1 | <?xml version="1.0"?> |
---|
2 | <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" |
---|
3 | "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [ |
---|
4 | <!ENTITY legal SYSTEM "legal.xml"> |
---|
5 | <!ENTITY version "2.26.0"> |
---|
6 | <!ENTITY date "02/10/2009"> |
---|
7 | <!ENTITY mdash "—"> |
---|
8 | <!ENTITY percnt "%"> |
---|
9 | ]> |
---|
10 | |
---|
11 | <article id="index" lang="en"> |
---|
12 | <articleinfo> |
---|
13 | <title>GNOME Display Manager Reference Manual</title> |
---|
14 | |
---|
15 | <revhistory> |
---|
16 | <revision> |
---|
17 | <revnumber>0.0</revnumber> |
---|
18 | <date>2008-09</date> |
---|
19 | </revision> |
---|
20 | </revhistory> |
---|
21 | |
---|
22 | <abstract role="description"> |
---|
23 | <para> |
---|
24 | GDM is the GNOME Display Manager, a graphical login program. |
---|
25 | </para> |
---|
26 | </abstract> |
---|
27 | |
---|
28 | <authorgroup> |
---|
29 | <author> |
---|
30 | <firstname>Martin</firstname><othername>K.</othername> |
---|
31 | <surname>Petersen</surname> |
---|
32 | <affiliation> |
---|
33 | <address><email>mkp@mkp.net</email></address> |
---|
34 | </affiliation> |
---|
35 | </author> |
---|
36 | <author> |
---|
37 | <firstname>George</firstname><surname>Lebl</surname> |
---|
38 | <affiliation> |
---|
39 | <address><email>jirka@5z.com</email></address> |
---|
40 | </affiliation> |
---|
41 | </author> |
---|
42 | <author> |
---|
43 | <firstname>Jon</firstname><surname>McCann</surname> |
---|
44 | <affiliation> |
---|
45 | <address><email>mccann@jhu.edu</email></address> |
---|
46 | </affiliation> |
---|
47 | </author> |
---|
48 | <author> |
---|
49 | <firstname>Ray</firstname><surname>Strode</surname> |
---|
50 | <affiliation> |
---|
51 | <address><email>rstrode@redhat.com</email></address> |
---|
52 | </affiliation> |
---|
53 | </author> |
---|
54 | <author role="maintainer"> |
---|
55 | <firstname>Brian</firstname><surname>Cameron</surname> |
---|
56 | <affiliation> |
---|
57 | <address><email>Brian.Cameron@Sun.COM</email></address> |
---|
58 | </affiliation> |
---|
59 | </author> |
---|
60 | </authorgroup> |
---|
61 | <copyright> |
---|
62 | <year>1998</year> |
---|
63 | <year>1999</year> |
---|
64 | <holder>Martin K. Petersen</holder> |
---|
65 | </copyright> |
---|
66 | <copyright> |
---|
67 | <year>2001</year> |
---|
68 | <year>2003</year> |
---|
69 | <year>2004</year> |
---|
70 | <holder>George Lebl</holder> |
---|
71 | </copyright> |
---|
72 | <copyright> |
---|
73 | <year>2003</year> |
---|
74 | <year>2007</year> |
---|
75 | <year>2008</year> |
---|
76 | <holder>Red Hat, Inc.</holder> |
---|
77 | </copyright> |
---|
78 | <copyright> |
---|
79 | <year>2003</year> |
---|
80 | <year>2004</year> |
---|
81 | <year>2005</year> |
---|
82 | <year>2006</year> |
---|
83 | <year>2007</year> |
---|
84 | <year>2008</year> |
---|
85 | <holder>Sun Microsystems, Inc.</holder> |
---|
86 | </copyright> |
---|
87 | |
---|
88 | &legal; |
---|
89 | |
---|
90 | <releaseinfo> |
---|
91 | This manual describes version &version; of the GNOME Display Manager. |
---|
92 | It was last updated on &date;. |
---|
93 | </releaseinfo> |
---|
94 | </articleinfo> |
---|
95 | |
---|
96 | <!-- ============= Preface ================================== --> |
---|
97 | |
---|
98 | <sect1 id="preface"> |
---|
99 | <title>Terms and Conventions Used in This Manual</title> |
---|
100 | |
---|
101 | <para> |
---|
102 | This manual describes version &version; of the GNOME Display Manager. |
---|
103 | It was last updated on &date;. |
---|
104 | </para> |
---|
105 | |
---|
106 | <para> |
---|
107 | Chooser - A program used to select a remote host for managing a |
---|
108 | display remotely on the attached display (<command>gdm-host-chooser</command>). |
---|
109 | </para> |
---|
110 | |
---|
111 | <para> |
---|
112 | FreeDesktop - The organization providing desktop standards, such as the |
---|
113 | Desktop Entry Specification used by GDM. |
---|
114 | <ulink type="http" url="http://www.freedesktop.org/"> |
---|
115 | http://www.freedesktop.org</ulink>. |
---|
116 | </para> |
---|
117 | <para> |
---|
118 | GDM - GNOME Display Manager. Used to describe the software package as a |
---|
119 | whole. |
---|
120 | </para> |
---|
121 | |
---|
122 | <para> |
---|
123 | Greeter - The graphical login window (<command>gdm-simple-greeter</command>). |
---|
124 | </para> |
---|
125 | |
---|
126 | <para> |
---|
127 | PAM - Pluggable Authentication Modules |
---|
128 | </para> |
---|
129 | |
---|
130 | <para> |
---|
131 | XDMCP - X Display Manager Control Protocol |
---|
132 | </para> |
---|
133 | |
---|
134 | <para> |
---|
135 | Xserver - An implementation of the X Window System. For example the |
---|
136 | Xorg Xserver provided by the X.org Foundation |
---|
137 | <ulink type="http" url="http://www.x.org/">http://www.x.org</ulink>. |
---|
138 | </para> |
---|
139 | |
---|
140 | <para> |
---|
141 | Paths that start with a word in angle brackets are relative to the |
---|
142 | installation prefix. I.e. <filename>&lt;share&gt;/pixmaps/</filename> |
---|
143 | refers to <filename>/usr/share/pixmaps</filename> if GDM was |
---|
144 | configured with <command>--prefix=/usr</command>. |
---|
145 | </para> |
---|
146 | </sect1> |
---|
147 | |
---|
148 | <!-- ============= Overview ================================= --> |
---|
149 | |
---|
150 | <sect1 id="overview"> |
---|
151 | <title>Overview</title> |
---|
152 | |
---|
153 | <sect2 id="introduction"> |
---|
154 | <title>Introduction</title> |
---|
155 | |
---|
156 | <para> |
---|
157 | The GNOME Display Manager (GDM) is a display manager that implements |
---|
158 | all significant features required for managing attached and remote |
---|
159 | displays. GDM was written from scratch and does not contain any XDM or |
---|
160 | X Consortium code. |
---|
161 | </para> |
---|
162 | |
---|
163 | <para> |
---|
164 | Note that GDM is configurable, and many configuration settings have |
---|
165 | an impact on security. Issues to be aware of are highlighted in this |
---|
166 | document. |
---|
167 | </para> |
---|
168 | |
---|
169 | <para> |
---|
170 | Please note that some Operating Systems configure GDM to behave |
---|
171 | differently than the default values as described in this document. If |
---|
172 | GDM does not seem to behave as documented, then check to see if any |
---|
173 | related configuration may be different than described here. |
---|
174 | </para> |
---|
175 | |
---|
176 | <para> |
---|
177 | For further information about GDM, refer to the project website at |
---|
178 | <ulink type="http" url="http://www.gnome.org/projects/gdm/"> |
---|
179 | http://www.gnome.org/projects/gdm</ulink> and the project |
---|
180 | Wiki <ulink type="http" url="http://live.gnome.org/GDM"> |
---|
181 | http://live.gnome.org/GDM</ulink>. |
---|
182 | </para> |
---|
183 | |
---|
184 | <para> |
---|
185 | For discussion or queries about GDM, refer to the |
---|
186 | <address><email>gdm-list@gnome.org</email></address> mail list. This |
---|
187 | list is archived, and is a good resource to check to seek answers to |
---|
188 | common questions. This list is archived at |
---|
189 | <ulink type="http" url="http://mail.gnome.org/archives/gdm-list/"> |
---|
190 | http://mail.gnome.org/archives/gdm-list/</ulink> and has a search |
---|
191 | facility to look for messages with keywords. |
---|
192 | </para> |
---|
193 | |
---|
194 | <para> |
---|
195 | Please submit any bug reports or enhancement requests to the |
---|
196 | "gdm" category in |
---|
197 | <ulink type="http" url="http://bugzilla.gnome.org/"> |
---|
198 | http://bugzilla.gnome.org</ulink>. |
---|
199 | </para> |
---|
200 | </sect2> |
---|
201 | |
---|
202 | <sect2 id="stability"> |
---|
203 | <title>Interface Stability</title> |
---|
204 | |
---|
205 | <para> |
---|
206 | GDM 2.20 and earlier supported stable configuration interfaces. |
---|
207 | However, the codebase was completely rewritten for GDM 2.22, and |
---|
208 | is not completely backward compatible with older releases. This is |
---|
209 | in part because things work differently, so some options just don't |
---|
210 | make sense, in part because some options never made sense, and in |
---|
211 | part because some functionality has not been reimplemented yet. |
---|
212 | </para> |
---|
213 | |
---|
214 | <para> |
---|
215 | Interfaces which continue to be supported in a stable fashion include |
---|
216 | the Init, PreSession, PostSession, PostLogin, and Xsession scripts. |
---|
217 | Some daemon configuration options in the |
---|
218 | <filename>&lt;etc&gt;/gdm/custom.conf</filename> file continue to be |
---|
219 | supported. Also, the <filename>~/.dmrc</filename>, and face browser |
---|
220 | image locations are still supported. |
---|
221 | </para> |
---|
222 | |
---|
223 | <para> |
---|
224 | GDM 2.20 and earlier supported the ability to manage multiple displays |
---|
225 | with separate graphics cards, such as used in terminal server |
---|
226 | environments, login in a window via a program like Xnest or Xephyr, the |
---|
227 | gdmsetup program, XML-based greeter themes, and the ability to run the |
---|
228 | XDMCP chooser from the login screen. These features were not |
---|
229 | added back during the 2.22 rewrite. |
---|
230 | </para> |
---|
231 | |
---|
232 | </sect2> |
---|
233 | |
---|
234 | <sect2 id="functionaldesc"> |
---|
235 | <title>Functional Description</title> |
---|
236 | |
---|
237 | <!-- |
---|
238 | <para> |
---|
239 | TODO - Would be good to discuss D-Bus, perhaps the new GObject model, |
---|
240 | and to explain the reasons why the rewrite made GDM better. |
---|
241 | From a high-level overview perspective, rather than the |
---|
242 | technical aspects. |
---|
243 | </para> |
---|
244 | --> |
---|
245 | |
---|
246 | <para> |
---|
247 | GDM is responsible for managing displays on the system. This includes |
---|
248 | authenticating users, starting the user session, and terminating the |
---|
249 | user session. GDM is configurable and the ways it can be configured |
---|
250 | are described in the "Configuring GDM" section of this |
---|
251 | document. GDM is also accessible for users with disabilities. |
---|
252 | </para> |
---|
253 | |
---|
254 | <para> |
---|
255 | GDM provides the ability to manage the main console display, and |
---|
256 | displays launched via VT. It is integrated with other programs, |
---|
257 | such as the Fast User Switch Applet (FUSA) and gnome-screensaver |
---|
258 | to manage multiple displays on the console via the Xserver Virtual |
---|
259 | Terminal (VT) interface. It also can manage XDMCP displays. |
---|
260 | </para> |
---|
261 | |
---|
262 | <para> |
---|
263 | Regardless of the display type, GDM will do the following when it |
---|
264 | manages the display. It will start an Xserver process, then run the |
---|
265 | <filename>Init</filename> script as the root user, and start the |
---|
266 | greeter program on the display. |
---|
267 | </para> |
---|
268 | |
---|
269 | <para> |
---|
270 | The greeter program is run as the unprivileged "gdm" |
---|
271 | user/group. This user and group are described in the |
---|
272 | "Security" section of this document. The main function of |
---|
273 | the greeter program is to authenticate the user. The authentication |
---|
274 | process is driven by Pluggable Authentication Modules (PAM). The PAM |
---|
275 | modules determine what prompts (if any) are shown to the user to |
---|
276 | authenticate. On the average system, the greeter program will request |
---|
277 | a username and password for authentication. However some systems may |
---|
278 | be configured to use alternative mechanisms such as a fingerprint or |
---|
279 | SmartCard reader. GDM and PAM can be configured to not require any |
---|
280 | input, which will cause GDM to automatically log in and simply |
---|
281 | start a session, which can be useful for some environments, such as |
---|
282 | for kiosks. |
---|
283 | </para> |
---|
284 | |
---|
285 | <para> |
---|
286 | In addition to authentication, the greeter program allows the user to |
---|
287 | select which session to start and which language to use. Sessions are |
---|
288 | defined by files that end in the .desktop suffix and more information |
---|
289 | about these files can be found in the "GDM User Session and Language |
---|
290 | Configuration" section of this document. By default, GDM is configured |
---|
291 | to display a face browser so the user can select their user account by |
---|
292 | clicking on an image instead of having to type their username. GDM |
---|
293 | keeps track of the user's default session and language in the user's |
---|
294 | <filename>~/.dmrc</filename> and will use these defaults if the user |
---|
295 | did not pick a session or language in the login GUI. |
---|
296 | </para> |
---|
297 | |
---|
298 | <para> |
---|
299 | After authenticating a user, the daemon runs the |
---|
300 | <filename>PostLogin</filename> script as root, then runs the |
---|
301 | <filename>PreSession</filename> script as root. After running these |
---|
302 | scripts, the user session is started. When the user exits their |
---|
303 | session, the <filename>PostSession</filename> script is run as root. |
---|
304 | These scripts are provided as hooks for distributions and end-users |
---|
305 | to customize how sessions are managed. For example, using these |
---|
306 | hooks you could set up a machine which creates the user's $HOME |
---|
307 | directory on the fly, and erases it on logout. The difference |
---|
308 | between the <filename>PostLogin</filename> and |
---|
309 | <filename>PreSession</filename> scripts is that |
---|
310 | <filename>PostLogin</filename> is run before the pam_open_session call |
---|
311 | so is the right place to do anything which should be run before the |
---|
312 | user session is initialized. The <filename>PreSession</filename> |
---|
313 | script is called after session initialization. |
---|
314 | </para> |
---|
315 | </sect2> |
---|
316 | |
---|
317 | <sect2 id="greeterpanel"> |
---|
318 | <title>Greeter Panel</title> |
---|
319 | <para> |
---|
320 | The GDM greeter program displays a panel docked at the bottom of the |
---|
321 | screen which provides additional functionality. When a user is |
---|
322 | selected, the panel allows the user to select which session, language, |
---|
323 | and keyboard layout to use after logging in. The keyboard layout |
---|
324 | selector also changes the keyboard layout used when typing your |
---|
325 | password. The panel also contains an area for login services to leave |
---|
326 | status icons. Some example status icons include a battery icon for |
---|
327 | current battery usage, and an icon for enabling accessibility features. |
---|
328 | The greeter program also provides buttons which allow the user to |
---|
329 | shut down or restart the system. It is possible to configure GDM to not |
---|
330 | provide the shutdown and restart buttons, if desired. GDM can also be |
---|
331 | configured via PolicyKit (or via RBAC on Solaris) to require the user |
---|
332 | have appropriate authorization before accepting the shutdown or restart |
---|
333 | request. |
---|
334 | </para> |
---|
335 | |
---|
336 | <para> |
---|
337 | Note that keyboard layout features are only available on systems that |
---|
338 | support libxklavier. |
---|
339 | </para> |
---|
340 | </sect2> |
---|
341 | |
---|
342 | <sect2 id="accessibility"> |
---|
343 | <title>Accessibility</title> |
---|
344 | |
---|
345 | <para> |
---|
346 | GDM supports "Accessible Login", allowing users to log into |
---|
347 | their desktop session even if they cannot easily use the screen, |
---|
348 | mouse, or keyboard in the usual way. Accessible Technology (AT) |
---|
349 | features such as an on-screen keyboard, screen reader, screen |
---|
350 | magnifier, and Xserver AccessX keyboard accessibility are available. |
---|
351 | It is also possible to enable large text or high contrast icons and |
---|
352 | controls, if needed. Refer to the "Accessibility |
---|
353 | Configuration" section of the document for more information |
---|
354 | on how various accessibility features can be configured. |
---|
355 | </para> |
---|
356 | |
---|
357 | <para> |
---|
358 | On some Operating Systems, it is necessary to make sure that the GDM |
---|
359 | user is a member of the "audio" group for AT programs that |
---|
360 | require audio output (such as text-to-speech) to be functional. |
---|
361 | </para> |
---|
362 | </sect2> |
---|
363 | |
---|
364 | <sect2 id="facebrowser"> |
---|
365 | <title>The GDM Face Browser</title> |
---|
366 | |
---|
367 | <para> |
---|
368 | The Face Browser is the interface which allows users to select their |
---|
369 | username by clicking on an image. This feature can be enabled or |
---|
370 | disabled via the /apps/gdm/simple-greeter/disable_user_list GConf |
---|
371 | key and is on by default. When disabled, users must type their |
---|
372 | complete username by hand. When enabled, it displays all local users |
---|
373 | which are available for login on the system (all user accounts defined |
---|
374 | in the /etc/passwd file that have a valid shell and sufficiently high |
---|
375 | UID) and remote users that have recently logged in. |
---|
376 | The face browser in GDM 2.20 and earlier would attempt to display all |
---|
377 | remote users, which caused performance problems in large, |
---|
378 | enterprise deployments. |
---|
379 | </para> |
---|
380 | |
---|
381 | <para> |
---|
382 | The Face Browser is configured to display the users who log in most |
---|
383 | frequently at the top of the list. This helps to ensure that users |
---|
384 | who log in frequently can quickly find their login image. |
---|
385 | </para> |
---|
386 | |
---|
387 | <para> |
---|
388 | The Face Browser supports "type-ahead search" which dynamically |
---|
389 | moves the face selection as the user types to the corresponding username |
---|
390 | in the list. This means that a user with a long username will only |
---|
391 | have to type the first few characters of the username before the correct |
---|
392 | item in the list gets selected. |
---|
393 | </para> |
---|
394 | |
---|
395 | <para> |
---|
396 | The icons used by GDM can be installed globally by the sysadmin or can |
---|
397 | be located in the user's home directories. If installed globally |
---|
398 | they should be in the <filename>&lt;share&gt;/pixmaps/faces/</filename> |
---|
399 | directory and the filename should be the name of the user. Face image |
---|
400 | files should be a standard image that GTK+ can read, such as PNG or |
---|
401 | JPEG. Face icons placed in the global face directory must be readable |
---|
402 | to the GDM user. |
---|
403 | </para> |
---|
404 | |
---|
405 | <!-- |
---|
406 | <para> |
---|
407 | TODO - In the old GDM the ~/gnome2/gdm file is used, but the new code |
---|
408 | seems to use ~/.gnome/gdm. Error? |
---|
409 | </para> |
---|
410 | --> |
---|
411 | <para> |
---|
412 | If there is no global icon for the user, GDM will look in the user's |
---|
413 | $HOME directory for the image file. GDM will first look for the user's |
---|
414 | face image in <filename>~/.face</filename>. If not found, it will try |
---|
415 | <filename>~/.face.icon</filename>. If still not found, it will use the |
---|
416 | value defined for "face/picture=" in the |
---|
417 | <filename>~/.gnome2/gdm</filename> file. |
---|
418 | </para> |
---|
419 | |
---|
420 | <para> |
---|
421 | If a user has no defined face image, GDM will use the |
---|
422 | "stock_person" icon defined in the current GTK+ theme. If no |
---|
423 | such image is defined, it will fall back to a generic face image. |
---|
424 | </para> |
---|
425 | |
---|
426 | <para> |
---|
427 | Please note that loading and scaling face icons located in remote user |
---|
428 | home directories can be a very time-consuming task. Since it is not |
---|
429 | practical to load images over NIS or NFS, GDM does not attempt to load |
---|
430 | face images from remote home directories. |
---|
431 | </para> |
---|
432 | |
---|
433 | <para> |
---|
434 | When the browser is turned on, valid usernames on the computer are |
---|
435 | exposed for everyone to see. If XDMCP is enabled, then the usernames |
---|
436 | are exposed to remote users. This, of course, limits security |
---|
437 | somewhat since a malicious user does not need to guess valid usernames. |
---|
438 | In some very restrictive environments the face browser may not be |
---|
439 | appropriate. |
---|
440 | </para> |
---|
441 | |
---|
442 | </sect2> |
---|
443 | |
---|
444 | <sect2 id="xdmcp"> |
---|
445 | <title>XDMCP</title> |
---|
446 | |
---|
447 | <!-- |
---|
448 | <para> |
---|
449 | TODO - What XDMCP features actually work? I know that the |
---|
450 | chooser is missing. |
---|
451 | </para> |
---|
452 | --> |
---|
453 | |
---|
454 | <para> |
---|
455 | The GDM daemon can be configured to listen for and manage X Display |
---|
456 | Manager Control Protocol (XDMCP) requests from remote displays. By default |
---|
457 | XDMCP support is turned off, but can be enabled if desired. If GDM is |
---|
458 | built with TCP Wrapper support, then the daemon will only grant access |
---|
459 | to hosts specified in the GDM service section in the TCP Wrappers |
---|
460 | configuration file. |
---|
461 | </para> |
---|
462 | |
---|
463 | <para> |
---|
464 | GDM includes several measures making it more resistant to denial of |
---|
465 | service attacks on the XDMCP service. A lot of the protocol |
---|
466 | parameters, handshaking timeouts, etc. can be fine tuned. The default |
---|
467 | configuration should work reasonably on most systems. |
---|
468 | </para> |
---|
469 | |
---|
470 | <para> |
---|
471 | GDM by default listens for XDMCP requests on the normal UDP port used |
---|
472 | for XDMCP, port 177, and will respond to QUERY and BROADCAST_QUERY |
---|
473 | requests by sending a WILLING packet to the originator. |
---|
474 | </para> |
---|
475 | |
---|
476 | <para> |
---|
477 | GDM can also be configured to honor INDIRECT queries and present a |
---|
478 | host chooser to the remote display. GDM will remember the user's |
---|
479 | choice and forward subsequent requests to the chosen manager. GDM |
---|
480 | also supports an extension to the protocol which will make it forget |
---|
481 | the redirection once the user's connection succeeds. This extension |
---|
482 | is only supported if both daemons are GDM. It is transparent and |
---|
483 | will be ignored by XDM or other daemons that implement XDMCP. |
---|
484 | </para> |
---|
485 | |
---|
486 | <para> |
---|
487 | If XDMCP seems to not be working, make sure that all machines are |
---|
488 | specified in <filename>/etc/hosts</filename>. |
---|
489 | </para> |
---|
490 | |
---|
491 | <para> |
---|
492 | Refer to the "Security" section for information about |
---|
493 | security concerns when using XDMCP. |
---|
494 | </para> |
---|
495 | </sect2> |
---|
496 | |
---|
497 | <sect2 id="logging"> |
---|
498 | <title>Logging</title> |
---|
499 | |
---|
500 | <para> |
---|
501 | GDM uses syslog to log errors and status. It can also log debugging |
---|
502 | information, which can be useful for tracking down problems if GDM is |
---|
503 | not working properly. This can be enabled by starting the GDM daemon |
---|
504 | with the "--debug" option. |
---|
505 | </para> |
---|
506 | |
---|
507 | <para> |
---|
508 | Output from the various Xservers is stored in the GDM log directory, |
---|
509 | which is normally <filename>&lt;var&gt;/log/gdm/</filename>. Any |
---|
510 | Xserver messages are saved to a file associated with the display value, |
---|
511 | <filename>&lt;display&gt;.log</filename>. |
---|
512 | </para> |
---|
513 | |
---|
514 | <para> |
---|
515 | The session output is piped through the GDM daemon to the |
---|
516 | <filename>~/.xsession-errors</filename> file. The file is overwritten |
---|
517 | on each login, so logging out and logging back into the same user via |
---|
518 | GDM will cause any messages from the previous session to be lost. |
---|
519 | </para> |
---|
520 | |
---|
521 | <para> |
---|
522 | Note that if GDM can not create this file for some reason, then a |
---|
523 | fallback file will be created named <filename>~/.xsession-errors.XXXXXXXX</filename> |
---|
524 | where the <filename>XXXXXXXX</filename> are some random characters. |
---|
525 | </para> |
---|
526 | </sect2> |
---|
527 | |
---|
528 | <sect2 id="fusa"> |
---|
529 | <title>Fast User Switching</title> |
---|
530 | |
---|
531 | <para> |
---|
532 | GDM allows multiple users to be logged in at the same time. After one |
---|
533 | user is logged in, additional users can log in via the User Switcher |
---|
534 | on the GNOME Panel, or from the "Switch User" button in Lock Screen dialog |
---|
535 | of GNOME Screensaver. The active session can be changed back and forth using |
---|
536 | the same mechanism. Note that some distributions may not add the User Switcher |
---|
537 | to the default panel configuration. It can be added using the panel context |
---|
538 | menu. |
---|
539 | </para> |
---|
540 | <para> |
---|
541 | Note this feature is available on systems that support Virtual |
---|
542 | Terminals. This feature will not function if Virtual Terminals are not |
---|
543 | available. |
---|
544 | </para> |
---|
545 | </sect2> |
---|
546 | </sect1> |
---|
547 | |
---|
548 | <!-- ============= Security ================================= --> |
---|
549 | |
---|
550 | <sect1 id="security"> |
---|
551 | <title>Security</title> |
---|
552 | |
---|
553 | <sect2 id="gdmuser"> |
---|
554 | <title>The GDM User And Group</title> |
---|
555 | |
---|
556 | <para> |
---|
557 | For security reasons a dedicated user and group id are recommended for |
---|
558 | proper operation. This user and group are normally "gdm" on |
---|
559 | most systems, but can be configured to any user or group. All GDM |
---|
560 | GUI programs are run as this user, so that the programs which interact |
---|
561 | with the user are run in a sandbox. This user and group should have |
---|
562 | limited privilege. |
---|
563 | </para> |
---|
564 | |
---|
565 | <para> |
---|
566 | The only special privilege the "gdm" user requires is the |
---|
567 | ability to read and write Xauth files to the |
---|
568 | <filename>&lt;var&gt;/run/gdm</filename> directory. The |
---|
569 | <filename>&lt;var&gt;/run/gdm</filename> directory should have |
---|
570 | root:gdm ownership and 1777 permissions. |
---|
571 | </para> |
---|
572 | |
---|
573 | <para> |
---|
574 | You should not, under any circumstances, configure the GDM user/group |
---|
575 | to a user which a user could easily gain access to, such as the user |
---|
576 | <filename>nobody</filename>. Any user who gains access to an Xauth |
---|
577 | key can snoop on and control running GUI programs running in the |
---|
578 | associated session or perform a denial-of-service attack on it. It |
---|
579 | is important to ensure that the system is configured properly so that |
---|
580 | only the "gdm" user has access to these files and that it |
---|
581 | is not easy to log in to this account. For example, the account should |
---|
582 | be set up to not have a password or allow non-root users to log in to the |
---|
583 | account. |
---|
584 | </para> |
---|
585 | |
---|
586 | <para> |
---|
587 | The GDM greeter configuration is stored in GConf. To allow the GDM |
---|
588 | user to be able to write configuration, it is necessary for the |
---|
589 | "gdm" user to have a writable $HOME directory. Users may |
---|
590 | configure the default GConf configuration as desired to avoid the |
---|
591 | need to provide the "gdm" user with a writable $HOME |
---|
592 | directory. However, some features of GDM may be disabled if it is |
---|
593 | unable to write state information to GConf configuration. |
---|
594 | </para> |
---|
595 | </sect2> |
---|
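An added example, not part of the GDM manual or code, that checks the state described above: the run directory is root:gdm with mode 1777, and (this example's reading of "only the gdm user has access to these files") no file under it grants group or other access. The function name and its parameters are assumptions of this example; the directory path is supplied by the caller.

```python
import grp
import os
import pwd
import stat
import sys


def audit_run_dir(run_dir, owner_uid, group_gid):
    """Return (path, problem) tuples for the GDM run directory.

    Expected state, as given in the manual: the directory is owned by
    owner_uid:group_gid (root:gdm) and has mode 1777. Flagging files that
    grant group or other access is an assumption of this example.
    """
    problems = []
    st = os.lstat(run_dir)
    if not stat.S_ISDIR(st.st_mode):
        return [(run_dir, "not a directory")]
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o1777:
        problems.append((run_dir, "mode %04o, expected 1777" % mode))
    if (st.st_uid, st.st_gid) != (owner_uid, group_gid):
        problems.append((run_dir, "owner %d:%d, expected %d:%d"
                         % (st.st_uid, st.st_gid, owner_uid, group_gid)))
    # os.walk does not follow symbolic links to directories.
    for dirpath, _dirs, files in os.walk(run_dir):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            fst = os.lstat(path)
            fmode = stat.S_IMODE(fst.st_mode)
            if stat.S_ISLNK(fst.st_mode):
                # A link in a world-writable directory deserves a look.
                problems.append((path, "symbolic link"))
            # The low six permission bits are the group and other bits.
            elif fmode % 0o100:
                problems.append(
                    (path, "mode %04o grants group/other access" % fmode))
    return problems


if __name__ == "__main__":
    # Usage: script RUN_DIR. "root" and "gdm" are the names the manual uses;
    # adjust them if GDM is configured with a different user or group.
    uid = pwd.getpwnam("root").pw_uid
    gid = grp.getgrnam("gdm").gr_gid
    for path, problem in audit_run_dir(sys.argv[1], uid, gid):
        print(path + ": " + problem)
```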
596 | |
---|
597 | <sect2 id="PAM"> |
---|
598 | <title>PAM</title> |
---|
599 | |
---|
600 | <para> |
---|
601 | GDM uses PAM for login authentication. PAM stands for Pluggable |
---|
602 | Authentication Modules, and is used by most programs that request |
---|
603 | authentication on your computer. It allows the administrator to |
---|
604 | configure specific authentication behavior for different login programs |
---|
605 | (such as ssh, login GUI, screensaver, etc.) |
---|
606 | </para> |
---|
607 | |
---|
608 | <para> |
---|
609 | PAM is complicated and highly configurable, and this documentation does |
---|
610 | not intend to explain this in detail. Instead, it is intended to give |
---|
611 | an overview of how PAM configuration relates with GDM, how PAM is |
---|
612 | commonly configured with GDM, and known issues. It is expected that |
---|
613 | a person needing to do PAM configuration would need to do further |
---|
614 | reading of PAM documentation to understand how to configure PAM and |
---|
615 | to understand terms used in this section. |
---|
616 | </para> |
---|
617 | |
---|
618 | <para> |
---|
619 | PAM configuration has different, but similar, interfaces on different |
---|
620 | Operating Systems, so check the |
---|
621 | <ulink type="help" url="man:pam.d">pam.d</ulink> or |
---|
622 | <ulink type="help" url="man:pam.conf">pam.conf</ulink> man page for |
---|
623 | details. Be sure you read the PAM documentation and are comfortable |
---|
624 | with the security implications of any changes you intend to make to |
---|
625 | your configuration. |
---|
626 | </para> |
---|
627 | |
---|
628 | <para> |
---|
629 | Note that, by default, GDM uses the "gdm" PAM service name |
---|
630 | for normal login and the "gdm-autologin" PAM service name for |
---|
631 | automatic login. These services may not be defined in your pam.d or |
---|
632 | pam.conf configuration file. If there is no entry, then GDM will use the |
---|
633 | default PAM behavior. On most systems this should work fine. |
---|
634 | However, the automatic login feature may not work if the gdm-autologin |
---|
635 | service is not defined. |
---|
636 | </para> |
---|
637 | |
---|
638 | <para> |
---|
639 | The <filename>PostLogin</filename> script is run before |
---|
640 | pam_open_session is called, and the <filename>PreSession</filename> |
---|
641 | script is called after. This allows the system administrator to add |
---|
642 | any scripting to the login process either before or after PAM |
---|
643 | initializes the session. |
---|
644 | </para> |
---|
645 | |
---|
646 | <para> |
---|
647 | If you wish to make GDM work with other types of authentication |
---|
648 | mechanisms (such as a fingerprint or SmartCard reader), then you should |
---|
649 | implement this by using a PAM service module for the desired |
---|
650 | authentication type rather than by trying to modify the GDM code |
---|
651 | directly. Refer to the PAM documentation on your system. How to do |
---|
652 | this is frequently discussed on the |
---|
653 | <address><email>gdm-list@gnome.org</email></address> mail list, |
---|
654 | so you can refer to the list archives for more information. |
---|
655 | </para> |
---|
656 | |
---|
657 | <para> |
---|
658 | PAM does have some limitations regarding being able to work with |
---|
659 | multiple types of authentication at the same time, like supporting |
---|
660 | the ability to accept either a SmartCard or a username and password |
---|
661 | typed into the login program. There are techniques |
---|
662 | that are used to make this work, and it is best to research how this |
---|
663 | problem is commonly solved when setting up such a configuration. |
---|
664 | </para> |
---|
665 | |
---|
666 | <para> |
---|
667 | If automatic login does not work on a system, check to see if the |
---|
668 | "gdm-autologin" PAM stack is defined in the PAM configuration. For |
---|
669 | this to work, it is necessary to use a PAM module that simply does no |
---|
670 | authentication, or which simply returns PAM_SUCCESS from all of its |
---|
671 | public interfaces. Assuming your system has a pam_allow.so PAM module |
---|
672 | which does this, a PAM configuration to enable "gdm-autologin" would |
---|
673 | look like this: |
---|
674 | </para> |
---|
675 | |
---|
676 | <screen> |
---|
677 | gdm-autologin auth required pam_unix_cred.so.1 |
---|
678 | gdm-autologin auth sufficient pam_allow.so.1 |
---|
679 | gdm-autologin account sufficient pam_allow.so.1 |
---|
680 | gdm-autologin session sufficient pam_allow.so.1 |
---|
681 | gdm-autologin password sufficient pam_allow.so.1 |
---|
682 | </screen> |
---|
683 | |
---|
684 | <para> |
---|
685 | The above setup will cause no lastlog entry to be generated. If a |
---|
686 | lastlog entry is desired, then use the following for the session: |
---|
687 | </para> |
---|
688 | |
---|
689 | <screen> |
---|
690 | gdm-autologin session required pam_unix_session.so.1 |
---|
691 | </screen> |
---|
692 | |
---|
693 | <para> |
---|
694 | If the computer is used by several people, which makes automatic login |
---|
695 | unsuitable, you may want to allow some users to log in without entering |
---|
696 | their password. This feature can be enabled as a per-user option in |
---|
697 | the users-admin tool from the gnome-system-tools; it is achieved by |
---|
698 | checking that the user is a member of a Unix group called |
---|
699 | "nopasswdlogin" before asking for a password. For this to work, |
---|
700 | the PAM configuration file for the "gdm" service must include |
---|
701 | a line such as: |
---|
702 | </para> |
---|
703 | |
---|
704 | <screen> |
---|
705 | gdm auth sufficient pam_succeed_if.so user ingroup nopasswdlogin |
---|
706 | </screen> |
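An added example (not part of the GDM manual or of GDM's code): a Python sketch that parses pam.conf-style lines like the ones above and reports which `gdm` and `gdm-autologin` auth stacks can succeed without any secret being checked. The module classification, the sample input and the module name `pam_password_example.so` are assumptions made for illustration.

```python
"""Find GDM PAM auth stacks that can succeed without checking a secret."""
import re
from typing import NamedTuple, Optional

# Constructed sample in the pam.conf layout shown on this page:
# service, type, control flag, module, arguments.
# pam_password_example.so is a hypothetical stand-in for any module that
# verifies a password.
SAMPLE_PAM_CONF = """\
# constructed sample input
gdm-autologin auth required   pam_unix_cred.so.1
gdm-autologin auth sufficient pam_allow.so.1
gdm-autologin account sufficient pam_allow.so.1
gdm auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
gdm auth required   pam_password_example.so
other auth required pam_password_example.so
"""

# Modules that succeed unconditionally.
ALWAYS_OK = {"pam_allow", "pam_permit"}
# Modules that never prompt for a secret. Simplifying assumption: any module
# not listed here is treated as one that verifies a credential.
NO_SECRET = ALWAYS_OK | {"pam_unix_cred", "pam_succeed_if"}


class Entry(NamedTuple):
    service: str
    kind: str
    control: str
    module: str
    args: tuple


def parse(text: str) -> list:
    """Parse pam.conf-style lines; bracketed control flags are out of scope."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 4:
            service, kind, control, module = fields[:4]
            # Drop any directory part and the ".so" / ".so.1" suffix.
            name = re.sub(r"\.so(\.\d+)*$", "", module.rsplit("/", 1)[-1])
            entries.append(Entry(service, kind, control, name, tuple(fields[4:])))
    return entries


def ingroup(args: tuple) -> Optional[str]:
    """Group named by a pam_succeed_if 'user ingroup GROUP' condition."""
    for i in range(len(args) - 2):
        if args[i] == "user" and args[i + 1] == "ingroup":
            return args[i + 2]
    return None


def passwordless_paths(entries: list, service: str) -> list:
    """Walk the auth stack in order and list who can log in with no secret."""
    stack = [e for e in entries if e.service == service and e.kind == "auth"]
    findings = []
    for e in stack:
        asks_secret = e.module not in NO_SECRET
        if asks_secret and e.control in ("required", "requisite"):
            return findings  # every later module sits behind this check
        if asks_secret or e.control != "sufficient":
            continue
        if e.module in ALWAYS_OK:
            return findings + ["anyone"]  # stack ends here with success
        group = ingroup(e.args) if e.module == "pam_succeed_if" else None
        if group:
            findings.append("group:" + group)
    # End of stack reached with no mandatory secret check.
    if any(e.module in ALWAYS_OK for e in stack):
        findings.append("anyone")
    return findings


def audit(text: str, services=("gdm", "gdm-autologin")) -> dict:
    """Map each service to its findings, or None when it is not defined."""
    entries = parse(text)
    defined = {e.service for e in entries}
    return {
        s: passwordless_paths(entries, s) if s in defined else None
        for s in services
    }


if __name__ == "__main__":
    for service, result in audit(SAMPLE_PAM_CONF).items():
        print(service, result)
```

A result of `None` means the service has no entry at all, which is the case where the text above says automatic login may not work.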
---|
707 | |
---|
708 | </sect2> |
---|
709 | |
---|
710 | <sect2 id="utmpwtmp"> |
---|
711 | <title>utmp and wtmp</title> |
---|
712 | |
---|
713 | <para> |
---|
714 | GDM generates utmp and wtmp User Accounting Database entries upon |
---|
715 | session login and logout. The utmp database contains user access |
---|
716 | and accounting information that is accessed by commands such as |
---|
717 | <command>finger</command>, <command>last</command>, |
---|
718 | <command>login</command>, and <command>who</command>. The wtmp |
---|
719 | database contains the history of user access and accounting |
---|
720 | information for the utmp database. Refer to the |
---|
721 | <ulink type="help" url="man:utmp">utmp</ulink> and |
---|
722 | <ulink type="help" url="man:wtmp">wtmp</ulink> |
---|
723 | man pages on your system for more information. |
---|
724 | </para> |
---|
725 | </sect2> |
---|
726 | |
---|
727 | <sect2 id="xauth"> |
---|
728 | <title>Xserver Authentication Scheme</title> |
---|
729 | |
---|
730 | <para> |
---|
731 | Xserver authorization files are stored in a newly created subdirectory |
---|
732 | of <filename>&lt;var&gt;/run/gdm</filename> at start up. These files |
---|
733 | are used to store and share a "password" between X clients |
---|
734 | and the Xserver. This "password" is unique for each session |
---|
735 | logged in, so users from one session can't snoop on users from another. |
---|
736 | </para> |
---|
737 | |
---|
738 | <para> |
---|
739 | GDM only supports the MIT-MAGIC-COOKIE-1 Xserver authentication |
---|
740 | scheme. Normally little is gained from the other schemes, and no |
---|
741 | effort has been made to implement them so far. Be especially |
---|
742 | careful about using XDMCP because the Xserver authentication cookie |
---|
743 | goes over the wire as clear text. If snooping is possible, then an |
---|
744 | attacker could simply snoop your authentication password as you log in, |
---|
745 | regardless of the authentication scheme being used. If snooping is |
---|
746 | possible and undesirable, then you should use ssh for tunneling an X |
---|
747 | connection rather than using XDMCP. You could think of XDMCP as a sort |
---|
748 | of graphical telnet, having the same security issues. In most cases, |
---|
749 | ssh -Y should be preferred over GDM's XDMCP features. |
---|
750 | </para> |
---|
751 | |
---|
752 | </sect2> |
---|
753 | |
---|
754 | <sect2 id="xdmcpsecurity"> |
---|
755 | <title>XDMCP Security</title> |
---|
756 | |
---|
757 | <para> |
---|
758 | Even though your display is protected by cookies, XEvents and thus |
---|
759 | keystrokes typed when entering passwords will still go over the wire in |
---|
760 | clear text. It is trivial to capture these. |
---|
761 | </para> |
---|
762 | |
---|
763 | <para> |
---|
764 | XDMCP is primarily useful for running thin clients such as in terminal |
---|
765 | labs. Those thin clients will only ever need the network to access |
---|
766 | the server, and so it seems like the best security policy to have |
---|
767 | those thin clients on a separate network that cannot be accessed by |
---|
768 | the outside world, and can only connect to the server. The only point |
---|
769 | from which you need to access outside is the server. This type of setup |
---|
770 | should never use an unmanaged hub or other sniffable network. |
---|
771 | </para> |
---|
772 | |
---|
773 | </sect2> |
---|
774 | |
---|
775 | <sect2 id="xdmcpaccess"> |
---|
776 | <title>XDMCP Access Control</title> |
---|
777 | |
---|
778 | <para> |
---|
779 | XDMCP access control is done using TCP wrappers. It is possible to |
---|
780 | compile GDM without TCP wrapper support, so this feature may not be |
---|
781 | supported on some Operating Systems. |
---|
782 | </para> |
---|
783 | |
---|
784 | <para> |
---|
785 | You should use the daemon name <command>gdm</command> in the |
---|
786 | <filename>&lt;etc&gt;/hosts.allow</filename> and |
---|
787 | <filename>&lt;etc&gt;/hosts.deny</filename> files. For example, to |
---|
788 | deny computers from <filename>.evil.domain</filename> from logging in, |
---|
789 | add |
---|
790 | </para> |
---|
791 | <screen> |
---|
792 | gdm: .evil.domain |
---|
793 | </screen> |
---|
794 | <para> |
---|
795 | to <filename>&lt;etc&gt;/hosts.deny</filename>. You may also need |
---|
796 | to add |
---|
797 | </para> |
---|
798 | <screen> |
---|
799 | gdm: .your.domain |
---|
800 | </screen> |
---|
801 | <para> |
---|
802 | to your <filename>&lt;etc&gt;/hosts.allow</filename> if you normally |
---|
803 | disallow all services from all hosts. See the |
---|
804 | <ulink type="help" url="man:hosts.allow">hosts.allow(5)</ulink> man |
---|
805 | page for details. |
---|
806 | </para> |
---|
807 | </sect2> |
---|
808 | |
---|
809 | <sect2 id="firewall"> |
---|
810 | <title>Firewall Security</title> |
---|
811 | |
---|
812 | <para> |
---|
813 | Even though GDM tries to outsmart potential attackers trying to take |
---|
814 | advantage of XDMCP, it is still advised that you block the XDMCP port |
---|
815 | (normally UDP port 177) on your firewall unless really needed. GDM |
---|
816 | guards against denial of service attacks, but the X protocol is still |
---|
817 | inherently insecure and should only be used in controlled environments. |
---|
818 | Also each remote connection takes up lots of resources, so it is much |
---|
819 | easier to do a denial of service attack via XDMCP than attacking a |
---|
820 | webserver. |
---|
821 | </para> |
---|
822 | |
---|
823 | <para> |
---|
824 | It is also wise to block all of the Xserver ports. These are TCP |
---|
825 | ports 6000+ (one for each display number) on your firewall. Note that |
---|
826 | GDM will use display numbers 20 and higher for flexible on-demand |
---|
827 | servers. |
---|
828 | </para> |
---|
829 | |
---|
830 | <para> |
---|
831 | X is not a very safe protocol when using it over the Internet, and |
---|
832 | XDMCP is even less safe. |
---|
833 | </para> |
---|
834 | </sect2> |
---|
835 | |
---|
836 | <sect2 id="policykit"> |
---|
837 | <title>PolicyKit</title> |
---|
838 | |
---|
839 | <!-- |
---|
840 | <para> |
---|
841 | TODO - Should we say more? |
---|
842 | </para> |
---|
843 | --> |
---|
844 | |
---|
845 | <para> |
---|
846 | GDM may be configured to use PolicyKit to allow the system |
---|
847 | administrator to control whether the login screen should provide |
---|
848 | the shutdown and restart buttons on the greeter screen. |
---|
849 | </para> |
---|
850 | |
---|
851 | <para> |
---|
852 | These buttons are controlled by the |
---|
853 | <filename>org.freedesktop.consolekit.system.stop-multiple-users</filename> |
---|
854 | and |
---|
855 | <filename>org.freedesktop.consolekit.system.restart-multiple-users</filename> |
---|
856 | actions respectively. Policy for these actions can be set up using the |
---|
857 | polkit-gnome-authorization tool, or the polkit-auth command line program. |
---|
858 | </para> |
---|
859 | |
---|
860 | </sect2> |
---|
861 | |
---|
862 | <sect2 id="rbac"> |
---|
863 | <title>RBAC (Role Based Access Control)</title> |
---|
864 | |
---|
865 | <para> |
---|
866 | GDM may be configured to use RBAC instead of PolicyKit. In this |
---|
867 | case the RBAC configuration is used to control whether the login screen |
---|
868 | should provide the shutdown and restart buttons on the greeter screen. |
---|
869 | </para> |
---|
870 | |
---|
871 | <para> |
---|
872 | For example, on Solaris, the "solaris.system.shutdown" |
---|
873 | authorization is used to control this. Simply modify the |
---|
874 | <filename>/etc/user_attr</filename> file so that the "gdm" |
---|
875 | user has this authorization. |
---|
876 | </para> |
---|
877 | </sect2> |
---|
878 | |
---|
879 | </sect1> |
---|
880 | |
---|
881 | <!-- ============= ConsoleKit ================================ --> |
---|
882 | |
---|
883 | <sect1 id="consolekit"> |
---|
884 | <title>Support for ConsoleKit</title> |
---|
885 | |
---|
886 | <!-- |
---|
887 | <para> |
---|
888 | TODO - Should we update these docs? Probably should mention any |
---|
889 | configuration that users may want to do for using it with GDM? |
---|
890 | If so, perhaps this section should be moved to a subsection of |
---|
891 | the "Configure" section? |
---|
892 | </para> |
---|
893 | --> |
---|
894 | |
---|
895 | <para> |
---|
896 | GDM includes support for publishing user login information with the user |
---|
897 | and login session accounting framework known as ConsoleKit. ConsoleKit |
---|
898 | is able to keep track of all the users currently logged in. In this |
---|
899 | respect, it can be used as a replacement for the utmp or utmpx files that |
---|
900 | are available on most Unix-like Operating Systems. |
---|
901 | </para> |
---|
902 | |
---|
903 | <para> |
---|
904 | When GDM is about to create a new login process for a user it will call |
---|
905 | a privileged method of ConsoleKit in order to open a new session for this |
---|
906 | user. At this time GDM also provides ConsoleKit with information about |
---|
907 | this user session such as: the user ID, the X11 Display name that will be |
---|
908 | associated with the session, the host-name from which the session |
---|
909 | originates (useful in the case of an XDMCP session), whether or not this |
---|
910 | session is attached, etc. As the entity that initiates the user process, |
---|
911 | GDM is in a unique position to know about the user session and to be |
---|
912 | trusted to provide these bits of information. The use of this privileged |
---|
913 | method is restricted by the use of the D-Bus system message bus security |
---|
914 | policy. |
---|
915 | </para> |
---|
916 | |
---|
917 | <para> |
---|
918 | In case a user with an existing session has authenticated |
---|
919 | at GDM and requests to resume that existing session, GDM calls a |
---|
920 | privileged method of ConsoleKit to unlock that session. The exact |
---|
921 | details of what happens when the session receives this unlock signal are |
---|
922 | undefined and session-specific. However, most sessions will unlock a |
---|
923 | screensaver in response. |
---|
924 | </para> |
---|
925 | |
---|
926 | <para> |
---|
927 | When the user chooses to log out, or if GDM or the session quits |
---|
928 | unexpectedly, the user session will be unregistered from ConsoleKit. |
---|
929 | </para> |
---|
930 | </sect1> |
---|
931 | |
---|
932 | <!-- ============= Configuration ============================= --> |
---|
933 | |
---|
934 | <sect1 id="configuration"> |
---|
935 | <title>Configuration</title> |
---|
936 | |
---|
937 | <para> |
---|
938 | GDM has a number of configuration interfaces. These include scripting |
---|
939 | integration points, daemon configuration, greeter configuration, |
---|
940 | general session settings, integration with gnome-settings-daemon |
---|
941 | configuration, and session configuration. These types of integration are |
---|
942 | described in detail below. |
---|
943 | </para> |
---|
944 | |
---|
945 | <sect2 id="scripting"> |
---|
946 | <title>Scripting Integration Points</title> |
---|
947 | |
---|
948 | <para> |
---|
949 | The GDM script integration points can be found in the |
---|
950 | <filename>&lt;etc&gt;/gdm/</filename> directory: |
---|
951 | </para> |
---|
952 | |
---|
953 | <screen> |
---|
954 | Xsession |
---|
955 | Init/ |
---|
956 | PostLogin/ |
---|
957 | PreSession/ |
---|
958 | PostSession/ |
---|
959 | </screen> |
---|
960 | |
---|
961 | <para> |
---|
962 | The <filename>Init</filename>, <filename>PostLogin</filename>, |
---|
963 | <filename>PreSession</filename>, and <filename>PostSession</filename> |
---|
964 | scripts all work as described below. |
---|
965 | </para> |
---|
966 | |
---|
967 | <para> |
---|
968 | For each type of script, the default one which will be executed is |
---|
969 | called "Default" and is stored in a directory associated with |
---|
970 | the script type. So the default <filename>Init</filename> script is |
---|
971 | <filename>&lt;etc&gt;/gdm/Init/Default</filename>. A per-display |
---|
972 | script can be provided, and if it exists it will be run instead of the |
---|
973 | default script. Such scripts are stored in the same directory as the |
---|
974 | default script and have the same name as the Xserver DISPLAY value for |
---|
975 | that display. For example, if the <filename>&lt;Init&gt;/:0</filename> |
---|
976 | script exists, it will be run for DISPLAY ":0". |
---|
977 | </para> |
---|
978 | |
---|
979 | <para> |
---|
980 | All of these scripts are run with root privilege and return 0 if run |
---|
981 | successfully, and a non-zero return code if there was any failure that |
---|
982 | should cause the login session to be aborted. Also note that GDM will |
---|
983 | block until the scripts finish, so if any of these scripts hang, this |
---|
984 | will cause the login process to also hang. |
---|
985 | </para> |
---|
986 | |
---|
987 | <para> |
---|
988 | When the Xserver for the login GUI has been successfully started, but |
---|
989 | before the login GUI is actually displayed, GDM will run the |
---|
990 | <filename>Init</filename> script. This script is useful for starting |
---|
991 | programs that should be run while the login screen is showing, or for |
---|
992 | doing any special initialization if required. |
---|
993 | </para> |
---|
994 | |
---|
995 | <para> |
---|
996 | After the user has been successfully authenticated GDM will run the |
---|
997 | <filename>PostLogin</filename> script. This is done before any session |
---|
998 | setup has been done, including before the pam_open_session call. This |
---|
999 | script is useful for doing any session initialization that needs to |
---|
1000 | happen before the session starts. For example, you might set up the |
---|
1001 | user's $HOME directory if needed. |
---|
1002 | </para> |
---|
1003 | |
---|
1004 | <para> |
---|
1005 | After the user session has been initialized, GDM will run the |
---|
1006 | <filename>PreSession</filename> script. This script is useful for |
---|
1007 | doing any session initialization that needs to happen after the |
---|
1008 | session has been initialized. It can be used for session management or |
---|
1009 | accounting, for example. |
---|
1010 | </para> |
---|
1011 | |
---|
1012 | <para> |
---|
1013 | When a user terminates their session, GDM will run the |
---|
1014 | <filename>PostSession</filename> script. Note that the Xserver will |
---|
1015 | have been stopped by the time this script is run, so it should not be |
---|
1016 | accessed. |
---|
1017 | </para> |
---|
1018 | |
---|
1019 | <para> |
---|
1020 | Note that the <filename>PostSession</filename> script will be run |
---|
1021 | even when the display fails to respond due to an I/O error or |
---|
1022 | similar. Thus, there is no guarantee that X applications will work |
---|
1023 | during script execution. |
---|
1024 | </para> |
---|
1025 | |
---|
1026 | <para> |
---|
1027 | All of the above scripts will set the |
---|
1028 | <filename>$RUNNING_UNDER_GDM</filename> environment variable to |
---|
1029 | <filename>yes</filename>. If the scripts are also shared with other |
---|
1030 | display managers, this allows you to identify when GDM is calling these |
---|
1031 | scripts, so you can run specific code when GDM is used. |
---|
1032 | </para> |
---|
1033 | </sect2> |
---|
1034 | |
---|
1035 | <sect2 id="autostart"> |
---|
1036 | <title>Autostart Configuration</title> |
---|
1037 | |
---|
1038 | <para> |
---|
1039 | The <filename>&lt;share&gt;/gdm/autostart/LoginWindow</filename> |
---|
1040 | directory contains files in the format specified by the |
---|
1041 | "FreeDesktop.org Desktop Application Autostart |
---|
1042 | Specification". Standard features in the specification may be |
---|
1043 | used to specify programs that should auto-restart or only be launched |
---|
1044 | if a GConf configuration value is set, etc. |
---|
1045 | </para> |
---|
1046 | |
---|
1047 | <para> |
---|
1048 | Any <filename>.desktop</filename> files in this directory will cause |
---|
1049 | the associated program to automatically start with the login GUI |
---|
1050 | greeter. By default, GDM is shipped with files which will autostart |
---|
1051 | the gdm-simple-greeter login GUI greeter itself, the |
---|
1052 | gnome-power-manager application, the gnome-settings-daemon, and the |
---|
1053 | Metacity window manager. These programs are needed for the greeter |
---|
1054 | program to work. In addition, desktop files are provided for starting |
---|
1055 | various AT programs if the configuration values specified in the |
---|
1056 | Accessibility Configuration section below are set. |
---|
1057 | </para> |
---|
1058 | </sect2> |
---|
1059 | |
---|
1060 | <sect2 id="xsessionscript"> |
---|
1061 | <title>Xsession Script</title> |
---|
1062 | |
---|
1063 | <para> |
---|
1064 | There is also an <filename>Xsession</filename> script located at |
---|
1065 | <filename>&lt;etc&gt;/gdm/Xsession</filename> which is called between |
---|
1066 | the <filename>PreSession</filename> and the |
---|
1067 | <filename>PostSession</filename> scripts. Unlike the other scripts, |
---|
1068 | this script has no per-display variants. This script is used for |
---|
1069 | actually starting the user session. This script is run as the user, |
---|
1070 | and it will run whatever session was specified by the Desktop session |
---|
1071 | file the user selected to start. |
---|
1072 | </para> |
---|
1073 | </sect2> |
---|
1074 | |
---|
1075 | <sect2 id="daemonconfig"> |
---|
1076 | <title>Daemon Configuration</title> |
---|
1077 | |
---|
1078 | <para> |
---|
1079 | The GDM daemon is configured using the |
---|
1080 | <filename>&lt;etc&gt;/gdm/custom.conf</filename> file. Default |
---|
1081 | values are stored in GConf in the <filename>gdm.schemas</filename> |
---|
1082 | file. It is recommended that end-users modify the |
---|
1083 | <filename>/etc/gdm/custom.conf</filename> file because the |
---|
1084 | schemas file may be overwritten when the user updates their system to |
---|
1085 | have a newer version of GDM. |
---|
1086 | </para> |
---|
1087 | |
---|
1088 | <para> |
---|
1089 | Note that older versions of GDM supported additional configuration |
---|
1090 | options which are no longer supported in the latest versions of GDM. |
---|
1091 | </para> |
---|
1092 | |
---|
1093 | <para> |
---|
1094 | The <filename>&lt;etc&gt;/gdm/custom.conf</filename> file is in the |
---|
1095 | <filename>keyfile</filename> format. Keywords in brackets |
---|
1096 | define group sections, strings before an equal sign (=) are keys and |
---|
1097 | the data after the equal sign represents their value. Empty lines or |
---|
1098 | lines starting with the hash mark (#) are ignored. |
---|
1099 | </para> |
---|
1100 | |
---|
1101 | <para> |
---|
1102 | The file <filename>/etc/gdm/custom.conf</filename> supports the |
---|
1103 | "[daemon]", "[security]", and "[xdmcp]" |
---|
1104 | group sections. Within each group, there are particular key/value |
---|
1105 | pairs that can be specified to modify how GDM behaves. For example, |
---|
1106 | to enable timed login and specify the timed login user to be a user |
---|
1107 | named "you", you would modify the file so it contains the |
---|
1108 | following lines: |
---|
1109 | </para> |
---|
1110 | |
---|
1111 | <screen> |
---|
1112 | [daemon] |
---|
1113 | TimedLoginEnable=true |
---|
1114 | TimedLogin=you |
---|
1115 | </screen> |
---|
1116 | |
---|
1117 | <para> |
---|
1118 | A full list of supported configuration keys follows: |
---|
1119 | </para> |
---|
1120 | |
---|
1121 | <sect3 id="choosersection"> |
---|
1122 | <title>[chooser]</title> |
---|
1123 | <variablelist> |
---|
1124 | |
---|
1125 | <varlistentry> |
---|
1126 | <term>Multicast</term> |
---|
1127 | <listitem> |
---|
1128 | <synopsis>Multicast=false</synopsis> |
---|
1129 | <para> |
---|
1130 | If true and IPv6 is enabled, the chooser will send a multicast |
---|
1131 | query to the local network and collect responses from the hosts |
---|
1132 | that have joined the multicast group. |
---|
1133 | </para> |
---|
1134 | </listitem> |
---|
1135 | </varlistentry> |
---|
1136 | |
---|
1137 | <varlistentry> |
---|
1138 | <term>MulticastAddr</term> |
---|
1139 | <listitem> |
---|
1140 | <synopsis>MulticastAddr=ff02::1</synopsis> |
---|
1141 | <para> |
---|
1142 | This is the Link-local Multicast address. |
---|
1143 | </para> |
---|
1144 | </listitem> |
---|
1145 | </varlistentry> |
---|
1146 | </variablelist> |
---|
1147 | </sect3> |
---|
1148 | |
---|
1149 | <sect3 id="daemonsection"> |
---|
1150 | <title>[daemon]</title> |
---|
1151 | <variablelist> |
---|
1152 | |
---|
1153 | <varlistentry> |
---|
1154 | <term>Group</term> |
---|
1155 | <listitem> |
---|
1156 | <synopsis>Group=gdm</synopsis> |
---|
1157 | <para> |
---|
1158 | The group name under which the greeter and other GUI programs |
---|
1159 | are run. Refer to the <filename>User</filename> |
---|
1160 | configuration key and to the "Security->GDM User And |
---|
1161 | Group" section of this document for more information. |
---|
1162 | </para> |
---|
1163 | </listitem> |
---|
1164 | </varlistentry> |
---|
1165 | |
---|
1166 | <varlistentry> |
---|
1167 | <term>TimedLoginEnable</term> |
---|
1168 | <listitem> |
---|
1169 | <synopsis>TimedLoginEnable=false</synopsis> |
---|
1170 | <para> |
---|
1171 | Whether the user given in <filename>TimedLogin</filename> should be |
---|
1172 | logged in after a number of seconds (set with |
---|
1173 | <filename>TimedLoginDelay</filename>) of inactivity on the |
---|
1174 | login screen. This is useful for public access terminals or |
---|
1175 | perhaps even home use. If the user uses the keyboard or |
---|
1176 | browses the menus, the timeout will be reset to |
---|
1177 | <filename>TimedLoginDelay</filename> or 30 seconds, whichever |
---|
1178 | is higher. If the user does not enter a username but just |
---|
1179 | hits the ENTER key while the login program is requesting the |
---|
1180 | username, then GDM will assume the user wants to login |
---|
1181 | immediately as the timed user. Note that no password will be |
---|
1182 | asked for this user so you should be careful, although if using |
---|
1183 | PAM it can be configured to require password entry before |
---|
1184 | allowing login. Refer to the "Security->PAM" |
---|
1185 | section of the manual for more information, or for help if this |
---|
1186 | feature does not seem to work. |
---|
1187 | </para> |
---|
1188 | </listitem> |
---|
1189 | </varlistentry> |
---|
1190 | |
---|
1191 | <varlistentry> |
---|
1192 | <term>TimedLogin</term> |
---|
1193 | <listitem> |
---|
1194 | <synopsis>TimedLogin=</synopsis> |
---|
1195 | <para> |
---|
1196 | This is the user that should be logged in after a specified |
---|
1197 | number of seconds of inactivity. |
---|
1198 | </para> |
---|
1199 | <para> |
---|
1200 | If the value ends with a vertical bar | (the pipe symbol), |
---|
1201 | then GDM will execute the program specified and use whatever |
---|
1202 | value is returned on standard out from the program as the user. |
---|
1203 | The program is run with the DISPLAY environment variable set so |
---|
1204 | that it is possible to specify the user in a per-display |
---|
1205 | fashion. For example if the value is "/usr/bin/getloginuser|", |
---|
1206 | then the program "/usr/bin/getloginuser" will be run to get the |
---|
1207 | user value. |
---|
1208 | </para> |
---|
1209 | </listitem> |
---|
1210 | </varlistentry> |
---|
1211 | |
---|
1212 | <varlistentry> |
---|
1213 | <term>TimedLoginDelay</term> |
---|
1214 | <listitem> |
---|
1215 | <synopsis>TimedLoginDelay=30</synopsis> |
---|
1216 | <para> |
---|
1217 | Delay in seconds before the <filename>TimedLogin</filename> |
---|
1218 | user will be logged in. |
---|
1219 | </para> |
---|
1220 | </listitem> |
---|
1221 | </varlistentry> |
---|
1222 | |
---|
1223 | <varlistentry> |
---|
1224 | <term>AutomaticLoginEnable</term> |
---|
1225 | <listitem> |
---|
1226 | <synopsis>AutomaticLoginEnable=false</synopsis> |
---|
1227 | <para> |
---|
1228 | If true, the user given in <filename>AutomaticLogin</filename> |
---|
1229 | should be logged in immediately. This feature is like timed |
---|
1230 | login with a delay of 0 seconds. |
---|
1231 | </para> |
---|
1232 | </listitem> |
---|
1233 | </varlistentry> |
---|
1234 | |
---|
1235 | <varlistentry> |
---|
1236 | <term>AutomaticLogin</term> |
---|
1237 | <listitem> |
---|
1238 | <synopsis>AutomaticLogin=</synopsis> |
---|
1239 | <para> |
---|
1240 | This is the user that should be logged in immediately if |
---|
1241 | <filename>AutomaticLoginEnable</filename> is true. |
---|
1242 | </para> |
---|
1243 | <para> |
---|
1244 | If the value ends with a vertical bar | (the pipe symbol), |
---|
1245 | then GDM will execute the program specified and use whatever |
---|
1246 | value is returned on standard out from the program as the user. |
---|
1247 | The program is run with the DISPLAY environment variable set so |
---|
1248 | that it is possible to specify the user in a per-display |
---|
1249 | fashion. For example if the value is "/usr/bin/getloginuser|", |
---|
1250 | then the program "/usr/bin/getloginuser" will be run to get the |
---|
1251 | user value. |
---|
1252 | </para> |
---|
1253 | </listitem> |
---|
1254 | </varlistentry> |
---|
1255 | |
---|
1256 | <varlistentry> |
---|
1257 | <term>User</term> |
---|
1258 | <listitem> |
---|
1259 | <synopsis>User=gdm</synopsis> |
---|
1260 | <para> |
---|
1261 | The username under which the greeter and other GUI programs |
---|
1262 | are run. Refer to the <filename>Group</filename> |
---|
1263 | configuration key and to the "Security->GDM User And |
---|
1264 | Group" section of this document for more information. |
---|
1265 | </para> |
---|
1266 | </listitem> |
---|
1267 | </varlistentry> |
---|
1268 | </variablelist> |
---|
1269 | </sect3> |
---|
1270 | |
---|
1271 | <sect3 id="securitysection"> |
---|
1272 | <title>Security Options</title> |
---|
1273 | |
---|
1274 | <variablelist> |
---|
1275 | <title>[security]</title> |
---|
1276 | |
---|
1277 | <varlistentry> |
---|
1278 | <term>DisallowTCP</term> |
---|
1279 | <listitem> |
---|
1280 | <synopsis>DisallowTCP=true</synopsis> |
---|
1281 | <para> |
---|
1282 | If true, then always append <filename>-nolisten tcp</filename> |
---|
1283 | to the command line when starting attached Xservers, thus |
---|
1284 | disallowing TCP connection. This is a more secure |
---|
1285 | configuration if you are not using remote connections. |
---|
1286 | </para> |
---|
1287 | </listitem> |
---|
1288 | </varlistentry> |
---|
1289 | </variablelist> |
---|
1290 | </sect3> |
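An added example (not part of the GDM manual or of GDM's code): a Python sketch that reads a `custom.conf` in the keyfile format described above and reports the `[daemon]`, `[security]` and `[xdmcp]` settings that this manual ties to passwordless login or network exposure. The sample file is constructed, defaults are taken from the synopsis lines in this manual, and treating only the literal `true` as enabled is a simplifying assumption.

```python
"""Flag custom.conf settings that this manual links to weaker login security."""
import configparser

# Constructed sample input in the keyfile format described above.
SAMPLE_CUSTOM_CONF = """\
# constructed sample
[daemon]
TimedLoginEnable=true
TimedLogin=/usr/bin/getloginuser|
TimedLoginDelay=10

[security]
DisallowTCP=false

[xdmcp]
Enable=true
"""


def load(text):
    # Keyfile keys are case-sensitive, "=" is the only separator and "#" the
    # only comment marker, so configparser's defaults are tightened to match.
    cp = configparser.ConfigParser(
        interpolation=None, delimiters=("=",), comment_prefixes=("#",)
    )
    cp.optionxform = str
    cp.read_string(text)
    return cp


def is_true(cp, group, key, default):
    # Simplification: only the literal "true" (any case) counts as enabled.
    return cp.get(group, key, fallback=default).strip().lower() == "true"


def audit(text):
    """Return (group, key, reason) tuples for settings that need review."""
    cp = load(text)
    findings = []
    for enable, user_key in (
        ("AutomaticLoginEnable", "AutomaticLogin"),
        ("TimedLoginEnable", "TimedLogin"),
    ):
        if not is_true(cp, "daemon", enable, "false"):
            continue
        user = cp.get("daemon", user_key, fallback="").strip()
        runs_program = user.endswith("|")
        if runs_program:
            who = "the user printed by " + user[:-1].strip()
        else:
            who = "user " + (user or "(unset)")
        findings.append(
            ("daemon", enable, "no password is asked before logging in " + who)
        )
        if runs_program:
            findings.append(
                ("daemon", user_key,
                 "GDM runs this program and uses its standard output as the "
                 "login user; check who can modify it")
            )
    if not is_true(cp, "security", "DisallowTCP", "true"):
        findings.append(
            ("security", "DisallowTCP",
             "attached Xservers are started without -nolisten tcp")
        )
    if is_true(cp, "xdmcp", "Enable", "false"):
        findings.append(
            ("xdmcp", "Enable",
             "XDMCP listens on UDP port 177; the cookie and keystrokes "
             "cross the network in clear text")
        )
    return findings


if __name__ == "__main__":
    for group, key, reason in audit(SAMPLE_CUSTOM_CONF):
        print("[%s] %s: %s" % (group, key, reason))
```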
---|
1291 | |
---|
1292 | <sect3 id="xdmcpsection"> |
---|
1293 | <title>XDMCP Support</title> |
---|
1294 | |
---|
1295 | <variablelist> |
---|
1296 | <title>[xdmcp]</title> |
---|
1297 | |
---|
1298 | <varlistentry> |
---|
1299 | <term>DisplaysPerHost</term> |
---|
1300 | <listitem> |
---|
1301 | <synopsis>DisplaysPerHost=1</synopsis> |
---|
1302 | <para> |
---|
1303 | To prevent attackers from filling up the pending queue, GDM |
---|
1304 | will only allow one connection for each remote computer. If |
---|
1305 | you want to provide display services to computers with more |
---|
1306 | than one screen, you should increase this value. |
---|
1307 | </para> |
---|
1308 | |
---|
1309 | <para> |
---|
1310 | Note that the number of attached DISPLAYS allowed is not |
---|
1311 | limited. Only remote connections via XDMCP are limited by |
---|
1312 | this configuration option. |
---|
1313 | </para> |
---|
1314 | </listitem> |
---|
1315 | </varlistentry> |
---|
1316 | |
---|
1317 | <varlistentry> |
---|
1318 | <term>Enable</term> |
---|
1319 | <listitem> |
---|
1320 | <synopsis>Enable=false</synopsis> |
---|
1321 | <para> |
---|
1322 | Setting this to true enables XDMCP support allowing remote |
---|
1323 | displays/X terminals to be managed by GDM. |
---|
1324 | </para> |
---|
1325 | |
---|
1326 | <para> |
---|
1327 | <filename>gdm</filename> listens for requests on UDP port 177. |
---|
1328 | See the Port option for more information. |
---|
1329 | </para> |
---|
1330 | |
---|
1331 | <para> |
---|
1332 | If GDM is compiled to support it, access from remote displays |
---|
1333 | can be controlled using the TCP Wrappers library. The service |
---|
1334 | name is <filename>gdm</filename>. |
---|
1335 | </para> |
---|
1336 | |
---|
1337 | <para> |
---|
1338 | You should add |
---|
1339 | <screen> |
---|
1340 | gdm:.my.domain |
---|
1341 | </screen> |
---|
1342 | to your <filename>&lt;etc&gt;/hosts.allow</filename>, depending |
---|
1343 | on your TCP Wrappers configuration. See the |
---|
1344 | <ulink type="help" url="man:hosts.allow">hosts.allow</ulink> |
---|
1345 | man page for details. |
---|
1346 | </para> |
---|
1347 | |
---|
1348 | <para> |
---|
1349 | Please note that XDMCP is not a particularly secure protocol |
---|
1350 | and that it is a good idea to block UDP port 177 on your |
---|
1351 | firewall unless you really need it. |
---|
1352 | </para> |
---|
1353 | </listitem> |
---|
1354 | </varlistentry> |
---|
1355 | |
---|
1356 | <varlistentry> |
---|
1357 | <term>HonorIndirect</term> |
---|
1358 | <listitem> |
---|
1359 | <synopsis>HonorIndirect=true</synopsis> |
---|
1360 | <para> |
---|
1361 | Enables XDMCP INDIRECT choosing (i.e. remote execution of |
---|
1362 | <filename>gdmchooser</filename>) for X-terminals which do not |
---|
1363 | supply their own display browser. |
---|
1364 | </para> |
---|
1365 | </listitem> |
---|
1366 | </varlistentry> |
---|
1367 | |
---|
1368 | <varlistentry> |
---|
1369 | <term>MaxPending</term> |
---|
1370 | <listitem> |
---|
1371 | <synopsis>MaxPending=4</synopsis> |
---|
1372 | <para> |
---|
1373 | To avoid denial of service attacks, GDM has a fixed-size queue |
---|
1374 | of pending connections. Only MaxPending displays can start at |
---|
1375 | the same time. |
---|
1376 | </para> |
---|
1377 | |
---|
1378 | <para> |
---|
1379 | Please note that this parameter does not limit the number of |
---|
1380 | remote displays which can be managed. It only limits the number |
---|
1381 | of displays initiating a connection simultaneously. |
---|
1382 | </para> |
---|
1383 | </listitem> |
---|
1384 | </varlistentry> |
---|
1385 | |
---|
1386 | <varlistentry> |
---|
1387 | <term>MaxSessions</term> |
---|
1388 | <listitem> |
---|
1389 | <synopsis>MaxSessions=16</synopsis> |
---|
1390 | <para> |
---|
1391 | Determines the maximum number of remote display connections |
---|
1392 | which will be managed simultaneously. I.e. the total number of |
---|
1393 | remote displays that can use your host. |
---|
1394 | </para> |
---|
1395 | </listitem> |
---|
1396 | </varlistentry> |
---|
1397 | |
---|
1398 | <varlistentry> |
---|
1399 | <term>MaxWait</term> |
---|
1400 | <listitem> |
---|
1401 | <synopsis>MaxWait=30</synopsis> |
---|
1402 | <para> |
---|
1403 | When GDM is ready to manage a display an ACCEPT packet is sent |
---|
1404 | to it containing a unique session id which will be used in |
---|
1405 | future XDMCP conversations. |
---|
1406 | </para> |
---|
1407 | |
---|
1408 | <para> |
---|
1409 | GDM will then place the session id in the pending queue |
---|
1410 | waiting for the display to respond with a MANAGE request. |
---|
1411 | </para> |
---|
1412 | |
---|
1413 | <para> |
---|
1414 | If no response is received within MaxWait seconds, GDM will |
---|
1415 | declare the display dead and erase it from the pending queue |
---|
1416 | freeing up the slot for other displays. |
---|
1417 | </para> |
---|
1418 | </listitem> |
---|
1419 | </varlistentry> |
---|
1420 | |
---|
1421 | <varlistentry> |
---|
1422 | <term>MaxWaitIndirect</term> |
---|
1423 | <listitem> |
---|
1424 | <synopsis>MaxWaitIndirect=30</synopsis> |
---|
1425 | <para> |
---|
1426 | The MaxWaitIndirect parameter determines the maximum number of |
---|
1427 | seconds between the time where a user chooses a host and the |
---|
1428 | subsequent indirect query where the user is connected to the |
---|
1429 | host. When the timeout is exceeded, the information about the |
---|
1430 | chosen host is forgotten and the indirect slot freed up for |
---|
1431 | other displays. The information may be forgotten earlier if |
---|
1432 | there are more hosts trying to send indirect queries than |
---|
1433 | <filename>MaxPendingIndirect</filename>. |
---|
1434 | </para> |
---|
1435 | </listitem> |
---|
1436 | </varlistentry> |
---|
1437 | |
---|
1438 | <varlistentry> |
---|
1439 | <term>PingIntervalSeconds</term> |
---|
1440 | <listitem> |
---|
1441 | <synopsis>PingIntervalSeconds=15</synopsis> |
---|
1442 | <para> |
---|
1443 | Interval in which to ping the Xserver in seconds. If the |
---|
1444 | Xserver does not respond before the next time we ping it, the |
---|
1445 | connection is stopped and the session ended. This is a |
---|
1446 | combination of the XDM PingInterval and PingTimeout, but in |
---|
1447 | seconds. |
---|
1448 | </para> |
---|
1449 | |
---|
1450 | <para> |
---|
1451 | Note that GDM in the past used to have a |
---|
1452 | <filename>PingInterval</filename> configuration key which was |
---|
1453 | also in minutes. For most purposes you'd want this setting |
---|
1454 | to be lower than one minute, since in most cases where |
---|
1455 | XDMCP would be used (such as terminal labs), a lag of more |
---|
1456 | than 15 or so seconds would really mean that the terminal was |
---|
1457 | turned off or restarted and you would want to end the session. |
---|
1458 | </para> |
---|
1459 | </listitem> |
---|
1460 | </varlistentry> |
---|
1461 | |
---|
1462 | <varlistentry> |
---|
1463 | <term>Port</term> |
---|
1464 | <listitem> |
---|
1465 | <synopsis>Port=177</synopsis> |
---|
1466 | <para> |
---|
1467 | The UDP port number <filename>gdm</filename> should listen on |
---|
1468 | for XDMCP requests. Do not change this unless you know what |
---|
1469 | you are doing. |
---|
1470 | </para> |
---|
1471 | </listitem> |
---|
1472 | </varlistentry> |
---|
1473 | |
---|
1474 | <varlistentry> |
---|
1475 | <term>Willing</term> |
---|
1476 | <listitem> |
---|
1477 | <synopsis>Willing=<etc>/gdm/Xwilling</synopsis> |
---|
1478 | <para> |
---|
1479 | When the machine sends a WILLING packet back after a QUERY it |
---|
1480 | sends a string that gives the current status of this server. |
---|
1481 | The default message is the system ID, but it is possible to |
---|
1482 | create a script that displays a customized message. If this |
---|
1483 | script does not exist or this key is empty the default message |
---|
1484 | is sent. If this script succeeds and produces some output, |
---|
1485 | the first line of its output is sent (and only the first |
---|
1486 | line). It runs at most once every 3 seconds to prevent |
---|
1487 | possible denial of service by flooding the machine with QUERY |
---|
1488 | packets. |
---|
1489 | </para> |
---|
1490 | </listitem> |
---|
1491 | </varlistentry> |
---|
1492 | </variablelist> |
---|
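The pending-queue behaviour that MaxPending, MaxWait and MaxSessions describe, as an added Python model (not GDM source code). The class and function names, the counter-based session ids, and the rule that new requests are refused once MaxSessions displays are managed are assumptions of this model.

```python
"""Toy model of the XDMCP pending queue (MaxPending, MaxWait, MaxSessions).

Added illustration only; this is not GDM source code.
"""


class XdmcpQueueModel:
    def __init__(self, max_pending=4, max_wait=30, max_sessions=16):
        self.max_pending = max_pending    # displays allowed to be starting at once
        self.max_wait = max_wait          # seconds to wait for MANAGE after ACCEPT
        self.max_sessions = max_sessions  # displays allowed to be managed at once
        self.pending = {}                 # session id -> (display, time of ACCEPT)
        self.managed = {}                 # session id -> display
        self._next_id = 1                 # assumption: counter keeps the model deterministic

    def expire(self, now):
        """Erase pending entries that sent no MANAGE within max_wait seconds."""
        dead = [sid for sid, (_, sent) in self.pending.items()
                if now - sent > self.max_wait]
        for sid in dead:
            del self.pending[sid]
        return dead

    def request(self, display, now):
        """Return a new session id (ACCEPT sent) or None (request refused)."""
        self.expire(now)
        if len(self.pending) >= self.max_pending:
            return None  # queue full: the bound that caps work per unanswered request
        if len(self.managed) >= self.max_sessions:
            return None  # assumption: a full host refuses before queuing
        sid = self._next_id
        self._next_id += 1
        self.pending[sid] = (display, now)
        return sid

    def manage(self, session_id, now):
        """Handle MANAGE: move a still-pending session to the managed set."""
        self.expire(now)
        entry = self.pending.pop(session_id, None)
        if entry is None:
            return False  # unknown id, or the slot already timed out
        self.managed[session_id] = entry[0]
        return True


def flood_then_legit(max_pending=4, max_wait=30):
    """Ten requesters that never send MANAGE, then one real terminal.

    Returns (slots granted to the silent requesters,
             result for the terminal while the queue is full,
             result for the terminal after the slots expired).
    """
    q = XdmcpQueueModel(max_pending=max_pending, max_wait=max_wait)
    results = [q.request(f"silent-{i}:0", now=0) for i in range(10)]
    granted = sum(1 for sid in results if sid is not None)
    while_full = q.request("lab-terminal:0", now=5)
    after_expiry = q.request("lab-terminal:0", now=max_wait + 1)
    return granted, while_full, after_expiry


if __name__ == "__main__":
    print(flood_then_legit())
```

In this model, lowering MaxWait shortens the time that requesters who never send MANAGE can hold all MaxPending slots.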
1493 | </sect3> |
---|
1494 | </sect2> |
---|
1495 | |
---|
1496 | <sect2 id="greeterconfiguration"> |
---|
1497 | <title>Simple Greeter Configuration</title> |
---|
1498 | |
---|
1499 | <para> |
---|
1500 | The GDM default greeter is called the simple Greeter and is |
---|
1501 | configured via GConf. Default values are stored in GConf in the |
---|
1502 | <filename>gdm-simple-greeter.schemas</filename> file. These defaults |
---|
1503 | can be overridden if the "gdm" user has a writable $HOME |
---|
1504 | directory to store GConf settings. These values can be edited using |
---|
1505 | the <command>gconftool-2</command> or <command>gconf-editor</command> |
---|
1506 | programs. The following configuration options are supported: |
---|
1507 | </para> |
---|
1508 | |
---|
1509 | <variablelist> |
---|
1510 | <title>Greeter Configuration Keys</title> |
---|
1511 | |
---|
1512 | <varlistentry> |
---|
1513 | <term>/apps/gdm/simple-greeter/banner_message_enable</term> |
---|
1514 | <listitem> |
---|
1515 | <synopsis>false (boolean)</synopsis> |
---|
1516 | <para> |
---|
1517 | Controls whether the banner message text is displayed. |
---|
1518 | </para> |
---|
1519 | </listitem> |
---|
1520 | </varlistentry> |
---|
1521 | |
---|
1522 | <varlistentry> |
---|
1523 | <term>/apps/gdm/simple-greeter/banner_message_text</term> |
---|
1524 | <listitem> |
---|
1525 | <synopsis>NULL (string)</synopsis> |
---|
1526 | <para> |
---|
1527 | Specifies the text banner message to show on the greeter |
---|
1528 | window. |
---|
1529 | </para> |
---|
1530 | </listitem> |
---|
1531 | </varlistentry> |
---|
1532 | |
---|
1533 | <varlistentry> |
---|
1534 | <term>/apps/gdm/simple-greeter/debug</term> |
---|
1535 | <listitem> |
---|
1536 | <synopsis>false (boolean)</synopsis> |
---|
1537 | <para> |
---|
1538 | If true, then debugging mode is enabled for the greeter. |
---|
1539 | </para> |
---|
1540 | </listitem> |
---|
1541 | </varlistentry> |
---|
1542 | |
---|
1543 | <varlistentry> |
---|
1544 | <term>/apps/gdm/simple-greeter/disable_restart_buttons</term> |
---|
1545 | <listitem> |
---|
1546 | <synopsis>false (boolean)</synopsis> |
---|
1547 | <para> |
---|
1548 | Controls whether to show the restart buttons in the login |
---|
1549 | window. |
---|
1550 | </para> |
---|
1551 | </listitem> |
---|
1552 | </varlistentry> |
---|
1553 | |
---|
1554 | <varlistentry> |
---|
1555 | <term>/apps/gdm/simple-greeter/disable_user_list</term> |
---|
1556 | <listitem> |
---|
1557 | <synopsis>false (boolean)</synopsis> |
---|
1558 | <para> |
---|
1559 | If true, then the face browser with known users is not shown |
---|
1560 | in the login window. |
---|
1561 | </para> |
---|
1562 | </listitem> |
---|
1563 | </varlistentry> |
---|
1564 | |
---|
1565 | <varlistentry> |
---|
1566 | <term>/apps/gdm/simple-greeter/include</term> |
---|
1567 | <listitem> |
---|
1568 | <synopsis>[] (string list)</synopsis> |
---|
1569 | <para> |
---|
1570 | Set to a list of users to always include in the Face Browser. |
---|
1571 | </para> |
---|
1572 | </listitem> |
---|
1573 | </varlistentry> |
---|
1574 | |
---|
1575 | <varlistentry> |
---|
1576 | <term>/apps/gdm/simple-greeter/include_all</term> |
---|
1577 | <listitem> |
---|
1578 | <synopsis>true (boolean)</synopsis> |
---|
1579 | <para> |
---|
1580 | If true, then the face browser will show all users on the |
---|
1581 | local machine. If false, the face browser will only show |
---|
1582 | users who have recently logged in. |
---|
1583 | </para> |
---|
1584 | <para> |
---|
1585 | In more detail, this option works as follows. When this key |
---|
1586 | is true, GDM will call fgetpwent() to get a list of local users |
---|
1587 | on the system. The Face Browser also will display any users |
---|
1588 | that have previously logged in on the system (for example |
---|
1589 | NIS/LDAP users). It gets this list via calling the ck-history |
---|
1590 | ConsoleKit interface. It will also filter out any users which |
---|
1591 | do not have a valid shell (valid shells are any shell that |
---|
1592 | getusershell() returns; <filename>/sbin/nologin</filename> and |
---|
1593 | <filename>/bin/false</filename> are considered invalid shells |
---|
1594 | even if getusershell() returns them). |
---|
1595 | </para> |
---|
1596 | |
---|
1597 | <para> |
---|
1598 | If false, then GDM simply displays only users that have |
---|
1599 | previously logged in on the system (local or NIS/LDAP users) by |
---|
1600 | calling the ck-history ConsoleKit interface. |
---|
1601 | </para> |
---|
1602 | |
---|
1603 | <para> |
---|
1604 | In both cases, GDM filters out any users with a UID less than |
---|
1605 | 500 (or 100 if running on Solaris). Such users are considered |
---|
1606 | system users. |
---|
1607 | </para> |
---|
1608 | </listitem> |
---|
1609 | </varlistentry> |
---|
1610 | |
---|
1611 | <varlistentry> |
---|
1612 | <term>/apps/gdm/simple-greeter/exclude</term> |
---|
1613 | <listitem> |
---|
1614 | <synopsis>[] (string list)</synopsis> |
---|
1615 | <para> |
---|
1616 | Set to a list of users to always exclude in the Face Browser. |
---|
1617 | </para> |
---|
1618 | </listitem> |
---|
1619 | </varlistentry> |
---|
1620 | |
---|
1621 | <varlistentry> |
---|
1622 | <term>/apps/gdm/simple-greeter/logo_icon_name</term> |
---|
1623 | <listitem> |
---|
1624 | <synopsis>computer (string)</synopsis> |
---|
1625 | <para> |
---|
1626 | Set to the themed icon name to use for the greeter logo. |
---|
1627 | </para> |
---|
1628 | </listitem> |
---|
1629 | </varlistentry> |
---|
1630 | |
---|
1631 | <varlistentry> |
---|
1632 | <term>/apps/gdm/simple-greeter/recent-languages</term> |
---|
1633 | <listitem> |
---|
1634 | <synopsis>[] (string list)</synopsis> |
---|
1635 | <para> |
---|
1636 | Set to a list of languages to be shown by default in the login |
---|
1637 | window. Default value is "[]". With the default setting only |
---|
1638 | the system default language is shown and the option "Other..." |
---|
1639 | which pops up a dialog box showing a full list of available |
---|
1640 | languages which the user can select. |
---|
1641 | </para> |
---|
1642 | |
---|
1643 | <para> |
---|
1644 | Users are not intended to change this setting by hand. Instead |
---|
1645 | GDM keeps track of any languages selected in this configuration |
---|
1646 | key, and will show them in the language combo box along with |
---|
1647 | the "Other..." choice. This way, commonly selected languages |
---|
1648 | are easier to select. |
---|
1649 | </para> |
---|
1650 | </listitem> |
---|
1651 | </varlistentry> |
---|
1652 | |
---|
1653 | <varlistentry> |
---|
1654 | <term>/apps/gdm/simple-greeter/recent-layouts</term> |
---|
1655 | <listitem> |
---|
1656 | <synopsis>[] (string list)</synopsis> |
---|
1657 | <para> |
---|
1658 | Set to a list of keyboard layouts to be shown by default in the |
---|
1659 | login panel. Default value is "[]". With the default setting |
---|
1660 | only the system default keyboard layout is shown and the option |
---|
1661 | "Other..." which pops up a dialog box showing a full list of |
---|
1662 | available keyboard layouts which the user can select. |
---|
1663 | </para> |
---|
1664 | |
---|
1665 | <para> |
---|
1666 | Users are not intended to change this setting by hand. Instead |
---|
1667 | GDM keeps track of any keyboard layouts selected in this |
---|
1668 | configuration key, and will show them in the keyboard layout |
---|
1669 | combo box along with the "Other..." choice. This way, commonly |
---|
1670 | selected keyboard layouts are easier to select. |
---|
1671 | </para> |
---|
1672 | </listitem> |
---|
1673 | </varlistentry> |
---|
1674 | |
---|
1675 | <varlistentry> |
---|
1676 | <term>/apps/gdm/simple-greeter/wm_use_compiz</term> |
---|
1677 | <listitem> |
---|
1678 | <synopsis>false (boolean)</synopsis> |
---|
1679 | <para> |
---|
1680 | Controls whether compiz is used as the window manager instead |
---|
1681 | of metacity. |
---|
1682 | </para> |
---|
1683 | </listitem> |
---|
1684 | </varlistentry> |
---|
1685 | </variablelist> |
---|
1686 | </sect2> |
---|
1687 | |
---|
1688 | <sect2 id="accessibilityconfiguration"> |
---|
1689 | <title>Accessibility Configuration</title> |
---|
1690 | |
---|
1691 | <para> |
---|
1692 | This section describes the accessibility configuration options available |
---|
1693 | in GDM. |
---|
1694 | </para> |
---|
1695 | |
---|
1696 | <sect3 id="accessibilitydialog"> |
---|
1697 | <title>GDM Accessibility Dialog And GConf Keys</title> |
---|
1698 | |
---|
1699 | <para> |
---|
1700 | The GDM greeter panel at the login screen displays an accessibility |
---|
1701 | icon. Clicking on that icon opens the GDM Accessibility Dialog. In |
---|
1702 | the GDM Accessibility Dialog, there is a list of checkboxes, so the |
---|
1703 | user can enable or disable the associated assistive tools. |
---|
1704 | </para> |
---|
1705 | |
---|
1706 | <para> |
---|
1707 | The checkboxes that correspond to the on-screen keyboard, screen |
---|
1708 | magnifier and screen reader assistive tools act on the three GConf |
---|
1709 | keys that are described in the next section of this document. By |
---|
1710 | enabling or disabling these checkboxes, the associated GConf key is |
---|
1711 | set to "true" or "false". When the GConf key is set to true, the |
---|
1712 | assistive tools linked to this GConf key are launched. When the |
---|
1713 | GConf key is set to "false", any running assistive tool linked to |
---|
1714 | this GConf key is terminated. These GConf keys are not automatically |
---|
1715 | reset to a default state after the user has logged in. Consequently, |
---|
1716 | the assistive tools that were running during the last GDM login |
---|
1717 | session will automatically be launched at the next GDM login session. |
---|
1718 | </para> |
---|
1719 | |
---|
1720 | <para> |
---|
1721 | The other checkboxes in the GDM Accessibility Dialog do not have |
---|
1722 | corresponding GConf keys because no additional program is launched to |
---|
1723 | provide the accessibility features that they offer. These other |
---|
1724 | options correspond to accessibility features that are provided by the |
---|
1725 | Xserver, which is always running during the GDM session. |
---|
1726 | </para> |
---|
1727 | </sect3> |
---|
1728 | |
---|
1729 | <sect3 id="accessibilitygconfconfiguration"> |
---|
1730 | <title>Accessibility GConf Keys</title> |
---|
1731 | |
---|
1732 | <para> |
---|
1733 | GDM offers the following GConf keys to control its accessibility |
---|
1734 | features: |
---|
1735 | </para> |
---|
1736 | |
---|
1737 | <variablelist> |
---|
1738 | <title>GDM Configuration Keys</title> |
---|
1739 | |
---|
1740 | <varlistentry> |
---|
1741 | <term>/desktop/gnome/interface/accessibility</term> |
---|
1742 | <listitem> |
---|
1743 | <synopsis>false (boolean)</synopsis> |
---|
1744 | <para> |
---|
1745 | Controls whether the Accessibility infrastructure will be |
---|
1746 | started with the GDM GUI. This is needed for many |
---|
1747 | accessibility technology programs to work. |
---|
1748 | </para> |
---|
1749 | </listitem> |
---|
1750 | </varlistentry> |
---|
1751 | <varlistentry> |
---|
1752 | <term>/desktop/gnome/applications/at/screen_magnifier_enabled</term> |
---|
1753 | <listitem> |
---|
1754 | <synopsis>false (boolean)</synopsis> |
---|
1755 | <para> |
---|
1756 | If set, then the assistive tools linked to this GConf key will |
---|
1757 | be started with the GDM GUI program. By default this is a |
---|
1758 | screen magnifier application. |
---|
1759 | </para> |
---|
1760 | </listitem> |
---|
1761 | </varlistentry> |
---|
1762 | <varlistentry> |
---|
1763 | <term>/desktop/gnome/applications/at/screen_keyboard_enabled</term> |
---|
1764 | <listitem> |
---|
1765 | <synopsis>false (boolean)</synopsis> |
---|
1766 | <para> |
---|
1767 | If set, then the assistive tools linked to this GConf key will |
---|
1768 | be started with the GDM GUI program. By default this is an |
---|
1769 | on-screen keyboard application. |
---|
1770 | </para> |
---|
1771 | </listitem> |
---|
1772 | </varlistentry> |
---|
1773 | <varlistentry> |
---|
1774 | <term>/desktop/gnome/applications/at/screen_reader_enabled</term> |
---|
1775 | <listitem> |
---|
1776 | <synopsis>false (boolean)</synopsis> |
---|
1777 | <para> |
---|
1778 | If set, then the assistive tools linked to this GConf key will |
---|
1779 | be started with the GDM GUI program. By default this is a |
---|
1780 | screen reader application. |
---|
1781 | </para> |
---|
1782 | </listitem> |
---|
1783 | </varlistentry> |
---|
1784 | </variablelist> |
---|
1785 | </sect3> |
---|
1786 | |
---|
1787 | <sect3 id="accessibilitytoolsconfiguration"> |
---|
1788 | <title>Linking GConf Keys to Accessibility Tools</title> |
---|
1789 | |
---|
1790 | <para> |
---|
1791 | For the screen_magnifier_enabled, the screen_keyboard_enabled, and the |
---|
1792 | screen_reader_enabled GConf keys, the assistive tool which gets |
---|
1793 | launched depends on the desktop files located in the GDM autostart |
---|
1794 | directory as described in the "Autostart Configuration" section of |
---|
1795 | this manual. Any desktop file in the GDM autostart directory can be |
---|
1796 | linked to one of these GConf keys by specifying that GConf key in the |
---|
1797 | AutostartCondition value in the desktop file. So the exact |
---|
1798 | AutostartCondition line in the desktop file could be one of the |
---|
1799 | following: |
---|
1800 | </para> |
---|
1801 | |
---|
1802 | <screen> |
---|
1803 | AutostartCondition=GNOME /desktop/gnome/applications/at/screen_keyboard_enabled |
---|
1804 | AutostartCondition=GNOME /desktop/gnome/applications/at/screen_magnifier_enabled |
---|
1805 | AutostartCondition=GNOME /desktop/gnome/applications/at/screen_reader_enabled |
---|
1806 | </screen> |
---|
1807 | |
---|
1808 | <para> |
---|
1809 | When an accessibility key is true, then any program which is linked to |
---|
1810 | that key in a GDM autostart desktop file will be launched (unless the |
---|
1811 | Hidden key is set to true in that desktop file). A single GConf key |
---|
1812 | can even start multiple assistive tools if there are multiple desktop |
---|
1813 | files with this AutostartCondition in the GDM autostart directory. |
---|
1814 | </para> |
---|
1815 | </sect3> |
---|
1816 | |
---|
1817 | <sect3 id="accessibilitytoolexample"> |
---|
1818 | <title>Example Of Modifying Accessibility Tool Configuration</title> |
---|
1819 | |
---|
1820 | <para> |
---|
1821 | For example, if GNOME is distributed with GOK as the default on-screen |
---|
1822 | keyboard, then this could be replaced with a different program if |
---|
1823 | desired. To replace GOK with the on-screen keyboard application |
---|
1824 | "onboard" and additionally activate the assistive tool "mousetweaks" |
---|
1825 | for dwelling support, then the following configuration is needed. |
---|
1826 | </para> |
---|
1827 | |
---|
1828 | <para> |
---|
1829 | Create a desktop file for onboard and a second one for mousetweaks; |
---|
1830 | for example, onboard.desktop and mousetweaks.desktop. These files |
---|
1831 | must be placed in the GDM autostart directory and be in the format |
---|
1832 | as explained in the "Autostart Configuration" section of this |
---|
1833 | document. |
---|
1834 | </para> |
---|
1835 | |
---|
1836 | <para> |
---|
1837 | The following is an example <filename>onboard.desktop</filename> file: |
---|
1838 | </para> |
---|
1839 | |
---|
1840 | <screen> |
---|
1841 | [Desktop Entry] |
---|
1842 | Encoding=UTF-8 |
---|
1843 | Name=Onboard Onscreen Keyboard |
---|
1844 | Comment=Use an on-screen keyboard |
---|
1845 | TryExec=onboard |
---|
1846 | Exec=onboard --size 500x180 -x 20 -y 10 |
---|
1847 | Terminal=false |
---|
1848 | Type=Application |
---|
1849 | StartupNotify=true |
---|
1850 | Categories=GNOME;GTK;Accessibility; |
---|
1851 | AutostartCondition=GNOME /desktop/gnome/applications/at/screen_keyboard_enabled |
---|
1852 | </screen> |
---|
1853 | |
---|
1854 | <para> |
---|
1855 | The following is an example <filename>mousetweaks.desktop</filename> |
---|
1856 | file: |
---|
1857 | </para> |
---|
1858 | |
---|
1859 | <screen> |
---|
1860 | [Desktop Entry] |
---|
1861 | Encoding=UTF-8 |
---|
1862 | Name=Software Mouse-Clicks |
---|
1863 | Comment=Perform clicks by dwelling with the pointer |
---|
1864 | TryExec=mousetweaks |
---|
1865 | Exec=mousetweaks --enable-dwell -m window -c -x 20 -y 240 |
---|
1866 | Terminal=false |
---|
1867 | Type=Application |
---|
1868 | StartupNotify=true |
---|
1869 | Categories=GNOME;GTK;Accessibility; |
---|
1870 | AutostartCondition=GNOME /desktop/gnome/applications/at/screen_keyboard_enabled |
---|
1871 | </screen> |
---|
1872 | |
---|
1873 | <para> |
---|
1874 | Note the line with the AutostartCondition that links both desktop |
---|
1875 | files to the GConf key for the on-screen keyboard. |
---|
1876 | </para> |
---|
1877 | |
---|
1878 | <para> |
---|
1879 | To disable GOK from starting, the desktop file for the GOK on-screen |
---|
1880 | keyboard must be removed or deactivated. Otherwise onboard and GOK |
---|
1881 | would simultaneously be started. This can be done by removing the |
---|
1882 | gok.desktop file from the GDM autostart directory, or by adding the |
---|
1883 | "Hidden=true" key setting to the gok.desktop file. |
---|
1884 | </para> |
---|
1885 | |
---|
1886 | <para> |
---|
1887 | After making these changes, GOK will no longer be started when the |
---|
1888 | user activates the on-screen keyboard in the GDM session; but onboard |
---|
1889 | and mousetweaks will instead be launched. |
---|
1890 | </para> |
---|
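An added audit example (not part of the GDM manual or of GDM itself): it reads desktop files as they would appear in the GDM autostart directory and reports which programs a given set of enabled GConf keys would launch on the login screen, honouring Hidden=true. The file contents are constructed samples; gok.desktop, magnifier.desktop, the function names, and the rule that an entry without AutostartCondition always starts are assumptions.

```python
"""Report which autostart entries a set of enabled GConf keys would launch."""
import configparser

AT = "/desktop/gnome/applications/at/"

# Constructed sample directory (file name -> text). The first two entries are
# trimmed from the manual's examples; the last two are made up for this demo.
SAMPLE_AUTOSTART_DIR = {
    "onboard.desktop": (
        "[Desktop Entry]\n"
        "Name=Onboard Onscreen Keyboard\n"
        "Exec=onboard --size 500x180 -x 20 -y 10\n"
        "Type=Application\n"
        "AutostartCondition=GNOME " + AT + "screen_keyboard_enabled\n"),
    "mousetweaks.desktop": (
        "[Desktop Entry]\n"
        "Name=Software Mouse-Clicks\n"
        "Exec=mousetweaks --enable-dwell -m window -c -x 20 -y 240\n"
        "Type=Application\n"
        "AutostartCondition=GNOME " + AT + "screen_keyboard_enabled\n"),
    "gok.desktop": (
        "[Desktop Entry]\n"
        "Name=GOK\n"
        "Exec=gok\n"
        "Type=Application\n"
        "Hidden=true\n"
        "AutostartCondition=GNOME " + AT + "screen_keyboard_enabled\n"),
    "magnifier.desktop": (
        "[Desktop Entry]\n"
        "Name=Example Magnifier\n"
        "Exec=example-magnifier\n"
        "Type=Application\n"
        "AutostartCondition=GNOME " + AT + "screen_magnifier_enabled\n"),
}


def parse_desktop_entry(text):
    """Return the [Desktop Entry] keys of one desktop file as a dict."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                       comment_prefixes=("#",), strict=False)
    parser.optionxform = str  # desktop-entry keys are case-sensitive
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}  # unparseable file: treat as launching nothing
    if not parser.has_section("Desktop Entry"):
        return {}
    return dict(parser["Desktop Entry"])


def condition_key(entry):
    """Return the GConf key named by 'AutostartCondition=GNOME key', else None."""
    cond = entry.get("AutostartCondition", "").split()
    if len(cond) == 2 and cond[0] == "GNOME":
        return cond[1]
    return None


def is_hidden(entry):
    return entry.get("Hidden", "false").strip().lower() == "true"


def launch_plan(files, enabled_keys):
    """List (file name, Exec line) pairs that would start for enabled_keys."""
    plan = []
    for name in sorted(files):
        entry = parse_desktop_entry(files[name])
        if not entry.get("Exec") or is_hidden(entry):
            continue
        # A present but unmet (or malformed) condition blocks the launch.
        if "AutostartCondition" in entry and condition_key(entry) not in enabled_keys:
            continue
        plan.append((name, entry["Exec"]))
    return plan


def programs_by_key(files):
    """Map each GConf key to the non-hidden desktop files linked to it."""
    linked = {}
    for name in sorted(files):
        entry = parse_desktop_entry(files[name])
        key = condition_key(entry)
        if key is None or is_hidden(entry):
            continue
        linked.setdefault(key, []).append(name)
    return linked


if __name__ == "__main__":
    for name, cmd in launch_plan(SAMPLE_AUTOSTART_DIR, {AT + "screen_keyboard_enabled"}):
        print(name, "->", cmd)
```

Run against the real autostart directory, the same report shows every program a single accessibility key starts before any user has authenticated.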
1891 | </sect3> |
---|
1892 | </sect2> |
---|
1893 | |
---|
1894 | <sect2 id="generalsessionconfig"> |
---|
1895 | <title>General Session Settings</title> |
---|
1896 | <!-- |
---|
1897 | <para> |
---|
1898 | TODO - I think this section should be expanded upon. What specific |
---|
1899 | keys are of interest, or would some users be likely to want |
---|
1900 | to configure? Also, would be good to be more specific about |
---|
1901 | how lock down management is handled. |
---|
1902 | </para> |
---|
1903 | --> |
---|
1904 | <para> |
---|
1905 | The GDM Greeter uses some of the same framework that your desktop |
---|
1906 | session will use. And so, it is influenced by a number of the same |
---|
1907 | GConf settings. For each of these settings the Greeter will use the |
---|
1908 | default value unless it is specifically overridden by a) GDM's |
---|
1909 | installed mandatory policy or b) system mandatory policy. GDM installs |
---|
1910 | its own mandatory policy to lock down some settings for security. |
---|
1911 | </para> |
---|
1912 | </sect2> |
---|
1913 | |
---|
1914 | <sect2 id="gnomesettingsdaemon"> |
---|
1915 | <title>GNOME Settings Daemon</title> |
---|
1916 | <!-- |
---|
1917 | <para> |
---|
1918 | TODO - I think this section should be expanded upon. What specific |
---|
1919 | keys are of interest, or would some users be likely to want |
---|
1920 | to configure? Also, would be good to give a more complete |
---|
1921 | list of plugins that users might want to consider disabling. |
---|
1922 | Also, shouldn't we list the sound/active key in the Greeter |
---|
1923 | configuration setting? Oddly I do not find this key used |
---|
1924 | in anything but the chooser in SVN. |
---|
1925 | </para> |
---|
1926 | --> |
---|
1927 | |
---|
1928 | <para> |
---|
1929 | GDM enables the following gnome-settings-daemon plugins: |
---|
1930 | a11y-keyboard, background, sound, xsettings. |
---|
1931 | </para> |
---|
1932 | |
---|
1933 | <para> |
---|
1934 | These are responsible for things like the background image, font and |
---|
1935 | theme settings, sound events, etc. |
---|
1936 | </para> |
---|
1937 | |
---|
1938 | <para> |
---|
1939 | Plugins can also be disabled using GConf. For example, if you want to |
---|
1940 | disable the sound plugin then unset the following key: |
---|
1941 | <filename>/apps/gdm/simple-greeter/settings-manager-plugins/sound/active</filename>. |
---|
1942 | </para> |
---|
1943 | </sect2> |
---|
1944 | |
---|
1945 | <sect2 id="sessionconfig"> |
---|
1946 | <title>GDM Session Configuration</title> |
---|
1947 | |
---|
1948 | <para> |
---|
1949 | GDM sessions are specified using the FreeDesktop.org Desktop Entry |
---|
1950 | Specification, which can be referenced at the following URL: |
---|
1951 | <ulink url="http://www.freedesktop.org/wiki/Specifications/desktop-entry-spec"> |
---|
1952 | http://www.freedesktop.org/wiki/Specifications/desktop-entry-spec</ulink>. |
---|
1953 | </para> |
---|
1954 | |
---|
1955 | <para> |
---|
1956 | By default, GDM will install desktop files in the |
---|
1957 | <filename><share>/xsessions</filename> directory. GDM will |
---|
1958 | search the following directories in this order to find desktop files: |
---|
1959 | <filename><etc>/X11/sessions/</filename>, |
---|
1960 | <filename><dmconfdir>/Sessions</filename>, |
---|
1961 | <filename><share>/xsessions</filename>, and |
---|
1962 | <filename><share>/gdm/BuiltInSessions</filename>. By default the |
---|
1963 | <filename><dmconfdir></filename> is set to |
---|
1964 | <filename><etc>/dm/</filename> unless GDM is configured to use |
---|
1965 | a different directory via the "--with-dmconfdir" option. |
---|
1966 | </para> |
---|
1967 | |
---|
1968 | <para> |
---|
1969 | A session can be disabled by editing the desktop file and adding a line |
---|
1970 | that says <filename>Hidden=true</filename>. |
---|
1971 | </para> |
---|
1972 | </sect2> |
---|
1973 | |
---|
1974 | <sect2 id="userconfig"> |
---|
1975 | <title>GDM User Session and Language Configuration</title> |
---|
1976 | <para> |
---|
1977 | The user's default session and language choices are stored in the |
---|
1978 | <filename>~/.dmrc</filename> file. When a user logs in for the first |
---|
1979 | time, this file is created with the user's initial choices. The user |
---|
1980 | can change these default values by simply changing to a different value |
---|
1981 | when logging in. GDM will remember this change for subsequent logins. |
---|
1982 | </para> |
---|
1983 | |
---|
1984 | <para> |
---|
1985 | The <filename>~/.dmrc</filename> file is in the standard |
---|
1986 | <filename>INI</filename> format. It has one section called |
---|
1987 | <filename>[Desktop]</filename> which has two keys: |
---|
1988 | <filename>Session</filename> and <filename>Language</filename>. |
---|
1989 | </para> |
---|
1990 | |
---|
1991 | <para> |
---|
1992 | The <filename>Session</filename> key specifies the basename of the |
---|
1993 | session <filename>.desktop</filename> file that the user wishes to |
---|
1994 | normally use without the <filename>.desktop</filename> extension. |
---|
1995 | The <filename>Language</filename> key specifies the language that the |
---|
1996 | user wishes to use by default. If either of these keys is missing, the |
---|
1997 | system default is used. The file would normally look as follows: |
---|
1998 | </para> |
---|
1999 | |
---|
2000 | <screen> |
---|
2001 | [Desktop] |
---|
2002 | Session=gnome |
---|
2003 | Language=cs_CZ.UTF-8 |
---|
2004 | </screen> |
---|
2005 | </sect2> |
---|
2006 | |
---|
2007 | </sect1> |
---|
2008 | |
---|
2009 | <!-- ============= GDM Commands ============================= --> |
---|
2010 | |
---|
2011 | <sect1 id="binaries"> |
---|
2012 | <title>GDM Commands</title> |
---|
2013 | |
---|
2014 | <sect2 id="sbindir_binaries"> |
---|
2015 | <title>GDM Root User Commands</title> |
---|
2016 | |
---|
2017 | <para> |
---|
2018 | The GDM package provides the following commands in |
---|
2019 | <filename>sbindir</filename> intended to be run by the root user: |
---|
2020 | </para> |
---|
2021 | |
---|
2022 | <sect3 id="gdmcommandline"> |
---|
2023 | <title><command>gdm</command> and <command>gdm-binary</command> |
---|
2024 | Command Line Options</title> |
---|
2025 | |
---|
2026 | <para> |
---|
2027 | The <command>gdm</command> command is really just a script which |
---|
2028 | runs the <command>gdm-binary</command>, passing along any options. |
---|
2029 | Before launching <command>gdm-binary</command>, the gdm wrapper |
---|
2030 | script will source the <filename><etc>/profile</filename> file |
---|
2031 | to set the standard system environment variables. In order to better |
---|
2032 | support internationalization, it will also set the LC_MESSAGES |
---|
2033 | environment variable to LANG if neither LC_MESSAGES nor LC_ALL is |
---|
2034 | set. The <command>gdm-binary</command> is the actual GDM daemon. |
---|
2035 | </para> |
---|
2036 | |
---|
2037 | <variablelist> |
---|
2038 | <title><command>gdm</command> and <command>gdm-binary</command> |
---|
2039 | Command Line Options</title> |
---|
2040 | |
---|
2041 | <varlistentry> |
---|
2042 | <term>-?, --help</term> |
---|
2043 | <listitem> |
---|
2044 | <para> |
---|
2045 | Gives a brief overview of the command line options. |
---|
2046 | </para> |
---|
2047 | </listitem> |
---|
2048 | </varlistentry> |
---|
2049 | |
---|
2050 | <varlistentry> |
---|
2051 | <term>--debug</term> |
---|
2052 | <listitem> |
---|
2053 | <para> |
---|
2054 | Print debug output to the syslog. This is typically |
---|
2055 | <filename><var>/log/messages</filename> or |
---|
2056 | <filename><var>/adm/messages</filename> depending on |
---|
2057 | your Operating System. |
---|
2058 | </para> |
---|
2059 | </listitem> |
---|
2060 | </varlistentry> |
---|
2061 | |
---|
2062 | <varlistentry> |
---|
2063 | <term>--fatal-warnings</term> |
---|
2064 | <listitem> |
---|
2065 | <para> |
---|
2066 | Make all warnings cause GDM to exit. |
---|
2067 | </para> |
---|
2068 | </listitem> |
---|
2069 | </varlistentry> |
---|
2070 | |
---|
2071 | <varlistentry> |
---|
2072 | <term>--timed-exit</term> |
---|
2073 | <listitem> |
---|
2074 | <para> |
---|
2075 | Exit after 30 seconds. Useful for debugging. |
---|
2076 | </para> |
---|
2077 | </listitem> |
---|
2078 | </varlistentry> |
---|
2079 | |
---|
2080 | <varlistentry> |
---|
2081 | <term>--version</term> |
---|
2082 | <listitem> |
---|
2083 | <para> |
---|
2084 | Print the version of the GDM daemon. |
---|
2085 | </para> |
---|
2086 | </listitem> |
---|
2087 | </varlistentry> |
---|
2088 | </variablelist> |
---|
2089 | </sect3> |
---|
2090 | |
---|
2091 | <sect3 id="gdmrestartcommandline"> |
---|
2092 | <title><command>gdm-restart</command> Command Line Options</title> |
---|
2093 | |
---|
2094 | <para> |
---|
2095 | <command>gdm-restart</command> stops and restarts GDM by sending |
---|
2096 | the GDM daemon a HUP signal. This command will immediately terminate |
---|
2097 | all sessions and log out users currently logged in with GDM. |
---|
2098 | </para> |
---|
2099 | </sect3> |
---|
2100 | |
---|
2101 | <sect3 id="gdmsaferestartcommandline"> |
---|
2102 | <title><command>gdm-safe-restart</command> Command Line Options</title> |
---|
2103 | |
---|
2104 | <para> |
---|
2105 | <command>gdm-safe-restart</command> stops and restarts GDM by |
---|
2106 | sending the GDM daemon a USR1 signal. GDM will be restarted as soon |
---|
2107 | as all users log out. |
---|
2108 | </para> |
---|
2109 | </sect3> |
---|
2110 | |
---|
2111 | <sect3 id="gdmstopcommandline"> |
---|
2112 | <title><command>gdm-stop</command> Command Line Options</title> |
---|
2113 | |
---|
2114 | <para> |
---|
2115 | <command>gdm-stop</command> stops GDM by sending the GDM daemon |
---|
2116 | a TERM signal. |
---|
2117 | </para> |
---|
2118 | </sect3> |
---|
2119 | </sect2> |
---|
2120 | </sect1> |
---|
2121 | |
---|
2122 | <!-- ============= Troubleshooting =========================== --> |
---|
2123 | |
---|
2124 | <sect1 id="troubleshooting"> |
---|
2125 | <title>Troubleshooting</title> |
---|
2126 | <!-- |
---|
2127 | <para> |
---|
2128 | TODO - any other tips we should add? Might be useful to highlight any |
---|
2129 | common D-Bus configuration issues? |
---|
2130 | </para> |
---|
2131 | --> |
---|
2132 | |
---|
2133 | <para> |
---|
2134 | This section discusses helpful tips for getting GDM working. In general, |
---|
2135 | if you have a problem using GDM, you can submit a bug or send an email |
---|
2136 | to the gdm-list mailing list. Information about how to do this is in |
---|
2137 | the Introduction section of the document. |
---|
2138 | </para> |
---|
2139 | |
---|
2140 | <para> |
---|
2141 | If GDM is failing to work properly, it is always a good idea to include |
---|
2142 | debug information. To turn on debug, launch gdm with the --debug |
---|
2143 | option. Then use GDM to the point where it fails, and debug output will |
---|
2144 | be sent to your system log |
---|
2145 | (<filename>&lt;var&gt;/log/messages</filename> or |
---|
2146 | <filename>&lt;var&gt;/adm/messages</filename> depending on your Operating |
---|
2147 | System). If you share this output with the GDM community via a bug |
---|
2148 | report or email, please only include the GDM related debug information |
---|
2149 | and not the entire file since it can be large. If you do not see any |
---|
2150 | GDM syslog output, you may need to configure syslog (refer to the |
---|
2151 | <ulink type="help" url="man:syslog">syslog</ulink> man page). |
---|
2152 | </para> |
---|
2153 | |
---|
2154 | <sect2 id="wontstart"> |
---|
2155 | <title>GDM Will Not Start</title> |
---|
2156 | |
---|
2157 | <para> |
---|
2158 | There are many problems that can cause GDM to fail to start, but |
---|
2159 | this section will discuss a few common problems and how to approach |
---|
2160 | tracking down a problem with GDM starting. Some problems will |
---|
2161 | cause GDM to respond with an error message or dialog when it tries |
---|
2162 | to start, but it can be difficult to track down problems when GDM |
---|
2163 | fails silently. |
---|
2164 | </para> |
---|
2165 | |
---|
2166 | <para> |
---|
2167 | First make sure that the Xserver is configured properly. The |
---|
2168 | GDM configuration file contains a command in the [server-Standard] |
---|
2169 | section that is used for starting the Xserver. Verify that this |
---|
2170 | command works on your system. Running this command from the |
---|
2171 | console should start the Xserver. If it fails, then the problem |
---|
2172 | is likely with your Xserver configuration. Refer to your Xserver |
---|
2173 | error log for an idea of what the problem may be. The problem may |
---|
2174 | also be that your Xserver requires different command-line options. |
---|
2175 | If so, then modify the Xserver command in the GDM configuration file |
---|
2176 | so that it is correct for your system. |
---|
2177 | </para> |
---|
2178 | |
---|
2179 | <para> |
---|
2180 | Also make sure that the <filename>/tmp</filename> directory has |
---|
2181 | reasonable ownership and permissions, and that the machine's file |
---|
2182 | system is not full. These problems will cause GDM to fail to start. |
---|
2183 | </para> |
---|
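One way to run the /tmp checks described above, as an added shell example that is not part of the GDM manual. The expected mode (1777, shown by ls as drwxrwxrwt), the expected owner (root) and the 10240 KB free-space threshold are assumptions; the manual only asks for "reasonable" ownership and permissions and a file system that is not full.

```shell
#!/bin/sh
# Added example (not from the GDM manual): report problems with a temp
# directory that can stop a display manager from starting.
# Usage: check_tmp DIR [MIN_FREE_KB] [OWNER]
# Prints "ok" and returns 0, or prints one line per problem and returns 1.
check_tmp() {
    dir=$1
    min_kb=${2:-10240}   # assumed threshold; the manual gives no number
    owner=${3:-root}     # assumed: /tmp is conventionally owned by root
    rc=0

    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"
        return 1
    fi

    # ls -ldL follows a symlinked /tmp; fields are: mode links owner ...
    set -- $(ls -ldL "$dir")
    mode=$1
    actual_owner=$3

    # Conventional /tmp mode is 1777: world-writable plus the sticky bit,
    # shown as a trailing "t". Without the sticky bit any user can delete
    # or replace files that belong to another user.
    case $mode in
        drwxrwxrwt*) ;;
        *) echo "$dir: mode is $mode, expected drwxrwxrwt"; rc=1 ;;
    esac

    if [ "$actual_owner" != "$owner" ]; then
        echo "$dir: owner is $actual_owner, expected $owner"
        rc=1
    fi

    # POSIX df -P prints one data line; field 4 is the available KB.
    avail=$(df -Pk "$dir" 2>/dev/null | awk 'NR == 2 { print $4 }')
    case $avail in
        ''|*[!0-9]*) echo "$dir: free space unknown"; rc=1 ;;
        *) if [ "$avail" -lt "$min_kb" ]; then
               echo "$dir: only $avail KB free, want $min_kb"
               rc=1
           fi ;;
    esac

    if [ "$rc" -eq 0 ]; then echo "ok"; fi
    return "$rc"
}

check_tmp /tmp || true
```
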
2184 | </sect2> |
---|
2185 | </sect1> |
---|
2186 | |
---|
2187 | <!-- ============= Application License ============================= --> |
---|
2188 | |
---|
2189 | <sect1 id="license"> |
---|
2190 | <title>License</title> |
---|
2191 | <para> |
---|
2192 | This program is free software; you can redistribute it and/or |
---|
2193 | modify it under the terms of the <ulink type="help" url="gnome-help:gpl"> |
---|
2194 | <citetitle>GNU General Public License</citetitle></ulink> as |
---|
2195 | published by the Free Software Foundation; |
---|
2196 | either version 2 of the License, or (at your option) any later |
---|
2197 | version. |
---|
2198 | </para> |
---|
2199 | <para> |
---|
2200 | This program is distributed in the hope that it will be useful, but |
---|
2201 | WITHOUT ANY WARRANTY; without even the implied warranty of |
---|
2202 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
---|
2203 | <citetitle>GNU General Public License</citetitle> for more details. |
---|
2204 | </para> |
---|
2205 | <para> |
---|
2206 | A copy of the <citetitle>GNU General Public License</citetitle> is |
---|
2207 | included as an appendix to the <citetitle>GNOME Users |
---|
2208 | Guide</citetitle>. You may also obtain a copy of the |
---|
2209 | <citetitle>GNU General Public License</citetitle> from the Free |
---|
2210 | Software Foundation by visiting |
---|
2211 | <ulink type="http" url="http://www.fsf.org">their Web site</ulink> or by |
---|
2212 | writing to |
---|
2213 | <address> |
---|
2214 | Free Software Foundation, Inc. |
---|
2215 | <street>51 Franklin Street, Fifth Floor</street> |
---|
2216 | <city>Boston</city>, <state>MA</state> <postcode>02110-1301</postcode> |
---|
2217 | <country>USA</country> |
---|
2218 | </address> |
---|
2219 | </para> |
---|
2220 | </sect1> |
---|
2221 | </article> |
---|
2222 | |
---|
2223 | <!-- Keep this comment at the end of the file |
---|
2224 | Local variables: |
---|
2225 | mode: sgml |
---|
2226 | sgml-omittag:t |
---|
2227 | sgml-shorttag:t |
---|
2228 | sgml-minimize-attributes:nil |
---|
2229 | sgml-always-quote-attributes:t |
---|
2230 | sgml-indent-step:2 |
---|
2231 | sgml-indent-data:t |
---|
2232 | sgml-parent-document:nil |
---|
2233 | sgml-exposed-tags:nil |
---|
2234 | sgml-local-catalogs:nil |
---|
2235 | sgml-local-ecat-files:nil |
---|
2236 | End: |
---|
2237 | --> |
---|