para> |
---|
| 1327 | <filename>gdm</filename> listens for requests on UDP port 177. |
---|
| 1328 | See the Port option for more information. |
---|
| 1329 | </para> |
---|
| 1330 | |
---|
| 1331 | <para> |
---|
| 1332 | If GDM is compiled to support it, access from remote displays |
---|
| 1333 | can be controlled using the TCP Wrappers library. The service |
---|
| 1334 | name is <filename>gdm</filename> |
---|
| 1335 | </para> |
---|
| 1336 | |
---|
| 1337 | <para> |
---|
| 1338 | You should add |
---|
| 1339 | <screen> |
---|
| 1340 | gdm:.my.domain |
---|
| 1341 | </screen> |
---|
| 1342 | to your <filename><etc>/hosts.allow</filename>, depending |
---|
| 1343 | on your TCP Wrappers configuration. See the |
---|
| 1344 | <ulink type="help" url="man:hosts.allow">hosts.allow</ulink> |
---|
| 1345 | man page for details. |
---|
| 1346 | </para> |
---|
| 1347 | |
---|
| 1348 | <para> |
---|
| 1349 | Please note that XDMCP is not a particularly secure protocol |
---|
| 1350 | and that it is a good idea to block UDP port 177 on your |
---|
| 1351 | firewall unless you really need it. |
---|
| 1352 | </para> |
---|
| 1353 | </listitem> |
---|
| 1354 | </varlistentry> |
---|
| 1355 | |
---|
| 1356 | <varlistentry> |
---|
| 1357 | <term>HonorIndirect</term> |
---|
| 1358 | <listitem> |
---|
| 1359 | <synopsis>HonorIndirect=true</synopsis> |
---|
| 1360 | <para> |
---|
| 1361 | Enables XDMCP INDIRECT choosing (i.e. remote execution of |
---|
| 1362 | <filename>gdmchooser</filename>) for X-terminals which do not |
---|
| 1363 | supply their own display browser. |
---|
| 1364 | </para> |
---|
| 1365 | </listitem> |
---|
| 1366 | </varlistentry> |
---|
| 1367 | |
---|
| 1368 | <varlistentry> |
---|
| 1369 | <term>MaxPending</term> |
---|
| 1370 | <listitem> |
---|
| 1371 | <synopsis>MaxPending=4</synopsis> |
---|
| 1372 | <para> |
---|
| 1373 | To avoid denial of service attacks, GDM has fixed size queue |
---|
| 1374 | of pending connections. Only MaxPending displays can start at |
---|
| 1375 | the same time. |
---|
| 1376 | </para> |
---|
| 1377 | |
---|
| 1378 | <para> |
---|
| 1379 | Please note that this parameter does not limit the number of |
---|
| 1380 | remote displays which can be managed. It only limits the number |
---|
| 1381 | of displays initiating a connection simultaneously. |
---|
| 1382 | </para> |
---|
| 1383 | </listitem> |
---|
| 1384 | </varlistentry> |
---|
| 1385 | |
---|
| 1386 | <varlistentry> |
---|
| 1387 | <term>MaxSessions</term> |
---|
| 1388 | <listitem> |
---|
| 1389 | <synopsis>MaxSessions=16</synopsis> |
---|
| 1390 | <para> |
---|
| 1391 | Determines the maximum number of remote display connections |
---|
| 1392 | which will be managed simultaneously. I.e. the total number of |
---|
| 1393 | remote displays that can use your host. |
---|
| 1394 | </para> |
---|
| 1395 | </listitem> |
---|
| 1396 | </varlistentry> |
---|
| 1397 | |
---|
| 1398 | <varlistentry> |
---|
| 1399 | <term>MaxWait</term> |
---|
| 1400 | <listitem> |
---|
| 1401 | <synopsis>MaxWait=30</synopsis> |
---|
| 1402 | <para> |
---|
| 1403 | When GDM is ready to manage a display an ACCEPT packet is sent |
---|
| 1404 | to it containing a unique session id which will be used in |
---|
| 1405 | future XDMCP conversations. |
---|
| 1406 | </para> |
---|
| 1407 | |
---|
| 1408 | <para> |
---|
| 1409 | GDM will then place the session id in the pending queue |
---|
| 1410 | waiting for the display to respond with a MANAGE request. |
---|
| 1411 | </para> |
---|
| 1412 | |
---|
| 1413 | <para> |
---|
| 1414 | If no response is received within MaxWait seconds, GDM will |
---|
| 1415 | declare the display dead and erase it from the pending queue |
---|
| 1416 | freeing up the slot for other displays. |
---|
| 1417 | </para> |
---|
| 1418 | </listitem> |
---|
| 1419 | </varlistentry> |
---|
| 1420 | |
---|
| 1421 | <varlistentry> |
---|
| 1422 | <term>MaxWaitIndirect</term> |
---|
| 1423 | <listitem> |
---|
| 1424 | <synopsis>MaxWaitIndirect=30</synopsis> |
---|
| 1425 | <para> |
---|
| 1426 | The MaxWaitIndirect parameter determines the maximum number of |
---|
| 1427 | seconds between the time where a user chooses a host and the |
---|
| 1428 | subsequent indirect query where the user is connected to the |
---|
| 1429 | host. When the timeout is exceeded, the information about the |
---|
| 1430 | chosen host is forgotten and the indirect slot freed up for |
---|
| 1431 | other displays. The information may be forgotten earlier if |
---|
| 1432 | there are more hosts trying to send indirect queries then |
---|
| 1433 | <filename>MaxPendingIndirect</filename>. |
---|
| 1434 | </para> |
---|
| 1435 | </listitem> |
---|
| 1436 | </varlistentry> |
---|
| 1437 | |
---|
| 1438 | <varlistentry> |
---|
| 1439 | <term>PingIntervalSeconds</term> |
---|
| 1440 | <listitem> |
---|
| 1441 | <synopsis>PingIntervalSeconds=15</synopsis> |
---|
| 1442 | <para> |
---|
| 1443 | Interval in which to ping the Xserver in seconds. If the |
---|
| 1444 | Xserver does not respond before the next time we ping it, the |
---|
| 1445 | connection is stopped and the session ended. This is a |
---|
| 1446 | combination of the XDM PingInterval and PingTimeout, but in |
---|
| 1447 | seconds. |
---|
| 1448 | </para> |
---|
| 1449 | |
---|
| 1450 | <para> |
---|
| 1451 | Note that GDM in the past used to have a |
---|
| 1452 | <filename>PingInterval</filename> configuration key which was |
---|
| 1453 | also in minutes. For most purposes you'd want this setting |
---|
| 1454 | to be lower than one minute. However since in most cases where |
---|
| 1455 | XDMCP would be used (such as terminal labs), a lag of more |
---|
| 1456 | than 15 or so seconds would really mean that the terminal was |
---|
| 1457 | turned off or restarted and you would want to end the session. |
---|
| 1458 | </para> |
---|
| 1459 | </listitem> |
---|
| 1460 | </varlistentry> |
---|
| 1461 | |
---|
| 1462 | <varlistentry> |
---|
| 1463 | <term>Port</term> |
---|
| 1464 | <listitem> |
---|
| 1465 | <synopsis>Port=177</synopsis> |
---|
| 1466 | <para> |
---|
| 1467 | The UDP port number <filename>gdm</filename> should listen to |
---|
| 1468 | for XDMCP requests. Do not change this unless you know what |
---|
| 1469 | you are doing. |
---|
| 1470 | </para> |
---|
| 1471 | </listitem> |
---|
| 1472 | </varlistentry> |
---|
| 1473 | |
---|
| 1474 | <varlistentry> |
---|
| 1475 | <term>Willing</term> |
---|
| 1476 | <listitem> |
---|
| 1477 | <synopsis>Willing=<etc>/gdm/Xwilling</synopsis> |
---|
| 1478 | <para> |
---|
| 1479 | When the machine sends a WILLING packet back after a QUERY it |
---|
| 1480 | sends a string that gives the current status of this server. |
---|
| 1481 | The default message is the system ID, but it is possible to |
---|
| 1482 | create a script that displays customized message. If this |
---|
| 1483 | script does not exist or this key is empty the default message |
---|
| 1484 | is sent. If this script succeeds and produces some output, |
---|
| 1485 | the first line of it's output is sent (and only the first |
---|
| 1486 | line). It runs at most once every 3 seconds to prevent |
---|
| 1487 | possible denial of service by flooding the machine with QUERY |
---|
| 1488 | packets. |
---|
| 1489 | </para> |
---|
| 1490 | </listitem> |
---|
| 1491 | </varlistentry> |
---|
| 1492 | </variablelist> |
---|
| 1493 | </sect3> |
---|
| 1494 | </sect2> |
---|
| 1495 | |
---|
| 1496 | <sect2 id="greeterconfiguration"> |
---|
| 1497 | <title>Simple Greeter Configuration</title> |
---|
| 1498 | |
---|
| 1499 | <para> |
---|
| 1500 | The GDM default greeter is called the simple Greeter and is |
---|
| 1501 | configured via GConf. Default values are stored in GConf in the |
---|
| 1502 | <filename>gdm-simple-greeter.schemas</filename> file. These defaults |
---|
| 1503 | can be overridden if the "gdm" user has a writable $HOME |
---|
| 1504 | directory to store GConf settings. These values can be edited using |
---|
| 1505 | the <command>gconftool-2</command> or <command>gconf-editor</command> |
---|
| 1506 | programs. The following configuration options are supported: |
---|
| 1507 | </para> |
---|
| 1508 | |
---|
| 1509 | <variablelist> |
---|
| 1510 | <title>Greeter Configuration Keys</title> |
---|
| 1511 | |
---|
| 1512 | <varlistentry> |
---|
| 1513 | <term>/apps/gdm/simple-greeter/banner_message_enable</term> |
---|
| 1514 | <listitem> |
---|
| 1515 | <synopsis>false (boolean)</synopsis> |
---|
| 1516 | <para> |
---|
| 1517 | Controls whether the banner message text is displayed. |
---|
| 1518 | </para> |
---|
| 1519 | </listitem> |
---|
| 1520 | </varlistentry> |
---|
| 1521 | |
---|
| 1522 | <varlistentry> |
---|
| 1523 | <term>/apps/gdm/simple-greeter/banner_message_text</term> |
---|
| 1524 | <listitem> |
---|
| 1525 | <synopsis>NULL (string)</synopsis> |
---|
| 1526 | <para> |
---|
| 1527 | Specifies the text banner message to show on the greeter |
---|
| 1528 | window. |
---|
| 1529 | </para> |
---|
| 1530 | </listitem> |
---|
| 1531 | </varlistentry> |
---|
| 1532 | |
---|
| 1533 | <varlistentry> |
---|
| 1534 | <term>/apps/gdm/simple-greeter/debug</term> |
---|
| 1535 | <listitem> |
---|
| 1536 | <synopsis>false (boolean)</synopsis> |
---|
| 1537 | <para> |
---|
| 1538 | If true, then debugging mode is enabled for the greeter. |
---|
| 1539 | </para> |
---|
| 1540 | </listitem> |
---|
| 1541 | </varlistentry> |
---|
| 1542 | |
---|
| 1543 | <varlistentry> |
---|
| 1544 | <term>/apps/gdm/simple-greeter/disable_restart_buttons</term> |
---|
| 1545 | <listitem> |
---|
| 1546 | <synopsis>false (boolean)</synopsis> |
---|
| 1547 | <para> |
---|
| 1548 | Controls whether to show the restart buttons in the login |
---|
| 1549 | window. |
---|
| 1550 | </para> |
---|
| 1551 | </listitem> |
---|
| 1552 | </varlistentry> |
---|
| 1553 | |
---|
| 1554 | <varlistentry> |
---|
| 1555 | <term>/apps/gdm/simple-greeter/disable_user_list</term> |
---|
| 1556 | <listitem> |
---|
| 1557 | <synopsis>false (boolean)</synopsis> |
---|
| 1558 | <para> |
---|
| 1559 | If true, then the face browser with known users is not shown |
---|
| 1560 | in the login window. |
---|
| 1561 | </para> |
---|
| 1562 | </listitem> |
---|
| 1563 | </varlistentry> |
---|
| 1564 | |
---|
| 1565 | <varlistentry> |
---|
| 1566 | <term>/apps/gdm/simple-greeter/include</term> |
---|
| 1567 | <listitem> |
---|
| 1568 | <synopsis>[] (string list)</synopsis> |
---|
| 1569 | <para> |
---|
| 1570 | Set to a list of users to always include in the Face Browser. |
---|
| 1571 | </para> |
---|
| 1572 | </listitem> |
---|
| 1573 | </varlistentry> |
---|
| 1574 | |
---|
| 1575 | <varlistentry> |
---|
| 1576 | <term>/apps/gdm/simple-greeter/include_all</term> |
---|
| 1577 | <listitem> |
---|
| 1578 | <synopsis>true (boolean)</synopsis> |
---|
| 1579 | <para> |
---|
| 1580 | If true, then the face browser will show all users on the |
---|
| 1581 | local machine. If false, the face browser will only show |
---|
| 1582 | users who have recently logged in. |
---|
| 1583 | </para> |
---|
| 1584 | <para> |
---|
| 1585 | To provide more detail on how this option works. When this key |
---|
| 1586 | is true, GDM will call fgetpwent() to get a list of local users |
---|
| 1587 | on the system. The Face Browser also will display any users |
---|
| 1588 | that have previously logged in on the system (for example |
---|
| 1589 | NIS/LDAP users). It gets this list via calling the ck-history |
---|
| 1590 | ConsoleKit interface. It will also filter out any users which |
---|
| 1591 | do not have a valid shell (valid shells are any shell that |
---|
| 1592 | getusershell() returns. <filename>/sbin/nologin</filename> or |
---|
| 1593 | <filename>/bin/false</filename> are considered invalid shells |
---|
| 1594 | even if getusershell() returns them). |
---|
| 1595 | </para> |
---|
| 1596 | |
---|
| 1597 | <para> |
---|
| 1598 | If false, then GDM more simply only displays users that have |
---|
| 1599 | previously logged in on the system (local or NIS/LDAP users) by |
---|
| 1600 | calling the ck-history ConsoleKit interface. |
---|
| 1601 | </para> |
---|
| 1602 | |
---|
| 1603 | <para> |
---|
| 1604 | In both cases, GDM filters out any users with a UID less than |
---|
| 1605 | 500 (or 100 if running on Solaris). Such users are considered |
---|
| 1606 | system users. |
---|
| 1607 | </para> |
---|
| 1608 | </listitem> |
---|
| 1609 | </varlistentry> |
---|
| 1610 | |
---|
| 1611 | <varlistentry> |
---|
| 1612 | <term>/apps/gdm/simple-greeter/exclude</term> |
---|
| 1613 | <listitem> |
---|
| 1614 | <synopsis>[] (string list)</synopsis> |
---|
| 1615 | <para> |
---|
| 1616 | Set to a list of users to always exclude in the Face Browser. |
---|
| 1617 | </para> |
---|
| 1618 | </listitem> |
---|
| 1619 | </varlistentry> |
---|
| 1620 | |
---|
| 1621 | <varlistentry> |
---|
| 1622 | <term>/apps/gdm/simple-greeter/logo_icon_name</term> |
---|
| 1623 | <listitem> |
---|
| 1624 | <synopsis>computer (string)</synopsis> |
---|
| 1625 | <para> |
---|
| 1626 | Set to the themed icon name to use for the greeter logo. |
---|
| 1627 | </para> |
---|
| 1628 | </listitem> |
---|
| 1629 | </varlistentry> |
---|
| 1630 | |
---|
| 1631 | <varlistentry> |
---|
| 1632 | <term>/apps/gdm/simple-greeter/recent-languages</term> |
---|
| 1633 | <listitem> |
---|
| 1634 | <synopsis>[] (string list)</synopsis> |
---|
| 1635 | <para> |
---|
| 1636 | Set to a list of languages to be shown by default in the login |
---|
| 1637 | window. Default value is "[]". With the default setting only |
---|
| 1638 | the system default language is shown and the option "Other..." |
---|
| 1639 | which pops-up a dialog box showing a full list of available |
---|
| 1640 | languages which the user can select. |
---|
| 1641 | </para> |
---|
| 1642 | |
---|
| 1643 | <para> |
---|
| 1644 | Users are not intended to change this setting by hand. Instead |
---|
| 1645 | GDM keeps track of any languages selected in this configuration |
---|
| 1646 | key, and will show them in the language combo box along with |
---|
| 1647 | the "Other..." choice. This way, commonly selected languages |
---|
| 1648 | are easier to select. |
---|
| 1649 | </para> |
---|
| 1650 | </listitem> |
---|
| 1651 | </varlistentry> |
---|
| 1652 | |
---|
| 1653 | <varlistentry> |
---|
| 1654 | <term>/apps/gdm/simple-greeter/recent-layouts</term> |
---|
| 1655 | <listitem> |
---|
| 1656 | <synopsis>[] (string list)</synopsis> |
---|
| 1657 | <para> |
---|
| 1658 | Set to a list of keyboard layouts to be shown by default in the |
---|
| 1659 | login panel. Default value is "[]". With the default setting |
---|
| 1660 | only the system default keyboard layout is shown and the option |
---|
| 1661 | "Other..." which pops-up a dialog box showing a full list of |
---|
| 1662 | available keyboard layouts which the user can select. |
---|
| 1663 | </para> |
---|
| 1664 | |
---|
| 1665 | <para> |
---|
| 1666 | Users are not intended to change this setting by hand. Instead |
---|
| 1667 | GDM keeps track of any keyboard layouts selected in this |
---|
| 1668 | configuration key, and will show them in the keyboard layout |
---|
| 1669 | combo box along with the "Other..." choice. This way, commonly |
---|
| 1670 | selected keyboard layouts are easier to select. |
---|
| 1671 | </para> |
---|
| 1672 | </listitem> |
---|
| 1673 | </varlistentry> |
---|
| 1674 | |
---|
| 1675 | <varlistentry> |
---|
| 1676 | <term>/apps/gdm/simple-greeter/wm_use_compiz</term> |
---|
| 1677 | <listitem> |
---|
| 1678 | <synopsis>false (boolean)</synopsis> |
---|
| 1679 | <para> |
---|
| 1680 | Controls whether compiz is used as the window manager instead |
---|
| 1681 | of metacity. |
---|
| 1682 | </para> |
---|
| 1683 | </listitem> |
---|
| 1684 | </varlistentry> |
---|
| 1685 | </variablelist> |
---|
| 1686 | </sect2> |
---|
| 1687 | |
---|
| 1688 | <sect2 id="accessibilityconfiguration"> |
---|
| 1689 | <title>Accessibility Configuration</title> |
---|
| 1690 | |
---|
| 1691 | <para> |
---|
| 1692 | This section describes the accessibility configuration options available |
---|
| 1693 | in GDM. |
---|
| 1694 | </para> |
---|
| 1695 | |
---|
| 1696 | <sect3 id="accessibilitydialog"> |
---|
| 1697 | <title>GDM Accessibility Dialog And Gconf Keys</title> |
---|
| 1698 | |
---|
| 1699 | <para> |
---|
| 1700 | The GDM greeter panel at the login screen displays an accessibility |
---|
| 1701 | icon. Clicking on that icon opens the GDM Accessibility Dialog. In |
---|
| 1702 | the GDM Accessibility Dialog, there is a list of checkboxes, so the |
---|
| 1703 | user can enable or disable the associated assistive tools. |
---|
| 1704 | </para> |
---|
| 1705 | |
---|
| 1706 | <para> |
---|
| 1707 | The checkboxes that correspond to the on-screen keyboard, screen |
---|
| 1708 | magnifier and screen reader assistive tools act on the three GConf |
---|
| 1709 | keys that are described in the next section of this document. By |
---|
| 1710 | enabling or disabling these checkboxes, the associated GConf key is |
---|
| 1711 | set to "true" or "false". When the GConf key is set to true, the |
---|
| 1712 | assistive tools linked to this GConf key are launched. When the |
---|
| 1713 | GConf key is set to "false", any running assistive tool linked to |
---|
| 1714 | this GConf key are terminated. These GConf keys are not automatically |
---|
| 1715 | reset to a default state after the user has logged in. Consequently, |
---|
| 1716 | the assistive tools that were running during the last GDM login |
---|
| 1717 | session will automatically be launched at the next GDM login session. |
---|
| 1718 | </para> |
---|
| 1719 | |
---|
| 1720 | <para> |
---|
| 1721 | The other checkboxes in the GDM Accessibility Dialog do not have |
---|
| 1722 | corresponding GConf keys because no additional program is launched to |
---|
| 1723 | provide the accessibility features that they offer. These other |
---|
| 1724 | options coorespond to accessibility features that are provided by the |
---|
| 1725 | Xserver, which is always running during the GDM session. |
---|
| 1726 | </para> |
---|
| 1727 | </sect3> |
---|
| 1728 | |
---|
| 1729 | <sect3 id="accessibilitygconfconfiguration"> |
---|
| 1730 | <title>Accessibility GConf Keys</title> |
---|
| 1731 | |
---|
| 1732 | <para> |
---|
| 1733 | GDM offers the following GConf keys to control its accessibility |
---|
| 1734 | features: |
---|
| 1735 | </para> |
---|
| 1736 | |
---|
| 1737 | <variablelist> |
---|
| 1738 | <title>GDM Configuration Keys</title> |
---|
| 1739 | |
---|
| 1740 | <varlistentry> |
---|
| 1741 | <term>/desktop/gnome/interface/accessibility</term> |
---|
| 1742 | <listitem> |
---|
| 1743 | <synopsis>false (boolean)</synopsis> |
---|
| 1744 | <para> |
---|
| 1745 | Controls whether the Accessibility infrastructure will be |
---|
| 1746 | started with the GDM GUI. This is needed for many |
---|
| 1747 | accessibility technology programs to work. |
---|
| 1748 | </para> |
---|
| 1749 | </listitem> |
---|
| 1750 | </varlistentry> |
---|
| 1751 | <varlistentry> |
---|
| 1752 | <term>/desktop/gnome/applications/at/screen_magnifier_enabled</term> |
---|
| 1753 | <listitem> |
---|
| 1754 | <synopsis>false (boolean)</synopsis> |
---|
| 1755 | <para> |
---|
| 1756 | If set, then the assistive tools linked to this GConf key will |
---|
| 1757 | be started with the GDM GUI program. By default this is a |
---|
| 1758 | screen magnifier application. |
---|
| 1759 | </para> |
---|
| 1760 | </listitem> |
---|
| 1761 | </varlistentry> |
---|
| 1762 | <varlistentry> |
---|
| 1763 | <term>/desktop/gnome/applications/at/screen_keyboard_enabled</term> |
---|
| 1764 | <listitem> |
---|
| 1765 | <synopsis>false (boolean)</synopsis> |
---|
| 1766 | <para> |
---|
| 1767 | If set, then the assistive tools linked to this GConf key will |
---|
| 1768 | be started with the GDM GUI program. By default this is an |
---|
| 1769 | on-screen keyboard application. |
---|
| 1770 | </para> |
---|
| 1771 | </listitem> |
---|
| 1772 | </varlistentry> |
---|
| 1773 | <varlistentry> |
---|
| 1774 | <term>/desktop/gnome/applications/at/screen_reader_enabled</term> |
---|
| 1775 | <listitem> |
---|
| 1776 | <synopsis>false (boolean)</synopsis> |
---|
| 1777 | <para> |
---|
| 1778 | If set, then the assistive tools linked to this GConf key will |
---|
| 1779 | be started with the GDM GUI program. By default this is a |
---|
| 1780 | screen reader application. |
---|
| 1781 | </para> |
---|
| 1782 | </listitem> |
---|
| 1783 | </varlistentry> |
---|
| 1784 | </variablelist> |
---|
| 1785 | </sect3> |
---|
| 1786 | |
---|
| 1787 | <sect3 id="accessibilitytoolsconfiguration"> |
---|
| 1788 | <title>Linking GConf Keys to Accessbility Tools</title> |
---|
| 1789 | |
---|
| 1790 | <para> |
---|
| 1791 | For the screen_magnifier_enabled, the screen_keyboard_enabled, and the |
---|
| 1792 | screen_reader_enabled GConf keys, the assistive tool which gets |
---|
| 1793 | launched depends on the desktop files located in the GDM autostart |
---|
| 1794 | directory as described in the "Autostart Configuration" section of |
---|
| 1795 | this manual. Any desktop file in the GDM autostart directory can be |
---|
| 1796 | linked to these GConf key via specifying that GConf key in the |
---|
| 1797 | AutostartCondition value in the desktop file. So the exact |
---|
| 1798 | AutostartCondition line in the desktop file could be one of the |
---|
| 1799 | following: |
---|
| 1800 | </para> |
---|
| 1801 | |
---|
| 1802 | <screen> |
---|
| 1803 | AutostartCondition=GNOME /desktop/gnome/applications/at/screen_keyboard_enabled |
---|
| 1804 | AutostartCondition=GNOME /desktop/gnome/applications/at/screen_magnifier_enabled |
---|
| 1805 | AutostartCondition=GNOME /desktop/gnome/applications/at/screen_reader_enabled |
---|
| 1806 | </screen> |
---|
| 1807 | |
---|
| 1808 | <para> |
---|
| 1809 | When an accesibility key is true, then any program which is linked to |
---|
| 1810 | that key in a GDM autostart desktop file will be launched (unless the |
---|
| 1811 | Hidden key is set to true in that desktop file). A single GConf key |
---|
| 1812 | can even start multiple assistive tools if there are multiple desktop |
---|
| 1813 | files with this AutostartCondition in the GDM autostart directory. |
---|
| 1814 | </para> |
---|
| 1815 | </sect3> |
---|
| 1816 | |
---|
| 1817 | <sect3 id="accessibilitytoolexample"> |
---|
| 1818 | <title>Example Of Modifying Accessibility Tool Configuration</title> |
---|
| 1819 | |
---|
| 1820 | <para> |
---|
| 1821 | For example, if GNOME is distributed with GOK as the default on-screen |
---|
| 1822 | keyboard, then this could be replaced with a different program if |
---|
| 1823 | desired. To replace GOK with the on-screen keyboard application |
---|
| 1824 | "onboard" and additionally activate the assistive tool "mousetweaks" |
---|
| 1825 | for dwelling support, then the following configuration is needed. |
---|
| 1826 | </para> |
---|
| 1827 | |
---|
| 1828 | <para> |
---|
| 1829 | Create a desktop file for onboard and a second one for mousetweaks; |
---|
| 1830 | for example, onboard.desktop and mousetweaks.desktop. These files |
---|
| 1831 | must be placed in the GDM autostart directory and be in the format |
---|
| 1832 | as explained in the "Autostart Configuration" section of this |
---|
| 1833 | document. |
---|
| 1834 | </para> |
---|
| 1835 | |
---|
| 1836 | <para> |
---|
| 1837 | The following is an example <filename>onboard.desktop</filename> file: |
---|
| 1838 | </para> |
---|
| 1839 | |
---|
| 1840 | <screen> |
---|
| 1841 | [Desktop Entry] |
---|
| 1842 | Encoding=UTF-8 |
---|
| 1843 | Name=Onboard Onscreen Keyboard |
---|
| 1844 | Comment=Use an on-screen keyboard |
---|
| 1845 | TryExec=onboard |
---|
| 1846 | Exec=onboard --size 500x180 -x 20 -y 10 |
---|
| 1847 | Terminal=false |
---|
| 1848 | Type=Application |
---|
| 1849 | StartupNotify=true |
---|
| 1850 | Categories=GNOME;GTK;Accessibility; |
---|
| 1851 | AutostartCondition=GNOME /desktop/gnome/applications/at/screen_keyboard_enabled |
---|
| 1852 | </screen> |
---|
| 1853 | |
---|
| 1854 | <para> |
---|
| 1855 | The following is an example <filename>mousetweaks.desktop</filename> |
---|
| 1856 | file: |
---|
| 1857 | </para> |
---|
| 1858 | |
---|
| 1859 | <screen> |
---|
| 1860 | [Desktop Entry] |
---|
| 1861 | Encoding=UTF-8 |
---|
| 1862 | Name=Software Mouse-Clicks |
---|
| 1863 | Comment=Perform clicks by dwelling with the pointer |
---|
| 1864 | TryExec=mousetweaks |
---|
| 1865 | Exec=mousetweaks --enable-dwell -m window -c -x 20 -y 240 |
---|
| 1866 | Terminal=false |
---|
| 1867 | Type=Application |
---|
| 1868 | StartupNotify=true |
---|
| 1869 | Categories=GNOME;GTK;Accessibility; |
---|
| 1870 | AutostartCondition=GNOME /desktop/gnome/applications/at/screen_keyboard_enabled |
---|
| 1871 | </screen> |
---|
| 1872 | |
---|
| 1873 | <para> |
---|
| 1874 | Note the line with the AutostartCondition that links both desktop |
---|
| 1875 | files to the GConf key for the on-screen keyboard. |
---|
| 1876 | </para> |
---|
| 1877 | |
---|
| 1878 | <para> |
---|
| 1879 | To disable GOK from starting, the desktop file for the GOK on-screen |
---|
| 1880 | keyboard must be removed or deactivated. Otherwise onboard and GOK |
---|
| 1881 | would simultaneously be started. This can be done by removing the |
---|
| 1882 | gok.desktop file from the GDM autostart directory, or by adding the |
---|
| 1883 | "Hidden=true" key setting to the gok.desktop file. |
---|
| 1884 | </para> |
---|
| 1885 | |
---|
| 1886 | <para> |
---|
| 1887 | After making these changes, GOK will no longer be started when the |
---|
| 1888 | user activates the on-screen keyboard in the GDM session; but onboard |
---|
| 1889 | and mousetweaks will instead be launched. |
---|
| 1890 | </para> |
---|
| 1891 | </sect3> |
---|
| 1892 | </sect2> |
---|
| 1893 | |
---|
| 1894 | <sect2 id="generalsessionconfig"> |
---|
| 1895 | <title>General Session Settings</title> |
---|
| 1896 | <!-- |
---|
| 1897 | <para> |
---|
| 1898 | TODO - I think this section should be expanded upon. What specific |
---|
| 1899 | keys are of interest, or would some users be likely to want |
---|
| 1900 | to configure? Also, would be good to be more specific about |
---|
| 1901 | how lock down management is handled. |
---|
| 1902 | </para> |
---|
| 1903 | --> |
---|
| 1904 | <para> |
---|
| 1905 | The GDM Greeter uses some of the same framework that your desktop |
---|
| 1906 | session will use. And so, it is influenced by a number of the same |
---|
| 1907 | GConf settings. For each of these settings the Greeter will use the |
---|
| 1908 | default value unless it is specifically overridden by a) GDM's |
---|
| 1909 | installed mandatory policy b) system mandatory policy. GDM installs |
---|
| 1910 | its own mandatory policy to lock down some settings for security. |
---|
| 1911 | </para> |
---|
| 1912 | </sect2> |
---|
| 1913 | |
---|
| 1914 | <sect2 id="gnomesettingsdaemon"> |
---|
| 1915 | <title>GNOME Settings Daemon</title> |
---|
| 1916 | <!-- |
---|
| 1917 | <para> |
---|
| 1918 | TODO - I think this section should be expanded upon. What specific |
---|
| 1919 | keys are of interest, or would some users be likely to want |
---|
| 1920 | to configure? Also, would be good to give a more complete |
---|
| 1921 | list of plugins that users might want to consider disabling. |
---|
| 1922 | Also, shouldn't we list the sound/active key in the Greeter |
---|
| 1923 | configuration setting? Oddly I do not find this key used |
---|
| 1924 | in anything but the chooser in SVN. |
---|
| 1925 | </para> |
---|
| 1926 | --> |
---|
| 1927 | |
---|
| 1928 | <para> |
---|
| 1929 | GDM enables the following gnome-settings-daemon plugins: |
---|
| 1930 | a11y-keyboard, background, sound, xsettings. |
---|
| 1931 | </para> |
---|
| 1932 | |
---|
| 1933 | <para> |
---|
| 1934 | These are responsible for things like the background image, font and |
---|
| 1935 | theme settings, sound events, etc. |
---|
| 1936 | </para> |
---|
| 1937 | |
---|
| 1938 | <para> |
---|
| 1939 | Plugins can also be disabled using GConf. For example, if you want to |
---|
| 1940 | disable the sound plugin then unset the following key: |
---|
| 1941 | <filename>/apps/gdm/simple-greeter/settings-manager-plugins/sound/active</filename>. |
---|
| 1942 | </para> |
---|
| 1943 | </sect2> |
---|
| 1944 | |
---|
| 1945 | <sect2 id="sessionconfig"> |
---|
| 1946 | <title>GDM Session Configuration</title> |
---|
| 1947 | |
---|
| 1948 | <para> |
---|
| 1949 | GDM sessions are specified using the FreeDesktop.org Desktop Entry |
---|
| 1950 | Specification, which can be referenced at the following URL: |
---|
| 1951 | <ulink url="http://www.freedesktop.org/wiki/Specifications/desktop-entry-spec"> |
---|
| 1952 | http://www.freedesktop.org/wiki/Specifications/desktop-entry-spec</ulink>. |
---|
| 1953 | </para> |
---|
| 1954 | |
---|
| 1955 | <para> |
---|
| 1956 | By default, GDM will install desktop files in the |
---|
| 1957 | <filename><share>/xsessions</filename> directory. GDM will |
---|
| 1958 | search the following directories in this order to find desktop files: |
---|
| 1959 | <filename><etc>/X11/sessions/</filename>, |
---|
| 1960 | <filename><dmconfdir>/Sessions</filename>, |
---|
| 1961 | <filename><share>/xsessions</filename>, and |
---|
| 1962 | <filename><share/gdm/BuiltInSessions</filename>. By default the |
---|
| 1963 | <filename><dmconfdir></filename> is set to |
---|
| 1964 | <filename><etc>/dm/</filename> unless GDM is configured to use |
---|
| 1965 | a different directory via the "--with-dmconfdir" option. |
---|
| 1966 | </para> |
---|
| 1967 | |
---|
| 1968 | <para> |
---|
| 1969 | A session can be disabled by editing the desktop file and adding a line |
---|
| 1970 | that says <filename>Hidden=true</filename>. |
---|
| 1971 | </para> |
---|
| 1972 | </sect2> |
---|
| 1973 | |
---|
| 1974 | <sect2 id="userconfig"> |
---|
| 1975 | <title>GDM User Session and Language Configuration</title> |
---|
| 1976 | <para> |
---|
| 1977 | The user's default session and language choices are stored in the |
---|
| 1978 | <filename>~/.dmrc</filename> file. When a user logs in for the first |
---|
| 1979 | time, this file is created with the user's initial choices. The user |
---|
| 1980 | can change these default values by simply changing to a different value |
---|
| 1981 | when logging in. GDM will remember this change for subsequent logins. |
---|
| 1982 | </para> |
---|
| 1983 | |
---|
| 1984 | <para> |
---|
| 1985 | The <filename>~/.dmrc</filename> file is in the standard |
---|
| 1986 | <filename>INI</filename> format. It has one section called |
---|
| 1987 | <filename>[Desktop]</filename> which has two keys: |
---|
| 1988 | <filename>Session</filename> and <filename>Language</filename>. |
---|
| 1989 | </para> |
---|
| 1990 | |
---|
| 1991 | <para> |
---|
| 1992 | The <filename>Session</filename> key specifies the basename of the |
---|
| 1993 | session <filename>.desktop</filename> file that the user wishes to |
---|
| 1994 | normally use without the <filename>.desktop</filename> extension. |
---|
| 1995 | The <filename>Language</filename> key specifies the language that the |
---|
| 1996 | user wishes to use by default. If either of these keys is missing, the |
---|
| 1997 | system default is used. The file would normally look as follows: |
---|
| 1998 | </para> |
---|
| 1999 | |
---|
| 2000 | <screen> |
---|
| 2001 | [Desktop] |
---|
| 2002 | Session=gnome |
---|
| 2003 | Language=cs_CZ.UTF-8 |
---|
| 2004 | </screen> |
---|
| 2005 | </sect2> |
---|
| 2006 | |
---|
| 2007 | </sect1> |
---|
| 2008 | |
---|
| 2009 | <!-- ============= GDM Commands ============================= --> |
---|
| 2010 | |
---|
| 2011 | <sect1 id="binaries"> |
---|
| 2012 | <title>GDM Commands</title> |
---|
| 2013 | |
---|
| 2014 | <sect2 id="sbindir_binaries"> |
---|
| 2015 | <title>GDM Root User Commands</title> |
---|
| 2016 | |
---|
| 2017 | <para> |
---|
| 2018 | The GDM package provides the following commands in |
---|
| 2019 | <filename>sbindir</filename> intended to be run by the root user: |
---|
| 2020 | </para> |
---|
| 2021 | |
---|
| 2022 | <sect3 id="gdmcommandline"> |
---|
| 2023 | <title><command>gdm</command> and <command>gdm-binary</command> |
---|
| 2024 | Command Line Options</title> |
---|
| 2025 | |
---|
| 2026 | <para> |
---|
| 2027 | The <command>gdm</command> command is really just a script which |
---|
| 2028 | runs the <command>gdm-binary</command>, passing along any options. |
---|
| 2029 | Before launching <command>gdm-binary</command>, the gdm wrapper |
---|
| 2030 | script will source the <filename><etc>/profile</filename> file |
---|
| 2031 | to set the standard system environment variables. In order to better |
---|
| 2032 | support internationalization, it will also set the LC_MESSAGES |
---|
| 2033 | environment variable to LANG if neither LC_MESSAGES or LC_ALL are |
---|
| 2034 | set. The <command>gdm-binary</command> is the actual GDM daemon. |
---|
| 2035 | </para> |
---|
| 2036 | |
---|
| 2037 | <variablelist> |
---|
| 2038 | <title><command>gdm</command> and <command>gdm-binary</command> |
---|
| 2039 | Command Line Options</title> |
---|
| 2040 | |
---|
| 2041 | <varlistentry> |
---|
| 2042 | <term>-?, --help</term> |
---|
| 2043 | <listitem> |
---|
| 2044 | <para> |
---|
| 2045 | Gives a brief overview of the command line options. |
---|
| 2046 | </para> |
---|
| 2047 | </listitem> |
---|
| 2048 | </varlistentry> |
---|
| 2049 | |
---|
| 2050 | <varlistentry> |
---|
| 2051 | <term>--debug</term> |
---|
| 2052 | <listitem> |
---|
| 2053 | <para> |
---|
| 2054 | Print debug output to the syslog. This is typically |
---|
| 2055 | <filename><var>/log/messages</filename> or |
---|
| 2056 | <filename><var>/adm/messages</filename> depending on |
---|
| 2057 | your Operating System. |
---|
| 2058 | </para> |
---|
| 2059 | </listitem> |
---|
| 2060 | </varlistentry> |
---|
| 2061 | |
---|
| 2062 | <varlistentry> |
---|
| 2063 | <term>--fatal-warnings</term> |
---|
| 2064 | <listitem> |
---|
| 2065 | <para> |
---|
| 2066 | Make all warnings cause GDM to exit. |
---|
| 2067 | </para> |
---|
| 2068 | </listitem> |
---|
| 2069 | </varlistentry> |
---|
| 2070 | |
---|
| 2071 | <varlistentry> |
---|
| 2072 | <term>--timed-exit</term> |
---|
| 2073 | <listitem> |
---|
| 2074 | <para> |
---|
| 2075 | Exit after 30 seconds. Useful for debugging. |
---|
| 2076 | </para> |
---|
| 2077 | </listitem> |
---|
| 2078 | </varlistentry> |
---|
| 2079 | |
---|
| 2080 | <varlistentry> |
---|
| 2081 | <term>--version</term> |
---|
| 2082 | <listitem> |
---|
| 2083 | <para> |
---|
| 2084 | Print the version of the GDM daemon. |
---|
| 2085 | </para> |
---|
| 2086 | </listitem> |
---|
| 2087 | </varlistentry> |
---|
| 2088 | </variablelist> |
---|
| 2089 | </sect3> |
---|
| 2090 | |
---|
| 2091 | <sect3 id="gdmrestartcommandline"> |
---|
| 2092 | <title><command>gdm-restart</command> Command Line Options</title> |
---|
| 2093 | |
---|
| 2094 | <para> |
---|
| 2095 | <command>gdm-restart</command> stops and restarts GDM by sending |
---|
| 2096 | the GDM daemon a HUP signal. This command will immediately terminate |
---|
| 2097 | all sessions and log out users currently logged in with GDM. |
---|
| 2098 | </para> |
---|
| 2099 | </sect3> |
---|
| 2100 | |
---|
| 2101 | <sect3 id="gdmsaferestartcommandline"> |
---|
| 2102 | <title><command>gdm-safe-restart</command> Command Line Options</title> |
---|
| 2103 | |
---|
| 2104 | <para> |
---|
| 2105 | <command>gdm-safe-restart</command> stops and restarts GDM by |
---|
| 2106 | sending the GDM daemon a USR1 signal. GDM will be restarted as soon |
---|
| 2107 | as all users log out. |
---|
| 2108 | </para> |
---|
| 2109 | </sect3> |
---|
| 2110 | |
---|
| 2111 | <sect3 id="gdmstopcommandline"> |
---|
| 2112 | <title><command>gdm-stop</command> Command Line Options</title> |
---|
| 2113 | |
---|
| 2114 | <para> |
---|
| 2115 | <command>gdm-stop</command> stops GDM by sending the GDM daemon |
---|
| 2116 | a TERM signal. |
---|
| 2117 | </para> |
---|
| 2118 | </sect3> |
---|
| 2119 | </sect2> |
---|
| 2120 | </sect1> |
---|
| 2121 | |
---|
| 2122 | <!-- ============= Troubleshooting =========================== --> |
---|
| 2123 | |
---|
| 2124 | <sect1 id="troubleshooting"> |
---|
| 2125 | <title>Troubleshooting</title> |
---|
| 2126 | <!-- |
---|
| 2127 | <para> |
---|
| 2128 | TODO - any other tips we should add? Might be useful to highlight any |
---|
| 2129 | common D-Bus configuration issues? |
---|
| 2130 | </para> |
---|
| 2131 | --> |
---|
| 2132 | |
---|
| 2133 | <para> |
---|
| 2134 | This section discusses helpful tips for getting GDM working. In general, |
---|
| 2135 | if you have a problem using GDM, you can submit a bug or send an email |
---|
| 2136 | to the gdm-list mailing list. Information about how to do this is in |
---|
| 2137 | the Introduction section of the document. |
---|
| 2138 | </para> |
---|
| 2139 | |
---|
| 2140 | <para> |
---|
| 2141 | If GDM is failing to work properly, it is always a good idea to include |
---|
| 2142 | debug information. To turn on debug, launch gdm with the --debug |
---|
| 2143 | option. Then use GDM to the point where it fails, and debug output will |
---|
| 2144 | be sent to your system log |
---|
| 2145 | (<filename><var>/log/messages</filename> or |
---|
| 2146 | <filename><var>/adm/messages</filename> depending on your Operating |
---|
| 2147 | System). If you share this output with the GDM community via a bug |
---|
| 2148 | report or email, please only include the GDM related debug information |
---|
| 2149 | and not the entire file since it can be large. If you do not see any |
---|
| 2150 | GDM syslog output, you may need to configure syslog (refer to the |
---|
| 2151 | <ulink type="help" url="man:syslog">syslog</ulink> man page). |
---|
| 2152 | </para> |
---|
| 2153 | |
---|
| 2154 | <sect2 id="wontstart"> |
---|
| 2155 | <title>GDM Will Not Start</title> |
---|
| 2156 | |
---|
| 2157 | <para> |
---|
| 2158 | There are a many problems that can cause GDM to fail to start, but |
---|
| 2159 | this section will discuss a few common problems and how to approach |
---|
| 2160 | tracking down a problem with GDM starting. Some problems will |
---|
| 2161 | cause GDM to respond with an error message or dialog when it tries |
---|
| 2162 | to start, but it can be difficult to track down problems when GDM |
---|
| 2163 | fails silently. |
---|
| 2164 | </para> |
---|
| 2165 | |
---|
| 2166 | <para> |
---|
| 2167 | First make sure that the Xserver is configured properly. The |
---|
| 2168 | GDM configuration file contains a command in the [server-Standard] |
---|
| 2169 | section that is used for starting the Xserver. Verify that this |
---|
| 2170 | command works on your system. Running this command from the |
---|
| 2171 | console should start the Xserver. If it fails, then the problem |
---|
| 2172 | is likely with your Xserver configuration. Refer to your Xserver |
---|
| 2173 | error log for an idea of what the problem may be. The problem may |
---|
| 2174 | also be that your Xserver requires different command-line options. |
---|
| 2175 | If so, then modify the Xserver command in the GDM configuration file |
---|
| 2176 | so that it is correct for your system. |
---|
| 2177 | </para> |
---|
| 2178 | |
---|
| 2179 | <para> |
---|
| 2180 | Also make sure that the <filename>/tmp</filename> directory has |
---|
| 2181 | reasonable ownership and permissions, and that the machine's file |
---|
| 2182 | system is not full. These problems will cause GDM to fail to start. |
---|
| 2183 | </para> |
---|
| 2184 | </sect2> |
---|
| 2185 | </sect1> |
---|
| 2186 | |
---|
| 2187 | <!-- ============= Application License ============================= --> |
---|
| 2188 | |
---|
| 2189 | <sect1 id="license"> |
---|
| 2190 | <title>License</title> |
---|
| 2191 | <para> |
---|
| 2192 | This program is free software; you can redistribute it and/or |
---|
| 2193 | modify it under the terms of the <ulink type="help" url="gnome-help:gpl"> |
---|
| 2194 | <citetitle>GNU General Public License</citetitle></ulink> as |
---|
| 2195 | published by the Free Software Foundation; |
---|
| 2196 | either version 2 of the License, or (at your option) any later |
---|
| 2197 | version. |
---|
| 2198 | </para> |
---|
| 2199 | <para> |
---|
| 2200 | This program is distributed in the hope that it will be useful, but |
---|
| 2201 | WITHOUT ANY WARRANTY; without even the implied warranty of |
---|
| 2202 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
---|
| 2203 | <citetitle>GNU General Public License</citetitle> for more details. |
---|
| 2204 | </para> |
---|
| 2205 | <para> |
---|
| 2206 | A copy of the <citetitle>GNU General Public License</citetitle> is |
---|
| 2207 | included as an appendix to the <citetitle>GNOME Users |
---|
| 2208 | Guide</citetitle>. You may also obtain a copy of the |
---|
| 2209 | <citetitle>GNU General Public License</citetitle> from the Free |
---|
| 2210 | Software Foundation by visiting |
---|
| 2211 | <ulink type="http" url="http://www.fsf.org">their Web site</ulink> or by |
---|
| 2212 | writing to |
---|
| 2213 | <address> |
---|
| 2214 | Free Software Foundation, Inc. |
---|
| 2215 | <street>51 Franklin Street, Fifth Floor</street> |
---|
| 2216 | <city>Boston</city>, <state>MA</state> <postcode>02110-1301</postcode> |
---|
| 2217 | <country>USA</country> |
---|
| 2218 | </address> |
---|
| 2219 | </para> |
---|
| 2220 | </sect1> |
---|
| 2221 | </article> |
---|
| 2222 | |
---|
| 2223 | <!-- Keep this comment at the end of the file |
---|
| 2224 | Local variables: |
---|
| 2225 | mode: sgml |
---|
| 2226 | sgml-omittag:t |
---|
| 2227 | sgml-shorttag:t |
---|
| 2228 | sgml-minimize-attributes:nil |
---|
| 2229 | sgml-always-quote-attributes:t |
---|
| 2230 | sgml-indent-step:2 |
---|
| 2231 | sgml-indent-data:t |
---|
| 2232 | sgml-parent-document:nil |
---|
| 2233 | sgml-exposed-tags:nil |
---|
| 2234 | sgml-local-catalogs:nil |
---|
| 2235 | sgml-local-ecat-files:nil |
---|
| 2236 | End: |
---|
| 2237 | --> |
---|