<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [
<!ENTITY legal SYSTEM "legal.xml">
<!ENTITY version "2.19.7">
<!ENTITY date "07/09/2007">
<!ENTITY mdash "—">
<!ENTITY percnt "%">
<article id="index" lang="oc">
<title>Gnome Display Manager Reference Manual</title>
<revnumber>0.0</revnumber>
<abstract role="description">
GDM is the GNOME Display Manager, a graphical login program.
<firstname>Martin</firstname><othername>K.</othername>
<surname>Petersen</surname>
<address><email>mkp@mkp.net</email></address>
<firstname>George</firstname><surname>Lebl</surname>
<address><email>jirka@5z.com</email></address>
<author role="maintainer">
<firstname>Brian</firstname><surname>Cameron</surname>
<address><email>Brian.Cameron@Sun.COM</email></address>
<firstname>Bill</firstname><surname>Haneman</surname>
<address><email>Bill.Haneman@Sun.COM</email></address>
<year>1998</year><year>1999</year><holder>Martin K. Petersen</holder>
<year>2001</year><year>2003</year><year>2004</year>
<holder>George Lebl</holder>
<year>2003</year> <holder>Red Hat, Inc.</holder>
<year>2003</year><year>2004</year><holder>Sun Microsystems, Inc.</holder>
<legalnotice id="legalnotice">
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation
License (GFDL), Version 1.1 or any later version published
by the Free Software Foundation with no Invariant Sections,
no Front-Cover Texts, and no Back-Cover Texts. You can find
a copy of the GFDL at this <ulink type="help" url="ghelp:fdl">link</ulink> or in the file COPYING-DOCS
distributed with this manual.

<para> This manual is part of a collection of GNOME manuals
distributed under the GFDL. If you want to distribute this
manual separately from the collection, you can do so by
adding a copy of the license to the manual, as described in
section 6 of the license.

Many of the names used by companies to distinguish their
products and services are claimed as trademarks. Where those
names appear in any GNOME documentation, and the members of
the GNOME Documentation Project are made aware of those
trademarks, then the names are in capital letters or initial

DOCUMENT AND MODIFIED VERSIONS OF THE DOCUMENT ARE PROVIDED
UNDER THE TERMS OF THE GNU FREE DOCUMENTATION LICENSE
WITH THE FURTHER UNDERSTANDING THAT:

<para>DOCUMENT IS PROVIDED ON AN "AS IS" BASIS,
WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR
IMPLIED, INCLUDING, WITHOUT LIMITATION, WARRANTIES
THAT THE DOCUMENT OR MODIFIED VERSION OF THE
DOCUMENT IS FREE OF DEFECTS MERCHANTABLE, FIT FOR
A PARTICULAR PURPOSE OR NON-INFRINGING. THE ENTIRE
RISK AS TO THE QUALITY, ACCURACY, AND PERFORMANCE
OF THE DOCUMENT OR MODIFIED VERSION OF THE
DOCUMENT IS WITH YOU. SHOULD ANY DOCUMENT OR
MODIFIED VERSION PROVE DEFECTIVE IN ANY RESPECT,
YOU (NOT THE INITIAL WRITER, AUTHOR OR ANY
CONTRIBUTOR) ASSUME THE COST OF ANY NECESSARY
SERVICING, REPAIR OR CORRECTION. THIS DISCLAIMER
OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THIS
LICENSE. NO USE OF ANY DOCUMENT OR MODIFIED
VERSION OF THE DOCUMENT IS AUTHORIZED HEREUNDER
EXCEPT UNDER THIS DISCLAIMER; AND

<para>UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL
THEORY, WHETHER IN TORT (INCLUDING NEGLIGENCE),
CONTRACT, OR OTHERWISE, SHALL THE AUTHOR,
INITIAL WRITER, ANY CONTRIBUTOR, OR ANY
DISTRIBUTOR OF THE DOCUMENT OR MODIFIED VERSION
OF THE DOCUMENT, OR ANY SUPPLIER OF ANY OF SUCH
PARTIES, BE LIABLE TO ANY PERSON FOR ANY
DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR
CONSEQUENTIAL DAMAGES OF ANY CHARACTER
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS
OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR
MALFUNCTION, OR ANY AND ALL OTHER DAMAGES OR
LOSSES ARISING OUT OF OR RELATING TO USE OF THE
DOCUMENT AND MODIFIED VERSIONS OF THE DOCUMENT,
EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED OF
THE POSSIBILITY OF SUCH DAMAGES.
This manual describes version 2.19.7 of the GNOME Display Manager.
It was last updated on 07/09/2007.

<title>Terms and Conventions Used in This Manual</title>

This manual describes version 2.19.7 of the GNOME Display Manager.
It was last updated on 07/09/2007.

Chooser - A program used to select a remote host for managing a
display remotely on the attached display (<command>gdmchooser</command>).

Configurator - The configuration application
(<command>gdmsetup</command>).

GDM - Gnome Display Manager. Used to describe the software package as a
whole. Sometimes also referred to as GDM2.

gdm - The Gnome Display Manager daemon (<command>gdm</command>).

Greeter - The graphical login window (<command>gdmlogin</command> or
<command>gdmgreeter</command>).

GTK+ Greeter - The standard login window (<command>gdmlogin</command>).

PAM - Pluggable Authentication Modules

Themed Greeter - The themable login window
(<command>gdmgreeter</command>).

XDMCP - X Display Manager Control Protocol

Paths that start with a word in angle brackets are relative to the
installation prefix. I.e. <filename>&lt;share&gt;/pixmaps/</filename>
refers to <filename>&lt;share&gt;/pixmaps</filename> if GDM was configured
with <command>--prefix=/usr</command>. Also note that GDM is normally
installed with <command>--sysconfdir=&lt;etc&gt;/X11</command>,
meaning any path we refer to as
<filename>&lt;etc&gt;/gdm/PreSession</filename> usually means
<filename>&lt;etc/X11&gt;/gdm/PreSession</filename>. Note that for
interoperability it is recommended that you use a --prefix of
<filename>/usr</filename> and a --sysconfdir of
<filename>&lt;etc&gt;/X11</filename>.
<sect1 id="overview">
<title>Overview</title>
<sect2 id="introduction">

The Gnome Display Manager (GDM) is a display manager that
implements all significant features required for managing
attached and remote displays. GDM was written from scratch and
does not contain any XDM / X Consortium code.

Note that GDM is highly configurable, and many configuration
settings can affect security. Issues to be aware of are highlighted
in this document and in the GDM Configuration files.

For further information about GDM, see
<ulink type="http" url="http://www.gnome.org/projects/gdm/">
the GDM project website</ulink>. Please submit any bug reports or
enhancement requests to the "gdm" category in
<ulink type="http" url="http://bugzilla.gnome.org/">bugzilla.gnome.org</ulink>.
You can also send a message to the
<address><email>gdm-list@gnome.org</email></address> mailing list to
discuss any issues or concerns with the GDM program.
<sect2 id="stability">

The key/value pairs defined in the GDM configuration files and
the location of these files are considered "stable" interfaces
and should only change in ways that are backwards compatible. Note that
this includes functionality like the GDM scripts (Init, PreSession,
PostSession, PostLogin, XKeepsCrashing, etc.); directory locations
(ServAuthDir, etc.), system applications (SoundProgram), etc.
Some configuration values that depend on OS interfaces may need to be
modified to work on a given OS. Typical examples are HaltCommand,
RebootCommand, CustomCommands, SuspendCommand, StandardXServer, Xnest,
SoundProgram, and the "command" value for each
<filename>server-foo</filename>.

Command-line interfaces for GDM programs installed to
<filename>&lt;bin&gt;</filename> and <filename>&lt;sbin&gt;</filename>
are considered stable. Refer to your distribution documentation to see
if there are any distribution-specific changes to these GDM interfaces
and what support exists for them.

As of the GDM 2.15 development series, some one-dash arguments are no
longer supported. This includes the "-xdmaddress",
"-clientaddress", and "-connectionType" arguments
used by <command>gdmchooser</command>. These arguments have been
changed to now use two dashes.

If issues are discovered that break compatibility, please file a bug
with an "urgent" priority.
<sect2 id="daemonov">
<title>The GDM Daemon</title>

The GDM daemon is responsible for managing displays on the system.
This includes authenticating users, starting the user session, and
terminating the user session. GDM is configurable and the ways it can
be configured are described in the "Configuring GDM" section
of this document. The <filename>Init</filename>,
<filename>PostLogin</filename>, <filename>PreSession</filename>,
and <filename>PostSession</filename> scripts mentioned below are
described in the "Configuring GDM" section.

The GDM daemon supports a UNIX domain socket protocol which can be used
to control aspects of its behavior and to query information. This
protocol is described in the "Controlling GDM" section of

GDM can be asked to manage a display in a number of ways. Attached
displays are always managed when GDM starts and will be restarted when
a user's session is finished. Remote displays can be requested via
XDMCP, flexible displays via the <command>gdmflexiserver</command>
command, and dynamic displays via the <command>gdmdynamic</command>
command. Displays that are started on request are not restarted on

When the GDM daemon is asked to manage a display, it will fork an
X server process, then run the <filename>Init</filename> script as the
root user, and start the login GUI dialog as a slave process on the
display. GDM can be configured to use either
<command>gdmgreeter</command> (the default) or
<command>gdmlogin</command> as the GUI dialog program. The
<command>gdmlogin</command> program supports accessibility while the
<command>gdmgreeter</command> program supports greater themeability.
The GUI dialog is run as the unprivileged "gdm" user/group
which is described in the "Security" section below. The GUI
dialog communicates with the daemon via a sockets protocol and via
standard input/output. The slave, for example, passes the username and
password information to the GDM daemon via standard input/output so
the daemon can handle the actual authentication.

The login GUI dialog screen allows the user to select which session
they wish to start and which language they wish to use. Sessions are
defined by files that end in the .desktop extension and more
information about these files can be found in the
"Configuration" section. The user enters their name and
password and if these successfully authenticate, GDM will start the
requested session for the user. It is possible to configure GDM to
avoid the authentication process by turning on the Automatic or Timed
Login features in the GDM configuration. The login GUI can also be
configured to provide additional features to the user, such as the
Face Browser; the ability to halt, restart, or suspend the system;
and/or edit the login configuration (after entering the root password).

GDM, by default, will use Pluggable Authentication Modules (PAM) for
authentication, but can also support regular crypt and shadow passwords
on legacy systems. After authenticating a user, the daemon runs the
<filename>PostLogin</filename> script as root, and forks a slave
process to start the requested session. This slave process runs the
<filename>PreSession</filename> script as root, sets up the user's
environment, and starts the requested session. GDM keeps track of the
user's default session and language in the user's
<filename>~/.dmrc</filename> and will use these defaults if the user
did not pick a session or language in the login GUI. On Solaris, GDM
(since version 2.8.0.3) uses the SDTLOGIN interface after user
authentication to tell the X server to be restarted as the user instead
of as root for added security. When the user's session exits, the GDM
daemon will run the <filename>PostSession</filename> script as root.

Note that, by default, GDM uses the "gdm" service name for
normal login and the "gdm-autologin" service name for
automatic login. The <filename>PamStack</filename> configuration
option can be used to specify a different service name. For example,
if "foo" is specified, then GDM will use the "foo"
service name for normal login and "foo-autologin" for

For those looking at the code, the gdm_verify_user function in
<filename>daemon/verify-pam.c</filename> is used for normal login
and the gdm_verify_setup_user function is used for automatic login.
<sect2 id="displaytypes">
<title>Different Display Types</title>

GDM supports three different display types: attached displays,
flexible displays, and XDMCP remote displays. The
"X Server Definitions" subsection of the
"Configuration" section explains how the X server is
configured for different displays.

Attached (also known as local or static) displays are always started by
the daemon, and when they die or are killed, they are restarted. GDM
can run as many of these as needed. GDM can also manage displays on
which it does not manage a GUI login, thus GDM can be used for
supporting X terminals. The "Attached DISPLAY Configuration"
subsection of the "Configuration" section describes how
attached displays are defined.

Flexible (also known as on-demand) displays are only available to users
logged on the console. Starting a flexible display will lock the
current user session and will show a new login screen over the current
running session. If at least one flexible display is already running,
and the user requests another, then a dialog will display showing
existing flexible displays. The user can choose to switch back to a
previous display or start a new flexible display. If the user switches
back to a previous display, they will need to enter the password in the
lock screen program to return to their session. The GDM configuration
file specifies the maximum number of flexible displays allowed on the

Flexible displays may be started by running the
<command>gdmflexiserver</command> command, or via calling the GDM
socket protocol directly. Some lock screen programs provide a button
to start a new flexible session. This allows a user to start a new
session even if the screen was left locked. The GNOME Fast User
Switch applet also uses the socket protocol to provide an applet
interface on the GNOME panel for managing user displays quickly.
Flexible displays are not restarted when the user session ends.
Flexible displays require virtual terminal (VT) support in the kernel,
and will not be available if not supported (such as on Solaris).

The <filename>FlexibleXServers</filename>,
<filename>FirstVT=7</filename>, <filename>VTAllocation</filename>,
and <filename>FlexiReapDelayMinutes</filename> configuration settings
are used to configure how flexible displays operate.

Nested displays are available to users even if not logged in on the
console. Nested displays launch a login screen in a window in the
user's current session. This can be useful if the user has more
than one account on a machine and wishes to login to the other
account without disrupting their current session. Nested displays
may be started by running the <command>gdmflexiserver -n</command>
command or via calling the GDM socket protocol directly. Nested
displays require that the X server supports a nested X server command
like Xnest or Xephyr. The <filename>Xnest</filename> configuration
option is used to configure how nested displays are started.

The <command>gdmdynamic</command> command is similar to
<command>gdmflexiserver</command> in the sense that it allows the
user to manage displays dynamically. However, displays started with
<command>gdmdynamic</command> are treated as attached displays, so
they are restarted automatically when the session exits. This
command is intended to be used in multi-user server environments
(many displays connected to a single server). In other words,
this command allows the displays to be managed without hardcoding
the display information in the "Attached DISPLAY
Configuration" section of the configuration file. This
is useful to support the ability of adding new displays to the
server without needing to restart GDM, for example.

The last display type is XDMCP remote displays, which are described
in the next section. Remote hosts can connect to GDM and present the
login screen if this is enabled. Some things are different for
remote sessions. For example, the Actions menu which allows you to
shut down, restart, suspend, or configure GDM is not shown.

The GDM daemon can be configured to listen for and manage X Display
Manager Control Protocol (XDMCP) requests from remote displays. By default
XDMCP support is turned off, but can be enabled if desired. If GDM is
built with TCP Wrapper support, then the daemon will only grant access
to hosts specified in the GDM service section in the TCP Wrappers

GDM includes several measures making it more resistant to denial of
service attacks on the XDMCP service. Many of the protocol
parameters, handshaking timeouts, etc. can be fine-tuned. The defaults
should work for most systems, however. Do not change them unless you
know what you are doing.

GDM listens on UDP port 177 and will respond to QUERY and
BROADCAST_QUERY requests by sending a WILLING packet to the originator.

GDM can also be configured to honor INDIRECT queries and present a
host chooser to the remote display. GDM will remember the user's
choice and forward subsequent requests to the chosen manager. GDM
also supports an extension to the protocol which will make it forget
the redirection once the user's connection succeeds. This extension
is only supported if both daemons are GDM. It is transparent and
will be ignored by XDM or other daemons that implement XDMCP.
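
The query and reply framing described above can be checked on datagrams seen on UDP port 177, for example to log which ones would draw a WILLING reply. The following C code is an added example, not part of GDM; the opcode numbers and field layouts come from the XDMCP specification rather than this manual, and the classification names and sample datagrams are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* XDMCP opcodes from the protocol specification (not listed in this manual). */
enum { XDMCP_BROADCAST_QUERY = 1, XDMCP_QUERY = 2, XDMCP_INDIRECT_QUERY = 3,
       XDMCP_WILLING = 5 };

/* Classification labels are this example's own. */
enum xdmcp_class {
    XDMCP_MALFORMED = 0,
    XDMCP_DISCOVERY,   /* QUERY or BROADCAST_QUERY: answered with WILLING */
    XDMCP_INDIRECT,    /* INDIRECT query: honored only if configured */
    XDMCP_IS_WILLING,  /* a manager's WILLING reply */
    XDMCP_OTHER        /* any other well-framed opcode */
};

/* All multi-byte XDMCP fields are big-endian. */
static unsigned rd16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Skip one ARRAY8 (CARD16 length + bytes); returns 0 if it overruns the body. */
static int skip_array8(const uint8_t *body, size_t len, size_t *off)
{
    size_t n;
    if (len - *off < 2) return 0;
    n = rd16(body + *off);
    *off += 2;
    if (len - *off < n) return 0;
    *off += n;
    return 1;
}

/* Query bodies are an ARRAYofARRAY8: CARD8 count, then that many ARRAY8s. */
static int query_body_ok(const uint8_t *body, size_t len)
{
    size_t off = 1, i;
    if (len < 1) return 0;
    for (i = 0; i < body[0]; i++)
        if (!skip_array8(body, len, &off)) return 0;
    return off == len;
}

/* WILLING bodies are three ARRAY8s: authentication name, hostname, status. */
static int willing_body_ok(const uint8_t *body, size_t len)
{
    size_t off = 0;
    int i;
    for (i = 0; i < 3; i++)
        if (!skip_array8(body, len, &off)) return 0;
    return off == len;
}

enum xdmcp_class xdmcp_classify(const uint8_t *pkt, size_t len)
{
    unsigned opcode;
    size_t body_len;

    if (len < 6 || rd16(pkt) != 1)      /* 6-byte header, version must be 1 */
        return XDMCP_MALFORMED;
    opcode = rd16(pkt + 2);
    body_len = rd16(pkt + 4);
    if (body_len != len - 6)            /* declared length must match datagram */
        return XDMCP_MALFORMED;

    switch (opcode) {
    case XDMCP_QUERY:
    case XDMCP_BROADCAST_QUERY:
        return query_body_ok(pkt + 6, body_len) ? XDMCP_DISCOVERY : XDMCP_MALFORMED;
    case XDMCP_INDIRECT_QUERY:
        return query_body_ok(pkt + 6, body_len) ? XDMCP_INDIRECT : XDMCP_MALFORMED;
    case XDMCP_WILLING:
        return willing_body_ok(pkt + 6, body_len) ? XDMCP_IS_WILLING : XDMCP_MALFORMED;
    default:
        return XDMCP_OTHER;
    }
}

/* Constructed sample datagrams (not captured traffic). */
const uint8_t sample_query[] = { 0,1, 0,2, 0,1, 0 };            /* no auth names */
const uint8_t sample_willing[] = { 0,1, 0,5, 0,15, 0,0,
    0,7,'g','d','m','h','o','s','t', 0,2,'o','k' };
const uint8_t sample_overrun[] = { 0,1, 0,2, 0,4, 1, 0,9,'M' }; /* name claims 9 bytes */

int main(void)
{
    printf("query=%d willing=%d overrun=%d\n",
           xdmcp_classify(sample_query, sizeof sample_query),
           xdmcp_classify(sample_willing, sizeof sample_willing),
           xdmcp_classify(sample_overrun, sizeof sample_overrun));
    return 0;
}
```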

If XDMCP seems to not be working, make sure that all machines are
specified in <filename>/etc/hosts</filename>.

Refer to the "Security" section for information about
security concerns when using XDMCP.

<sect2 id="secureremote">
Securing Remote Connection Through SSH

As explained in the "Security" section, XDMCP does not use
any kind of encryption and as such is inherently insecure. As XDMCP
uses UDP as a network transport layer, it is not possible to simply
secure it through an SSH tunnel.

To remedy this problem, GDM can be configured at compilation-time with
the option --enable-secureremote, in which case GDM offers a
built-in session called "Secure Remote Connection".
Starting such a session allows the user to enter the name or the
address of the host to connect to; provided the said host runs an
SSH server, the user then gets connected to the server on which the
default X session is started and displayed on the local host.

Using this session allows a much more secure network connection and
only requires an SSH server running on the remote host.
<sect2 id="gtkgreeter">
<title>The GTK+ Greeter</title>

The GTK+ Greeter is the default graphical user interface that is
presented to the user. The greeter contains a menu at the top, an
optional face browser, an optional logo and a text entry widget.
This greeter has full accessibility support, and should be used
by users with accessibility needs.

The text entry field is used for entering logins, passwords,
passphrases etc. <command>gdmlogin</command> is controlled by the
underlying daemon and is basically stateless. The daemon controls the
greeter through a simple protocol where it can ask the greeter for a
text string with echo turned on or off. Similarly, the daemon can
change the label above the text entry widget to correspond to the
value the authentication system wants the user to enter.

The menu bar in the top of the greeter enables the user to select the
requested session type/desktop environment, select an appropriate
locale/language, halt/restart/suspend the computer, configure GDM
(given the user knows the root password), change the GTK+ theme, or
start an XDMCP chooser.

The greeter can optionally display a logo in the login window. The
image must be in a format readable by the gdk-pixbuf library (GIF,
JPG, PNG, TIFF, XPM and possibly others), and it must be readable by
the GDM user. See the <filename>Logo</filename> option in the
reference section below for details.

<sect2 id="themedgreeter">
<title>The Themed Greeter</title>

The Themed Greeter is a greeter interface that takes up the whole
screen and is very themable. Themes can be selected and new themes
can be installed by the configuration application or by setting the
<filename>GraphicalTheme</filename> configuration key. The Themed
Greeter is much like the GTK+ Greeter in that it is controlled by
the underlying daemon, is stateless, and is controlled by the
daemon using the same simple protocol.

The look and feel of this greeter is really controlled by the theme and
so the user interface elements that are present may be different. The
only thing that must always be present is the text entry field as
described above in the GTK+ Greeter. The theme can include buttons
that allow the user to select an appropriate locale/language,
halt/restart/suspend the computer, configure GDM (given the user
knows the root password), or start an XDMCP chooser.

You can always get a menu of available actions by pressing the F10 key.
This can be useful if the theme doesn't provide certain buttons when
you wish to do some action allowed by the GDM configuration.
<sect2 id="facebrowser">
<title>The GDM Face Browser</title>

GDM supports a face browser which will display a list of users who
can login and an icon for each user. Starting with version 2.18.1
the <filename>Browser</filename> configuration option must be set
to "true" for this function to be available. In previous
versions it was only required when using the GTK+ Greeter. When
using the Themed Greeter, the Face Browser is only available if the
GDM theme includes a "userlist" item type.

By default, the face browser is disabled since revealing usernames on
the login screen is not appropriate on many systems for security
reasons. Also, GDM requires some setup to specify which users should
be visible. Setup can be done on the "Users" tab in
<command>gdmsetup</command>. This feature is most practical to use
on a system with a smaller number of users.

The icons used by GDM can be installed globally by the sysadmin or can
be located in the users' home directories. If installed globally
they should be in the <filename>&lt;share&gt;/pixmaps/faces/</filename>
directory (though this can be configured with the
<filename>GlobalFaceDir</filename> configuration option) and the
filename should be the name of the user, optionally with a
<filename>.png</filename> appended. Face icons placed in the global
face directory must be readable by the GDM user. However, the daemon
proxies user pictures to the greeter, and thus those do not have to be
readable by the "gdm" user, only by root.

Users may run the <command>gdmphotosetup</command> command to
configure the image to use for their userid. This program properly
scales the file down if it is larger than the
<filename>MaxIconWidth</filename> or
<filename>MaxIconHeight</filename> configuration options and places the
icon in a file called <filename>~/.face</filename>. Although
<command>gdmphotosetup</command> scales user images automatically,
this does not guarantee that user images are properly scaled since
a user may create their <filename>~/.face</filename> file by hand.

GDM will first look for the user's face image in
<filename>~/.face</filename>. If not found, it will try
<filename>~/.face.icon</filename>. If still not found, it will
use the value defined for "face/picture=" in the
<filename>~/.gnome2/gdm</filename> file. Lastly, it will try
<filename>~/.gnome2/photo</filename> and
<filename>~/.gnome/photo</filename> which are deprecated and
supported for backwards compatibility.

If a user has no defined face image, GDM will use the
"stock_person" icon defined in the current GTK+ theme. If no
such image is defined, it will fall back to the image specified in the
<filename>DefaultFace</filename> configuration option, normally
<filename>&lt;share&gt;/pixmaps/nobody.png</filename>.

Please note that loading and scaling face icons located in user home
directories can be a very time-consuming task. Since it is not
practical to load images over NIS or NFS, GDM does not attempt to
load face images from remote home directories. Furthermore, GDM will
give up loading face images after 5 seconds of activity and will
only display the users whose pictures it has gotten so far. The
<filename>Include</filename> configuration option can be used to
specify a set of users who should appear on the face browser. As
long as the list of users to include is of a reasonable size, there
should not be a problem with GDM being unable to access the face images.
To work around such problems, it is recommended to place face images
in the directory specified by the <filename>GlobalFaceDir</filename>
configuration option.

To control the users who get displayed in the face browser, there are
a number of configuration options that can be used. If the
<filename>IncludeAll</filename> option is set to true, then the
password file will be scanned and all users will be displayed. If the
<filename>IncludeAll</filename> option is set to false, then the
<filename>Include</filename> option should contain a list of users
separated by commas. Only the users specified will be displayed.
Any user listed in the <filename>Exclude</filename> option and users
whose UID is lower than <filename>MinimalUID</filename> will be
filtered out regardless of the <filename>IncludeAll</filename>
setting. <filename>IncludeAll</filename> is not recommended
for systems where the passwords are loaded over a network (such as
when NIS is used), since it can be very slow to load more than a
small number of users over the network.

When the browser is turned on, valid usernames on the computer are
inherently exposed to a potential intruder. This may be a bad idea if
you do not know who can get to a login screen. This is especially
true if you run XDMCP (turned off by default).
<title>Logging</title>

GDM itself will use syslog to log errors or status. It can also log
debugging information, which can be useful for tracking down problems
if GDM is not working properly. This can be enabled in the

Output from the various X servers is stored in the GDM log directory,
which is configurable, but is usually
<filename>&lt;var&gt;/log/gdm/</filename>. The output from the
session can be found in a file called
<filename>&lt;display&gt;.log</filename>. Four older files are also
stored with <filename>.1</filename> through
<filename>.4</filename> appended. These will be rotated as new
sessions on that display are started. You can use these logs to view
what the X server said when it started up.

The output from the user session is redirected to
<filename>~/.xsession-errors</filename>
before even the <filename>PreSession</filename> script is started. So
it is not really necessary to redirect this again in the session setup
script, as is usually done. If the user session lasted less than
10 seconds, GDM assumes that the session crashed and allows the user to
view this file in a dialog before returning to the login screen.
This way the user can view the session errors from the last session
and correct the problem.

You can suppress the 10 second warning by returning code 66 from the
<filename>Xsession</filename> script or from your session binary (the
default <filename>Xsession</filename> script propagates those codes
back). This is useful if you have some sort of special logins for
which it is not an error to return less than 10 seconds later, or if
you set up the session to already display some error message and the
GDM message would be confusing and redundant.

The session output is piped through the GDM daemon and so the
<filename>~/.xsession-errors</filename> file is capped at about
200 kilobytes by GDM to prevent a possible denial of service attack
on the session. An application could perhaps, on reading some wrong
data, print out warnings or errors on stderr or stdout. This could
perhaps fill up the user's home directory making it necessary to log
out and back into their session to clear this. This could be
especially nasty if quotas are set. GDM also correctly traps the XFSZ
signal and stops writing the file; the signal would otherwise lead to
killed sessions if the file was redirected in the old-fashioned way
from the script.

Note that some distributors seem to override the
<filename>~/.xsession-errors</filename> redirection and do it
themselves in their own Xsession script (set by the
<filename>BaseXsession</filename> configuration key) which means that
GDM will not be able to trap the output and cap this file. You also
lose output from the <filename>PreSession</filename> script which can
make debugging harder, as perhaps useful output
about what is wrong will not be printed out. See the description of the
<filename>BaseXsession</filename> configuration key for more
information, especially on how to handle multiple display managers
using the same script.

Note that if the session is a failsafe session, or if GDM can't open
this file for some reason, then a fallback file will be created in the
<filename>/tmp</filename> directory named
<filename>/tmp/xses-&lt;user&gt;.XXXXXX</filename> where the
<filename>XXXXXX</filename> are some random characters.

If you run a system with quotas set, it would be good to delete the
<filename>~/.xsession-errors</filename> in the
<filename>PostSession</filename> script, so that this log file
doesn't unnecessarily stay around.
<sect2 id="fileaccess">
<title>Accessing Files</title>

In general, GDM is very reluctant to read or write user files (such as
the <filename>~/.dmrc</filename>, <filename>~/.face</filename>,
<filename>~/.xsession-errors</filename>, and
<filename>~/.Xauthority</filename> files). For instance, it refuses to
access anything but regular files. Links, sockets and devices are
ignored. The value of the <filename>RelaxPermissions</filename>
parameter determines whether GDM should accept files writable by the
user's group or others. Such files are ignored by default.

All operations on user files are done with the effective user id of the
user. If the sanity check fails on the user's
<filename>.Xauthority</filename> file, a fallback cookie is created in
the directory specified by the <filename>UserAuthFBDir</filename>
configuration setting (<filename>/tmp</filename> by default).
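The checks described in this section can be sketched in C as follows. This is an added example, not GDM's own code: the function and verdict names, the 0/1/2 relax levels, the 4096-byte size cap and the constructed sample files are assumptions made for illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* expose O_NOFOLLOW, mkdtemp, mkfifo */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum file_verdict {
    FILE_OK = 0,
    FILE_OPEN_FAILED,     /* missing, unreadable, or a symlink */
    FILE_NOT_REGULAR,     /* FIFO, device, directory, ... */
    FILE_WRONG_OWNER,
    FILE_GROUP_WRITABLE,
    FILE_OTHER_WRITABLE,
    FILE_TOO_BIG
};

/*
 * Decide whether a user file may be read. Assumed relax levels: 0 = reject
 * group- and other-writable files, 1 = accept group-writable, 2 = accept
 * both. The caller is assumed to run with the user's effective uid already.
 * On FILE_OK the descriptor is handed back through fd_out (if non-NULL),
 * so the file that was checked is the file that gets read.
 */
static enum file_verdict
check_user_file(const char *path, uid_t owner, int relax, off_t max_size,
                int *fd_out)
{
    struct stat st;
    enum file_verdict v = FILE_OK;
    /* O_NOFOLLOW refuses a symlink; O_NONBLOCK keeps a FIFO from hanging us */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY);
    if (fd < 0)
        return FILE_OPEN_FAILED;
    /* fstat the descriptor, not the path, so the answer cannot go stale */
    if (fstat(fd, &st) != 0)
        v = FILE_OPEN_FAILED;
    else if (!S_ISREG(st.st_mode))
        v = FILE_NOT_REGULAR;
    else if (st.st_uid != owner)
        v = FILE_WRONG_OWNER;
    else if ((st.st_mode & S_IWGRP) && relax < 1)
        v = FILE_GROUP_WRITABLE;
    else if ((st.st_mode & S_IWOTH) && relax < 2)
        v = FILE_OTHER_WRITABLE;
    else if (st.st_size > max_size)
        v = FILE_TOO_BIG;

    if (v == FILE_OK && fd_out != NULL)
        *fd_out = fd;
    else
        close(fd);
    return v;
}

/* Build one constructed sample in a scratch directory and check it. */
static enum file_verdict
demo(const char *kind, mode_t mode, off_t size, int relax)
{
    char dir[] = "/tmp/gdm-filecheck-XXXXXX";
    char target[64], link_path[64];
    const char *subject = target;
    enum file_verdict v = FILE_OPEN_FAILED;
    int fd, ok;

    if (mkdtemp(dir) == NULL)
        return v;
    snprintf(target, sizeof target, "%s/dmrc", dir);
    snprintf(link_path, sizeof link_path, "%s/link", dir);

    if (strcmp(kind, "fifo") == 0) {
        ok = mkfifo(target, 0600) == 0;
    } else {
        fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
        ok = fd >= 0 && ftruncate(fd, size) == 0 && fchmod(fd, mode) == 0;
        if (fd >= 0)
            close(fd);
        if (ok && strcmp(kind, "symlink") == 0) {
            ok = symlink(target, link_path) == 0;
            subject = link_path;
        }
    }
    if (ok)
        v = check_user_file(subject, geteuid(), relax, 4096, NULL);
    unlink(link_path);
    unlink(target);
    rmdir(dir);
    return v;
}

int main(void)
{
    printf("plain 0600 file      -> %d\n", demo("file", 0600, 10, 0));
    printf("symlink to that file -> %d\n", demo("symlink", 0600, 10, 0));
    return 0;
}
```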
Finally, the sysadmin can specify the maximum file size GDM should
accept, and, if the face browser is enabled, a tunable maximum icon
size is also enforced. On large systems it is still advised to turn
off the face browser for performance reasons. Looking up icons in
home directories, scaling and rendering face icons can take a long
<sect2 id="performance">
<title>GDM Performance</title>

To improve performance it is possible to build GDM so that it will
preload libraries when GDM first displays a greeter program. This
has been shown to speed up first-time login since these libraries can
be loaded into memory while the user types in their username and

To use this feature, configure GDM with the
<command>--with-prefetch</command> option. This will cause GDM to
install the <command>gdmprefetch</command> program to the
<filename>libexecdir</filename> directory, install the
<filename>gdmprefetchlist</filename> file to the
<filename>&lt;etc&gt;/gdm</filename> directory, and set the
<filename>PreFetchProgram</filename> configuration variable so that the
<command>gdmprefetch</command> program is called with the default
<filename>gdmprefetchlist</filename> file. The default
<filename>gdmprefetchlist</filename> file was optimized
for a GNOME desktop running on Solaris, so it may need fine-tuning on
other systems. Alternative prefetchlist files can be contributed
to the "gdm" category in
<ulink type="http" url="http://bugzilla.gnome.org/">bugzilla.gnome.org</ulink>,
so that they can be included in future GDM releases.
<sect1 id="security">
<title>Security</title>

GDM uses PAM for login authentication, though if your machine does not
support PAM you can build GDM to work with the password database and
the crypt library function.

PAM stands for Pluggable Authentication Module, and is used by most
programs that request authentication on your computer. It allows the
administrator to configure different authentication behavior for

Some GDM features (like turning on automatic login) may require that
you update your PAM configuration. PAM configuration has different,
but similar, interfaces on different operating systems, so check your
pam.d or pam.conf man page for details. Be sure that you read the
PAM documentation (e.g. pam.d/pam.conf man page) and are comfortable
with the security implications of any changes you intend to make to

If there is no entry for GDM in your system's PAM configuration file,
then features like automatic login may not work. Not having an entry
will cause GDM to use default behavior; conservative settings are
recommended and are probably shipped with your distribution.

If you wish to make GDM work with other types of authentication
mechanisms (such as a SmartCard), then you should implement this by
using a PAM service module for the desired authentication type rather
than by trying to modify the GDM code directly. Refer to the PAM
documentation on your system. This issue has been discussed on the
<address><email>gdm-list@gnome.org</email></address> mailing list,
so you can refer to the list archives for more information.

For example, an effective way to implement such an exotic
authentication mechanism would be to have a daemon running
on the server listening to the authentication device (e.g.
USB key, fingerprint reader, etc.). When the device
announces that it has received input, the daemon can
set the <filename>PamStack</filename> configuration value
using per-display configuration, and restart the greeter
with the PAM stack that works with this device. This avoids
needing to hack the display manager code directly to support
<sect2 id="utmpwtmp">

GDM generates utmp and wtmp User Accounting Database entries upon
session login and logout. The utmp database contains user access
and accounting information that is accessed by commands such as
<command>finger</command>, <command>last</command>,
<command>login</command>, and <command>who</command>. The wtmp
database contains the history of user access and accounting
information for the utmp database.

GDM 2.18 and earlier would run the X server <command>sessreg</command>
program from the default GDM <command>PreSession</command> and
<command>PostSession</command> scripts. Starting with GDM 2.20, GDM
interacts with the UTMP and WTMP databases directly and supports the
following configuration options.

When doing utmp processing, GDM lets you configure how the
ut_line value is set. Programs that access the database assume that
this value is an actual device, so GDM will set the device as follows.
If the display is attached and has an associated Virtual Terminal (VT)
device, then this device will be used. Otherwise, if an attached
display in the <command>[servers]</command> section specifies a device
name, then this value will be used. Otherwise attached displays will
default to the <filename>UtmpLineAttached</filename> value in the GDM
configuration. Remote displays will default to the
<filename>UtmpLineRemote</filename> value in the GDM configuration.
Device values must begin with "/dev/".

GDM also supports the <filename>UtmpPseudoDevice</filename>
configuration option. If this configuration setting is true, then GDM
will ensure that the specified device exists and will create a pseudo
device if the device does not exist. A pseudo device is a symlink to
<filename>/dev/null</filename>. If
<filename>UtmpPseudoDevice</filename> is true and the device
already exists, GDM checks to see if the device is a symlink to
<filename>/dev/null</filename>. If so, then GDM will update the access
time of the symlink. This ensures that programs that check the access
time of the device will get a reasonable value for the last time the
device was accessed. If the <filename>UtmpPseudoDevice</filename>
configuration option is false, then GDM will only set the ut_line
value as specified regardless of whether the device exists or not.
<title>The GDM User</title>

For security reasons a dedicated user and group id are required for
proper operation! The need to be able to write Xauth files is why user
"nobody" is not appropriate for gdm.

The GDM daemon normally runs as root, as does the slave. However, GDM
should also have a dedicated user id and a group id which it uses for
its graphical interfaces such as <command>gdmgreeter</command> and
<command>gdmlogin</command>. These are configured via the
<filename>User</filename> and <filename>Group</filename>
configuration options in the GDM configuration files. The user and
group should be created before running "make install". By
default GDM assumes the user and the group are called "gdm".

This userid is used to run the GDM GUI programs required for login.
All functionality that requires root authority is done by the GDM
daemon process. This design ensures that if the GUI programs are
somehow exploited, only the dedicated user privileges are available.

It should however be noted that the GDM user and group have some
privileges that make them somewhat dangerous. For one, they have
access to the X server authorization directory. They must be able to
read and write Xauth keys to <filename>&lt;var&gt;/lib/gdm</filename>.
This directory should have root:gdm ownership and 1770 permissions.
Running "make install" will set this directory to these
values. The GDM daemon process will reset this directory to proper
ownership/permissions if it is somehow not set properly.

The danger is that someone who gains the GDM user/group privileges can
then connect to any session. So you should not, under any
circumstances, make this some user/group which may be easy to get
access to, such as the user <filename>nobody</filename>. Users who
gain access to the "gdm" user could also modify the Xauth
keys, causing Denial-Of-Service attacks. Also, if a person gains the
ability to run programs as the user "gdm", it would be
possible to snoop on running GDM processes, including usernames and
passwords as they are being typed in.

Distributions and system administrators using GDM are expected to set
up the dedicated user properly. It is recommended that this userid be
configured to disallow login and to not have a default shell.
Distributions and system administrators should set up the filesystem to
ensure that the GDM user does not have read or write access to
<title>X Server Authentication Scheme</title>

The X server authorization directory (the
<filename>ServAuthDir</filename>) is used for a host of random
internal data in addition to the X server authorization files, and the
naming is really a relic of history. The GDM daemon enforces that this
directory is owned by <filename>root.gdm</filename> with the
permissions of 1770. This way, only root and the GDM group have write
access to this directory, but the GDM group cannot remove the
root-owned files from this directory, such as the X server authorization

GDM by default doesn't trust the X server authorization directory and
treats it in the same way as the temporary directory with respect to
creating files. This way someone breaking the GDM user cannot mount
attacks by creating links in this directory. Similarly the X server
log directory is treated safely, but that directory should really be
owned and writable only by root.
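An added example (not GDM source) of the two properties described above: auditing that a directory has the expected owner, group and 1770 mode, and creating a file in an untrusted directory without following a planted link. The function names and scratch paths are assumptions, and the demo audits a temporary directory against the current user rather than root:gdm so that it runs unprivileged.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* expose lstat, mkdtemp, symlink, O_NOFOLLOW */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Audit findings, OR-ed together; 0 means the directory is as expected. */
enum {
    DIR_MISSING   = 1 << 0,   /* lstat() failed */
    DIR_NOT_DIR   = 1 << 1,   /* a symlink or other non-directory */
    DIR_BAD_OWNER = 1 << 2,
    DIR_BAD_GROUP = 1 << 3,
    DIR_BAD_MODE  = 1 << 4    /* permission bits are not exactly 1770 */
};

static int audit_auth_dir(const char *path, uid_t want_uid, gid_t want_gid)
{
    struct stat st;
    int findings = 0;

    if (lstat(path, &st) != 0)          /* lstat: do not follow a link */
        return DIR_MISSING;
    if (!S_ISDIR(st.st_mode))
        return DIR_NOT_DIR;
    if (st.st_uid != want_uid)
        findings |= DIR_BAD_OWNER;
    if (st.st_gid != want_gid)
        findings |= DIR_BAD_GROUP;
    if ((st.st_mode & 07777) != 01770)  /* sticky + rwx for owner and group */
        findings |= DIR_BAD_MODE;
    return findings;
}

/*
 * Create a new 0600 file in a directory that another account can write to.
 * O_CREAT|O_EXCL fails with EEXIST if the name already exists in any form,
 * including a dangling symlink, so a planted link is never followed.
 */
static int create_in_untrusted_dir(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Audit a scratch directory set to `mode`; gid_skew != 0 forces a mismatch. */
static int demo_audit(mode_t mode, int gid_skew)
{
    char dir[] = "/tmp/gdm-authdir-XXXXXX";
    struct stat st;
    int findings = DIR_MISSING;

    if (mkdtemp(dir) == NULL)
        return findings;
    if (chmod(dir, mode) == 0 && stat(dir, &st) == 0)
        findings = audit_auth_dir(dir, geteuid(), st.st_gid + (gid_t)gid_skew);
    rmdir(dir);
    return findings;
}

/* Returns 1 if a planted symlink is refused and its target stays untouched. */
static int demo_planted_link(void)
{
    char dir[] = "/tmp/gdm-authdir-XXXXXX";
    char cookie[64], victim[64];
    struct stat st;
    int fd, refused, untouched;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(cookie, sizeof cookie, "%s/cookie", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (symlink(victim, cookie) != 0) {     /* dangling link to "victim" */
        rmdir(dir);
        return 0;
    }
    fd = create_in_untrusted_dir(cookie);
    refused = (fd < 0 && errno == EEXIST);
    untouched = (lstat(victim, &st) != 0);  /* victim was never created */
    if (fd >= 0)
        close(fd);
    unlink(cookie);
    unlink(victim);
    rmdir(dir);
    return refused && untouched;
}

int main(void)
{
    printf("1770 directory findings: %d\n", demo_audit(01770, 0));
    printf("1777 directory findings: %d\n", demo_audit(01777, 0));
    printf("planted link refused:    %d\n", demo_planted_link());
    return 0;
}
```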
GDM only supports the MIT-MAGIC-COOKIE-1 X server authentication
scheme. Normally little is gained from the other schemes, and no
effort has been made to implement them so far. Be especially
careful about using XDMCP because the X server authentication cookie
goes over the wire as clear text. If snooping is possible, then an
attacker could simply snoop your authentication password as you log in,
regardless of the authentication scheme being used. If snooping is
possible and undesirable, then you should use ssh for tunneling an X
connection rather than using XDMCP. You could think of XDMCP as a sort
of graphical telnet, having the same security issues.

On the upside, GDM's random number generation is very conservative and
GDM goes to extraordinary measures to truly get a 128 bit random
number, using hardware random number generators (if available), plus
the current time (in microsecond precision), a 20 byte array of
pseudorandom numbers, process PIDs, and other random information
(possibly using <filename>/dev/audio</filename> or
<filename>/dev/mem</filename> if hardware random generators are not
available) to create a large buffer and then run an MD5 digest on this.
Obviously, all this work is wasted if you send this cookie over an open
network or store it on an NFS directory (see the
<filename>UserAuthDir</filename> configuration key). So be careful
about where you use a remote X display.
<sect2 id="firewall">
<title>Firewall Security</title>

Even though GDM tries to outsmart potential attackers trying to take
advantage of XDMCP, it is still advised that you block the XDMCP port
(normally UDP port 177) on your firewall unless you really need it.
GDM guards against DoS (Denial of Service) attacks, but the X protocol
is still inherently insecure and should only be used in controlled
environments. Also each remote connection takes up lots of resources,
so it is much easier to DoS via XDMCP than a webserver.

It is also wise to block all of the X Server ports (these are TCP
ports 6000 + the display number of course) on your firewall. Note that
GDM will use display numbers 20 and higher for flexible on-demand

X is not a very safe protocol for leaving on the net, and XDMCP is
<sect2 id="nfssecurity">
<title>GDM Security With NFS</title>

Note that NFS traffic really goes "over the wire" and thus
can be snooped. When accessing the user's X authorization file
(<filename>~/.Xauthority</filename>), GDM will try to open the file
for reading as root. If it fails, GDM will conclude that it is on an
NFS mount and it will automatically use
<filename>UserAuthFBDir</filename>, which by default is set to
<filename>/tmp</filename>. This behavior can be changed by setting the
<filename>NeverPlaceCookiesOnNFS</filename> key in the
<filename>[security]</filename> section to false.
<sect2 id="xdmcpsecurity">
<title>XDMCP Security</title>

Even though your display is protected by cookies, XEvents and thus
keystrokes typed when entering passwords will still go over the wire in
clear text. It is trivial to capture these.

XDMCP is primarily useful for running thin clients such as in terminal
labs. Those thin clients will only ever need the network to access
the server, and so it seems like the best security policy to have
those thin clients on a separate network that cannot be accessed by
the outside world, and can only connect to the server. The only point
from which you need to access outside is the server.

The above sections "X Server Authentication Scheme" and
"Firewall Security" also contain important information about
using XDMCP securely. The next section also discusses how to set up
XDMCP access control.

To work around the inherent insecurity of XDMCP, GDM offers a default
built-in session that uses SSH to encrypt the remote connection. See
the section "Securing remote connection through SSH" above.
<sect2 id="xdmcpaccess">
<title>XDMCP Access Control</title>

XDMCP access control is done using TCP wrappers. It is possible to
compile GDM without TCP wrappers, however, so you should test your
configuration and verify that they work.

You should use the daemon name <command>gdm</command> in the
<filename>&lt;etc&gt;/hosts.allow</filename> and
<filename>&lt;etc&gt;/hosts.deny</filename> files. For example to
deny computers from <filename>.evil.domain</filename> from logging in,

to <filename>&lt;etc&gt;/hosts.deny</filename>. You may also need

to your <filename>&lt;etc&gt;/hosts.allow</filename> if you normally
disallow all services from all hosts. See the
<ulink type="help" url="man:hosts.allow">hosts.allow(5)</ulink> man
<title>RBAC (Role Based Access Control)</title>

If GDM is compiled with RBAC support, then the
<filename>RBACSystemCommandKeys</filename> configuration option can be
used to specify the RBAC key to be used to determine if the user has
authority to use commands. This is supported for the Shutdown,
Reboot, Suspend, and Custom Commands that appear in the GDM greeter
and via the <command>gdmflexiserver</command> QUERY_LOGOUT_ACTION,
SET_LOGOUT_ACTION, and SET_SAFE_LOGOUT_ACTION commands. The greeter
will only display the option if the gdm user (specified by the
<filename>User</filename> configuration option) has permission
via RBAC. Users will only be able to use the
<command>gdmflexiserver</command> commands if the user has
permission via RBAC.
<sect1 id="consolekit">
<title>Support for ConsoleKit</title>

GDM includes support for publishing user login information with the user
and login session accounting framework known as ConsoleKit. ConsoleKit
is able to keep track of all the users currently logged in. In this
respect, it can be used as a replacement for the utmp or utmpx files that
are available on most Unix-like operating systems.

When GDM is about to create a new login process for a user it will call
a privileged method of ConsoleKit in order to open a new session for this
user. At this time GDM also provides ConsoleKit with information about
this user session such as: the user ID, the X11 Display name that will be
associated with the session, the host-name from which the session
originates (useful in the case of an XDMCP session), whether or not this
session is attached, etc. As the entity that initiates the user process,
GDM is in a unique position to know and to be trusted to provide these
bits of information about the user session. The use of this privileged
method is restricted by the D-Bus system message bus security policy.

In the case where a user with an existing session has authenticated
at GDM and requests to resume that existing session, GDM calls a
privileged method of ConsoleKit to unlock that session. The exact
details of what happens when the session receives this unlock signal are
undefined and session-specific. However, most sessions will unlock a
screensaver in response.

When the user chooses to log out, or if GDM or the session quits
unexpectedly, the user session will be unregistered from ConsoleKit.

If support for ConsoleKit is not desired it can be disabled at build
time using the "--with-console-kit=no" option when running
<sect1 id="gdmsetupusage">
<title>Using gdmsetup To Configure GDM</title>

The <command>gdmsetup</command> application can be used to configure GDM.
If you believe running root-owned GUIs poses a security risk, then you
would want to always edit the files by hand and not use
<command>gdmsetup</command>. Editing the files by hand is explained in
the "Configuration" section of this document. Note that
<command>gdmsetup</command> does not support changing all
configuration variables, so it may be necessary to edit the files by
hand for some configurations.

The <command>gdmsetup</command> program has five tabs: Local, Remote,
Accessibility, Security, and Users, described below. In parentheses is
information about which GDM configuration key is affected by each GUI
choice. Refer to the "Configuration" section of this manual
and the comments in the GDM System Defaults Configuration File for
additional details about each key.
<sect2 id="gdmsetuplocaltab">
<title>Local Tab</title>

The Local tab is used for controlling the appearance of GDM for
attached (also known as local or static) displays. Attached displays
are non-XDMCP remote connections, for example. The choices available
in this tab depend on the setting of the "Style" combobox.
This combobox is used to determine whether the "Plain" or
"Themed" greeter GUI is used. The differences between these
greeter programs are explained in the "Overview" section of

If the "Style" choice is "Plain", then GDM will
use the <command>gdmlogin</command> program as the GUI
(daemon/Greeter). When this choice is selected,
<command>gdmsetup</command> allows the user to select whether the
background is an image or solid color (greeter/BackgroundType). If
image is selected, there is a file selection button to pick the image
file (greeter/BackgroundImage) and a checkbox to scale the image to fit
the screen (greeter/BackgroundImageScaleToFit). If solid color is
selected, there is a button available to allow the color selection
(greeter/BackgroundColor). Also, the user may select the logo image
that appears in gdmlogin (greeter/Logo).

If the "Style" choice is "Plain with face browser",
then the <command>gdmlogin</command> program is used as the GUI
(daemon/Greeter) and the face browser is turned on (greeter/Browser).
The Face Browser is explained in the "Overview" section.
Otherwise, the choices are the same as when the "Style"
choice is "Plain". Additional setup in the Users tab may be
necessary to choose which users appear in the Face Browser.

If the "Style" choice is "Themed", then the
<command>gdmgreeter</command> program is used as the GUI
(daemon/Greeter). When this choice is selected,
<command>gdmsetup</command> allows the user to select the theme to be
used (greeter/GraphicalTheme). Note that the checkbox to the left
of the theme's name must be checked for a theme to be selected.
Information about the theme's author and copyright is shown for the
highlighted theme. The "Remove" button can be used to delete
the highlighted theme. The "Add" button can be used to add
new themes to the system. For a new theme to be added it must be
in tar or compressed tar format. The "Background color"
displayed when GDM starts (and if the theme has transparent elements)
can be selected (greeter/GraphicalThemedColor). The "Theme"
combo box may be set to "Random from selected" to display a
random theme for each login (greeter/GraphicalThemeRand and
greeter/GraphicalThemes). To use random themes, select each theme that
you wish to be displayed. By default this combobox is set to
"Selected only", so that only a single theme may be selected

If the "Style" choice is "Themed with face
browser", then the <command>gdmgreeter</command> program is used
as the GUI (daemon/Greeter) and the face browser is turned on
(greeter/Browser) if supported by the theme. The Face Browser is
explained in the Overview section. Otherwise, the choices are the
same as when the "Style" choice is "Themed".
Additional setup in the Users tab may be necessary to choose which
users appear in the Face Browser.

Regardless of the "Style" choice, the user may also select
whether the Actions menu is visible (greeter/SystemMenu), whether the
Actions menu includes the choice to start <command>gdmsetup</command>
(greeter/ConfigAvailable), and whether the Actions menu includes the
choice to start <command>gdmchooser</command> to run a remote XDMCP
login session (greeter/ChooserButton). The welcome message for
attached DISPLAYs may be specified (greeter/DefaultWelcome and
greeter/Welcome). The welcome message may contain the character
sequences described in the "Text Node" subsection of the
"Themed Greeter" section of this manual. These character
sequences allow the welcome message to contain things like the display
<sect2 id="gdmsetupremotetab">
<title>Remote Tab</title>

The Remote tab controls the appearance of GDM for users logging
in via XDMCP. By default XDMCP is disabled, and users should be
comfortable with the XDMCP-related sections of the Security section
of this document before enabling it. This tab includes a
"Style" combobox which can be used to turn on XDMCP and
control the appearance of GDM for remote users (gui/RemoteGreeter
and xdmcp/Enable). The user may specify to use either the same
greeter as used on the Local tab, or the other Greeter program. If
the Face Browser setting is true on the Local tab, then it will also
be true for the Remote tab. If the Face Browser setting is
false on the Local tab, then it will also be false for the Remote
tab. It is recommended that the "Plain" GUI be used for
remote connections since it is more lightweight and tends to have
better performance across a network.

If Remote login is enabled, then the welcome message for
remote DISPLAYs may be specified (greeter/DefaultRemoteWelcome and
greeter/RemoteWelcome). This welcome message is separate from the
one shown for attached displays defined in the Local tab and can have
a different value. The welcome message may contain the character
sequences described in the "Text Node" subsection of the
"Themed Greeter" section of this manual. These character
sequences allow the welcome message to contain things like the
display or host name.

If the "Style" choice is "Same as Local" and the
local selection is "Plain" or "Plain with face
browser", then the user may select whether background images
should be displayed for remote logins
(greeter/BackgroundRemoteOnlyColor).

If the "Style" choice is enabled and set to a different
value than the Local tab, then the user has the same configuration
choices as found on the Local tab except that the System Menu
choices are not available, since this menu is never available for
remote logins for security purposes.

If Remote login is enabled, there is a "Configure XDMCP"
button which displays a dialog allowing the user to set XDMCP
configuration, including whether indirect requests are honored
(xdmcp/HonorIndirect), UDP port (xdmcp/Port), maximum pending requests
(xdmcp/MaxPending), maximum pending indirect requests
(xdmcp/MaxPendingIndirect), maximum remote sessions
(xdmcp/MaxSessions), maximum wait time (xdmcp/MaxWait), maximum
indirect wait time (xdmcp/MaxWaitIndirect), displays per host
(xdmcp/DisplaysPerHost), and ping interval (xdmcp/PingIntervalSeconds).
The default settings are standard settings and should only be changed
by someone who understands the ramifications of the change.
<sect2 id="gdmsetupaccessibilitytab">
<title>Accessibility Tab</title>

The Accessibility tab is used to turn on Accessibility features in GDM.
"Enable accessible login" (daemon/AddGtkModules and
daemon/GtkModulesList) turns on GDM's gesture listeners which are
explained in the "Accessibility" section of this document.
There is also a checkbox to allow users to change the theme when using
the Plain greeter (gui/AllowGtkThemeChange). This feature allows GDM
users to switch the theme to the HighContrast or LowContrast themes if
needed. The user may also select whether GDM should play a sound when
the login screen is ready, when login is successful and when login has
failed. File chooser buttons are used to select the sound file to be
played, and the "Play" button can be used to sample the
<sect2 id="gdmsetupsecuritytab">
<title>Security Tab</title>

The Security tab allows the user to turn on Automatic and Timed login,
to choose which user is logged in via an automatic or timed login, and
to set the timed login delay (daemon/AutomaticLoginEnable,
daemon/AutomaticLogin, daemon/TimedLoginEnable, daemon/TimedLogin, and
daemon/TimedLoginDelay).
If automatic login is turned on, then the specified user will
immediately log in on reboot without GDM asking for username/password.
If the user logs out of their session, GDM will start and ask for
username and password to log back in. If TimedLogin is turned on, then
GDM will log in as the specified user after a specified number of
seconds. The user may enable Timed Login for remote (XDMCP)
connections by checking the "Allow remote timed logins"

On this tab, the user may select whether the system administrator user
can log in, and whether the system administrator user can log in
via remote (XDMCP) connections (security/AllowRoot and
security/AllowRemoteRoot). The user may turn on GDM debug
(debug/Enable) which causes debug messages to be sent to the system
log. Debug should only be used when diagnosing a problem and not be
left on when not needed. The "Deny TCP connections to
X server" choice will disable X forwarding if selected
(security/DisallowTCP). A login retry delay (security/RetryDelay) can
be set to cause GDM to wait a number of seconds after a failed login.

The "Configure X Server" button can be used to specify how
GDM manages each display. The "Servers" combobox shows what
server definitions are available (Standard, Terminal, and Chooser by
default). Refer to the "X Server Definitions" section of
the "Configuration" section for more information about how
to create new Server Definitions.

For any server type, the user may modify the "Server Name"
(server/name), the "Command" (server/command) to be used to
launch the X server, whether the server type will "Launch"
(server/chooser) the greeter or chooser GUI after starting the
X server, whether GDM handles this type (normally only set to false
when logging into a Terminal session type), and whether the session
type supports "Flexible" (server/flexible) sessions.

The "Servers To Start" section shows what server type is
displayed for each display on the machine. Users may click on the
"Add/Modify" button to add a new display to the list or to
modify a selected display. This simply associates each physical
display with the Server Definition to be used for managing that
display. The "Remove" button may be used to remove a
display from the list.
<sect2 id="gdmsetupuserstab">
<title>Users Tab</title>

The Users tab controls which users appear in the Face Browser. If the
"Include all users from /etc/password" checkbox is selected,
then all users (with a userid above greeter/MinimalUID and not in the
Exclude list) are displayed. If this checkbox is not selected, then
users must be added to the "Include" list. Users in the
"Exclude" list are never displayed. The "Add" and
"Remove" buttons are used to add a new user to the list or
remove a selected user from the list. The "Apply User
Changes" button must be pressed after the "Include" and
"Exclude" lists have been modified. The left and right
arrow buttons between the "Include" and "Exclude"
lists can be used to move a selected user from one list to the other.
1555
<sect1 id="configuration">
1556
<title>Configuration</title>
1559
GDM has powerful configuration management. System default configuration
1560
is stored in the GDM System Defaults Configuration File and user changes
1561
to the default configuration are stored in the GDM Custom Configuration
1562
File. This allows sysadmins to store the GDM System Defaults
1563
Configuration File on a shared filesystem, so a single file can be used
1564
to control configuration for multiple machines. GDM also supports
1565
per-display configuration for GUI-related keys.
1569
The <command>gdmsetup</command> is a GUI program you can use to edit the
1570
GDM configuration. This program may also be launched directly from the
1571
login screen if the greeter/ConfigAvailable key is set to "true"
1572
Not all keys in the GDM configuration file are supported in the GUI, so
1573
you may need to edit the configuration files by hand to edit these keys.
1574
If you believe running root-owned GUI's causes security risk, then you
1575
would want to always edit the files by hand. This program does not
1576
support setting per-display configuration, so per-display configuration
1577
files must be set up by hand.
1581
Aside from the GDM System Defaults Configuration File, the other GDM
1582
configuration files are located, by default, in the
1583
<filename><etc>/gdm/</filename> folder or its subdirectories.
1584
Note that the location of many configuration files are defined in the
1585
GDM configuration files, so check the GDM System Defaults Configuration
1586
File and the GDM Custom Configuration File if the files are not in the
1587
locations specified in this document.
1591
Listing of the config directory contents:
<filename>locale.alias</filename> is a file which looks much like the
system locale alias but, in fact, is not the same. This is a list
of all languages that may be on your system. All languages are
checked to see if they exist before displaying them in the Language
Selection dialog in the login GUI. Only those that exist are displayed.

<filename>Xsession</filename> is a script which sets up a user session
and then executes the user's choice of session. Note that the session
script is typically started via the <filename>desktop</filename>
file associated with the session the user has picked. Some
sessions may start the user's session via a different mechanism than
the <filename>Xsession</filename> script, so please check the
appropriate <filename>desktop</filename> before assuming a session
startup issue is being caused by this file.

<filename>XKeepsCrashing</filename> is a script which gets run when the
X server keeps crashing and we cannot recover. The shipped default
script will work with most Linux distributions and can run the X
configuration application provided the person on the console knows the

Accessibility modules are configured in the <filename>modules/</filename>
subdirectory, and are a separate topic. Read the default files provided;
they have adequate documentation. Again, the default install is normally
given in the files with <filename>factory</filename> in their name.
Those files are not read; they are there so that you can
always revert to the default config.

Files describing available GDM sessions follow the freedesktop.org
desktop file specification. The <filename>.desktop</filename>-style
files are installed to <filename>&lt;etc&gt;/X11/sessions/</filename>.
This directory is also read by the KDE desktop manager (KDM) for common
configuration. Next the directory
<filename>&lt;share&gt;/gdm/BuiltInSessions/</filename> is read for
GDM specific built-in sessions (KDM hardcodes these at the time of
this writing). Lastly the default setup will also read
<filename>&lt;share&gt;/xsessions/</filename> (which should be
<filename>&lt;share&gt;/xsessions/</filename> if you really wish to
cooperate with KDM) where desktop packages can install their session
files. The directories under the <filename>&lt;etc&gt;</filename> should
be reserved for configuration. The desktop file specification approach
makes it easy for package management systems to install window managers
and different session types without requiring the sysadmin to edit files.
See the <filename>SessionDesktopDir</filename> configuration key for
changing the paths. It used to be that GDM stored its built-in
sessions in <filename>&lt;etc&gt;/dm/Sessions/</filename> but this is
deprecated as of 2.5.90.0. Note that prior to version 2.4.4.2 only the
<filename>&lt;etc&gt;/dm/Sessions/</filename> was being read.

A session can be disabled (if it was installed in
<filename>&lt;share&gt;/xsessions/</filename>) by adding an identically
named <filename>.desktop</filename> to one of the directories earlier in
the path (likely <filename>&lt;etc&gt;/X11/sessions</filename>) and using
<filename>Hidden=true</filename> in that file.

GDM uses the optional key <filename>X-Gdm-XserverArgs</filename> in
session files to specify additional arguments to be passed to the
X server. For example, the entry
<filename>X-Gdm-XserverArgs=-depth 16</filename> will start the
X server with a color depth of 16 bits. Any such additional arguments
are ignored when using a Nested display (when GDM is launched in a
<sect2 id="scriptdirs">
<title>The Script Directories</title>

In this section we will explain the <filename>Init</filename>,
<filename>PostLogin</filename>, <filename>PreSession</filename> and
<filename>PostSession</filename> directories as they are very similar.

When the X server has been successfully started, GDM will try to run
the script called <filename>Init/&lt;displayname&gt;</filename>, for example
<filename>Init/:0</filename> for the first attached display. If this
file is not found, GDM will attempt to run
<filename>Init/&lt;hostname&gt;</filename>, for example
<filename>Init/somehost</filename>.
If this still is not found, GDM will try
<filename>Init/XDMCP</filename> for all XDMCP logins or
<filename>Init/Flexi</filename> for all on demand flexible
displays. If none of the above were found, GDM will run
<filename>Init/Default</filename>. The script will be run as root and
GDM blocks until it terminates. Use the <filename>Init/*</filename>
script for applications that are supposed to run alongside the GDM
login window, xconsole for instance. Commands to set the background
etc. go in this file too.

It is up to the sysadmin to decide whether clients started by the Init
script should be killed before starting the user session. This is
controlled with the <filename>KillInitClients</filename> configuration

When the user has been successfully authenticated GDM tries the
scripts in the <filename>PostLogin</filename> directory in the same
manner as for the <filename>Init</filename> directory. This is done
before any session setup is done, and so this would be the script where
you might set up the home directory if you need to (though you should
use the <filename>pam_mount</filename> module if you can for this).
You have the <filename>$USER</filename> and
<filename>$DISPLAY</filename> environment variables set for this
script, and again it is run as root. The script should return 0 on
success as otherwise the user won't be logged in. This is not true for
failsafe sessions, however.

After the user session has been set up from the GDM side of things, GDM
will run the scripts in the <filename>PreSession</filename> directory,
again in the same manner as the <filename>Init</filename> directory.
This script can be used for session management or accounting, for
example. The <filename>$USER</filename> environment variable contains
the login of the authenticated user and <filename>$DISPLAY</filename>
is set to the current display. The script should return 0 on success.
Any other value will cause GDM to terminate the current login process.
This is not true for failsafe sessions, however. The
<filename>$X_SERVERS</filename> environment variable is also set and
points to a fake generated X servers file for use with the sessreg
accounting application.
After this the base <filename>Xsession</filename> script is run with
the selected session executable as the first argument. This is run as
the user, and really this is the user session. The available session
executables are taken from the <filename>Exec=</filename> line in the
<filename>.desktop</filename> files in the path specified by
<filename>SessionDesktopDir</filename>. Usually this path is
<filename>&lt;etc&gt;/X11/sessions/:&lt;etc&gt;/dm/Sessions:/usr/share/xsessions/</filename>.
The first found file is used. The user either picks from these
sessions or GDM will look inside the file <filename>~/.dmrc</filename>
for the stored preference.

This script should really load the user's profile and generally do all
the voodoo that is needed to launch a session. Since many systems
reset the language selections done by GDM, GDM will also set the
<filename>$GDM_LANG</filename> variable to the selected language. You
can use this to reset the language environment variables after you
run the user's profile. If the user elected to use the system language,
then <filename>$GDM_LANG</filename> is not set.

When the user terminates his session, the
<filename>PostSession</filename> script will be run. Again operation
is similar to <filename>Init</filename>, <filename>PostLogin</filename>
and <filename>PreSession</filename>. Again the script will be run with
root privileges, the slave daemon will block and the
<filename>$USER</filename> environment variable will contain the name
of the user who just logged out and <filename>$DISPLAY</filename> will
be set to the display the user used. Note, however, that the X server for
this display may already be dead and so you shouldn't try to access it.
The <filename>$X_SERVERS</filename> environment variable is also set and
points to a fake generated X servers file for use with the sessreg
accounting application.

Note that the <filename>PostSession</filename> script will be run
even when the display fails to respond due to an I/O error or
similar. Thus, there is no guarantee that X applications will work
during script execution.

Except for the <filename>Xsession</filename> script all of these
scripts will also have the environment variable
<filename>$RUNNING_UNDER_GDM</filename> set to
<filename>yes</filename>, so that you could perhaps use similar
scripts for different display managers. The
<filename>Xsession</filename> will always have the
<filename>$GDMSESSION</filename> set to the basename of the
session that the user chose to run without the
<filename>.desktop</filename> extension. In addition
<filename>$DESKTOP_SESSION</filename> is also set to the same value
and in fact this will also be set by KDM in future versions.

None of the <filename>Init</filename>,
<filename>PostLogin</filename>, <filename>PreSession</filename> or
<filename>PostSession</filename> scripts is necessary; any of them can be left
out. The <filename>Xsession</filename> script is however required as
well as at least one session <filename>.desktop</filename> file.
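Because every script in these directories runs as root and the most specific name wins, it helps to know which file GDM would select for a given display and who is able to change it. The following Python sketch is an added example, not code from GDM; the function names, the `kind` labels and the rule that a candidate counts as found when it is a regular file are assumptions made for the illustration, and the directory locations can be changed with the script directory configuration keys.

```python
import os
import stat
from pathlib import Path

# The four script directories described above; their scripts run as root.
SCRIPT_DIRS = ("Init", "PostLogin", "PreSession", "PostSession")


def candidate_names(display, hostname=None, kind="attached"):
    """Script names in the order the manual says GDM tries them.

    kind is "attached", "xdmcp" or "flexi" (labels chosen for this example).
    """
    names = [display]
    if hostname:
        names.append(hostname)
    if kind == "xdmcp":
        names.append("XDMCP")
    elif kind == "flexi":
        names.append("Flexi")
    names.append("Default")
    return names


def resolve_script(script_dir, display, hostname=None, kind="attached"):
    """Return the first candidate that exists, or None if no script would run.

    Assumption: a candidate counts as found when it is a regular file.
    """
    for name in candidate_names(display, hostname, kind):
        path = Path(script_dir) / name
        if path.is_file():
            return path
    return None


def permission_findings(path, trusted_uid=0):
    """List reasons why someone other than root could change what runs here."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid != trusted_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {trusted_uid}")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group or others (mode {mode:o})")
    return findings


def audit_display(gdm_etc, display, hostname=None, kind="attached", trusted_uid=0):
    """For each script directory, report the script selected and any findings.

    The directory itself is checked too: whoever can create files in it can
    add a more specific name (such as ":0") that shadows Default.
    """
    report = {}
    for name in SCRIPT_DIRS:
        script_dir = Path(gdm_etc) / name
        if not script_dir.is_dir():
            report[name] = {"selected": None, "findings": []}
            continue
        selected = resolve_script(script_dir, display, hostname, kind)
        findings = permission_findings(script_dir, trusted_uid)
        if selected is not None:
            findings += permission_findings(selected, trusted_uid)
        report[name] = {"selected": selected, "findings": findings}
    return report


if __name__ == "__main__":
    # /etc/gdm stands in for the manual's <etc>/gdm placeholder.
    for directory, result in audit_display("/etc/gdm", ":0").items():
        print(directory, result["selected"], result["findings"])
```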
<sect2 id="configfile">
<title>The Configuration Files - GDM System Defaults Configuration File
and GDM Custom Configuration File</title>

GDM uses two configuration files: the GDM System Defaults Configuration
File (<filename>&lt;share&gt;/gdm/defaults.conf</filename>) and the
GDM Custom Configuration File
(<filename>&lt;etc&gt;/gdm/custom.conf</filename>). The GDM System
Defaults File contains the default configuration choices for GDM, and
should not be modified by the user. The GDM Custom Configuration File
is where users may specify their custom configuration choices.
If a configuration option is not defined in either file, GDM will
default to the value described in the comments in the GDM System
Defaults Configuration File.

Both configuration files are divided into sections each containing
variables that define the behavior for a specific part of the GDM
suite. Refer to the comments in the GDM System Defaults Configuration
File for additional information about each configuration setting.

GDM also supports per-display configuration for parameters in the
"gui" and "greeter" sections of the configuration file.
Also the security/PamStack key may be customized per-display.
Per-display configuration is specified by creating a file named
<filename>&lt;etc&gt;/gdm/custom.conf&lt;display num&gt;</filename>.
In this file the section and keys to use on this display can be
specified. For example, configuration overrides for display
":103" would be stored in the file
<filename>&lt;etc&gt;/gdm/custom.conf:0</filename>. Per-display
configuration is supported in GDM 2.14.6 and later.

To change configuration by hand, edit the GDM Custom Configuration File
or per-display configuration file and make sure the keyname=value
pair you want is included in the appropriate section. For example,
to change the value for the "Greeter" key in the
"daemon" section, make sure the daemon section of the GDM
Custom Configuration File or per-display configuration file includes
the "[daemon]" section followed by the key and value
change desired. As in this example:

<screen>
[daemon]
Greeter=/usr/lib/gdmgreeter
</screen>
The <command>gdmsetup</command> command can be used to modify the GDM
Custom Configuration File. Note that <command>gdmsetup</command> is
intended to be run as root, so users who feel it is insecure to run
GUI programs as root should edit the configuration files by hand.

The GDM daemon <command>--config</command> argument may instead be used
to specify a different configuration file location. The GDM daemon
must be restarted to change the configuration file being used. Also
when building GDM, the location of the configuration files may be
specified via the <command>--with-defaults-conf</command> and
<command>--with-custom-conf</command> configuration options.

Previous to GDM 2.13.0.4 only the
<filename>&lt;etc&gt;/gdm/gdm.conf</filename> file existed. For best
backwards compatibility, this file will be used instead of the GDM
Custom Configuration File if it exists on your system. If upgrading
to the new version of GDM, "make install" will check to see
if the <filename>&lt;etc&gt;/gdm/gdm.conf</filename> file is different
than the <filename>&lt;etc&gt;/gdm/factory-gdm.conf</filename> file.
If so, the <filename>&lt;etc&gt;/gdm/gdm.conf</filename> file will be
automatically copied to
<filename>&lt;etc&gt;/gdm/custom.conf</filename> to preserve any
configuration changes.

Distributions should edit the GDM System Defaults Configuration File to
establish default configuration values, so that they are preserved as
defaults and not modified by users modifying the GDM Custom
Configuration File. Note that distributions may modify the GDM System
Defaults Configuration File on update to improve usability, security,
etc. So any changes made to this file may be lost.

The GDM System Defaults Configuration File and the GDM Custom
Configuration File follow the standard <filename>.ini</filename> style
configuration file syntax. Keywords in brackets define sections,
strings before an equal sign (=) are variables and the data after the
equal sign represents their value. Empty lines or lines starting with
the hash mark (#) are ignored. The graphical configurator will try to
preserve both comments (lines with a hash mark) and the overall
structure of the file so you can intermix using the GUI or hand
editing the configuration file.
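The layering described in this section can be reproduced to see which value is in effect for a display and which file it came from. This Python sketch is an added example, not GDM's own parser; it assumes per-display keys outside the supported sections have no effect, treats a key as enabled when its value reads `true`, and does not model GDM's built-in defaults. The function names and the list of watched keys are choices made for the illustration.

```python
import configparser
from pathlib import Path

# Per the manual, per-display files may override only these parts.
PER_DISPLAY_SECTIONS = {"gui", "greeter"}
PER_DISPLAY_KEYS = {("security", "PamStack")}

# Keys this manual ties to a security trade-off when set to true.
WATCHED_TRUE = [
    ("daemon", "AutomaticLoginEnable", "logs a user in at boot without a password"),
    ("daemon", "AddGtkModules", "loads extra Gtk+ modules into the greeter"),
    ("greeter", "ConfigAvailable", "offers gdmsetup from the login screen"),
]


def read_ini(path):
    """Parse one GDM .ini file into {section: {key: value}}; missing file -> {}."""
    path = Path(path)
    if not path.is_file():
        return {}
    parser = configparser.ConfigParser(
        interpolation=None,        # values such as %d and %h stay literal
        strict=False,              # tolerate repeated sections and keys
        allow_no_value=True,
        delimiters=("=",),
        comment_prefixes=("#",),   # the manual names only '#' as comment marker
    )
    parser.optionxform = str       # keep key case as written
    parser.read_string(path.read_text(), source=str(path))
    return {s: dict(parser[s]) for s in parser.sections()}


def effective_config(defaults, custom, legacy=None, display_file=None):
    """Merge the layers in the order the manual describes.

    Returns ({(section, key): (value, source)}, [ignored per-display keys]).
    """
    layers = [("defaults", read_ini(defaults))]
    if legacy is not None and Path(legacy).is_file():
        # An existing gdm.conf is used instead of the custom file.
        layers.append(("legacy", read_ini(legacy)))
    else:
        layers.append(("custom", read_ini(custom)))
    merged = {}
    for source, data in layers:
        for section, keys in data.items():
            for key, value in keys.items():
                merged[(section, key)] = (value, source)
    ignored = []
    if display_file is not None:
        for section, keys in read_ini(display_file).items():
            for key, value in keys.items():
                if section in PER_DISPLAY_SECTIONS or (section, key) in PER_DISPLAY_KEYS:
                    merged[(section, key)] = (value, "per-display")
                else:
                    ignored.append((section, key))  # assumed to have no effect
    return merged, ignored


def flag_settings(merged):
    """Return (section/key, source, reason) for watched keys that are enabled."""
    hits = []
    for section, key, reason in WATCHED_TRUE:
        value, source = merged.get((section, key), (None, None))
        if value is not None and value.strip().lower() == "true":
            hits.append((f"{section}/{key}", source, reason))
    return hits


if __name__ == "__main__":
    # Paths are placeholders for the manual's <share> and <etc> prefixes.
    merged, ignored = effective_config(
        "/usr/share/gdm/defaults.conf", "/etc/gdm/custom.conf",
        legacy="/etc/gdm/gdm.conf", display_file="/etc/gdm/custom.conf:0")
    for hit in flag_settings(merged):
        print(*hit)
    for section, key in ignored:
        print(f"per-display override not supported: {section}/{key}")
```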
The following configuration keys are supported in GDM:

<sect3 id="daemonsection">
<title>Daemon Configuration</title>
<title>[daemon]</title>

<term>AddGtkModules</term>
<synopsis>AddGtkModules=false</synopsis>
If true, enables <command>gdmgreeter</command> or
<command>gdmlogin</command> to be launched with additional
Gtk+ modules. This is useful when extra features are required
such as accessible login. Note that only "trusted"
modules should be used to minimize security issues.

If true, then the registry daemon
<command>at-spi-registryd</command>
will be launched by <command>gdmgreeter</command> or
<command>gdmlogin</command> starting with version GDM 2.17.

Usually this is used for accessibility modules. The modules
which are loaded are specified with the
<filename>GtkModulesList</filename> key.
<term>AllowLogoutActions</term>
<synopsis>AllowLogoutActions=HALT;REBOOT;SHUTDOWN;SUSPEND;CUSTOM_CMD</synopsis>
Specify which actions are supported by the QUERY_LOGOUT_ACTION,
SET_LOGOUT_ACTION, and SET_SAFE_LOGOUT_ACTION
<command>gdmflexiserver</command> commands. Valid values are
HALT, REBOOT, SHUTDOWN, SUSPEND, and CUSTOM_CMD and these
should be separated by semicolons. This allows certain
options to be disabled if desired. Refer to the related
<filename>SystemCommandsInMenu</filename> and
<filename>RBACSystemCommandKeys</filename> configuration

<term>AlwaysLoginCurrentSession</term>
<synopsis>AlwaysLoginCurrentSession=true</synopsis>
If true, a user who logs in and already has an
existing session is connected to that session
rather than starting a new session. This only works for
sessions running on VTs (Virtual Terminals) started with
gdmflexiserver, and not with XDMCP. Note that VTs are not
supported on all operating systems.

<term>AutomaticLoginEnable</term>
<synopsis>AutomaticLoginEnable=false</synopsis>
Whether the user given in AutomaticLogin should be logged in upon
first bootup. No password will be asked. This is useful
for single user workstations where console security is not an
issue and also could be useful for public terminals. Refer
also to <filename>TimedLogin</filename>.
<term>AutomaticLogin</term>
<synopsis>AutomaticLogin=</synopsis>
This user should be automatically logged in on first bootup.
AutomaticLoginEnable must be true and this must be
a valid user for this to happen. "root" can never be
autologged in however and gdm will just refuse to do it even

The following control chars are recognized within the

%% &mdash; the `%' character

%d &mdash; display's name

%h &mdash; display's hostname

Alternatively, the name may end with a vertical bar |, the
pipe symbol. The name is then used as an application to execute
which returns the desired username on standard output. If an
empty or otherwise invalid username is returned, automatic
login is not performed. This feature is typically used when
several remote displays are used as internet kiosks, with a
specific user to automatically login for each display.
<term>BaseXsession</term>
<synopsis>BaseXsession=&lt;etc&gt;/gdm/Xsession</synopsis>
This is the base X session file. When a user logs in, this
script will be run with the selected session as the first
argument. The selected session will be the
<filename>Exec=</filename> from the
<filename>.desktop</filename> file of the session.

If you wish to use the same script for several different
display managers, and wish to have some of the script run only
for GDM, then you can check the presence of the
<filename>GDMSESSION</filename> environment variable. This
will always be set to the basename of the
<filename>.desktop</filename> file (without the extension) that
is being used for this session, and will only be set for GDM
sessions. Previously some scripts were checking for
<filename>GDM_LANG</filename>, but that is only set when the
user picks a non-system default language.

This script should take care of doing the "login" for
the user and so it should source the
<filename>&lt;etc&gt;/profile</filename> and friends. The
standard script shipped with GDM sources the files in this
order: <filename>&lt;etc&gt;/profile</filename> then
<filename>~/.profile</filename> then
<filename>&lt;etc&gt;/xprofile</filename> and finally
<filename>~/.xprofile</filename>. Note that different
distributions may change this however. Sometimes users'
personal setup will be in <filename>~/.bash_profile</filename>,
however broken that is.
<term>Chooser</term>
<synopsis>Chooser=&lt;bin&gt;/gdmchooser</synopsis>
Full path and name of the chooser executable followed by

<term>Configurator</term>
<synopsis>Configurator=&lt;bin&gt;/gdmsetup --disable-sound --disable-crash-dialog</synopsis>
The pathname to the configurator binary. If the greeter
<filename>ConfigAvailable</filename> option is set to true then
run this binary when somebody chooses Configuration from the
Actions menu. Of course, GDM will first ask for the root password.
And it will never allow this to happen from a remote

<term>ConsoleCannotHandle</term>
<synopsis>ConsoleCannotHandle=am,ar,az,bn,el,fa,gu,hi,ja,ko,ml,mr,pa,ta,zh</synopsis>
These are the languages that the console cannot handle because
of font issues. Here we mean the text console, not X. This
is only used when there are errors to report and we cannot

<term>ConsoleNotify</term>
<synopsis>ConsoleNotify=true</synopsis>
If false, gdm will not display a message dialog on the
console when an error happens.
<term>DefaultPath</term>
<synopsis>DefaultPath=defaultpath (value set by configure)</synopsis>
Specifies the path which will be set in the user's session.
This value will be overridden with the value from
<filename>/etc/default/login</filename> if it contains
"ROOT=&lt;pathname&gt;". If the
<filename>/etc/default/login</filename> file exists, but
contains no value for ROOT, the value as defined in the GDM
configuration will be used.

<term>DefaultSession</term>
<synopsis>DefaultSession=gnome.desktop</synopsis>
The session that is used by default if the user does not have
a saved preference and has picked 'Last' from the list of
sessions. Note that 'Last' need not be displayed, see
the <filename>ShowLastSession</filename> key.

<term>DisplayInitDir</term>
<synopsis>DisplayInitDir=&lt;etc&gt;/gdm/Init</synopsis>
Directory containing the display init scripts. See the
``The Script Directories'' section for more info.

<term>DisplayLastLogin</term>
<synopsis>DisplayLastLogin=true</synopsis>
If true then the last login information is printed to the user
before being prompted for password. While this gives away some
info on what users are on a system, it on the other hand should
give the user an idea of when they logged in and if it doesn't
seem kosher to them, they can just abort the login and contact
the sysadmin (avoids running malicious startup scripts).
This was added in version 2.5.90.0.

This is for making GDM conformant to CSC-STD-002-85, although
that is purely theoretical now. Someone should read that spec
and ensure that this actually conforms (in addition to other
<filename>http://www.radium.ncsc.mil/tpep/library/rainbow/CSC-STD-002-85.html</filename>
<term>DoubleLoginWarning</term>
<synopsis>DoubleLoginWarning=true</synopsis>
If true, GDM will warn the user if they are already logged in
on another virtual terminal. On systems where GDM supports
checking the X virtual terminals, GDM will let the user switch
to the previous login virtual terminal instead of logging in.

<term>DynamicXServers</term>
<synopsis>DynamicXServers=false</synopsis>
If true, the GDM daemon will honor requests to manage
displays via the <filename>/tmp/.gdm_socket</filename>
socket connection. Displays can be created, started,
and deleted with the appropriate commands. The
<filename>gdmdynamic</filename> command is a convenient
method to send these messages.

<term>FailsafeXServer</term>
<synopsis>FailsafeXServer=</synopsis>
An X command line in case we can't start the normal X server.
It should probably be some sort of a script that runs an
appropriate low resolution X server that will just work.
This is tried before the <filename>XKeepsCrashing</filename>

<term>FirstVT</term>
<synopsis>FirstVT=7</synopsis>
On systems where GDM supports automatic VT (virtual terminal)
allocation, this is the first VT to try. Usually standard text
logins are run on the lower VTs. See also
<filename>VTAllocation</filename>.

<term>FlexibleXServers</term>
<synopsis>FlexibleXServers=5</synopsis>
The maximum number of allowed flexible displays. These are
displays that can be run using the
<filename>/tmp/.gdm_socket</filename> socket connection.
This is used for both full flexible displays and for nested
displays (refer to the <filename>Xnest</filename> configuration

<term>FlexiReapDelayMinutes</term>
<synopsis>FlexiReapDelayMinutes=5</synopsis>
After how many minutes of inactivity at the login screen
should a flexi display be reaped. This is only in effect
before a user logs in. Also it does not affect nested displays
(refer to the <filename>Xnest</filename> configuration
option). To turn off this behavior set this value to 0. This
was added in version 2.5.90.0.
<term>Greeter</term>
<synopsis>Greeter=&lt;bin&gt;/gdmlogin</synopsis>
Full path and name of the greeter executable followed by
optional arguments. This is the greeter used for all displays
except for the XDMCP remote displays. See also
<filename>RemoteGreeter</filename>

<term>Group</term>
<synopsis>Group=gdm</synopsis>
The group name under which <command>gdmlogin</command>,
<command>gdmgreeter</command>,
<command>gdmchooser</command> and the internal
failsafe GTK+ dialogs are run. Also see
<filename>User</filename>. This user will have access to all
the X authorization files, and perhaps to other internal GDM
data and it should not therefore be a user such as nobody, but
rather a dedicated user. The <filename>ServAuthDir</filename>
is owned by this group. The ownership and permissions of
<filename>ServAuthDir</filename> should be
<filename>root.gdm</filename> and 1770.

<term>GtkModulesList</term>
<synopsis>GtkModulesList=module-1:module-2:...</synopsis>
A colon separated list of Gtk+ modules that
<command>gdmgreeter</command> or <command>gdmlogin</command>
will be invoked with if <filename>AddGtkModules</filename> is
true. The format is the same as the standard Gtk+ module

<term>HaltCommand</term>
<synopsis>HaltCommand=&lt;sbin&gt;/shutdown -h now</synopsis>
Full path and arguments to command to be executed when user
selects "Shut Down" from the Actions menu. This can
be a ';' separated list of commands to try. If a value is
missing, the shut down command is not available. Note that the
default for this value is not empty, so to disable
"Shut Down" it must be
set to an empty value.

<term>KillInitClients</term>
<synopsis>KillInitClients=true</synopsis>
Determines whether GDM should kill X clients started by the
init scripts when the user logs in.

<term>LogDir</term>
<synopsis>LogDir=&lt;var&gt;/log/gdm</synopsis>
Directory containing the log files for the individual displays.
By default this is the same as the ServAuthDir.
<term>PreFetchProgram</term>
<synopsis>PreFetchProgram=command</synopsis>
Program to be run by the GDM greeter/login program when the
initial screen is displayed. The purpose is to provide a hook
where files which will be used after login can be preloaded to
speed performance for the user. The program will be called
once only, the first time a greeter is displayed. The
gdmprefetch command may be used. This utility will load any
libraries passed in on the command line, or if the argument
starts with a "@" character, it will process the file
assuming it is an ASCII file containing a list of libraries,
one per line, and load each library in the file.

<term>PostLoginScriptDir</term>
<synopsis>PostLoginScriptDir=&lt;etc&gt;/gdm/PostLogin</synopsis>
Directory containing the scripts run right after the user logs
in, but before any session setup is done. See the
``The Script Directories'' section for more info.

<term>PostSessionScriptDir</term>
<synopsis>PostSessionScriptDir=&lt;etc&gt;/gdm/PostSession</synopsis>
Directory containing the scripts run after the user logs out.
See the ``The Script Directories'' section for more info.

<term>PreSessionScriptDir</term>
<synopsis>PreSessionScriptDir=&lt;etc&gt;/gdm/PreSession</synopsis>
Directory containing the scripts run before the user logs in.
See the ``The Script Directories'' section for more info.
<term>RBACSystemCommandKeys</term>
<synopsis>RBACSystemCommandKeys</synopsis>
Support RBAC (Role Based Access Control) for system commands
(Shutdown, Reboot, Suspend, etc.). This feature is only
functional if GDM is compiled with RBAC support. Specify the
RBAC key used to determine if the user has permission to use
the action via the QUERY_LOGOUT_ACTION, SET_LOGOUT_ACTION, and
SET_SAFE_LOGOUT_ACTION <command>gdmflexiserver</command>
commands. Valid actions are HALT, REBOOT, SUSPEND, and
CUSTOM_CMD. The greeter will only display the command if the
gdm user (<filename>User</filename> configuration key) has
RBAC permissions to use the action. RBAC keys for multiple
actions can be specified by separating them with semicolons.
The format for each is "Action:RBAC key". If an action is not
specified, it is assumed that all users have permission to use
this action. For example, a valid value for this
configuration option would be
"HALT:key.for.halt;REBOOT:key.for.reboot". Refer to
the related <filename>AllowLogoutActions</filename> and
<filename>SystemCommandsInMenu</filename> configuration

<term>RebootCommand</term>
<synopsis>RebootCommand=&lt;sbin&gt;/shutdown -r now</synopsis>
Full path and optional arguments to the command to be
executed when user selects Restart from the Actions menu. This
can be a ';' separated list of commands to try. If missing,
the restart command is not available. Note that the default
for this value is not empty so to disable restart you must set
this explicitly to an empty value.

<term>RemoteGreeter</term>
<synopsis>RemoteGreeter=&lt;bin&gt;/gdmlogin</synopsis>
Full path and name of the greeter executable followed by
optional arguments. This is used for all remote XDMCP
sessions. It is useful to have the less graphically demanding
greeter here if you use the Themed Greeter for your main
greeter. See also the <filename>Greeter</filename> key.

<term>RootPath</term>
<synopsis>RootPath=defaultpath (value set by configure)</synopsis>
Specifies the path which will be set in the root's
session and the {Init,PostLogin,PreSession,PostSession} scripts
executed by GDM. This value will be overridden with the value
from <filename>/etc/default/login</filename> if it
contains "SUROOT=&lt;pathname&gt;". If the
<filename>/etc/default/login</filename> file exists, but
contains no value for SUROOT, the value as defined in the GDM
configuration will be used.
<term>ServAuthDir</term>
<synopsis>ServAuthDir=&lt;var&gt;/gdm</synopsis>
Directory containing the X authentication files for the
individual displays. Should be owned by
<filename>root.gdm</filename> with permissions 1770, where
<filename>gdm</filename> is the GDM group as defined by the
<filename>Group</filename> option. That is, it should be owned by
root, with <filename>gdm</filename> group having full write
permissions and the directory should be sticky and others
should have no permission to the directory. This way the GDM
user can't remove files owned by root in that directory, while
still being able to write its own files there. GDM will
attempt to change permissions for you when it's first run if
the permissions are not the above. This directory is also used
for other private files that the daemon needs to store. Other
users should not have any way to get into this directory and
read/change its contents. Anybody who can read this directory
can connect to any display on this computer.

<term>SessionDesktopDir</term>
<synopsis>SessionDesktopDir=&lt;etc&gt;/X11/sessions/:&lt;etc&gt;/dm/Sessions/:&lt;share&gt;/xsessions/</synopsis>
Directory containing the <filename>.desktop</filename> files
which are the available sessions on the system. Since 2.4.4.2
this is treated like a PATH type variable and the first file

<term>SoundProgram</term>
<synopsis>SoundProgram=<filename>&lt;bin&gt;/play</filename> (or <filename>&lt;bin&gt;/audioplay</filename> on Solaris)</synopsis>
Application to use when playing a sound. Currently used for
playing the login sound, see the
<filename>SoundOnLoginFile</filename> key. Supported since
2545
<term>StandardXServer</term>
<synopsis>StandardXServer=/dir/to/X (value assigned by configuration file)</synopsis>
Full path and arguments to the standard X server command.
This is used when gdm cannot find any other definition,
and it's used as the default and failsafe fallback in a
number of places. This should be able to run some sort
<term>SuspendCommand</term>
<synopsis>SuspendCommand=</synopsis>
Full path and arguments to the command to be executed when
the user selects Suspend from the Actions menu. If empty,
there is no such menu item. Note that the default for this
value is not empty, so to disable suspend you must set this
explicitly to an empty value.
<term>SystemCommandsInMenu</term>
<synopsis>SystemCommandsInMenu=HALT;REBOOT;SHUTDOWN;SUSPEND;CUSTOM_CMD</synopsis>
Specify which system commands are available in the greeter
menu. Valid values are HALT, REBOOT, SHUTDOWN, SUSPEND, and
CUSTOM_CMD and these should be separated by semicolons. This
can be useful if you want to disable some options in the menu,
but still have them available to authenticated users via the
SET_LOGOUT_ACTION or SET_SAFE_LOGOUT_ACTION
<command>gdmflexiserver</command> commands. For example, the
GNOME panel uses these commands to provide Shutdown, Reboot,
and Suspend in the application menu. Therefore if you turn
off these options in the greeter, these options can still be
available to users who have authenticated via the GNOME panel.
Refer to the related
<filename>AllowLogoutActions</filename> and
<filename>RBACSystemCommandKeys</filename> configuration
<term>TimedLoginEnable</term>
<synopsis>TimedLoginEnable=false</synopsis>
Whether the user given in <filename>TimedLogin</filename> should be
logged in after a number of seconds (set with
<filename>TimedLoginDelay</filename>) of inactivity on the
login screen. This is useful for public access terminals or
perhaps even home use. If the user uses the keyboard or
browses the menus, the timeout will be reset to
<filename>TimedLoginDelay</filename> or 30 seconds, whichever
is higher. If the user does not enter a username but just
hits the ENTER key while the login program is requesting the
username, then GDM will assume the user wants to log in
immediately as the timed user. Note that no password will be
asked for this user so you should be careful, although if using
PAM it can be configured to require password entry before
<term>TimedLogin</term>
<synopsis>TimedLogin=</synopsis>
This is the user that should be logged in after a specified
number of seconds of inactivity. This can never be
"root" and gdm will refuse to log in root this way.
The same features as for <filename>AutomaticLogin</filename>
are supported. The same control chars and piping to an
application are supported.
<term>TimedLoginDelay</term>
<synopsis>TimedLoginDelay=30</synopsis>
Delay in seconds before the <filename>TimedLogin</filename>
user will be logged in. It must be greater than or equal to 10.
<synopsis>User=gdm</synopsis>
The username under which <command>gdmlogin</command>,
<command>gdmgreeter</command>,
<command>gdmchooser</command> and the internal
failsafe GTK+ dialogs are run. Also see
<filename>Group</filename>. This user will have access to all
the X authorization files, and perhaps to other internal GDM
data and it should not therefore be a user such as nobody, but
rather a dedicated user.
<term>UserAuthDir</term>
<synopsis>UserAuthDir=</synopsis>
The directory where the user's <filename>.Xauthority</filename>
file should be saved. When nothing is specified the user's
home directory is used. This is tilde expanded so you
can set it to things like: <filename>~/authdir/</filename>.

If you do not use the tilde expansion, then the filename
created will be random, like in
<filename>UserAuthFBDir</filename>. This way many users can
have the same authentication directory. For example you might
want to set this to <filename>/tmp</filename> when the user has the
home directory on NFS, since you really don't want cookie files
to go over the wire. The users should really have write
privileges to this directory, and this directory should really
be sticky and all that, just like the <filename>/tmp</filename>

Normally if this is the user's home directory GDM will still
refuse to put cookies there if it thinks it is NFS (by testing
root-squashing). This can be changed by setting
<filename>NeverPlaceCookiesOnNFS</filename> in the
<filename>[security]</filename> section to false.
<term>UserAuthFBDir</term>
<synopsis>UserAuthFBDir=/tmp</synopsis>
If GDM fails to update the user's
<filename>.Xauthority</filename> file a fallback cookie is
created in this directory.
<term>UserAuthFile</term>
<synopsis>UserAuthFile=.Xauthority</synopsis>
Name of the file used for storing user cookies.
<term>VTAllocation</term>
<synopsis>VTAllocation=true</synopsis>
On systems where GDM supports automatic VT (virtual terminal)
allocation (currently Linux and FreeBSD only), you can have
GDM automatically append the vt argument to the X server
executable. This way races that come up from each X server
managing its own vt allocation can be avoided. See also
<filename>FirstVT</filename>.
<term>XKeepsCrashing</term>
<synopsis>XKeepsCrashing=<etc>/gdm/XKeepsCrashing</synopsis>
A script to run in case X keeps crashing. This is for running
an X configuration or whatever else to make the X configuration
work. See the script that came with the distribution for an
example. The distributed <filename>XKeepsCrashing</filename>
script is tested on Red Hat, but may work elsewhere. Your
system integrator should make sure this script is up to date
for your particular system.

In case <filename>FailsafeXServer</filename> is set up, that
will be tried first, and this is only used as a backup if even
that X server keeps crashing.
<synopsis>Xnest=<bin>/X11/Xephyr -audit 0</synopsis>
The full path and arguments to the nested X server command,
which can be Xephyr, Xnest, or similar program. This command
is used for starting nested displays allowing the user
to start new login screens in a nested window. Xephyr is
recommended since it works best and better supports modern
X server extensions. Therefore GDM will set the default
configuration to use Xephyr if available. If Xephyr is not
available, then Xnest will be used if it is available.
<term>XnestUnscaledFontPath</term>
<synopsis>XnestUnscaledFontPath=true</synopsis>
Set to true if the nested X server command program supports the
":unscaled" suffix in the FontPath (passed to nested X server
command via the -fp argument). Some Xnest (e.g. Xsun Xnest)
programs do not, and it is necessary to set this to false for
such nested X server commands to work with GDM. Refer to the
<filename>Xnest</filename> configuration option.
<sect3 id="securitysection">
<title>Security Options</title>
<title>[security]</title>
<term>AllowRoot</term>
<synopsis>AllowRoot=true</synopsis>
Allow root (privileged user) to log in through GDM. Set this
to false if you want to disallow such logins.

On systems that support PAM, this parameter is not as useful
as you can use PAM to do the same thing, and in fact do even
more. However it is still followed, so you should probably
leave it true for PAM systems.
<term>AllowRemoteRoot</term>
<synopsis>AllowRemoteRoot=false</synopsis>
Allow root (privileged user) to log in remotely through GDM.
This value should be set to true to allow such logins.
Remote logins are any logins that come in through XDMCP.

On systems that support PAM, this parameter is not as useful
since you can use PAM to do the same thing, and do even

This value will be overridden and set to false if the
<filename>/etc/default/login</filename> file exists and
contains "CONSOLE=/dev/login", and set to true if the
<filename>/etc/default/login</filename> file exists and
contains any other value or no value for CONSOLE.
<term>AllowRemoteAutoLogin</term>
<synopsis>AllowRemoteAutoLogin=false</synopsis>
Allow the timed login feature to work for remote displays.
In other words, remote connections via XDMCP will be allowed to
log into the "TimedLogin" user after the delay
defined by <filename>TimedLoginDelay</filename>.

Note that this can make a system quite insecure, and thus is
<term>CheckDirOwner</term>
<synopsis>CheckDirOwner=true</synopsis>
By default GDM checks the ownership of the home directories
before writing to them; this prevents security issues in case
of bad setup. However in some instances home directories will
be owned by a different user and in this case it is necessary
to turn this option on. You will also most likely have to
turn the <filename>RelaxPermissions</filename> key to at least
value 1 since in such a scenario home directories are likely
to be group writable. Supported since 2.6.0.4.
<term>SupportAutomount</term>
<synopsis>SupportAutomount=false</synopsis>
By default GDM checks the ownership of the home directories
before writing to them; this prevents security issues in case
of bad setup. However, when home directories are managed by
automounter, they are often not mounted before they are
accessed. This option works around subtleties of Linux
<term>DisallowTCP</term>
<synopsis>DisallowTCP=true</synopsis>
If true, then always append <filename>-nolisten tcp</filename>
to the command line when starting attached X servers, thus
disallowing TCP connections. This is a more secure
configuration if not using remote connections.
<term>NeverPlaceCookiesOnNFS</term>
<synopsis>NeverPlaceCookiesOnNFS=true</synopsis>
Normally if this is true (which is the default), GDM will not
place cookies into the user's home directory if this directory
is on NFS. Well, GDM will consider any filesystem with
root-squashing an NFS filesystem. Sometimes however the remote
file system can have root squashing and be safe (perhaps by
using encryption). In this case set this to 'false'. Note
that this option appeared in version 2.4.4.4 and is ignored in
<term>PasswordRequired</term>
<synopsis>PasswordRequired=false</synopsis>
If true, this will cause PAM_DISALLOW_NULL_AUTHTOK to be
passed as a flag to pam_authenticate and pam_acct_mgmt,
disallowing NULL passwords. This setting will only take
effect if PAM is being used by GDM. This value will be
overridden with the value from
<filename>/etc/default/login</filename> if it contains
"PASSREQ=[YES|NO]". If the
<filename>/etc/default/login</filename> file exists, but
contains no value for PASSREQ, the value as defined in the GDM
configuration will be used.
<term>RelaxPermissions</term>
<synopsis>RelaxPermissions=0</synopsis>
By default GDM ignores files and directories writable by
users other than the owner.

Changing the value of RelaxPermissions makes it possible to
alter this behavior:

0 - Paranoia option. Only accepts user owned files and
1 - Allow group writable files and directories.
2 - Allow world writable files and directories.
<term>RetryDelay</term>
<synopsis>RetryDelay=1</synopsis>
The number of seconds GDM should wait before reactivating the
entry field after a failed login.
<term>UserMaxFile</term>
<synopsis>UserMaxFile=65536</synopsis>
GDM will refuse to read/write files bigger than this number
(specified in bytes).

In addition to the size check GDM is extremely picky about
accessing files in user directories. It will not follow
symlinks and can optionally refuse to read files and
directories writable by other than the owner. See the
<filename>RelaxPermissions</filename> option for more info.
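The access rules described for <filename>RelaxPermissions</filename> and <filename>UserMaxFile</filename> (no symlinks, owner check, writability check, size cap) can be combined into one race-free check by opening the file first and inspecting the descriptor. This is an added sketch, not GDM's own code; the function name, its parameters and the verdict strings are hypothetical.

```python
import errno
import os
import stat


def check_user_file(path, uid, relax_permissions=0, user_max_file=65536):
    """Return "ok" or the reason a file in a user's directory is rejected.

    relax_permissions follows the 0/1/2 scale above; user_max_file is in
    bytes. The file is opened with O_NOFOLLOW and then examined with
    fstat(), so the checks apply to the object that was actually opened
    and cannot be swapped for a symlink between check and use.
    """
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        # Linux reports ELOOP for a symlink in the final path component;
        # some BSDs report EMLINK.
        if exc.errno in (errno.ELOOP, errno.EMLINK):
            return "symlink"
        return f"cannot open: {exc.strerror}"
    try:
        st = os.fstat(fd)
        mode = stat.S_IMODE(st.st_mode)
        if not stat.S_ISREG(st.st_mode):
            return "not a regular file"
        if st.st_uid != uid:
            return "not owned by the user"
        if (mode & stat.S_IWOTH) and relax_permissions < 2:
            return "world writable"
        if (mode & stat.S_IWGRP) and relax_permissions < 1:
            return "group writable"
        if st.st_size > user_max_file:
            return "larger than UserMaxFile"
        return "ok"
    finally:
        os.close(fd)
```

O_NOFOLLOW only guards the last path component, so a caller that also distrusts the parent directories has to check those separately.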
<term>UtmpLineAttached</term>
<synopsis>UtmpLineAttached=/dev/console (or /dev/dtlocal on Solaris)</synopsis>
When doing Utmp processing for attached displays, GDM sets the
ut_line to the device associated with the Virtual Terminal (VT)
if it is being used. Otherwise, it will use the value
specified with the display in the
<filename>[servers]</filename> section if a value is provided.
If not, then the default value specified in UtmpLineAttached is
used for attached displays. The value can contain
"%d" which is translated to the DISPLAY value or
"%h" which is translated to the hostname. This value
must begin with <filename>/dev/</filename>.
<term>UtmpLineRemote</term>
<synopsis>UtmpLineRemote= (or /dev/dtremote on Solaris)</synopsis>
When doing Utmp processing, GDM sets the ut_line to this value
for remote displays. The value can contain "%d"
which is translated to the DISPLAY value or "%h"
which is translated to the hostname. This value must begin
with <filename>/dev/</filename>.
<term>UtmpPseudoDevice</term>
<synopsis>UtmpPseudoDevice=false (or true on Solaris)</synopsis>
If the device associated with a display does not exist, then
GDM will create a symlink to <filename>/dev/null</filename>, or
touch it if it is a symlink to <filename>/dev/null</filename>.
Some programs such as <command>last</command>,
<command>finger</command>, or <command>who</command> access the
utmp database and may assume that the device points to an
actual file. Creating such symlinks ensures that such programs
<sect3 id="xdmcpsection">
<title>XDMCP Support</title>
<title>[xdmcp]</title>
<term>DisplaysPerHost</term>
<synopsis>DisplaysPerHost=1</synopsis>
To prevent attackers from filling up the pending queue, GDM
will only allow one connection for each remote computer. If
you want to provide display services to computers with more
than one screen, you should increase the
<filename>DisplaysPerHost</filename> value accordingly.

Note that the number of attached DISPLAYS allowed is not
limited. Only remote connections via XDMCP are limited by
this configuration option.
<synopsis>Enable=false</synopsis>
Setting this to true enables XDMCP support allowing remote
displays/X terminals to be managed by GDM.

<filename>gdm</filename> listens for requests on UDP port 177.
See the Port option for more information.

If GDM is compiled to support it, access from remote displays
can be controlled using the TCP Wrappers library. The service
name is <filename>gdm</filename>

to your <filename><etc>/hosts.allow</filename>, depending
on your TCP Wrappers configuration. See the
<ulink type="help" url="man:hosts.allow">hosts.allow(5)</ulink>
man page for details.

Please note that XDMCP is not a particularly secure protocol
and that it is a good idea to block UDP port 177 on your
firewall unless you really need it.
<term>EnableProxy</term>
<synopsis>EnableProxy=false</synopsis>
Setting this to true enables support for running XDMCP sessions
on a local proxy X server. This may improve the performance of
XDMCP sessions, especially on high latency networks, as many
X protocol operations can be completed without going over the

Note, however, that this mode will significantly increase the
burden on the machine hosting the XDMCP sessions.

See the <filename>FlexiProxy</filename> and
<filename>FlexiProxyDisconnect</filename> options for further
details on how to configure support for this feature.
<term>HonorIndirect</term>
<synopsis>HonorIndirect=true</synopsis>
Enables XDMCP INDIRECT choosing (i.e. remote execution of
<filename>gdmchooser</filename>) for X-terminals which don't
supply their own display browser.
<term>MaxPending</term>
<synopsis>MaxPending=4</synopsis>
To avoid denial of service attacks, GDM has a fixed-size queue
of pending connections. Only MaxPending displays can start at

Please note that this parameter does *not* limit the number of
remote displays which can be managed. It only limits the number
of displays initiating a connection simultaneously.
<term>MaxPendingIndirect</term>
<synopsis>MaxPendingIndirect=4</synopsis>
GDM will only provide <filename>MaxPendingIndirect</filename>
displays with host choosers simultaneously. If more queries
from different hosts come in, the oldest ones will be
<term>MaxSessions</term>
<synopsis>MaxSessions=16</synopsis>
Determines the maximum number of remote display connections
which will be managed simultaneously. I.e. the total number of
remote displays that can use your host.
<term>MaxWait</term>
<synopsis>MaxWait=30</synopsis>
When GDM is ready to manage a display an ACCEPT packet is sent
to it containing a unique session id which will be used in
future XDMCP conversations.

GDM will then place the session id in the pending queue
waiting for the display to respond with a MANAGE request.

If no response is received within MaxWait seconds, GDM will
declare the display dead and erase it from the pending queue
freeing up the slot for other displays.
<term>MaxWaitIndirect</term>
<synopsis>MaxWaitIndirect=30</synopsis>
The MaxWaitIndirect parameter determines the maximum number of
seconds between the time where a user chooses a host and the
subsequent indirect query where the user is connected to the
host. When the timeout is exceeded, the information about the
chosen host is forgotten and the indirect slot freed up for
other displays. The information may be forgotten earlier if
there are more hosts trying to send indirect queries than
<filename>MaxPendingIndirect</filename>.
<synopsis>Port=177</synopsis>
The UDP port number <filename>gdm</filename> should listen on
for XDMCP requests. Don't change this unless you know what
<term>PingIntervalSeconds</term>
<synopsis>PingIntervalSeconds=15</synopsis>
Interval in which to ping the X server in seconds. If the X
server doesn't return before the next time we ping it, the
connection is stopped and the session ended. This is a
combination of the XDM PingInterval and PingTimeout, but in

Note that GDM in the past used to have a
<filename>PingInterval</filename> configuration key which was
also in minutes. For most purposes you'd want this setting
to be lower than one minute however since in most cases where
XDMCP would be used (such as terminal labs), a lag of more
than 15 or so seconds would really mean that the terminal was
turned off or restarted and you would want to end the session.
<term>ProxyReconnect</term>
<synopsis>ProxyReconnect=</synopsis>
Setting this option enables experimental support for session
migration with XDMCP sessions. This enables users to disconnect
from their session and later reconnect to that same session,
possibly from a different terminal.

In order to use this feature, you must have a nested X server
available which supports disconnecting from its parent X server
and reconnecting to another X server. Currently, the Distributed
Multihead X (DMX) server supports this feature to some extent
and other projects like NoMachine NX are busy implementing it.

This option should be set to the path of a command which will
handle reconnecting the XDMCP proxy to another backend display.
A sample implementation for use with DMX is supplied.
<term>ProxyXServer</term>
<synopsis>ProxyXServer=</synopsis>
The X server command line for an XDMCP proxy. Any nested X
server like Xnest, Xephyr or Xdmx should work fairly well.
<term>Willing</term>
<synopsis>Willing=<etc>/gdm/Xwilling</synopsis>
When the machine sends a WILLING packet back after a QUERY it
sends a string that gives the current status of this server.
The default message is the system ID, but it is possible to
create a script that displays a customized message. If this
script doesn't exist or this key is empty the default message
is sent. If this script succeeds and produces some output,
the first line of its output is sent (and only the first
line). It runs at most once every 3 seconds to prevent
possible denial of service by flooding the machine with QUERY
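The risk notes scattered through the timed-login, [security] and [xdmcp] entries above can be turned into a configuration audit. This is an added example, not part of GDM: the defaults are the values from the synopsis lines of this manual, the sample configuration is constructed, and placing the TimedLogin keys in a [daemon] section is an assumption about the file layout.

```python
import configparser

# Defaults copied from the <synopsis> lines of this manual.
# Assumption: the TimedLogin* keys live in the [daemon] section.
DEFAULTS = {
    "daemon": {"TimedLoginEnable": "false", "TimedLogin": "",
               "TimedLoginDelay": "30"},
    "security": {"AllowRemoteRoot": "false", "AllowRemoteAutoLogin": "false",
                 "DisallowTCP": "true", "NeverPlaceCookiesOnNFS": "true",
                 "RelaxPermissions": "0"},
    "xdmcp": {"Enable": "false", "Port": "177"},
}

# Constructed sample configuration, not taken from any real host.
SAMPLE_CONF = """\
[daemon]
TimedLoginEnable=true
TimedLogin=kiosk
TimedLoginDelay=5

[security]
AllowRoot=true
AllowRemoteRoot=true
AllowRemoteAutoLogin=true
DisallowTCP=false
RelaxPermissions=2

[xdmcp]
Enable=true
"""


def load(conf_text):
    """Parse GDM configuration text on top of the manual's defaults."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case; configparser lowercases keys
    parser.read_dict(DEFAULTS)
    parser.read_string(conf_text)
    return parser


def audit(conf_text):
    """Return (key, message) pairs for settings the manual marks as risky."""
    conf = load(conf_text)
    findings = []

    def enabled(section, key):
        return conf.get(section, key).strip().lower() == "true"

    def report(key, message):
        findings.append((key, message))

    if enabled("security", "AllowRemoteRoot"):
        report("security/AllowRemoteRoot", "root may log in over XDMCP")
    if enabled("security", "AllowRemoteAutoLogin"):
        report("security/AllowRemoteAutoLogin",
               "timed login is offered to remote XDMCP displays")
    if not enabled("security", "DisallowTCP"):
        report("security/DisallowTCP",
               "attached X servers start without -nolisten tcp")
    relax = conf.getint("security", "RelaxPermissions")
    if relax > 0:
        kind = "group" if relax == 1 else "world"
        report("security/RelaxPermissions",
               f"{kind} writable user files and directories are accepted")
    if not enabled("security", "NeverPlaceCookiesOnNFS"):
        report("security/NeverPlaceCookiesOnNFS",
               "cookies may be written to root-squashed (NFS) home directories")
    if enabled("xdmcp", "Enable"):
        port = conf.get("xdmcp", "Port").strip()
        report("xdmcp/Enable",
               f"XDMCP is listening on UDP port {port}; filter it at the firewall")
    if enabled("daemon", "TimedLoginEnable"):
        user = conf.get("daemon", "TimedLogin").strip()
        report("daemon/TimedLoginEnable",
               f"user {user!r} is logged in without a password after the delay")
        if user == "root":
            report("daemon/TimedLogin", "GDM refuses timed login as root")
        if conf.getint("daemon", "TimedLoginDelay") < 10:
            report("daemon/TimedLoginDelay", "below the minimum of 10 seconds")
    return findings


if __name__ == "__main__":
    for key, message in audit(SAMPLE_CONF):
        print(f"{key}: {message}")
```

An empty configuration produces no findings because every default listed above is the conservative value.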
<sect3 id="commonguioptions">
<title>Common GUI Configuration Options</title>
<title>[gui]</title>
<term>AllowGtkThemeChange</term>
<synopsis>AllowGtkThemeChange=true</synopsis>
Whether to allow changing the GTK+ (widget) theme from the greeter.
Currently this only affects the standard greeter as the
graphical greeter does not yet have this ability.
The theme will stay in effect on this display until changed
and will affect all the other windows that are put up by GDM.
Supported since 2.5.90.2.
<synopsis>GtkRC=</synopsis>
Path to a <filename>gtkrc</filename> to read when GDM puts up
a window. You should really now use the
<filename>GtkTheme</filename> key for just setting a theme.
<term>GtkTheme</term>
<synopsis>GtkTheme=Default</synopsis>
A name of an installed theme to use by default. It will be
used in the greeter, chooser and all other GUI windows put up
by GDM. Supported since 2.5.90.2.
<term>GtkThemesToAllow</term>
<synopsis>GtkThemesToAllow=all</synopsis>
Comma separated list of themes to allow. These must be the
names of the themes installed in the standard locations for
GTK+ themes. You can also specify 'all' to allow all installed
themes. This is related to the
<filename>AllowGtkThemeChange</filename> key. Supported since
<term>MaxIconWidth</term>
<synopsis>MaxIconWidth=128</synopsis>
Specifies the maximum icon width (in pixels) that the face
browser will display. Icons larger than this will be scaled.
This also affects icons in the XDMCP chooser.
<term>MaxIconHeight</term>
<synopsis>MaxIconHeight=128</synopsis>
Specifies the maximum icon height (in pixels) that the face
browser will display. Icons larger than this will be scaled.
This also affects icons in the XDMCP chooser.
<sect3 id="greetersection">
<title>Greeter Configuration</title>
<title>[greeter]</title>
<term>BackgroundColor</term>
<synopsis>BackgroundColor=#76848F</synopsis>
If the BackgroundType is 2, use this color in the background
of the greeter. Also use it as the back of transparent images
set on the background and if the BackgroundRemoteOnlyColor
is set and this is a remote display.
This only affects the GTK+ Greeter.
<term>BackgroundProgramInitialDelay</term>
<synopsis>BackgroundProgramInitialDelay=30</synopsis>
The background application will be started after at least that
many seconds of inactivity.
<term>RestartBackgroundProgram</term>
<synopsis>RestartBackgroundProgram=true</synopsis>
If set the background application will be restarted when it has
exited, after the delay described below has elapsed. This
option can be useful when you wish to run a screen saver
application when no user is using the computer.
<term>BackgroundProgramRestartDelay</term>
<synopsis>BackgroundProgramRestartDelay=30</synopsis>
The background application will be restarted after at least that
many seconds of inactivity.
<term>BackgroundImage</term>
<synopsis>BackgroundImage=somefile.png</synopsis>
If the BackgroundType is 1, then display this file as the
background in the greeter. This only affects the GTK+
<term>BackgroundProgram</term>
<synopsis>BackgroundProgram=<bin>/xeyes</synopsis>
If set this command will be run in the background while
the login window is being displayed. Note that not all
applications will run this way, since GDM does not usually have
a home directory. You could set up a home directory for the
GDM user if you wish to run applications which require it.
This only affects the GTK+ Greeter.
<term>BackgroundRemoteOnlyColor</term>
<synopsis>BackgroundRemoteOnlyColor=true</synopsis>
On remote displays only set the color background. This is to
make network load lighter. The
<filename>BackgroundProgram</filename> is also not run. This
only affects the GTK+ Greeter.
<term>BackgroundScaleToFit</term>
<synopsis>BackgroundScaleToFit=true</synopsis>
Scale background image to fit the screen. This only affects
<term>BackgroundType</term>
<synopsis>BackgroundType=2</synopsis>
The type of background to set. 0 is none, 1 is image and color,
2 is color and 3 is image. This only affects the GTK+ Greeter.
<term>Browser</term>
<synopsis>Browser=true</synopsis>
Set to true to enable the face browser. See the
``The GTK+ Greeter'' section for more information on the
face browser. This option only works for the GTK+ Greeter.
For the Themed Greeter, the face browser is enabled by
choosing a theme which includes a face browser
<term>ChooserButton</term>
<synopsis>ChooserButton=true</synopsis>
If true, add a chooser button to the Actions menu that will
restart the current X server with a chooser. XDMCP does not
need to be enabled on the local computer for this to work.
<term>ConfigAvailable</term>
<synopsis>ConfigAvailable=false</synopsis>
If true, allows the configurator to be run from the greeter.
Note that the user will need to type in the root password
before the configurator will be started. This is set to
false by default for additional security. See the
<filename>Configurator</filename> option in the daemon
<term>DefaultFace</term>
<synopsis>DefaultFace=<share>/pixmaps/nophoto.png</synopsis>
If a user has no defined face image, GDM will use the
"stock_person" icon defined in the current GTK+
theme. If no such image is defined, the image specified by
<filename>DefaultFace</filename> will be used. The image must
be in a gdk-pixbuf supported format and the file must be
readable to the GDM user.
<term>Include</term>
<synopsis>Include=</synopsis>
Comma separated list of users to be included in the face
browser and in the <command>gdmsetup</command> selection list
for Automatic/Timed login.
See also <filename>Exclude</filename>,
<filename>IncludeAll</filename>, and
<filename>MinimalUID</filename>.
<term>Exclude</term>
<synopsis>Exclude=bin,daemon,adm,lp,sync,shutdown,halt,mail,...</synopsis>
Comma separated list of users to be excluded from the face
browser and from the <command>gdmsetup</command> selection list
for Automatic/Timed login. Excluded users will still be able to
log in, but will have to type their username.
See also <filename>Include</filename>,
<filename>IncludeAll</filename>, and
<filename>MinimalUID</filename>.
<term>IncludeAll</term>
<synopsis>IncludeAll=false</synopsis>
By default, an empty include list means display no users.
By setting IncludeAll to true, the password file will be
scanned and all users will be displayed aside from users
excluded via the Exclude setting and user IDs less than
MinimalUID. Scanning the password file can be slow on
systems with large numbers of users and this feature should
not be used in such environments.
See also <filename>Include</filename>,
<filename>Exclude</filename>, and
<filename>MinimalUID</filename>.
<term>GlobalFaceDir</term>
<synopsis>GlobalFaceDir=<share>/pixmaps/faces/</synopsis>
Systemwide directory for face files. The sysadmin can place
icons for users here without touching their homedirs. Faces are
named after their users' logins.

I.e. <filename><GlobalFaceDir>/johndoe</filename> would
contain the face icon for the user ``johndoe''. No image format
extension should be specified.

The face images must be stored in gdk-pixbuf supported formats
and they must be readable for the GDM user.

A user's own icon file will always take precedence over the
sysadmin provided one.
<term>GraphicalTheme</term>
<synopsis>GraphicalTheme=circles</synopsis>
The graphical theme that the Themed Greeter should use. It
should refer to a directory in the theme directory set by
<filename>GraphicalThemeDir</filename>.
<term>GraphicalThemes</term>
<synopsis>GraphicalThemes=circles</synopsis>
The graphical themes that the Themed Greeter should use if the
Mode is set on Random Themes. This is a "/:"
delimited list. It should refer to a directory in the theme
directory set by <filename>GraphicalThemeDir</filename>. This
is only used if <filename>GraphicalThemeRand</filename> is set
<term>GraphicalThemeRand</term>
<synopsis>GraphicalThemeRand=false</synopsis>
Whether the graphical greeter will use Only One Theme or Random
Theme mode. Only One Theme mode uses themes listed by
<filename>GraphicalTheme</filename>, Random Themes mode uses
themes listed by <filename>GraphicalThemes</filename>. A value
of false sets greeter to use Only One Theme mode, a value of
true sets the greeter to use Random Theme mode.
<term>GraphicalThemeDir</term>
<synopsis>GraphicalThemeDir=<share>/gdm/themes/</synopsis>
The directory where themes for the Themed Greeter are
<term>GraphicalThemedColor</term>
<synopsis>GraphicalThemedColor=#76848F</synopsis>
Use this color in the background of the Themed Greeter.
This only affects the Themed Greeter.
<term>InfoMsgFile</term>
<synopsis>InfoMsgFile=/path/to/infofile</synopsis>
If present and /path/to/infofile specifies an existing and
readable text file (e.g. <etc>/infomsg.txt) the contents
of the file will be displayed in a modal dialog box before the
user is allowed to login. This works both with the standard
and the themable greeters.
<term>InfoMsgFont</term>
<synopsis>InfoMsgFont=fontspec</synopsis>
If present and InfoMsgFile (see above) is used, this specifies
the font to use when displaying the contents of the InfoMsgFile
text file. For example fontspec could be Sans 24 to get a
sans serif font of size 24 points.
This works both with the standard and the themable greeters.
<term>LocaleFile</term>
<synopsis>LocaleFile=<etc>/gdm/locale.alias</synopsis>
File in format similar to the GNU locale format with entries
for all supported languages on the system. The format is
described above or in a comment inside that file.
<term>LockPosition</term>
<synopsis>LockPosition=true</synopsis>
If true the position of the login window of the GTK+
Greeter cannot be changed even if the title bar is turned on.
<synopsis>Logo=<share>/pixmaps/gnome-logo-large.png</synopsis>
3773
Image file to display in the logo box. The file must be
3774
in a gdk-pixbuf supported format and it must be readable by
3775
the GDM user. If no file is specified the logo feature
3777
This only affects the GTK+ Greeter.
3783
<term>ChooserButtonLogo</term>
3785
<synopsis>ChooserButtonLogo=<share>/pixmaps/gnome-logo-large.png</synopsis>
3787
Image file to display in the file chooser button in
3788
<command>gdmsetup</command>. This key is modified by
3789
<command>gdmsetup</command> and should not be manually
3790
modified by the user. This only affects the Login Window
3791
Preferences (<command>gdmsetup</command>).
3797
<term>MinimalUID</term>
3799
<synopsis>MinimalUID=100</synopsis>
3801
The minimal UID that GDM should consider a user. All
3802
users with a lower UID will be excluded from the face browser.
3803
See also <filename>Include</filename>,
3804
<filename>Exclude</filename>, and
3805
<filename>IncludeAll</filename>.
3811
<term>PositionX</term>
3813
<synopsis>PositionX=200</synopsis>
3815
The horizontal position of the login window of the GTK+
3822
<term>PositionY</term>
3824
<synopsis>PositionY=100</synopsis>
3826
The vertical position of the login window of the GTK+
3835
<synopsis>Quiver=true</synopsis>
3837
Controls whether <command>gdmlogin</command> should
3838
shake the display when an incorrect username/password is
3840
This only affects the GTK+ Greeter.
3846
<term>DefaultRemoteWelcome</term>
3848
<synopsis>DefaultRemoteWelcome=true</synopsis>
3850
If set to true, the value "Welcome to %n" is used for
3851
the <filename>RemoteWelcome</filename>. This value is
3852
translated into the appropriate language for the user. If set
3853
to false, the <filename>RemoteWelcome</filename> setting is
3854
used. This string can use the same special character sequences
3855
as explained in the "Text Node" section of the
3856
"Themed Greeter" chapter. This explains the meaning
3863
<term>RemoteWelcome</term>
3865
<synopsis>RemoteWelcome=Welcome to %n</synopsis>
3867
Controls which text to display next to the logo image in the
3868
greeter for remote XDMCP sessions. The same expansion is
3869
done here as in the <filename>Welcome</filename> string.
3870
This string can use the same special character sequences as
3871
explained in the "Text Node" section of the
3872
"Themed Greeter" chapter.
3879
<term>RunBackgroundProgramAlways</term>
3881
<synopsis>RunBackgroundProgramAlways=false</synopsis>
3883
If this is true then the background application is run always,
otherwise it is only run when the
<filename>BackgroundType</filename> is 0 (None).
This only affects the GTK+ Greeter.
3892
<term>SetPosition</term>
3894
<synopsis>SetPosition=true</synopsis>
3896
If true the position of the login window of the GTK+ Greeter
3897
is determined by <filename>PositionX</filename>
3898
/ <filename>PositionY</filename>.
3904
<term>ShowGnomeFailsafeSession</term>
3906
<synopsis>ShowGnomeFailsafeSession=true</synopsis>
3908
Should the greeter show the Gnome Failsafe session in th
3915
<term>ShowLastSession</term>
3917
<synopsis>ShowLastSession=true</synopsis>
3919
Should the greeter show the 'Last' session in the session list.
If this is off, then GDM is in the so-called 'switchdesk' mode
which for example Red Hat uses. That is, the users can't pick
the last session and will just then get the default session
(see <filename>DefaultSession</filename>) unless they pick
something else for this session only. So if this is off, this
really circumvents saving of the last session.
3931
<term>ShowXtermFailsafeSession</term>
3933
<synopsis>ShowXtermFailsafeSession=true</synopsis>
3935
Should the greeter show the Xterm Failsafe session in the
3942
<term>SoundOnLogin</term>
3944
<synopsis>SoundOnLogin=true</synopsis>
3946
If true, the greeter will play a sound or beep when it is
3947
ready for a login. See also the
3948
<filename>SoundOnLoginFile</filename> key.
3949
Supported since 2.5.90.0.
3955
<term>SoundOnLoginSuccess</term>
3957
<synopsis>SoundOnLoginSuccess=true</synopsis>
3959
If true, the greeter will play a sound after a successful login
3960
attempt. See also the
3961
<filename>SoundOnLoginSuccessFile</filename> key.
3967
<term>SoundOnLoginFailure</term>
3969
<synopsis>SoundOnLoginFailure=true</synopsis>
3971
If true, the greeter will play a sound after a failed login
3972
attempt. See also the
3973
<filename>SoundOnLoginFailureFile</filename> key.
3979
<term>SoundOnLoginFile</term>
3981
<synopsis>SoundOnLoginFile=/path/to/sound.wav</synopsis>
3983
The file that will be played using the specified sound
3984
application (by default that is
3985
<filename>/usr/bin/play</filename>) instead of a beep when the
3986
greeter is ready for a login. See also the
3987
<filename>SoundOnLogin</filename> key and the
3988
<filename>SoundProgram</filename> key. Supported since
3995
<term>SoundOnLoginSuccessFile</term>
3997
<synopsis>SoundOnLoginSuccessFile=/path/to/sound.wav</synopsis>
3999
The file that will be played using the specified sound
4000
application (by default that is
4001
<filename>/usr/bin/play</filename>) after a successful login
4002
attempt. See also the <filename>SoundOnLoginSuccess</filename>
4003
key and the <filename>SoundProgram</filename> key.
4009
<term>SoundOnLoginFailureFile</term>
4011
<synopsis>SoundOnLoginFailureFile=/path/to/sound.wav</synopsis>
4013
The file that will be played using the specified sound
4014
application (by default that is
4015
<filename>/usr/bin/play</filename>) after a failed login
4016
attempt. See also the <filename>SoundOnLoginFailure</filename>
4017
key and the <filename>SoundProgram</filename> key.
4023
<term>SystemMenu</term>
4025
<synopsis>SystemMenu=true</synopsis>
4027
Turns the Actions menu (which used to be called System menu) on
or off. If this is off then none of the actions will be
available anywhere. These actions include Shutdown, Restart,
Configure, XDMCP chooser and such. All of those can however
be turned off individually. Shutdown, Restart and Suspend can
be turned off by just setting the corresponding keys to empty.
Note that the actions menu is only shown on attached displays.
It would not be safe or even desirable on remote logins, so you
do not have to worry about remote users having these privileges.
4039
Note that if this is off none of the actions will be available
4040
even if a theme for a graphical greeter mistakenly shows them.
4041
Also note that sometimes a graphical theme may not show all
4042
the available actions as buttons and you may have to press
4043
F10 to see the menu.
4049
<term>TitleBar</term>
4051
<synopsis>TitleBar=true</synopsis>
4053
Display the title bar in the greeter.
4054
This only affects the GTK+ Greeter.
4060
<term>Use24Clock</term>
4062
<synopsis>Use24Clock=auto</synopsis>
4064
Select the use of 24 hour clock. Some locales do not
4065
support 12 hour format (like Finnish, that is
4066
<filename>fi_FI</filename>), and in those locales this
4067
setting has no effect at all.
4070
Possible values are "auto" (default),
4071
"true", and "false". If this is set to
4072
"auto" or left empty, then time format is chosen from
4073
locale settings. Locale settings are based on the language in
4074
use, thus it is changed by setting environment variables
4075
LANGUAGE (GNU extension), LANG, LC_MESSAGES or LC_ALL in the
4076
GDM's runtime environment. Priorities between the mentioned
4077
environment variables can be found from your system's
4084
<term>UseCirclesInEntry</term>
4086
<synopsis>UseCirclesInEntry=false</synopsis>
4088
Use circles instead of asterisks in the password entry.
4089
This may not work with all fonts however.
4095
<term>UseInvisibleInEntry</term>
4097
<synopsis>UseInvisibleInEntry=false</synopsis>
4099
Do not show any visual feedback in the password entry.
This is the standard in console and xdm. Setting this
option discards the <filename>UseCirclesInEntry</filename>
4108
<term>DefaultWelcome</term>
4110
<synopsis>DefaultWelcome=true</synopsis>
4112
If set to true, the value "Welcome" is used for the
4113
<filename>Welcome</filename>. This value is translated
4114
into the appropriate language for the user. If set to
4115
false, the <filename>Welcome</filename> setting is used.
4121
<term>Welcome</term>
4123
<synopsis>Welcome=Welcome</synopsis>
4125
Controls which text to display next to the logo image in the
4126
standard greeter. The following control chars are supported:
4130
%% &mdash; the `%' character
%d &mdash; display's hostname
%h &mdash; Fully qualified hostname
%m &mdash; machine (processor type)
%n &mdash; Nodename (i.e. hostname without .domain)
%r &mdash; release (OS version)
%s &mdash; sysname (i.e. OS)
4158
This string is only used for attached displays. For remote
4159
XDMCP displays we use <filename>RemoteWelcome</filename>.
4163
In the Themed Greeter the location of this text depends on
4164
the theme. Unless the theme uses the stock welcome string
4165
somewhere this string will not be displayed at all.
4172
<term>XineramaScreen</term>
4174
<synopsis>XineramaScreen=0</synopsis>
4176
If the Xinerama extension is active the login window will be
4177
centered on this physical screen (use 0 for the first screen,
4178
1 for the second...).
4185
<sect3 id="choosersection">
4186
<title>XDMCP Chooser Options</title>
4189
<title>[chooser]</title>
4192
<term>AllowAdd</term>
4194
<synopsis>AllowAdd=true</synopsis>
4196
If true, allow the user to add arbitrary hosts to the chooser.
4197
This way the user could connect to any host that responds to
4198
XDMCP queries from the chooser.
4204
<term>Broadcast</term>
4206
<synopsis>Broadcast=true</synopsis>
4208
If true, the chooser will broadcast a query to the local
4209
network and collect responses. This way the chooser will
4210
always show all available managers on the network. If you
4211
need to add some hosts not local to this network, or if you
4212
don't want to use a broadcast, you can list them explicitly
4213
in the <filename>Hosts</filename> key.
4219
<term>Multicast</term>
4221
<synopsis>Multicast=true</synopsis>
4223
If true and IPv6 is enabled, the chooser will send a multicast
query to the local network and collect responses from the hosts
that have joined the multicast group. If you don't want to send a
multicast, you can specify an IPv6 address in the
<filename>Hosts</filename> key. The host will respond if it is
listening to XDMCP requests and IPv6 is enabled there.
4234
<term>MulticastAddr</term>
4236
<synopsis>MulticastAddr=ff02::1</synopsis>
4238
This is the Link-local Multicast address and is hardcoded here.
4244
<term>DefaultHostImage</term>
4246
<synopsis>DefaultHostImage=<share>/pixmaps/nohost.png</synopsis>
4248
File name for the default host icon. This image will be
4249
displayed if no icon is specified for a given host. The
4250
file must be in a gdk-pixbuf supported format and it must be
4251
readable for the GDM user.
4257
<term>HostImageDir</term>
4259
<synopsis>HostImageDir=<share>/hosts</synopsis>
4261
Repository for host icon files. The sysadmin can place icons
4262
for remote hosts here and they will appear in
4263
<filename>gdmchooser</filename>.
4267
The file name must match the fully qualified name (FQDN) for
4268
the host. The icons must be stored in gdk-pixbuf supported
4269
formats and they must be readable to the GDM user.
4278
<synopsis>Hosts=host1,host2</synopsis>
4280
The hosts which should be listed in the chooser. The chooser
4281
will only list them if they respond. This is done in addition
4282
to broadcast (if <filename>Broadcast</filename> is set), so you
4283
need not list hosts on the local network. This is useful if
4284
your networking setup doesn't allow all hosts to be reachable
4285
by a broadcast packet.
4291
<term>ScanTime</term>
4293
<synopsis>ScanTime=4</synopsis>
4295
Specifies how many seconds the chooser should wait for
4296
replies to its BROADCAST_QUERY. Really this is only the time
4297
in which we expect a reply. We will still add hosts to the
4298
list even if they reply after this time.
4305
<sect3 id="debugsection">
4306
<title>Debug Configuration</title>
4309
<title>[debug]</title>
4314
<synopsis>Enable=false</synopsis>
4316
Setting to true sends debug output to the syslog. This can be
useful for tracking down problems with GDM. This output
tends to be verbose so should not be turned on for general
4325
<term>Gestures</term>
4327
<synopsis>Gestures=false</synopsis>
4329
Setting to true sends debug output concerning the accessibility
gesture listeners to the syslog. This can be useful for
tracking down problems with them not working properly. This
output tends to be verbose so should not be turned on for
4340
<sect3 id="customcmdsection">
4341
<title>Custom Commands</title>
4344
You can create up to 10 different commands. Gaps between command
4345
numbers are allowed and their relative positioning within the
4346
section and with respect to each other is not important as long as
4347
they conform to the permitted range of [0-9].
4352
<title>[customcommand]</title>
4355
<term>CustomCommand[0-9]</term>
4357
<synopsis>CustomCommand[0-9]=</synopsis>
4359
Full path and arguments to command to be executed when user
4360
selects <filename>n-th</filename> "Custom Command"
4361
from the Actions menu. This can be a ';' separated list of
4362
commands to try. If the value is empty or missing, then the
4363
custom command is not available. By default this value is not
4364
enabled, so to enable "Custom Command" it must be
4365
set to a nonempty value. [0-9] represents the
4366
<filename>CustomCommand</filename> suffix and can be an
4367
integer between 0 and 9.
4373
<term>CustomCommandIsPersistent[0-9]</term>
4375
<synopsis>CustomCommandIsPersistent[0-9]=</synopsis>
4377
Specifies if <filename>n-th</filename> "Custom
4378
Command" will appear outside the login manager, for
4379
example on the desktop through the Log Out/Shut Down dialogs.
4380
If not specified the default value is "false". This
4381
option is only valid if corresponding
4382
<filename>CustomCommand</filename> is defined. [0-9] represents
4383
<filename>CustomCommand</filename> suffix and can be an integer
4390
<term>CustomCommandLabel[0-9]</term>
4392
<synopsis>CustomCommandLabel[0-9]=</synopsis>
4394
Specifies the stock label that will be displayed on the
4395
<filename>n-th</filename> "Custom Command"
4396
buttons and menu items. If not specified the default value is
4397
"Custom_[0-9]". This option is only valid if
4398
corresponding <filename>CustomCommand</filename> is defined.
4399
[0-9] represents <filename>CustomCommand</filename> suffix
4400
and can be an integer between 0 and 9. This option can't contain
4401
any semicolon characters (i.e. ";").
4407
<term>CustomCommandLRLabel[0-9]</term>
4409
<synopsis>CustomCommandLRLabel[0-9]=</synopsis>
4411
Specifies the stock label that will be displayed on the
4412
<filename>n-th</filename> "Custom Command"
4413
list items and radio buttons. If not specified the default
4414
value is "Execute custom command _[0-9]". This
4415
option is only valid if corresponding
4416
<filename>CustomCommand</filename> is defined. [0-9]
4417
represents <filename>CustomCommand</filename> suffix and
4418
can be an integer between 0 and 9.
4424
<term>CustomCommandNoRestart[0-9]</term>
4426
<synopsis>CustomCommandNoRestart[0-9]=</synopsis>
4428
Specifies if gdm will be stopped/restarted once
4429
<filename>n-th</filename> "Custom Command"
4430
has been executed. If not specified the default value is
4431
"false". This option is only valid if corresponding
4432
<filename>CustomCommand</filename> is defined. [0-9]
4433
represents <filename>CustomCommand</filename> suffix and
4434
can be an integer between 0 and 9. In addition when
4435
corresponding <filename>CustomCommandIsPersistent</filename>
4436
is set to true, setting CustomCommandNoRestart to false will
4437
place corresponding <filename>CustomCommand</filename> in the
4438
Shut Down dialog set of actions, setting it to true will place
4440
<filename>CustomCommand</filename> in the Log Out dialog set of
4447
<term>CustomCommandText[0-9]</term>
4449
<synopsis>CustomCommandText[0-9]=</synopsis>
4451
Specifies the message that will be displayed on the warning
4452
dialog box once <filename>n-th</filename>
4453
"Custom Command" button/menu item/radio button/list
4454
item has been activated. If not specified the default value is
4455
"Are you sure?". This option is only valid if
4456
corresponding <filename>CustomCommand</filename> is defined.
4457
[0-9] represents <filename>CustomCommand</filename> suffix and
4458
can be an integer between 0 and 9.
4464
<term>CustomCommandTooltip[0-9]</term>
4466
<synopsis>CustomCommandTooltip[0-9]=</synopsis>
4468
Specifies the message that will be displayed on tooltips for
4469
<filename>n-th</filename> "Custom Command"
4470
entries. If not specified the default value is "Execute
4471
custom command [0-9]". This option is only valid if
4472
corresponding <filename>CustomCommand</filename> is defined.
4473
[0-9] represents <filename>CustomCommand</filename> suffix and
4474
can be an integer between 0 and 9.
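The key rules in this section can be checked mechanically before a configuration is deployed, which matters because these commands are started from the login screen. The following Python audit is an added example, not part of GDM; the function names, the finding messages and the sample configuration are constructed for illustration.

```python
import configparser
import re

# CustomCommand itself, or one of the option keys documented above,
# followed by whatever suffix the administrator typed.
_KEY = re.compile(
    r"^CustomCommand(IsPersistent|Label|LRLabel|NoRestart|Text|Tooltip)?(.*)$"
)

# Constructed sample input, not taken from a real system.
SAMPLE_CONF = """\
[customcommand]
CustomCommand0=/usr/local/sbin/switch-kiosk --mode demo;/opt/kiosk/switch
CustomCommandLabel0=Kiosk;mode
CustomCommand1=reboot-to-windows
CustomCommandNoRestart1=true
CustomCommandText3=Really?
CustomCommand10=/bin/true
"""


def _split_key(key):
    """Return (option, suffix) for a CustomCommand* key, or None otherwise."""
    m = _KEY.match(key)
    if not m:
        return None
    return m.group(1) or "", m.group(2)


def _valid_suffix(suffix):
    """The permitted range is a single digit 0-9."""
    return len(suffix) == 1 and suffix in "0123456789"


def audit_custom_commands(conf_text):
    """Return (key, problem) pairs for the [customcommand] section, in file order."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case: CustomCommand0, not customcommand0
    parser.read_string(conf_text)
    if not parser.has_section("customcommand"):
        return []
    entries = list(parser.items("customcommand"))

    # A command is defined only when CustomCommandN has a non-empty value.
    defined = set()
    for key, value in entries:
        parts = _split_key(key)
        if parts and parts[0] == "" and _valid_suffix(parts[1]) and value.strip():
            defined.add(parts[1])

    findings = []
    for key, value in entries:
        parts = _split_key(key)
        if parts is None:
            findings.append((key, "not a documented [customcommand] key"))
            continue
        option, suffix = parts
        if not _valid_suffix(suffix):
            findings.append((key, "suffix is outside the permitted range [0-9]"))
            continue
        if option == "":
            # The value may be a ';' separated list of commands to try;
            # each one is expected to start with a full path.
            for command in value.split(";"):
                words = command.split()
                if words and not words[0].startswith("/"):
                    findings.append((key, f"'{words[0]}' is not a full path"))
        elif suffix not in defined:
            findings.append((key, f"ignored: CustomCommand{suffix} is not defined"))
        elif option == "Label" and ";" in value:
            findings.append((key, "label must not contain ';'"))
    return findings


if __name__ == "__main__":
    for key, problem in audit_custom_commands(SAMPLE_CONF):
        print(f"{key}: {problem}")
```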
4481
<sect3 id="xserverdefs">
4482
<title>X Server Definitions</title>
4485
GDM needs to be provided with information about each X server that
will be used. You can have as many different definitions as you wish,
each identified with a unique name. The name
<filename>Standard</filename> is required. If you do not specify
this server, GDM will assume default values for a 'Standard' server
and the path given by <filename>daemon/StandardXServer</filename>.
<filename>Standard</filename> is used as the default,
in situations when no other server has been defined.
4496
Servers are defined by sections named <filename>server-</filename>
4497
followed by the identifier of this server. This should be a simple
4498
ASCII string with no spaces. The GUI configuration program allows
4499
users to edit the servers defined in the GDM configuration files
4500
but currently does not allow adding or deleting entries. Like
4501
normal configuration options, <filename>server-</filename>
4502
sections in the <filename><etc>/gdm/custom.conf</filename>
4503
file override values in the
4504
<filename><share>/gdm/defaults.conf</filename> file. In other
4505
words, if a <filename>server-Standard</filename> section is defined
4506
in <filename><etc>/gdm/custom.conf</filename>, then that
4507
will be used and the section in the
4508
<filename><share>/gdm/defaults.conf</filename> file will be
4513
<title>[server-Standard]</title>
4518
<synopsis>name=Standard server</synopsis>
4520
The name that will be displayed to the user.
4526
<term>command</term>
4528
<synopsis>command=/path/to/X</synopsis>
4530
The command to execute, with full path to the binary of the X
4531
server, and any extra arguments needed. Normally it is not
4532
necessary to add a <filename>-nolisten tcp</filename> argument
4533
since the addition of this argument is controlled by the
4534
<filename>DisallowTCP</filename> GDM configuration option.
4540
<term>flexible</term>
4542
<synopsis>flexible=true</synopsis>
4544
Indicates if this server is available as a choice when a
4545
user wishes to run a flexible, on demand server.
4551
<term>handled</term>
4553
<synopsis>handled=true</synopsis>
4555
Indicates that GDM should run the login window on this server
4556
and allow a user to log in. If set to false, then GDM will
4557
just run this server and wait for it to terminate. This can be
4558
useful to run an X terminal using GDM. When this is done you
4559
should normally also add <filename>-terminate</filename> to the
4560
command line of the server to make the server terminate after
4561
each session. Otherwise the control of the slave will never
4562
come back to GDM and, for example, soft restarts won't work.
4563
This is because GDM assumes there is a login in progress for
4564
the entire time this server is active.
4570
<term>chooser</term>
4572
<synopsis>chooser=false</synopsis>
4574
Indicates that GDM should instead of a login window run a
4575
chooser on this window and allow the user to choose which
4582
<term>priority</term>
4584
<synopsis>priority=0</synopsis>
4586
Indicates that the X server should be started at a
4587
different process priority. Values can be any integer
4588
value accepted by the setpriority C library function
4589
(normally between -20 and 20) with 0 being the default.
4590
For highly interactive applications, -5 yields good
4591
responsiveness. The default value is 0 and the
4592
setpriority function is not called if the value is 0.
4599
<sect3 id="attacheddisplayconfig">
4600
<title>Attached DISPLAY Configuration</title>
4603
The attached (also known as local or static) display configuration
4604
specifies what displays should be always managed by GDM. GDM will
4605
restart the X server on the display if it dies, for example. There
4606
may be as many attached displays that are managed as you wish.
4607
Typically each display is associated with a real display. On a
4608
typical single-display machine this section would only contain one
4609
key <filename>0</filename> that corresponds to DISPLAY
4610
<filename>:0</filename>.
4614
The GUI configuration program allows users to edit the attached
4615
display configuration defined in the GDM configuration files
4616
and allows the user to add or delete entries. Like normal
4617
configuration options, the <filename>[servers]</filename>
4618
section in the <filename><etc>/gdm/custom.conf</filename>
4619
file overrides values in the
4620
<filename><share>/gdm/defaults.conf</filename> file.
4624
<title>[servers]</title>
4627
<term><display number></term>
4629
<synopsis>0=Standard [device=/dev/foo]</synopsis>
4632
The key corresponds to the DISPLAY to be managed, so that
key <filename>0</filename> corresponds to DISPLAY
<filename>:0</filename>. On a multi-display machine you
can configure GDM to manage a login program on other displays
by adding additional keys. For example, adding key
<filename>1</filename> would cause GDM to manage DISPLAY
<filename>:1</filename>.
4642
The first word of the value corresponds to an X server
definition in the "X Server Definitions" section
of the configuration file. For example, the following entry
means that DISPLAY <filename>:0</filename> will start an X
server as defined in the
<filename>[server-Standard]</filename> section:
4656
The first word of the value can also be set to the string
4657
"inactive" to indicate that this DISPLAY should not
4658
be managed. This can be used in the GDM Custom Configuration
4659
File to turn off a DISPLAY that is defined in the GDM System
4660
Defaults Configuration File.
4664
The optional device argument is used to specify the device that
4665
is associated with the DISPLAY. When using Virtual Terminals
4666
(VT), this value is ignored and GDM will use the correct
4667
device name associated with the VT. If not using VT, then GDM
4668
will use the value specified by this optional argument. If
4669
the device argument is not defined, then GDM will use the
4670
default setting for attached displays defined in the
4671
<filename>UtmpLineAttached</filename> configuration section.
4672
For the main display (typically DISPLAY
4673
<filename>:0</filename>), <filename>/dev/console</filename> is
4674
a reasonable value. For other displays it is probably best
4675
to not include this argument unless you know the specific
4676
device associated with the DISPLAY. The device value can
4677
contain "%d" which is translated to the DISPLAY value
4678
or "%h" which is translated to the hostname.
4686
<sect2 id="userconfig">
4687
<title>Per User Configuration</title>
4690
There are some per user configuration settings that control how GDM
behaves. GDM is picky about the file ownership and permissions of
the user files it will access, and will ignore files that are not
owned by the user or that have group/world write permission.
It will also ignore the user if the user's $HOME directory is not
owned by the user or if the user's $HOME directory has group/world
write permission. Files must also be smaller than the
<filename>UserMaxFile</filename> value as defined in the GDM
configuration. If it seems that GDM is not properly accessing
user configuration settings, the problem is most likely
caused by one of these checks failing.
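To find out which of these checks a given file fails, the rules above can be reproduced outside GDM. The following Python sketch is an added example, not GDM's own code; the function names are hypothetical, and the UserMaxFile limit is passed in by the caller because its value comes from the GDM configuration.

```python
import os
import stat

GROUP_OR_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH


def _ownership_problems(st, uid, what):
    """Apply the owner and write-permission rules to one stat result."""
    problems = []
    if st.st_uid != uid:
        problems.append(f"{what} is not owned by the user")
    if st.st_mode & GROUP_OR_WORLD_WRITE:
        problems.append(f"{what} has group/world write permission")
    return problems


def user_file_problems(path, home, uid, user_max_file):
    """List the documented checks that `path` would fail for user `uid`.

    `home` is the user's $HOME directory and `user_max_file` is the
    UserMaxFile value from the GDM configuration. An empty list means
    every check described in this section passes.
    """
    try:
        home_st = os.stat(home)
    except OSError as exc:
        return [f"cannot stat $HOME: {exc.strerror}"]
    problems = _ownership_problems(home_st, uid, "$HOME")

    try:
        file_st = os.stat(path)
    except OSError as exc:
        return problems + [f"cannot stat file: {exc.strerror}"]
    problems += _ownership_problems(file_st, uid, "file")

    # The file must be smaller than UserMaxFile, so an equal size fails too.
    if file_st.st_size >= user_max_file:
        problems.append(f"file is not smaller than UserMaxFile ({user_max_file})")
    return problems


if __name__ == "__main__":
    import sys

    # Usage: script FILE USER_MAX_FILE, run as the user whose file is checked.
    result = user_file_problems(
        sys.argv[1], os.path.expanduser("~"), os.getuid(), int(sys.argv[2])
    )
    for line in result or ["all checks pass"]:
        print(line)
```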
4704
First there is the <filename>~/.dmrc</filename> file. In
4705
theory this file should be shared between GDM and KDM, so users only
4706
have to configure things once. This is a standard
4707
<filename>.ini</filename> style configuration file. It has one section
4708
called <filename>[Desktop]</filename> which has two keys:
4709
<filename>Session</filename> and <filename>Language</filename>.
4713
The <filename>Session</filename> key specifies the basename of the
4714
session <filename>.desktop</filename> file that the user wishes to
4715
normally use (without the <filename>.desktop</filename> extension, in
4716
other words). The <filename>Language</filename> key specifies the
4717
language that the user wishes to use by default. If either of these
4718
keys is missing, the system default is used. The file would normally
4725
Language=cs_CZ.UTF-8
4729
Normally GDM will write this file when the user logs in for the first
4730
time, and rewrite it if the user chooses to change their default values
4731
on a subsequent login.
4735
If the GDM Face Browser is turned on, then the file
4736
<filename>$HOME/.face</filename> is accessed. This file should be a
4737
standard image that GTK+ can read, such as PNG or JPEG. It also must
4738
be smaller than the <filename>MaxIconWidth</filename> and
4739
<filename>MaxIconHeight</filename> values defined in the GDM
4740
configuration or it will be ignored. Users can run the
4741
<command>gdmphotosetup</command> program to specify a face image
4742
and it will copy the file to the <filename>$HOME/.face</filename>
4743
location and scale it so its longest dimension is not larger than the
4744
<filename>MaxIconWidth</filename> or <filename>MaxIconHeight</filename>
4745
values. <command>gdmphotosetup</command> takes care to not change
4746
the aspect ratio of the image.
4750
Face images can also be placed in the global face directory, which is
specified by the <filename>GlobalFaceDir</filename> configuration
option (normally <filename><share>/pixmaps/faces/</filename>)
and the filename should be the name of the user, optionally with a
<filename>.png</filename>, <filename>.jpg</filename>, etc. appended.
4759
<sect1 id="controlling">
4760
<title>Controlling GDM</title>
4763
You can control GDM behavior during runtime in several different ways.
4764
You can either run certain commands, or you can talk to GDM using either
4765
a unix socket protocol, or a FIFO protocol.
4768
<sect2 id="commands">
4769
<title>Commands</title>
4772
To stop GDM, you can either send the TERM signal to the main daemon or
4773
run the <command>gdm-stop</command> command which is in the
4774
<filename><sbin>/</filename> directory. To restart GDM, you can
4775
either send the HUP signal to the main daemon or run the
4776
<command>gdm-restart</command> command which is also in the
4777
<filename><sbin>/</filename> directory. To restart GDM but only
4778
after all the users have logged out, you can either send the USR1
4779
signal to the main daemon or run the
4780
<command>gdm-safe-restart</command> command which is in the
4781
<filename><sbin>/</filename> directory as well.
4785
The <command>gdmflexiserver</command> command can be used to start
new flexible (on demand) displays if your system supports virtual
terminals. This command will normally lock the current session with a
screensaver so that the user can safely walk away from the computer and
let someone else log in. If more than two flexible displays have
started <command>gdmflexiserver</command> will display a pop-up dialog
allowing the user to select which session to continue. The user will
normally have to enter a password to return to the session. On session
exit the system will return to the previous virtual terminal. Run
<command>gdmflexiserver --help</command> to get a listing of possible
4799
<sect2 id="fifoprot">
4800
<title>The FIFO protocol</title>
4803
GDM also provides a FIFO called <filename>.gdmfifo</filename> in the
4804
<filename>ServAuthDir</filename> directory
4805
(usually <filename><var>/gdm/.gdmfifo</filename>). You must be
4806
root to use this protocol, and it is mostly used for internal GDM
4807
chatter. It is a very simple protocol where you just echo a command on
4808
a single line to this file. It can be used to tell GDM things such as
4809
restart, suspend the computer, or restart all X servers next time it has
4810
a chance (which would be useful from an X configuration application).
4814
Full and up to date documentation of the commands and their use is
4815
contained in the GDM source tree in the file
4816
<filename>daemon/gdm.h</filename>. Look for the defines starting with
4817
<filename>GDM_SOP_</filename>. The commands which require the
4818
pid of the slave as an argument are the ones that are really used for
4819
internal communication of the slave with the master and should not be
4824
<sect2 id="socketprot">
4825
<title>Socket Protocol</title>
4828
GDM provides a unix domain socket for communication at
4829
<filename>/tmp/.gdm_socket</filename>. Using this you can check if
4830
GDM is running, the version of the daemon, the current displays that
4831
are running and who is logged in on them, and if GDM supports it on
4832
your operating system, also the virtual terminals of all the console
4833
logins. The <command>gdmflexiserver</command> command uses this
4834
protocol, for example, to launch flexible (on-demand) displays.
4838
gdmflexiserver accepts the following commands with the --command
4854
GET_CUSTOM_CONFIG_FILE
4859
QUERY_CUSTOM_CMD_LABELS
4860
QUERY_CUSTOM_CMD_NO_RESTART_STATUS
4862
RELEASE_DYNAMIC_DISPLAYS
4863
REMOVE_DYNAMIC_DISPLAY
4866
SET_SAFE_LOGOUT_ACTION
4873
These are described in detail below, including required arguments,
4874
response format, and return codes.
4877
<sect3 id="adddynamic">
4878
<title>ADD_DYNAMIC_DISPLAY</title>
4880
ADD_DYNAMIC_DISPLAY: Create a new server definition that will
run on the specified display, leaving it
in DISPLAY_CONFIG state.
4883
Supported since: 2.8.0.0
4884
Arguments: <display to run on>=<server>
4885
Where <server> is either a configuration named in the
4886
GDM configuration or a literal command name.
4889
ERROR <err number> <english error description>
4891
2 = Existing display
4892
3 = No server string
4893
4 = Display startup failure
4894
100 = Not authenticated
4895
200 = Dynamic Displays not allowed
4900
<sect3 id="allservers">
4901
<title>ALL_SERVERS</title>
4903
ALL_SERVERS: List all displays, including console, remote, xnest.
4904
This can, for example, be useful to figure out if
4905
the display you are on is managed by the gdm daemon,
4906
by seeing if it is in the list. It is also somewhat
4907
like the 'w' command but for graphical sessions.
4908
Supported since: 2.4.2.96
4911
OK <server>;<server>;...
4913
<server> is <display>,<logged in user>
4915
<logged in user> can be empty in case no one logged in yet
4917
ERROR <err number> <english error description>
4919
200 = Too many messages
4924
<sect3 id="attachedservers">
4925
<title>ATTACHED_SERVERS</title>
4927
ATTACHED_SERVERS: List all attached displays. Doesn't list XDMCP
4928
and xnest non-attached displays.
4929
Note: This command used to be named CONSOLE_SERVERS,
4930
which is still recognized for backwards
4931
compatibility. The optional pattern argument
4932
is supported as of version 2.8.0.0.
4933
Supported since: 2.2.4.0
4934
Arguments: <pattern> (optional)
4935
With no argument, all attached displays are returned. The optional
4936
<pattern> is a string that may contain glob characters '*', '?', and
4937
'[]'. Only displays that match the pattern will be returned.
4939
OK <server>;<server>;...
4941
<server> is <display>,<logged in user>,<vt or xnest
4944
<logged in user> can be empty in case no one logged
4945
in yet, and <vt> can be -1 if it's not known or not
4946
supported (on non-Linux for example). If the display is an
4947
xnest display and is a console one (that is, it is an xnest
4948
inside another console display) it is listed and instead of
4949
vt, it lists the parent display in standard form.
4951
ERROR <err number> <english error description>
4953
200 = Too many messages
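The reply formats of ALL_SERVERS and ATTACHED_SERVERS described above can be parsed as in the following added example, which is not part of the GDM manual or the GDM sources. The class and function names and the sample replies are constructed for illustration; only the `OK`/`ERROR` line shapes and field meanings come from the text above.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


class GdmProtocolError(Exception):
    """Raised for an 'ERROR <err number> <english error description>' reply."""

    def __init__(self, number: int, description: str):
        super().__init__(f"ERROR {number} {description}")
        self.number = number
        self.description = description


@dataclass(frozen=True)
class AttachedServer:
    display: str
    user: Optional[str]            # None: no one logged in yet (empty field)
    vt: Optional[int]              # None: reported as -1, or field is not a VT
    parent_display: Optional[str]  # set when the third field names a parent display


def ok_payload(reply: str) -> str:
    """Return the text after 'OK'; raise GdmProtocolError for 'ERROR ...'."""
    line = reply.strip()
    if line == "OK":
        return ""
    if line.startswith("OK "):
        return line[3:]
    parts = line.split(" ", 2)
    if parts[0] == "ERROR" and len(parts) >= 2 and parts[1].isdigit():
        raise GdmProtocolError(int(parts[1]), parts[2] if len(parts) == 3 else "")
    raise ValueError(f"unrecognized reply: {line!r}")


def parse_all_servers(reply: str) -> List[Tuple[str, Optional[str]]]:
    """ALL_SERVERS: ';'-separated '<display>,<logged in user>' entries."""
    result = []
    for entry in filter(None, ok_payload(reply).split(";")):
        fields = entry.split(",")
        if len(fields) != 2:
            raise ValueError(f"expected 2 fields in {entry!r}")
        display, user = fields
        result.append((display, user or None))
    return result


def parse_attached_servers(reply: str) -> List[AttachedServer]:
    """ATTACHED_SERVERS: '<display>,<logged in user>,<vt or parent display>'."""
    result = []
    for entry in filter(None, ok_payload(reply).split(";")):
        fields = entry.split(",")
        if len(fields) != 3:
            raise ValueError(f"expected 3 fields in {entry!r}")
        display, user, third = fields
        vt = parent = None
        try:
            number = int(third)
            vt = number if number >= 0 else None   # -1 means unknown/unsupported
        except ValueError:
            parent = third or None                 # e.g. ':0' for a nested display
        result.append(AttachedServer(display, user or None, vt, parent))
    return result


def display_is_managed(display: str, all_servers_reply: str) -> bool:
    """True if the display appears in an ALL_SERVERS reply."""
    return any(d == display for d, _ in parse_all_servers(all_servers_reply))


# Constructed sample replies (not captured from a real daemon).
SAMPLE_ATTACHED = "OK :0,alice,7;:1,,-1;:20,bob,:0"
SAMPLE_ALL = "OK :0,alice;:1,;host.example:0,carol"

if __name__ == "__main__":
    for server in parse_attached_servers(SAMPLE_ATTACHED):
        print(server)
    print(display_is_managed(":1", SAMPLE_ALL))
```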
<sect3 id="authlocal">
<title>AUTH_LOCAL</title>

AUTH_LOCAL: Set up this connection as authenticated for
FLEXI_SERVER. All full-blown (non-nested) displays can be
started only by users logged in on attached displays, and
here GDM assumes only users logged in from GDM. They must
pass the xauth MIT-MAGIC-COOKIE-1 that they were
passed before the connection is authenticated.
Note: The AUTH_LOCAL command requires the
--authenticate option, although only
FLEXI_XSERVER uses this currently.
Note: Since 2.6.0.6 you can also use a global
<ServAuthDir>/.cookie, which works for all
authentication except for SET_LOGOUT_ACTION and
QUERY_LOGOUT_ACTION and SET_SAFE_LOGOUT_ACTION
which require a logged in display.
Supported since: 2.2.4.0
Arguments: <xauth cookie>
<xauth cookie> is in hex form with no 0x prefix

ERROR <err number> <english error description>
100 = Not authenticated
200 = Too many messages

<title>CLOSE</title>

CLOSE: Close sockets connection
Supported since: 2.2.4.0

<sect3 id="flexixnest">
<title>FLEXI_XNEST</title>

FLEXI_XNEST: Start a new flexible nested display.
Note: Supported on older versions from 2.2.4.0, later
2.2.4.2, but since 2.3.90.4 you must supply 4
arguments or ERROR 100 will be returned. This
will start the nested X server command using
the XAUTHORITY file supplied and under the same
uid as the owner of that file (which must also be
the uid you supply). You must also supply the cookie as
the third argument for this display, to prove
that you indeed are this user. Also this file
must be readable ONLY by this user, that is
have a mode of 0600. If any of this is not met,
ERROR 100 is returned.
Note: The cookie should be the MIT-MAGIC-COOKIE-1,
the first one GDM can find in the XAUTHORITY
file for this display. If that's not what you
use you should generate one first. The cookie
should be in hex form.
Supported since: 2.3.90.4
Arguments: <display to run on> <uid of requesting user>
<xauth cookie for the display> <xauth file>

ERROR <err number> <english error description>
1 = No more flexi servers
5 = Xnest can't connect
6 = No server binary
100 = Not authenticated
200 = Too many messages

<sect3 id="flexixnestuser">
<title>FLEXI_XNEST_USER</title>

FLEXI_XNEST_USER: Start a new flexible nested display and
initialize the greeter with the given username.
Note: This is a variant of the FLEXI_XNEST command.
Note: The cookie should be the MIT-MAGIC-COOKIE-1,
the first one GDM can find in the XAUTHORITY
file for this display. If that's not what you
use you should generate one first. The cookie
should be in hex form.
Supported since: 2.17.7
Arguments: <username> <display to run on> <uid of requesting
user> <xauth cookie for the display> <xauth file>

ERROR <err number> <english error description>
1 = No more flexi servers
5 = Xnest can't connect
6 = No server binary
100 = Not authenticated
200 = Too many messages
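A client can check the preconditions that FLEXI_XNEST and FLEXI_XNEST_USER state above (file owned by the supplied uid, mode exactly 0600, cookie in hex) before sending the request, so that an ERROR 100 can be traced to its cause. This is an added example, not code from GDM; the function names are hypothetical, and joining the arguments with single spaces and refusing symlinks and non-regular files are assumptions that go beyond the stated rules.

```python
import os
import re
import stat
from typing import List, Optional

# Even-length hex string with no prefix (the AUTH_LOCAL text above also
# requires "no 0x prefix" for the cookie).
_HEX = re.compile(r"\A(?:[0-9A-Fa-f]{2})+\Z")


def xauth_request_problems(xauth_path: str, uid: int, cookie_hex: str) -> List[str]:
    """Return human-readable reasons the request would not meet the stated rules."""
    problems = []
    if cookie_hex[:2].lower() == "0x":
        problems.append("cookie must be hex with no 0x prefix")
    elif not _HEX.match(cookie_hex):
        problems.append("cookie is not an even-length hex string")

    try:
        # lstat: a symlink is reported as such instead of being followed
        # (assumption: stricter than the manual's wording).
        st = os.lstat(xauth_path)
    except OSError as exc:
        problems.append(f"cannot stat xauth file: {exc.strerror}")
        return problems

    if not stat.S_ISREG(st.st_mode):
        problems.append("xauth file is not a regular file")
    if st.st_uid != uid:
        problems.append(f"xauth file is owned by uid {st.st_uid}, not {uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:
        problems.append(f"xauth file mode is {mode:04o}, expected 0600")
    return problems


def flexi_xnest_command(display: str, uid: int, cookie_hex: str,
                        xauth_path: str, username: Optional[str] = None) -> str:
    """Build the protocol line in the argument order given in the manual.

    Raises ValueError listing every unmet precondition. With a username the
    FLEXI_XNEST_USER variant is produced.
    """
    problems = xauth_request_problems(xauth_path, uid, cookie_hex)
    if problems:
        raise ValueError("; ".join(problems))
    args = [display, str(uid), cookie_hex, xauth_path]
    if username is not None:
        return " ".join(["FLEXI_XNEST_USER", username] + args)
    return " ".join(["FLEXI_XNEST"] + args)


if __name__ == "__main__":
    path = os.environ.get("XAUTHORITY", os.path.expanduser("~/.Xauthority"))
    # Constructed cookie value, for demonstration only.
    for problem in xauth_request_problems(path, os.getuid(), "00112233445566778899aabbccddeeff"):
        print(problem)
```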
<sect3 id="flexixserver">
<title>FLEXI_XSERVER</title>

FLEXI_XSERVER: Start a new X flexible display. Only supported on
connections that passed AUTH_LOCAL.
Supported since: 2.2.4.0
Arguments: <xserver type>
If no arguments, starts the standard X server

ERROR <err number> <english error description>
1 = No more flexi servers
6 = No server binary
100 = Not authenticated
200 = Too many messages

<sect3 id="flexixserveruser">
<title>FLEXI_XSERVER_USER</title>

FLEXI_XSERVER_USER: Start a new X flexible display and initialize the
greeter with the given username. Only supported on
connections that passed AUTH_LOCAL.
Supported since: 2.17.7
Arguments: <username> <xserver type>
If no server type specified, starts the standard X server

ERROR <err number> <english error description>
1 = No more flexi servers
6 = No server binary
100 = Not authenticated
200 = Too many messages

<sect3 id="getconfig">
<title>GET_CONFIG</title>

GET_CONFIG: Get configuration value for key. Useful so
that other applications can request configuration
information from GDM. Any key defined as GDM_KEY_*
in gdm-daemon-config-keys.h is supported. Starting with version
2.13.0.2, translated keys (such as
"greeter/GdmWelcome[cs]") are supported via GET_CONFIG.
Also starting with version 2.13.0.2 it is no longer necessary to
include the default value (i.e. you can use key
"greeter/IncludeAll" instead of having to use
"greeter/IncludeAll=false").
Supported since: 2.6.0.9
Arguments: <key>

ERROR <err number> <english error description>
50 = Unsupported key
200 = Too many messages

<sect3 id="getconfigfile">
<title>GET_CONFIG_FILE</title>

GET_CONFIG_FILE: Get config file location being used by
the daemon. If the GDM daemon was started
with the --config option, it will return
the value passed in via the argument.
Supported since: 2.8.0.2

OK <full path to GDM configuration file>
ERROR <err number> <english error description>
200 = Too many messages

<sect3 id="getcustomconfigfile">
<title>GET_CUSTOM_CONFIG_FILE</title>

GET_CUSTOM_CONFIG_FILE: Get custom config file location being
Supported since: 2.14.0.0

OK <full path to GDM custom configuration file>
ERROR <err number> <english error description>
200 = Too many messages

<sect3 id="getserverdetails">
<title>GET_SERVER_DETAILS</title>

GET_SERVER_DETAILS: Get detail information for a specific server.
Supported since: 2.13.0.4
Arguments: <server> <key>
NAME - Returns the server name
COMMAND - Returns the server command
FLEXIBLE - Returns "true" if flexible, "false"
CHOOSABLE - Returns "true" if choosable, "false"
HANDLED - Returns "true" if handled, "false"
CHOOSER - Returns "true" if chooser, "false"
PRIORITY - Returns process priority

ERROR <err number> <english error description>
1 = Server not found
50 = Unsupported key
200 = Too many messages

<sect3 id="getserverlist">
<title>GET_SERVER_LIST</title>

GET_SERVER_LIST: Get a list of the server sections from
the configuration file.
Supported since: 2.13.0.4

OK <value>;<value>;...
ERROR <err number> <english error description>
1 = No servers found
200 = Too many messages

<sect3 id="greeterpids">
<title>GREETERPIDS</title>

GREETERPIDS: List all greeter pids so that one can send HUP
to them for config rereading. Of course one
must be root to do that.
Supported since: 2.3.90.2

OK <pid>;<pid>;...
ERROR <err number> <english error description>
200 = Too many messages
<sect3 id="querylogoutaction">
<title>QUERY_LOGOUT_ACTION</title>

QUERY_LOGOUT_ACTION: Query which logout actions are possible.
Only supported on connections that passed
Supported since: 2.5.90.0

OK <action>;<action>;...
Where action is one of HALT, REBOOT, SUSPEND or CUSTOM_CMD[0-9].
An empty list can also be returned if no action is possible.
A '!' is appended to an action if it was already set with
SET_LOGOUT_ACTION or SET_SAFE_LOGOUT_ACTION. Note that
SET_LOGOUT_ACTION has precedence over
SET_SAFE_LOGOUT_ACTION.
ERROR <err number> <english error description>
100 = Not authenticated
200 = Too many messages

<sect3 id="querycustomcmdlabels">
<title>QUERY_CUSTOM_CMD_LABELS</title>

QUERY_CUSTOM_CMD_LABELS: Query labels belonging to exported custom
commands. Only supported on connections that
Supported since: 2.5.90.0

OK <label1>;<label2>;...
Where labelX is one of the labels belonging to CUSTOM_CMDX
(where X in [0,GDM_CUSTOM_COMMAND_MAX)). An empty list can
also be returned if none of the custom commands are exported
outside login manager (no CustomCommandIsPersistent options
ERROR <err number> <english error description>
100 = Not authenticated
200 = Too many messages

<sect3 id="querycustomcmdnorestartstatus">
<title>QUERY_CUSTOM_CMD_NO_RESTART_STATUS</title>

QUERY_CUSTOM_CMD_NO_RESTART_STATUS: Query NoRestart config options
for each of the custom commands. Only
supported on connections that
Supported since: 2.5.90.0

Where each bit of the status represents NoRestart value for
each of the custom commands.
bit on (1): NoRestart = true,
bit off (0): NoRestart = false.
ERROR <err number> <english error description>
100 = Not authenticated
200 = Too many messages

<sect3 id="queryvt">
<title>QUERY_VT</title>

QUERY_VT: Ask the daemon about which VT we are currently on.
This is useful for logins which don't own
/dev/console but are still console logins. Only
supported on Linux currently, other places will
just get ERROR 8. This is also the way to query
if VT support is available in the daemon in the
first place. Only supported on connections that
Supported since: 2.5.90.0

OK <vt number>
ERROR <err number> <english error description>
8 = Virtual terminals not supported
100 = Not authenticated
200 = Too many messages

<sect3 id="releasedynamic">
<title>RELEASE_DYNAMIC_DISPLAYS</title>

RELEASE_DYNAMIC_DISPLAYS: Release dynamic displays currently in
DISPLAY_CONFIG state
Supported since: 2.8.0.0
Arguments: <display to release>

ERROR <err number> <english error description>
1 = Bad display number
100 = Not authenticated
200 = Dynamic Displays not allowed

<sect3 id="removedynamic">
<title>REMOVE_DYNAMIC_DISPLAY</title>

REMOVE_DYNAMIC_DISPLAY: Remove a dynamic display, killing the server
and purging the display configuration
Supported since: 2.8.0.0
Arguments: <display to remove>

ERROR <err number> <english error description>
1 = Bad display number
100 = Not authenticated
200 = Dynamic Displays not allowed

<sect3 id="serverbusy">
<title>SERVER_BUSY</title>

SERVER_BUSY: Returns true if half or more of the daemon's sockets
are busy, false otherwise. Used by slave programs
which want to ensure they do not overwhelm the
Supported since: 2.13.0.8

ERROR <err number> <english error description>
200 = Too many messages
<sect3 id="setlogoutaction">
<title>SET_LOGOUT_ACTION</title>

SET_LOGOUT_ACTION: Tell the daemon to halt/restart/suspend after
slave process exits. Only supported on
connections that passed AUTH_LOCAL.
Supported since: 2.5.90.0
Arguments: <action>
NONE Set exit action to 'none'
HALT Set exit action to 'halt'
REBOOT Set exit action to 'reboot'
SUSPEND Set exit action to 'suspend'
CUSTOM_CMD[0-9] Set exit action to 'custom command [0-9]'

ERROR <err number> <english error description>
7 = Unknown logout action, or not available
100 = Not authenticated
200 = Too many messages

<sect3 id="setsafelogoutaction">
<title>SET_SAFE_LOGOUT_ACTION</title>

SET_SAFE_LOGOUT_ACTION: Tell the daemon to halt/restart/suspend
after everybody logs out. If only one
person logs out, then this is obviously
the same as the SET_LOGOUT_ACTION. Note
that SET_LOGOUT_ACTION has precedence
over SET_SAFE_LOGOUT_ACTION if it is set
to something other than NONE. If no one
is logged in, then the action takes
effect immediately. Only supported on
connections that passed AUTH_LOCAL.
Supported since: 2.5.90.0
Arguments: <action>
NONE Set exit action to 'none'
HALT Set exit action to 'halt'
REBOOT Set exit action to 'reboot'
SUSPEND Set exit action to 'suspend'
CUSTOM_CMD[0-9] Set exit action to 'custom command [0-9]'

ERROR <err number> <english error description>
7 = Unknown logout action, or not available
100 = Not authenticated
200 = Too many messages

<title>SET_VT</title>

SET_VT: Change to the specified virtual terminal.
This is useful for logins which don't own /dev/console
but are still console logins. Only supported on Linux
currently, other places will just get ERROR 8.
Only supported on connections that passed AUTH_LOCAL.
Supported since: 2.5.90.0
Arguments: <vt>

ERROR <err number> <english error description>
8 = Virtual terminals not supported
9 = Invalid virtual terminal number
100 = Not authenticated
200 = Too many messages

<sect3 id="updateconfig">
<title>UPDATE_CONFIG</title>

UPDATE_CONFIG: Tell the daemon to re-read a key from the
GDM configuration file. Any user can request
that values are re-read but the daemon will
only do so if the file has been modified
since GDM first read the file. Only users
who can change the GDM configuration file
(normally writable only by the root user) can
actually modify the GDM configuration. This
command is useful to cause GDM to update
itself to recognize a change made to the GDM
configuration file by the root user.

Starting with version 2.13.0.0, all GDM keys are
supported except for the following:

daemon/ConsoleNotify
daemon/UserAuthFBDir

GDM also supports the following Pseudokeys:

xdmcp/PARAMETERS (2.3.90.2) updates the following:
xdmcp/DisplaysPerHost
xdmcp/MaxPendingIndirect
xdmcp/MaxWaitIndirect
xdmcp/PingIntervalSeconds (only affects new connections)

xservers/PARAMETERS (2.13.0.4) updates the following:
all [server-foo] sections.

Supported keys for previous versions of GDM:

security/AllowRoot (2.3.90.2)
security/AllowRemoteRoot (2.3.90.2)
security/AllowRemoteAutoLogin (2.3.90.2)
security/RetryDelay (2.3.90.2)
security/DisallowTCP (2.4.2.0)
daemon/Greeter (2.3.90.2)
daemon/RemoteGreeter (2.3.90.2)
xdmcp/Enable (2.3.90.2)
xdmcp/Port (2.3.90.2)
daemon/TimedLogin (2.3.90.3)
daemon/TimedLoginEnable (2.3.90.3)
daemon/TimedLoginDelay (2.3.90.3)
greeter/SystemMenu (2.3.90.3)
greeter/ConfigAvailable (2.3.90.3)
greeter/ChooserButton (2.4.2.0)
greeter/SoundOnLoginFile (2.5.90.0)
daemon/AddGtkModules (2.5.90.0)
daemon/GtkModulesList (2.5.90.0)
Supported since: 2.3.90.2
Arguments: <key>
<key> is just the base part of the key such as
"security/AllowRemoteRoot"

ERROR <err number> <english error description>
50 = Unsupported key
200 = Too many messages

<sect3 id="queryversion">
<title>VERSION</title>

VERSION: Query GDM version
Supported since: 2.2.4.0

GDM <gdm version>
ERROR <err number> <english error description>
200 = Too many messages
<!-- ============= GDM Commands ============================= -->

<sect1 id="binaries">
<title>GDM Commands</title>

<sect2 id="bindir_binaries">
<title>GDM User Commands</title>

The GDM package provides the following different commands in
<filename>bindir</filename> intended to be used by the end-user:

<sect3 id="gdmxnestchoosercommandline">
<title><command>gdmXnestchooser</command> and
<command>gdmXnest</command> Command Line Options</title>

The <command>gdmXnestchooser</command> command automatically gets
the correct display number, sets up access, and runs the nested
X server command with the "-indirect localhost" argument.
This provides an XDMCP chooser program. You can also supply as an
argument the hostname whose chooser should be displayed, so
<command>gdmXnestchooser somehost</command> will run the XDMCP
chooser from host <command>somehost</command> inside a nested
X server session. You can make this command do a direct query
instead by passing the <command>-d</command> option as well. In
addition to the following options, this command also supports
standard GNOME options.

<title><command>gdmXnestchooser</command> Command Line Options</title>

<term>-x, --xnest=STRING</term>
Nested X server command line, default is defined by the
<filename>Xnest</filename> configuration option.

<term>-o, --xnest-extra-options=OPTIONS</term>
Extra options for nested X server, default is no options.

<term>-n, --no-query</term>
Just run nested X server, no query (no chooser)

<term>-d, --direct</term>
Do direct query instead of indirect (chooser)

<term>-B, --broadcast</term>
Run broadcast instead of indirect (chooser)

<term>-b, --background</term>

<term>--no-gdm-check</term>
Don't check for running GDM

<sect3 id="gdmflexichoosercommandline">
<title><command>gdmflexiserver</command> Command Line Options</title>

The <command>gdmflexiserver</command> command provides three
features. It can be used to run flexible (on demand) X displays,
to run a flexible display via nested X server, and to send commands to
the GDM daemon process.

Starting a flexible X display will normally lock the current session
with a screensaver and will redisplay the GDM login screen so a second
user can log in. This feature is only available on systems that
support virtual terminals and have them enabled. This feature is
useful if you are logged in as user A, and user B wants to log in
quickly but user A does not wish to log out. The X server takes
care of the virtual terminal switching so it works transparently.
If there is more than one running display defined with flexible=true,
then the user is shown a dialog that displays the currently running
sessions. The user can then pick which session to continue and will
normally have to enter the password to unlock the screen.

Nested displays work on systems that do not support virtual
terminals. This option starts a flexible display in a window in the
current session. This does not lock the current session, so is not
as secure as a flexible server started via virtual terminals.

The <command>gdmflexiserver --command</command> option provides a way
to send commands to the GDM daemon and can be used to debug problems
or to change the GDM configuration.

In addition to the following options,
<command>gdmflexiserver</command> also supports standard GNOME

<title><command>gdmflexiserver</command> Command Line Options</title>

<term>-c, --command=COMMAND</term>
Send the specified protocol command to GDM

<term>-n, --xnest</term>
Start a flexible X display in Nested mode

<term>-l, --no-lock</term>
Do not lock current screen

<term>-d, --debug</term>
Turns on debugging output which gets sent to syslog. Same as
turning on debug in the configuration file.

<term>-a, --authenticate</term>
Authenticate before running --command

<term>-s, --startnew</term>
Starts a new flexible display without displaying a dialog
asking the user if they wish to continue any existing
<sect3 id="gdmdynamiccommandline">
<title><command>gdmdynamic</command> Command Line Options</title>

<command>gdmdynamic</command> allows the management of displays in a
dynamic fashion. It is typically used in environments where it is not
possible to list the possible displays in the GDM configuration files.
The <command>gdmdynamic</command> command can be used to create a new
display on a particular display number, run all newly created displays,
or remove a display. The <command>gdmdynamic</command> command can also
be used to list all attached displays or only those attached displays
that match a pattern. The -a option is used to add a display, the -r
option is used to run (or release) a display, the -d option is used to
delete a display, and the -l option lists existing displays. Only one
of these four options can be specified at a time, so in the life cycle
of a particular display, the command will be run once to add, again to
release (run) the display, and finally to delete when the session is to

This program is designed to manage multiple simultaneous requests and
tries to avoid flooding the daemon with requests. If the sockets
connection is busy, it will sleep and retry a certain number of times
that can be tuned with the -s and -t options.

<title><command>gdmdynamic</command> Command Line Options</title>

<term>-a display=server</term>
Add a new display configuration, leaving it in the DISPLAY_CONFIG
<command>"-a 2=StandardServerTwo"</command>
<command>"-a 3=/usr/X11R6/bin/X -dev /dev/fb2"</command>

The display will not actually be started until the display is released
by calling <command>gdmdynamic</command> again with the -r option.

Release (run) all displays waiting in the DISPLAY_CONFIG state.

<term>-d display</term>
Delete a display, killing the X server and purging the
display configuration. For example, "-d 3".

<term>-l [pattern]</term>
List displays via the ATTACHED_SERVERS
<command>gdmflexiserver</command> command. Without a pattern,
lists all attached displays. With a pattern, matches using
glob characters '*', '?', and '[]'. For example:
<command>"-l Standard*"</command>
<command>"-l *Xorg*"</command>

Verbose mode. Prints diagnostic messages.

Background mode. Fork child to do the work and return immediately.

<term>-t RETRY</term>
If the daemon socket is busy, <command>gdmdynamic</command> will
retry to open the connection the specified RETRY number of times.
Default value is 15.

<term>-s SLEEP</term>
If the daemon socket is busy, <command>gdmdynamic</command> will
sleep an amount of time between retries. A random number of
seconds 0-5 is added to the SLEEP value to help ensure that
multiple calls to gdmdynamic do not all try to restart at the
same time. A SLEEP value of zero causes the sleep time to be
1 second. Default value is 8 seconds.

<sect3 id="gdmphotosetupcommandline">
<title><command>gdmphotosetup</command> Command Line Options</title>

Allows the user to select an image that will be used as the user's
photo by GDM's face browser, if enabled by GDM. The selected file
is stored as <filename>~/.face</filename>. This command accepts
standard GNOME options.

<sect3 id="gdmthemetestercommandline">
<title><command>gdmthemetester</command> Command Line Options</title>

<command>gdmthemetester</command> takes two parameters. The first
parameter specifies the environment and the second parameter
specifies the path name or the name of a theme to view.

This is a tool for viewing a theme outside of GDM. It is useful for
testing or viewing themes. <command>gdmthemetester</command> requires
that the system support <command>gdmXnest</command>.

Note that themes can display differently depending on the theme's
"Show mode". <command>gdmthemetester</command> allows
viewing the themes in different modes via the environment option.
Valid environment values and their meanings follow:

console - In console mode.
console-timed - In console non-flexi mode.
flexi - In flexi mode.
xdmcp - In remote (XDMCP) mode.
remote-flexi - In remote (XDMCP) & flexi mode.
<sect2 id="sbindir_binaries">
<title>GDM Root User Commands</title>

The GDM package provides the following different commands in
<filename>sbindir</filename> intended to be used by the root user:

<sect3 id="gdmcommandline">
<title><command>gdm</command> and <command>gdm-binary</command>
Command Line Options</title>

The <command>gdm</command> command is really just a script which
runs the <command>gdm-binary</command>, passing along any options.
Before launching <command>gdm-binary</command>, the gdm wrapper script
will source the <filename><etc>/profile</filename> file to set
the standard system environment variables. In order to better support
internationalization, it will also set the LC_MESSAGES environment
variable to LANG if neither LC_MESSAGES nor LC_ALL is set. If you
really need to set some additional environment before launching GDM,
you can do so in this script.

<title><command>gdm</command> and <command>gdm-binary</command>
Command Line Options</title>

Gives a brief overview of the command line options.

<term>--nodaemon</term>
If this option is specified, then GDM does not fork into the
background when run. You can also use a single-dash version,
"-nodaemon" for compatibility with other display

<term>--no-console</term>
Tell the daemon that it should not run anything on the console.
This means that none of the attached servers from the
<filename>[servers]</filename> section will be started, and the
console will not be used for communicating errors to the user.
An empty <filename>[servers]</filename> section automatically
implies this option.

<term>--config=CONFIGFILE</term>
Specify an alternative configuration file.

<term>--preserve-ld-vars</term>
When clearing the environment internally, preserve all variables
starting with LD_. This is mostly for debugging purposes.

<term>--version</term>
Print the version of the GDM daemon.

<term>--wait-for-go</term>
If started with this option, gdm will init, but only start the
first attached display and then wait for a GO message in the
fifo protocol. No greeter will be shown until the GO message
is sent. Also flexiserver requests will be denied and XDMCP
will not be started until GO is given. This is useful for
initialization scripts which wish to start X early, but where
you don't yet want the user to start logging in. So the script
would send the GO to the fifo once it is ready and GDM will
then continue. This functionality was added in version

<sect3 id="gdmsetupcommandline">
<title><command>gdmsetup</command> Command Line Options</title>

<command>gdmsetup</command> runs a graphical application for modifying
the GDM configuration file. Normally on systems that support
the PAM userhelper, this is set up such that when you run
<command>gdmsetup</command> as an ordinary user, it will first
ask you for your root password before starting. Otherwise, this
application may only be run as root. This application supports
standard GNOME options.

<sect3 id="gdmrestartcommandline">
<title><command>gdm-restart</command> Command Line Options</title>

<command>gdm-restart</command> stops and restarts GDM by sending
the GDM daemon a HUP signal. This command will immediately terminate
all sessions and log out users currently logged in with GDM.

<sect3 id="gdmsaferestartcommandline">
<title><command>gdm-safe-restart</command> Command Line Options</title>

<command>gdm-safe-restart</command> stops and restarts GDM by
sending the GDM daemon a USR1 signal. GDM will be restarted as soon
as all users log out.

<sect3 id="gdmstopcommandline">
<title><command>gdm-stop</command> Command Line Options</title>

<command>gdm-stop</command> stops GDM by sending the GDM daemon

<sect2 id="libexecdir_binaries">
<title>GDM Internal Commands</title>

The GDM package provides the following different commands in
<filename>libexecdir</filename> intended to be used by the gdm

<sect3 id="gdmgreeterlogincommandline">
<title><command>gdmgreeter</command> and <command>gdmlogin</command>
Command Line Options</title>

The <command>gdmgreeter</command> and <command>gdmlogin</command>
are two different login applications, either can be used by GDM.
<command>gdmgreeter</command> is themeable with GDM themes while
<command>gdmlogin</command> is themeable with GTK+ themes. These
applications are normally executed by the GDM daemon. Both commands
support standard GNOME options.

<sect3 id="gdmchoosercommandline">
<title><command>gdmchooser</command> Command Line Options</title>

The <command>gdmchooser</command> is the XDMCP chooser application.
The <command>gdmchooser</command> is normally executed by the GDM
daemon. It supports the following options for XDM compatibility.
This command supports standard GNOME options.

<title><command>gdmchooser</command> Command Line Options</title>

<term>--xdmaddress=SOCKET</term>
Socket for XDM communication.

<term>--clientaddress=ADDRESS</term>
Client address to return in response to XDM. This option is for
running gdmchooser with XDM, and is not used within GDM.

<term>--connectionType=TYPE</term>
Connection type to return in response to XDM. This option is for
running gdmchooser with XDM, and is not used within GDM.

<sect3 id="gdm-ssh-session">
<title><command>gdm-ssh-session</command></title>

The <command>gdm-ssh-session</command> is normally executed by the
GDM daemon when starting a secure remote connection through ssh.
It does not take any options.
6159
<!-- ============= Theme manual ============================= -->
6161
<sect1 id="thememanual">
6162
<title>Themed Greeter</title>
6165
This section describes the creation of themes for the Themed
6166
Greeter. For examples including screenshots, see the standard installed
6167
themes and the themes from
6168
<ulink type="http" url="http://art.gnome.org/themes/gdm_greeter/">
6169
the theme website</ulink>.
6172
<sect2 id="themeover">
6173
<title>Theme Overview</title>
6176
GDM Themes can be created by creating an XML file that follows the
6177
specification in gui/greeter/greeter.dtd. Theme files are stored
6179
<filename><share>/gdm/themes/<theme_name></filename>.
6180
Usually this would be under <filename>/usr/share</filename>. The theme
6181
directory should contain a file called
6182
<filename>GdmGreeterTheme.desktop</filename> which has similar format
6183
to other .desktop files and looks like:
6191
Description=Theme with blue circles
6192
Author=Bond, James Bond
6193
Copyright=(c) 2002 Bond, James Bond
6194
Screenshot=screenshot.png

The Name, Description, Author and Copyright fields can be translated
just like the other <filename>.desktop</filename> files. All the files
that are mentioned should be in the theme directory itself. The
Screenshot field points to a file which should be a 200x150 screenshot
of the theme in action (it is OK not to have one, but it makes it nicer
for the user). The Greeter field points to an XML file that contains the
description of the theme. The description will be given later.

Once a theme is installed, it can be tested with the
<command>gdmthemetester</command> program. This program assumes that
the X server supports a nested server command. This command takes two
arguments. The first is the environment that should be used. The environment
can be one of the following values: console, console-timed, flexi,
remote-flexi, or xdmcp. The "console" option tests the
theme as it would be shown on an attached display. The
"console-timed" option tests the theme as it would be shown
on an attached display with timed login enabled. The "flexi"
option tests the theme as it would be shown on an attached flexible
display (such as started via Xnest). Finally, the "xdmcp"
option tests the theme as it would be shown for remote XDMCP
displays. The second argument is the theme name. For example, to
test how the circles theme would look in XDMCP remote display mode,
you would run the following command:

<command>gdmthemetester xdmcp circles</command>

When developing a theme, make sure to test all the environments, and
make sure to test how the caps lock warning looks by pressing the caps
lock key. Running <command>gdmthemetester</command> is also a good way
to take screenshots of GDM themes. Simply take a screenshot of the
theme running in the nested display window. This can be done in GNOME
by focusing the nested login window and pressing Alt-PrintScreen.

Once a theme has been fully tested, then make a tarball that contains
the directory as it would be installed to the
<filename><share>/gdm/themes</filename> directory. This is
the standard format for distributing GDM themes.
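
Because a theme tarball is unpacked into a system directory, it is worth checking one before installing it. The following Python sketch is an added example, not part of GDM: it checks that every member stays inside a single theme directory, that no links or special files are present, and that the Greeter and Screenshot fields of GdmGreeterTheme.desktop name files inside the theme directory itself. The function names and the sample archive are constructed for illustration.

```python
import configparser
import io
import posixpath
import tarfile

DESKTOP = "GdmGreeterTheme.desktop"
SECTION = "GdmGreeterTheme"  # section header of a GDM theme .desktop file


def audit_theme_tarball(fileobj):
    """Return findings for a theme tarball; an empty list means nothing was flagged."""
    findings, files, top_dirs = [], {}, set()
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar.getmembers():
            norm = posixpath.normpath(m.name)
            if norm == ".":
                continue
            if posixpath.isabs(m.name) or norm == ".." or norm.startswith("../"):
                findings.append(f"path escapes the themes directory: {m.name}")
                continue
            if m.issym() or m.islnk():
                findings.append(f"link member: {m.name} -> {m.linkname}")
                continue
            if not (m.isfile() or m.isdir()):
                findings.append(f"special file: {m.name}")
                continue
            if m.mode & 0o6000:
                findings.append(f"setuid/setgid bit: {m.name}")
            if m.mode & 0o002:
                findings.append(f"world-writable: {m.name}")
            top_dirs.add(norm.split("/", 1)[0])
            if m.isfile():
                files[norm] = m
        if len(top_dirs) != 1:
            return findings + [f"expected one theme directory, got {sorted(top_dirs)}"]
        theme_dir = next(iter(top_dirs))
        desktop = files.get(f"{theme_dir}/{DESKTOP}")
        if desktop is None:
            return findings + [f"missing {theme_dir}/{DESKTOP}"]
        raw = tar.extractfile(desktop).read().decode("utf-8", "replace")

    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # .desktop keys are case-sensitive
    try:
        parser.read_string(raw)
    except configparser.Error as exc:
        return findings + [f"unparseable {DESKTOP}: {exc}"]
    if not parser.has_section(SECTION):
        return findings + [f"{DESKTOP} has no [{SECTION}] section"]
    for key, required in (("Greeter", True), ("Screenshot", False)):
        value = parser.get(SECTION, key, fallback=None)
        if value is None:
            if required:
                findings.append(f"{DESKTOP} has no {key} field")
            continue
        # Referenced files must live in the theme directory itself.
        target = posixpath.normpath(posixpath.join(theme_dir, value))
        if posixpath.isabs(value) or not target.startswith(theme_dir + "/"):
            findings.append(f"{key} points outside the theme directory: {value}")
        elif target not in files:
            findings.append(f"{key} names a file missing from the archive: {value}")
    return findings


def build_sample(entries):
    """Build a constructed in-memory tarball from (name, data, tar type) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data, kind in entries:
            info = tarfile.TarInfo(name)
            info.type, info.mode = kind, 0o644
            if kind == tarfile.SYMTYPE:
                info.linkname = data
                tar.addfile(info)
            else:
                payload = data.encode()
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    F, L = tarfile.REGTYPE, tarfile.SYMTYPE
    sample = build_sample([  # constructed archive with three problems
        ("circles/GdmGreeterTheme.desktop",
         "[GdmGreeterTheme]\nGreeter=../other/theme.xml\nName=Circles\n", F),
        ("circles/../../etc/cron.d/job", "constructed payload\n", F),
        ("circles/background.png", "/etc/shadow", L),
    ])
    for finding in audit_theme_tarball(sample):
        print(finding)
```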

<sect2 id="descofthemeformat">
<title>Detailed Description of Theme XML format</title>

<sect3 id="greetertag">
<title>greeter tag</title>
The GDM theme format is specified in XML format contained
within a <greeter> tag. You may specify a GTK+ theme to
be used with this theme by using the gtk-theme attribute of the
greeter tag as in the following example.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE greeter SYSTEM "greeter.dtd">
<greeter gtk-theme="Crux">

Contained within the greeter tag can be the nodes described
in the next sections of this document. Some of these nodes are
containers (box nodes, rect item nodes) which can be used to
organize how to display the nodes that the user sees and interacts
with (such as button, pixmap and entry item nodes).

<sect3 id="boxnodes">
<title>Box Nodes</title>
Box nodes are container nodes for item nodes. Box nodes are
specified as follows:

<box orientation="alignment" min-width="num"
xpadding="num" ypadding="num" spacing="num"
homogeneous="bool">

Where "num" means number and bool means either
"true" or "false". The alignment value can be
either "horizontal" or "vertical". If you leave
any property off it will default to zero or "false" in
case of "homogeneous" and "vertical" for the

If the box is homogeneous then the children are allocated equal

The "min-width" must be specified in pixels. Obviously
there is also a corresponding "min-height" property as

<sect3 id="fixednodes">
<title>Fixed Nodes</title>
Fixed is a container that has its children scattered about
laid out with precise coordinates. The size of this container
is the biggest rectangle that contains all the children. Fixed
has no extra properties and so you just use:

Then you put other items with proper position nodes inside this.

The "toplevel" node is really just like a fixed node.

<sect3 id="itemnodes">
<title>Item Nodes</title>
A GDM Theme is created by specifying a hierarchy of item and box
nodes. Item nodes can have the following value for

A button field. This field uses a GTK+ button. It is also
possible to make a "rect" item act like a button by setting
its button element to true. However it is better to use
GTK+ buttons in GDM themes since these are accessible to
users with disabilities. Also, GTK+ buttons can be
themed. This feature is supported in GDM 2.14.6 and later.

A text label. Must have a "text" node to specify the

A face browser widget. Only useful if the face browser is
enabled via the configuration.

A pixmap image in a format that gdk-pixbuf supports (like
PNG, JPEG, Tiff, etc...)

Scalable Vector Graphics image.

<item type="label">

Items can specify ID values which give them a specific look and feel
or formatting. Furthermore you can customize the login process by
adding custom widgets with custom ids for some items (currently only

Entry items can have id values as follows:

<term>user-pw-entry</term>
Entry field for userid and password entry. This is the field
used for responses for the PAM/GDM questions (Username,

List items by default display as lists, but the
combo="true" attribute can be used to specify combo box
style (combo style supported since GDM 2.16.2). Some predefined
lists may be included in a theme by using the following id values.
Customized lists may also be defined, which are explained below.

<term>session</term>
A list of available sessions, which allows the user to pick
the session to use. Supported since GDM 2.16.2.

<term>language</term>
A list of available languages, which allows the user to pick
the language to use. Supported since GDM 2.16.2.

<term>userlist</term>
A Face Browser list, so that users can pick their username
by clicking on this instead of typing. This obviously exposes
the usernames to viewers of the login screen, and is not
recommended for users who feel that this reduces security.
The face browser does not support combo box style.

<term>userlist-rect</term>
This id can be specified for the <rect> object containing
the userlist and if the userlist is empty then this rectangle
will not be shown. This allows the theme to define something
like an area with a different color and/or alpha to surround
the userlist, but only if there are users to display.
Supported since 2.16.2.

Furthermore, you can have an arbitrary id (I'd recommend starting
the id with 'custom' not to conflict with future additions to this
spec) and ask extra information of the user. See the section

Label items can have id values as follows:

Label that displays the date and time.

<term>pam-prompt</term>
Label that displays the PAM prompt. This is the prompt that PAM
uses to ask for username, password, etc...

<term>pam-error</term>
Label that displays PAM/GDM error messages. Such as when user

<term>pam-error-logo</term>
An image that will be displayed only when a pam-error message
is being displayed. This is useful for displaying an
"Attention" icon, for example. This feature is
supported in GDM 2.14.6 and later.

<term>pam-message</term>
Label that displays the PAM message. These are messages that
PAM/GDM gives about state of the account, help about the
prompts and other information.

<term>timed-label</term>
Label that displays timed login information.

Rectangles can have id values as follows:

<term>caps-lock-warning</term>
Displays an icon that shows if the
CAPS LOCK key is depressed. This rectangle
will be hidden/shown appropriately

If an item is of type rect, the item can be a button. Buttons
must also include a "button" value as follows:

<item type="rect" id="disconnect_button" button="true">.

Possible values for button ids are as follows.

<term>chooser_button</term>
Runs the XDMCP chooser.

<term>config_button</term>
Runs the GDM configuration application.

<term>custom_cmd_button[0-9]</term>
Runs the <filename>n-th</filename> custom command.

<term>disconnect_button</term>
Disconnect from remote session.

<term>language_button</term>
Displays the language selection dialog.

<term>halt_button</term>
Halt (shuts down) the system.

<term>reboot_button</term>

<term>session_button</term>
List and select from available sessions.

<term>suspend_button</term>

<term>system_button</term>
Perform halt/restart/suspend/etc. options (if allowed by GDM
configuration). Also allows user to run configurator if user
enters root password (again if allowed by GDM configuration).
This is usually now labeled Actions, and referred to as the

By default, the GDM login screen will disappear after authentication.
This can result in flicker between the login screen and the session.
The "background" property allows users to specify what
elements of the theme are the background image. When used, this
will cause GDM to remove all non-background items from the display
and render the remaining "background" items to the root
window. This can be used to create a smooth transition between the
login screen and the session. For example, if the GDM theme and the
session use the same background, then this will make the background

Item nodes may specify a "background" property which can be
set to "true" or "false" (not setting this
property is equivalent to "false"), as follows:

<item type="rect" background="true">
<normal file="background.svg"/>
<pos x="0" y="0" width="100%" height="-75"/>

If no item node has the "background" property set, then the
background is not modified when the greeter exits.

To use a different background for login transition than the one
used for login, the theme should specify two item nodes (which
could contain pixmaps or svg images, for example). The item
which corresponds to the greeter background should not have the
"background" property while the item which corresponds
to the transition background should have the "background"
property. For instance:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE greeter SYSTEM "greeter.dtd">
<item type="rect" background="true">
<normal file="background_for_login.svg"/>
<pos x="0" y="0" width="100%" height="100%"/>
<item type="rect">
<normal file="background_for_greeter.svg"/>
<pos x="0" y="0" width="100%" height="100%"/>

<sect3 id="positionnodes">
<title>Position Node</title>
Each item can specify its position and size via the "pos"

<pos x="0" y="4" width="100%" height="100%"/>

Both position and size can be given in percent and it will be taken
as the percentage of the size of the current container. For toplevel
items it's the percentage of the whole screen.

For x and y, you can also specify a negative position which means
position from the right or bottom edge. But this only applies with
absolute coordinates. With percentage you can specify negative
position and it will be still from the same edge.

The position also specifies the anchor of the item, this can be
"s" "sw" "w" and "nw" or
"center" which stand for the different edges/corners or
"center" for center. For example:

<pos x="10%" y="50%" anchor="w" width="80%" height="95"/>

If the item contains a box, you can specify width and height to be
"box" to mean that they are supposed to be the width and
height of the box, that is the items in the box plus the padding.

If the item contains an SVG image, you can specify width and height
to be "scale" to mean that the SVG image should be scaled
to fit the requested area.

You can also specify an "expand" property to either be
"true" or "false". If true then the child will be expanded
in the box as much as possible (that is it will be given more space

There are two extra properties you can specify (as of 2.4.4.3) for
labels (and labels only). The first is "max-width" which
will specify the maximum width of the label in pixels. And the
second is "max-screen-percent-width" which specifies the
maximum percentage of the screen width that the label can occupy.
By default no label will occupy more than 90% of the screen by width.

<item type="label">
<pos x="10%" max-screen-percent-width="50%"/>

<sect3 id="shownodes">
<title>Show Node</title>
Some items may only display in certain modes, like when doing a
remote display. Multiple values can be specified and must be
separated with commas. The following values are possible:

<filename>console</filename> - In console mode.
<filename>console-fixed</filename> - In console non-flexi mode.
<filename>console-flexi</filename> - In console & flexi mode.
<filename>flexi</filename> - In flexi mode.
<filename>remote</filename> - In remote mode.
<filename>remote-flexi</filename> - In remote & flexi mode.

<show modes="flexi,remote"/>

You can also specify the "type" value to indicate that
certain items should only be displayed if the type is true. Valid
values include the following:

<filename>chooser</filename>, if ChooserButton is set to
"true" in the GDM configuration.
<filename>config</filename>, if ConfigAvailable is set to
"true" in the GDM configuration.
<filename>custom_cmd[0-9]</filename>, if <filename>n-th</filename>
CustomCommand is specified in the GDM configuration.
<filename>halt</filename>, if HaltDaemon is specified in
the GDM configuration.
<filename>reboot</filename>, if RebootCommand is specified in
the GDM configuration.
<filename>suspend</filename>, if SuspendCommand is specified in
the GDM configuration.
<filename>system</filename>, if SystemMenu is specified in
the GDM configuration.
<filename>timed</filename>, if TimedLoginEnabled is set to
"true" in the GDM configuration.

<show modes="console" type="system"/>

Alternatively, you can specify a "min-screen-width" or
"min-screen-height" value to indicate that certain
items should only be displayed if the screen resolution is
at least the given required size.

<show min-screen-height="768"/>

Note that if SystemMenu is off then the halt, restart, suspend,
chooser and config choices will not be shown, so this is a global
toggle for them all. See some of the standard themes for how the
show modes are used.
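
When reviewing a theme before deployment, the item ids and show nodes described above tell you what the login screen offers on each kind of display. The following Python sketch is an added example, not part of GDM: it reports a userlist item (which exposes usernames) and any halt, reboot, suspend, system, config or custom command button whose own show node does not keep it off remote displays. The function names and sample theme are constructed, treating "flexi" as possibly remote is an assumption, and the GDM configuration still has the final say on whether a button appears.

```python
import re
import xml.etree.ElementTree as ET

# Show-mode tokens treated as reaching a remote display. Counting "flexi" here
# is an assumption of this example (it may cover remote flexible displays).
REMOTE_MODES = {"remote", "remote-flexi", "flexi"}
SYSTEM_BUTTON = re.compile(
    r"^(halt|reboot|suspend|system|config)_button$|^custom_cmd_button[0-9]$")

# Constructed sample theme, not one shipped with GDM.
SAMPLE_THEME = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE greeter SYSTEM "greeter.dtd">
<greeter>
  <item type="rect">
    <box orientation="vertical">
      <item type="list" id="userlist">
        <pos x="0" y="0" width="100%" height="200"/>
      </item>
      <item type="rect" id="halt_button" button="true">
        <show modes="console" type="halt"/>
      </item>
      <item type="rect" id="reboot_button" button="true">
        <show modes="flexi,remote" type="reboot"/>
      </item>
      <item type="button" id="custom_cmd_button0"/>
      <item type="entry" id="user-pw-entry"/>
    </box>
  </item>
</greeter>
"""


def shown_modes(item):
    """Return the set of modes from the item's own show node, or None if unrestricted."""
    show = item.find("show")
    if show is None or not show.get("modes"):
        return None
    return {m.strip() for m in show.get("modes").split(",") if m.strip()}


def audit_theme(xml_bytes):
    """Return (item id, reason) pairs for items worth a reviewer's attention."""
    if b"<!ENTITY" in xml_bytes:
        # A theme has no need to declare entities; refuse rather than expand them.
        raise ValueError("theme declares XML entities; refusing to parse")
    root = ET.fromstring(xml_bytes)
    findings = []
    for item in root.iter("item"):
        item_id = item.get("id", "")
        # Only the item's own show node is considered, which errs on the side
        # of reporting an item that an enclosing container might hide.
        modes = shown_modes(item)
        remote = modes is None or bool(modes & REMOTE_MODES)
        where = "all modes" if modes is None else ",".join(sorted(modes))
        if item.get("type") == "list" and item_id == "userlist":
            findings.append((item_id, f"face browser exposes usernames ({where})"))
        is_button = item.get("type") == "button" or item.get("button") == "true"
        if is_button and SYSTEM_BUTTON.match(item_id) and remote:
            findings.append(
                (item_id, f"system action offered on remote displays ({where})"))
    return findings


if __name__ == "__main__":
    for item_id, reason in audit_theme(SAMPLE_THEME):
        print(f"{item_id}: {reason}")
```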

<sect3 id="noractprenodes">
<title>Normal/Active/Prelight Nodes</title>
Depending on the item type (except for userlist - refer to Color node
below), it can specify its color, font, or image via the following

<filename>normal</filename> - normal state.
<filename>active</filename> - when the item has active focus.
<filename>prelight</filename> - when the mouse is hovering over the

When item is "rect" (alpha can be omitted and defaults to

<normal color="#ffffff" alpha="0.0">

When item is "label"

<normal color="#ffffff" font="Sans 14"/>

When the item type is "pixmap" or "SVG", then the
normal, active, and prelight tags specify the images to use as

<normal file="picture.png" tint="#dddddd"/>

Note that relative pathnames are assumed to be in the same
directory as the theme <filename>.xml</filename> file in
<filename><share>/gdm/themes/<theme_name></filename>.

Note that alternative image files can be specified using the altfile[n]
property. GDM will use the last valid image filename specified.

<normal file="picture.png" altfile1="distribution-blah-image.png" altfile2="distribution-foo-image.png"/>

If <filename>distribution-foo-image.png</filename> is a valid image
filename it will be used. Otherwise distribution-blah-image.png will
be used if valid. This feature is supported since 2.16.3.

<sect3 id="listcoloronodes">
<title>Face Browser Icon/Label Color Nodes</title>
If the item type is of userlist, then the background color for the
icon and label can be set separately via the following tag:

<color iconcolor="#dddddd" labelcolor="#ffffff"/>

<sect3 id="textnodes">
<title>Text Node</title>
Text tags are used by labels. They can be used to display
localized text as follows (if the "xml:lang" attribute is
omitted, the C locale is assumed):

<text xml:lang="fr">Option</text>

You can include pango markup in the text nodes for labels, however
you must encode it. So for example to have the label of
"foo<sup>bar</sup>", you must type:

<text>"foo&lt;sup&gt;bar&lt;/sup&gt;"</text>

Text nodes can contain the following special character sequences
which will be translated as follows:

%% - A literal % character
%c - Clock time. Only labels with the "clock" id will
update automatically every second. Other labels will contain a
%d - Display name (DISPLAY environment variable)
%h - Hostname (gethostname output)
%m - Machine name (uname.machine output)
%n - Node name (uname.nodename output)
%o - Domain name (getdomainname output)
%r - Release name (uname.release output)
%s - System name (uname.sysname output)
%t - Current timed delay value from configuration file (0 if off)
followed by the word "seconds" if value is greater than 1
or the word "second" if the value is 1. This character
sequence is intended to be only used internally to display the
"timed-label" message, which is automatically updated every
%u - Timed username value from configuration file (empty if off)
This character sequence is intended to be only used internally to
display the "timed-label" message, which is automatically
updated every second.
\n - Carriage return
_ - An underscore causes the following character to be underlined.
If it precedes a % character sequence, the string that replaces the
character sequence is underlined.

<sect3 id="stocklabels">
<title>Stock node</title>
Certain common localized labels can be specified via the stock
tags. The "text" tag is ignored if the "stock"
tag is used. You should really use the stock labels rather than
just putting all the translations into the themes. This gives
faster load times and likely better translations. The following

<filename>cancel</filename>, _("_Cancel")
<filename>caps-lock-warning</filename>,
_("Caps Lock is on.")
<filename>chooser</filename>, _("Remote Login via _XDMCP")
<filename>config</filename>, _("_Configure")
<filename>custom_cmd[0-9]</filename>, getting label from config file
<filename>disconnect</filename>, _("D_isconnect")
<filename>halt</filename>, _("Shut _Down")
<filename>language</filename>, _("_Language")
<filename>ok</filename>, _("_OK")
<filename>options</filename>, _("_Options")
<filename>quit</filename>, _("_Quit")
<filename>reboot</filename>, _("_Restart")
<filename>session</filename>, _("_Session")
<filename>startagain</filename>, _("_Start Again")
<filename>suspend</filename>, _("Sus_pend")
<filename>system</filename>, _("_Actions")
<filename>timed-label</filename>,
_("User %u will login in %t")
<filename>username-label</filename>, _("Username:")
<filename>welcome-label</filename>, _("Welcome to %n")

<stock type="welcome-label">

<sect3 id="customwidgetry">
<title>Custom Widgetry</title>
Currently there is one item which is customizable and this is
the list item. If you need to ask the user extra things, such as
to pick from a list of places to log into, or set of custom login
sessions you can set up the list item and add listitem children that
describe the choices. Each listitem must have an id and a text
child. The choice will be recorded in the file
<filename><ServAuthDir>/<display>.GreeterInfo</filename>
as <filename><list id>=<listitem id></filename>.

For example suppose we are on display :0,
<filename>ServAuthDir</filename> is
<filename><var>/lib/gdm</filename> and we have the following in the

<item type="list" id="custom-config">
<pos anchor="nw" x="1" y="1" height="200" width="100">
<listitem id="foo">
<text>Foo</text>
<listitem id="bar">
<text>Bar</text>

Then if the user chooses 'Foo' then
<filename><var>/lib/gdm/:0.GreeterInfo</filename> will contain:

<sect1 id="accessibility">
<title>Accessibility</title>
GDM supports "Accessible Login", allowing users to log into
their desktop session even if they cannot easily use the screen, mouse,
or keyboard in the usual way. Accessible Technology (AT) programs
such as <command>GOK</command> (on-screen keyboard) and
<command>orca</command> (magnifier and text-to-speech) are supported.
The "GTK+ Greeter" best supports accessibility, so it is
recommended for accessibility support. The "Themed Greeter"
supports some accessibility features and may be usable by some users.
But some AT programs, such as <command>GOK</command>, do not yet work
with the "Themed Greeter".

Accessibility is enabled by specifying the "GTK+ Greeter"
in the "Local" tab for the console display and specifying
the "GTK+ Greeter" in the "Remote" tab for
remote displays. Or you can modify the <filename>Greeter</filename>
and <filename>RemoteGreeter</filename> configuration options by hand
to be <command>/usr/lib/gdmlogin</command>.

The GDM greeter programs support the ability to launch AT programs at login
time via configurable "gestures". These gestures can be
defined to be standard keyboard hotkeys, switch device events, or
mouse motion events. When using the "GTK+ Greeter", the
user may also change the visual appearance of the login UI, for
example, to use a higher-contrast color scheme for better visibility.

Note that <command>gdmsetup</command> does not yet work with
accessibility, so that users who require AT programs should only
configure GDM by editing the ASCII files directly.

<sect2 id="accessibilityconfig">
<title>Accessibility Configuration</title>
In order to enable Accessible Login, the system administrator must
make some changes to the default login configuration by manually
modifying three human-readable configuration files:
the GDM Custom Configuration File, the AccessKeyMouseEvents File, and
the AccessDwellMouseEvents File. The AccessKeyMouseEvents and
AccessDwellMouseEvents contain reasonable default gestures for
launching <command>GOK</command> and <command>orca</command>, but
some users may require these gestures to be configured to best
meet their needs. For example, shorter or longer duration for
holding down a button or hotkey might make the login experience
more usable for some users. Also, additional AT programs may be
added to the configuration file if needed.

<sect3 id="accessibilitytheming">
<title>Accessible Theming</title>
If using the "GTK+ Greeter" users can easily
switch the color and contrast scheme of the dialog. To do this,
ensure the <filename>AllowGtkThemeChange</filename> parameter in
the GDM configuration is set to "true". This should
be the default value. When true, the "Standard
Greeter" contains a menu allowing the user to change to a
different GTK+ theme. The <filename>GtkThemesToAllow</filename>
configuration choice can also be used to limit the choices
available as desired. For example:

GtkThemesToAllow=HighContrast,HighContrastInverse

If using the "Themed Greeter" there may be suitable
GDM themes available that provide needed color and contrast
schemes, but these are not yet shipped with the GDM program.
Some distributions may ship such themes. There is not yet any
mechanism to switch between themes in the "Themed
Greeter", so if an accessible theme is required by one
user, then all users would need to use the same theme.

<sect3 id="accessibilityatprograms">
<title>AT Program Support</title>
To enable users to launch AT programs such as <command>GOK</command>
or <command>orca</command>, the
<filename>AddGtkModules</filename> parameter in the GDM
configuration must be set to "true".
Also the <filename>GtkModulesList</filename> parameter must be
uncommented and set as follows:

GtkModulesList=gail:atk-bridge:/usr/lib/gtk-2.0/modules/libdwellmouselistener:/usr/lib/gtk-2.0/modules/libkeymouselistener

This causes all GDM GUI programs to be run with the appropriate
GTK modules for launching AT programs. The use of assistive
technologies and the atk-bridge module requires the registry
daemon, <command>at-spi-registryd</command>, to be running.
This is handled by the GDM GUI starting with version 2.17.

System administrators may wish to load only the minimum subset
of these modules which is required to support their user base.
The "libkeymouselistener" provides hotkey and switch
gesture support while the "libdwellmouselistener"
provides mouse motion gesture support. If your user base only
requires one or the other, it is only necessary to include the
gesture listener that is needed. Also, some AT programs may not
require gail or atk-bridge. If you find the AT programs you
need work fine without including these, then they may be
omitted. Note that some AT programs work with a reduced feature
set if gail and/or atk-bridge are not present. However, for
general accessibility use, including all four is suitable.
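
Every entry in GtkModulesList is code loaded into the GDM GUI programs, so the list deserves the same review as any other login-path component. The following Python sketch is an added example, not part of GDM: it compares the list against the subset a site has decided it needs and, for entries given as absolute paths, checks that the module file and its directory are owned by a trusted uid and are not group- or world-writable. The function names, the `allowed` set and the `trusted_uids` parameter are assumptions of this example, as is trying the path with a ".so" suffix appended.

```python
import os
import stat


def resolve_module(entry):
    """Return the file an absolute module entry refers to, or None if absent."""
    # The entries in the manual carry no suffix, so also try ".so" (assumption).
    for candidate in (entry, entry + ".so"):
        if os.path.isfile(candidate):
            return candidate
    return None


def audit_gtk_modules(value, allowed, trusted_uids=frozenset({0})):
    """Return (entry, reason) pairs for a colon-separated GtkModulesList value."""
    findings = []
    for entry in filter(None, (e.strip() for e in value.split(":"))):
        name = os.path.basename(entry)
        short = name[3:] if name.startswith("lib") else name
        if short not in allowed:
            findings.append((entry, "not in the site's allowed module set"))
        if not os.path.isabs(entry):
            continue  # bare names such as gail are found on GTK's own module path
        path = resolve_module(entry)
        if path is None:
            findings.append((entry, "module file not found"))
            continue
        # Anyone who can rewrite the file or its directory controls the greeter.
        for target in (path, os.path.dirname(path)):
            st = os.stat(target)
            if st.st_uid not in trusted_uids:
                findings.append((entry, f"{target} owned by uid {st.st_uid}"))
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((entry, f"{target} is group- or world-writable"))
    return findings


if __name__ == "__main__":
    # The value shown in this manual, audited for a site that only needs
    # hotkey and switch gestures (the allowed set is a constructed example).
    value = ("gail:atk-bridge:/usr/lib/gtk-2.0/modules/libdwellmouselistener:"
             "/usr/lib/gtk-2.0/modules/libkeymouselistener")
    for entry, reason in audit_gtk_modules(
            value, allowed={"gail", "atk-bridge", "keymouselistener"}):
        print(f"{entry}: {reason}")
```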

Once "keymouselistener" and/or
"dwellmouselistener" have been added to the
<filename>AddGtkModules</filename> loaded by GDM, then you may
need to modify the gesture configurations to meet your users'
needs. Default gestures are provided for launching
<command>GOK</command> and <command>orca</command>, but it is
recommended to modify these gestures so they work best for your
user base. These gesture associations are contained in files
<filename>AccessKeyMouseEvents</filename> and
<filename>AccessDwellMouseEvents</filename>, respectively. Both
files are located in the
<filename><etc>/gdm/modules</filename> directory. The
gesture configuration format is described in the comment section
of the two configuration files.

The AccessKeyMouseEvents file controls the keymouselistener
Gesture Listener and is used to define key-press, mouse button,
or XInput device sequences that can be used to launch
applications needed for accessibility. In order to reduce the
likelihood of unintentional launch, these "gestures"
may be associated with multiple switch presses and/or minimum
durations. Note that the XKB extension is needed for key
gestures to work, so you may need to add +xkb to your X server
command line for gestures to work properly. The X server command
line is specified in the GDM configuration file in the
<filename>server-foo</filename> sections.

The DwellKeyMouseEvents file controls the dwellmouselistener and
supports gestures that involve the motion of a pointing device,
such as the system mouse or an alternative pointing device such
as a head pointer or trackball. Motion
gestures are defined as "crossing events" into and out
of the login dialog window. If the
"dwellmouselistener" gesture listener is loaded, then
alternative pointing devices are temporarily "latched"
to the core pointer, such that motion from alternative devices
results in movement of the onscreen pointer. All gestures are
specified by the same syntax; that is, there is no distinction
between a "core mouse" gesture and motion from an
alternate input device.

On some operating systems, it is necessary to make sure that the
GDM user is a member of the "audio" group for AT
programs that require audio output (such as text-to-speech) to

Currently GDM does not remember what accessible technology
programs have been started when switching applications. So if
the user switches between the login program and the chooser, for
example, then it is necessary for the user to redo the gesture.
Users may need to also set up their default session so that the
assistive technologies required are started automatically (or
have appropriate key-bindings defined to start them) after the
user session has started.

<sect3 id="accessibilitytroubleshooting">
<title>AT Troubleshooting</title>
There are some common issues that cause users to have problems
getting the gesture listeners to work. It is recommended that
people use GDM version 2.18.0 or later for best results.

Some older X servers have a bug which causes detectable
autorepeat to fail when XEVIE is enabled (which happens when
atk-bridge is included as a GTK Module). This bug causes key
gestures with a duration greater than 0 to always fail. A
workaround is to simply redefine all key gestures so they have
zero length duration, or upgrade your X server.

Some versions of <command>GOK</command> and
<command>orca</command> will not launch unless the
"gdm" user has a writable home directory. This has
been fixed in GNOME 2.18, but if using an older version of
GNOME, then making sure that the GDM user has a writable home
directory should make these programs functional.

If you see an hourglass cursor when you complete a gesture but
the program does not start, then this indicates that the gesture
was received, but that there was a problem starting the program.
Most likely the issue may be the lack of a writable gdm home

Also note that some input devices require X server configuration
before GDM will recognize them.

<sect3 id="accessibilitysound">
<title>Accessibility Login Sound Configuration</title>
By default, GDM requires a media application such as
"play" to be present to play sounds for successful or
failed login. GDM defaults the location of this application to
<filename><bin>/play</filename> (or
<filename><bin>/audioplay</filename> on Solaris). This can
be changed via the <filename>SoundProgram</filename> GDM
configuration option. Typically most text-to-speech programs
(such as <command>orca</command>) use a separate mechanism to
play audio, so this configuration setting is not needed for

<sect1 id="solaris">
<title>Solaris Specific Features</title>

<sect2 id="solarisusing">
<title>Using GDM on Solaris</title>
GDM is not yet the default login program on Solaris. If you wish
to switch to using GDM, then you need to turn off CDE login and
start the GDM service. Note that turning off or disabling CDE
login will cause any running sessions to immediately exit, and any
unsaved data will be lost. Only run these commands if you are
sure there is no unsaved data in your running sessions. It would
be best to run these commands from console login, or a Failsafe
Terminal rather than from a running GUI session. The first step
is to run the following command to see if CDE login is running as

If the <command>svcs</command> command responds that this
service is enabled, then run this command to disable CDE login:

svcadm disable cde-login

If the <command>svcs</command> command responds that this pattern
doesn't match any instances, then run these commands to stop

/usr/dt/config/dtconfig -d
Either reboot, or kill any running dtlogin processes.

At this point you will be presented with a console login. Log in
as root, and run the following command. If on Solaris 10 the
servicename is "gdm2-login", if on Solaris Nevada the
servicename is "gdm".

svcadm enable servicename
<sect2 id="solarisconfiguration">
<title>Solaris Configuration</title>

On Solaris, the following configuration is recommended.
This turns on IPv6 and also turns on PreFetch for
performance benefit.

./autogen.sh --prefix=/usr --sysconfdir=/etc/X11 --localstatedir=/var \
    --libexecdir=/usr/lib --enable-ipv6=yes --with-at-bindir=/usr/sfw/bin \
    --with-prefetch --with-post-path=/usr/openwin/bin --with-pam-prefix=/etc \
    --with-lang-file=/etc/default/init

Configuring GDM with the
"--with-post-path=/usr/openwin/bin" option on Solaris is
recommended for accessing X server programs.
<sect2 id="solarislogindevperm">
<title>Solaris /etc/logindevperm</title>

GDM supports /etc/logindevperm, but only on Solaris 10 and
higher. Refer to the logindevperm.4 man page for more

To make /etc/logindevperm functionality work on Solaris 9 or
earlier you would have to hack the GDM PreSession and
PostSession scripts to chmod the device permissions directly. In
other words, if /etc/logindevperm had a listing like this:

/dev/console 0600 /dev/sound/* # audio devices

Then the PreSession script would need to be modified to chown
/dev/console to the user:group who is logging into the console
and ensure that whatever permissions are specified in /etc/logindevperm
are set (0600 for the line above). Then in the PostSession script chown
the device back to root:root and ensure 0600 this time (do not
use the value in the /etc/logindevperm file). Linux uses a
different mechanism for managing device permissions, so this
extra scripting is not needed.
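The PreSession and PostSession handling described above can be factored into shell functions like the following, which are an added example and not code shipped with GDM. It assumes each /etc/logindevperm line is a console, a mode and a colon-separated device list, and it applies the change to the console and to the listed devices; the function names and the LOGINDEVPERM and RESET_OWNER variables are hypothetical.

```shell
#!/bin/sh
# Added example, not part of GDM: logindevperm handling for PreSession/PostSession.
# LOGINDEVPERM and RESET_OWNER are overridable so the logic can be tried on plain files.
LOGINDEVPERM=${LOGINDEVPERM:-/etc/logindevperm}
RESET_OWNER=${RESET_OWNER:-root:root}

# devices_for CONSOLE: print "MODE PATH" for the console and for every existing
# device listed for it. '#' comments, other consoles and malformed modes are skipped.
devices_for() {
    sed 's/#.*//' "$LOGINDEVPERM" | while read -r con mode devlist rest; do
        if [ "$con" != "$1" ]; then continue; fi
        case $mode in
            0[0-7][0-7][0-7]) ;;
            *) continue ;;
        esac
        list=$con:$devlist
        old_ifs=$IFS
        IFS=:
        for dev in $list; do            # unquoted on purpose: split on ':' and expand globs
            IFS=$old_ifs
            if [ -e "$dev" ]; then printf '%s %s\n' "$mode" "$dev"; fi
        done
        IFS=$old_ifs
    done
}

# grant_devices CONSOLE USER:GROUP (PreSession): hand the devices to the user
# logging in, with the mode given in the file.
grant_devices() {
    devices_for "$1" | while read -r mode dev; do
        chown "$2" "$dev" && chmod "$mode" "$dev"
    done
}

# revoke_devices CONSOLE (PostSession): back to root:root and always 0600,
# never the mode from the file.
revoke_devices() {
    devices_for "$1" | while read -r mode dev; do
        chown "$RESET_OWNER" "$dev" && chmod 0600 "$dev"
    done
}
```

In PreSession, call grant_devices with the console and the user:group of the person logging in; in PostSession, call revoke_devices with the same console.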
<sect2 id="solarisautomaticlogin">
<title>Solaris Automatic Login</title>

Automatic login does not work on Solaris 10 and earlier because
PAM is not configured to support this feature by default.
Automatic login is a GDM feature that is not enabled by default,
so you would only notice this problem if you try to make use of
it. Turning this feature on causes your computer to log in to a
specified user account on startup without asking for username
and password. This is an insecure way to set up your

If using Solaris 10 or lower, then you need to compile the
pam_allow.c code provided with the GDM release and install it
to /usr/lib/security (or provide the full path in /etc/pam.conf)
and ensure it is owned by uid 0 and not group or world writable.

The following are reasonable pam.conf values for turning on
automatic login in GDM. Make sure to read the PAM documentation
(e.g. pam.d/pam.conf man page) and be comfortable with the
security implications of any changes you intend to make to

gdm-autologin auth     required    pam_unix_cred.so.1
gdm-autologin auth     sufficient  pam_allow.so.1
gdm-autologin account  sufficient  pam_allow.so.1
gdm-autologin session  sufficient  pam_allow.so.1
gdm-autologin password sufficient  pam_allow.so.1

The above setup will cause no lastlog entry to be generated. If
a lastlog entry is desired, then use the following for session:

gdm-autologin session  required    pam_unix_session.so.1
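Because pam_allow accepts every request, it is worth checking after the change that the module file meets the ownership and permission requirement above and that no service other than gdm-autologin stacks it. The following audit functions are an added example, not part of GDM; the function names and the PAM_CONF variable are hypothetical.

```shell
#!/bin/sh
# Added example, not part of GDM: audit pam_allow use and module permissions.
PAM_CONF=${PAM_CONF:-/etc/pam.conf}     # overridable for testing (assumption)

# module_is_safe FILE [UID]: true only for a regular, non-symlink file owned by
# UID (default 0) that is neither group- nor world-writable.
module_is_safe() {
    if [ ! -f "$1" ] || [ -h "$1" ]; then return 1; fi
    [ -n "$(find "$1" -prune -user "${2:-0}" ! -perm -020 ! -perm -002)" ]
}

# pam_allow_entries: print "service type control" for every pam.conf line whose
# module path is pam_allow, with or without a directory prefix.
pam_allow_entries() {
    sed 's/#.*//' "$PAM_CONF" |
        awk '$4 ~ /(^|\/)pam_allow\.so/ { print $1, $2, $3 }'
}

# unexpected_pam_allow: services other than gdm-autologin that stack pam_allow.
unexpected_pam_allow() {
    pam_allow_entries | awk '$1 != "gdm-autologin" { print $1 }' | sort -u
}
```

Pass the real installed path of the module to module_is_safe; any output from unexpected_pam_allow names a service that should be reviewed.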
<sect2 id="solarisrbac">
<title>Solaris RBAC support for Shutdown, Reboot, and Suspend</title>

Starting with GDM 2.19, GDM supports RBAC (Role Based
Access Control) for enabling the system commands (Shutdown,
Reboot, Suspend, etc.) that appear in the greeter system
menu and via the <command>gdmflexiserver</command>
QUERY_LOGOUT_ACTION, SET_LOGOUT_ACTION, and
SET_SAFE_LOGOUT_ACTION commands.

On Solaris GDM has the following value specified for the
<filename>RBACSystemCommandKeys</filename> configuration

HALT:solaris.system.shutdown;REBOOT:solaris.system.shutdown

This will cause the SHUTDOWN and REBOOT features to be
enabled only for users who have RBAC authority, in other words,
those users who have the "solaris.system.shutdown"
authorization name specified. The GDM greeter will only
display these options if the gdm user (specified in the
<filename>User</filename> configuration option, "gdm" by
default) has such RBAC permissions.

Therefore, add the "solaris.system.shutdown"
authorization name to the <filename>/etc/user_attr</filename>
for all users who should have authority to shut down and
reboot the system. If you want these options to appear in
the greeter program, also add this authorization name to
the gdm user. If you don't want to use RBAC, then you may
unset the <filename>RBACSystemCommandKeys</filename> GDM
configuration key, and this will make the system commands
available for all users. Refer to the
<filename>user_attr</filename> man page for more information
about setting RBAC privileges.
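To review the result of the steps above, the following functions read /etc/user_attr and report which users hold the authorization behind each entry of RBACSystemCommandKeys, and whether the gdm user does. This is an added example, not part of GDM; it assumes the user_attr layout of five colon-separated fields with an auths= list in the last one, and the function names and the USER_ATTR variable are hypothetical.

```shell
#!/bin/sh
# Added example, not part of GDM: report who may use each greeter system command.
USER_ATTR=${USER_ATTR:-/etc/user_attr}   # overridable for testing (assumption)

# users_with_auth AUTH: print each user whose auths= list in user_attr grants
# AUTH, either by exact name or by a trailing ".*" wildcard such as solaris.*
users_with_auth() {
    awk -F: -v want="$1" '
        /^[ \t]*#/ || NF < 5 { next }
        {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                if (kv[i] !~ /^auths=/) continue
                m = split(substr(kv[i], 7), auth, ",")
                for (j = 1; j <= m; j++) {
                    a = auth[j]
                    prefix = substr(a, 1, length(a) - 1)
                    if (a == want || (a ~ /\.\*$/ && index(want, prefix) == 1)) {
                        print $1
                        next
                    }
                }
            }
        }' "$USER_ATTR"
}

# greeter_offers AUTH [GDM_USER]: true if the gdm user itself holds AUTH, which
# the greeter needs before it displays the command.
greeter_offers() {
    users_with_auth "$1" | grep -qx "${2:-gdm}"
}

# rbac_report KEYS: KEYS is an RBACSystemCommandKeys value; print "COMMAND user"
# for every user allowed to run each command.
rbac_report() {
    old_ifs=$IFS
    IFS=';'
    for pair in $1; do
        IFS=$old_ifs
        cmd=${pair%%:*}
        auth=${pair#*:}
        for u in $(users_with_auth "$auth"); do
            printf '%s %s\n' "$cmd" "$u"
        done
    done
    IFS=$old_ifs
}
```

Only authorizations listed directly in user_attr are seen here; on a live Solaris system the auths command reports a user's effective authorizations, including those inherited through profiles.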
Note that on Solaris there are two programs that can be used
to shut down the system. These are GDM and
<command>gnome-sys-suspend</command>.
<command>gnome-sys-suspend</command> is a GUI front-end for
the <command>sys-suspend</command> command.

If GDM is being used as the login program and the user has
RBAC permissions to shut down the machine (or RBAC support
is disabled in GDM), then the GNOME panel
"Shut Down..." option will use GDM to shut down, reboot,
and suspend the machine. This is a bit nicer than using
<command>gnome-sys-suspend</command> since GDM will wait until
the user session has finished (including running the
PostSession script, etc.) before running the
shutdown/reboot/suspend command. Also the
<command>gnome-sys-suspend</command> command is less functional
since it does not support a reboot option, only shutdown and

If GDM is not being used to manage shutdown, reboot, and
suspend, then the GNOME panel uses
<command>gnome-sys-suspend</command> when you select the
"Shut Down..." option from the application menu.
If the pop-up that appears when you select this only
shows the suspend and shutdown options, then you are
likely using <command>gnome-sys-suspend</command>. If
you are using this, then refer to the
<command>sys-suspend</command> man page for information
about how to configure it. Or consider using GDM and
configuring it to provide these options.
<sect2 id="solarisother">
<title>Other Solaris Features</title>

GDM supports a few features specific to Solaris, as follows:

GDM supports Solaris Auditing if running on Solaris 10 or
higher. GDM should not be used if auditing is needed and
running Solaris 9 or older.

GDM supports a security feature which causes the X server to
run as the user instead of as the root user. GDM must be using
PAM for this feature to be enabled, which is the normal case
for Solaris. This second feature has the side-effect of
causing the X server to always restart between sessions, which
disables the AlwaysRestartServer configuration option.

Solaris supports the <filename>/etc/default/login</filename>
interface, which affects the <filename>DefaultPath</filename>,
<filename>RootPath</filename>,
<filename>PasswordRequired</filename>, and
<filename>AllowRemoteRoot</filename> options as described in the
"Configuration" section.
<sect1 id="exampleconf">
<title>Example Configurations</title>

<sect2 id="customcommand">
<title>Defining Custom Commands</title>

Suppose you want to add a custom command to the GDM menu that will give
you the opportunity to boot into another operating system such as Windoze.
Just add the following options into the
<filename>[customcommand]</filename> section of the GDM configuration

CustomCommand0=/sbin/rebootwindoze;/usr/local/sbin/rebootwindoze
CustomCommandLabel0=_Windoze
CustomCommandLRLabel0=Reboot into _Windoze
CustomCommandText0=Are you sure you want to restart the computer into Windoze?
CustomCommandTooltip0=Restarts the computer into Windoze
CustomCommandIsPersistent0=true

CustomCommand0 specifies two commands separated by a semicolon:
<filename>/sbin/rebootwindoze</filename> and
<filename>/usr/local/sbin/rebootwindoze</filename>. GDM will use
the first valid command in the list. This allows different
commands for different operating systems to be included.

Note that besides being able to customise this option to reboot into
different operating systems you can also use it to define your own
custom behaviours that you wish to run from the GDM menu. Suppose you
want to give users the opportunity to run system update scripts from the
login screen. Add the following options into the
<filename>[customcommand]</filename> section of your GDM configuration

CustomCommand0=/sbin/updatesystem;/usr/local/sbin/updatesystem
CustomCommandLabel0=_Update Me
CustomCommandLRLabel0=Update the system
CustomCommandText0=Are you sure you want to update the system software?
CustomCommandTooltip0=Updates the system
CustomCommandNoRestart0=true

Both custom commands could be defined as follows.

CustomCommand0=/sbin/rebootwindoze;/usr/local/sbin/rebootwindoze
CustomCommandLabel0=_Windoze
CustomCommandLRLabel0=Reboot into _Windoze
CustomCommandText0=Are you sure you want to restart the computer into Windoze?
CustomCommandTooltip0=Restarts the computer into Windoze
CustomCommandIsPersistent0=true

CustomCommand1=/sbin/updatesystem;/usr/local/sbin/updatesystem
CustomCommandLabel1=_Update Me
CustomCommandLRLabel1=Update the system
CustomCommandText1=Are you sure you want to update the system software?
CustomCommandTooltip1=Updates the system
CustomCommandNoRestart1=true

There can be up to 10 custom commands numbered 0-9.

CustomCommand0=/sbin/rebootwindoze;/usr/local/sbin/rebootwindoze
CustomCommandLabel0=_Windoze
CustomCommandLRLabel0=Reboot into _Windoze
CustomCommandText0=Are you sure you want to restart the computer into Windoze?
CustomCommandTooltip0=Restarts the computer into Windoze
CustomCommandIsPersistent0=true

CustomCommand1=/sbin/updatesystem;/usr/local/sbin/updatesystem
CustomCommandLabel1=_Update Me
CustomCommandLRLabel1=Update the system
CustomCommandText1=Are you sure you want to update the system software?
CustomCommandTooltip1=Updates the system
CustomCommandNoRestart1=true

CustomCommand3=/sbin/do_something

CustomCommand4=/sbin/do_something_else
<sect1 id="troubleshooting">
<title>Troubleshooting</title>

This section discusses helpful tips for getting GDM working. In general,
if you have a problem using GDM, you can submit a bug to the
<ulink type="http" url="http://bugzilla.gnome.org/">bugzilla.gnome.org</ulink>
or send an email to the
<address><email>gdm-list@gnome.org</email></address> mailing list.

If GDM is failing to work properly, it is always a good idea to include
debug information. Use the <command>gdmsetup</command> command to turn
on debug ("Enable debug messages to system log" checkbox in the
"Security" tab), then use GDM to the point where it fails, and
include the GDM output sent to your system log
(<filename>&lt;var&gt;/log/messages</filename> or
<filename>&lt;var&gt;/adm/messages</filename> depending on your operating
system). Since the system log can be large, please only include the GDM
debug information and do not send the entire file. If you do not see any
GDM syslog output, you may need to configure syslog (see syslog.3c man

You should not leave debug on after collecting data. It will clutter your
syslog and slow system performance.
<sect2 id="wontstart">
<title>GDM Will Not Start</title>

There are many problems that can cause GDM to fail to start, but
this section will discuss a few common problems and how to approach
tracking down a problem with GDM starting. Some problems will
cause GDM to respond with an error message or dialog when it tries
to start, but it can be difficult to track down problems when GDM

First make sure that the X server is configured properly. The
GDM configuration file contains a command in the [server-Standard]
section that is used for starting the X server. Verify that this
command works on your system. Running this command from the
console should start the X server. If it fails, then the problem
is likely with your X server configuration. Refer to your X server
error log for an idea of what the problem may be. The problem may
also be that your X server requires different command-line options.
If so, then modify the X server command in the GDM configuration file
so that it is correct for your system.

Another common problem is that the GDM greeter program is having
trouble starting. This can happen, for example, if GDM cannot find
a needed library or other resource. Try starting the X server and
a terminal program, set the shell environment variable
DOING_GDM_DEVELOPMENT=1 and run
<command>&lt;lib&gt;/gdmlogin</command>
or <command>&lt;lib&gt;/gdmgreeter</command>. Any error messages
echoed to the terminal will likely highlight the problem. Also,
turning on debug and checking the output sent to the system log
will often highlight the problem.

Also make sure that the <filename>/tmp</filename> directory has
reasonable ownership and permissions, and that the machine's file
system is not full. These problems will cause GDM to fail to start.
<sect2 id="notaccessfile">
<title>GDM Will Not Access User Settings</title>

GDM saves user settings, such as your default session and default
language, in the <filename>~/.dmrc</filename> file. Other files, such
as the user's <filename>~/.Xauthority</filename> file, will also
affect login. GDM, by default, is strict about how it tries to
access files in the user's home directory, and will ignore the files if
they do not conform to certain rules. You can use the
<filename>RelaxPermissions</filename> configuration option to
make GDM less strict about how it accesses files in the user's
home directory, or correct the permissions issues that cause GDM
to ignore the file. This is discussed in detail in the
"File Access" section of the "Overview".
<!-- ============= Application License ============================= -->

<sect1 id="license">
<title>License</title>

This program is free software; you can redistribute it and/or
modify it under the terms of the <ulink type="help" url="gnome-help:gpl">
<citetitle>GNU General Public License</citetitle></ulink> as
published by the Free Software Foundation;
either version 2 of the License, or (at your option) any later

This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
<citetitle>GNU General Public License</citetitle> for more details.

A copy of the <citetitle>GNU General Public License</citetitle> is
included as an appendix to the <citetitle>GNOME Users
Guide</citetitle>. You may also obtain a copy of the
<citetitle>GNU General Public License</citetitle> from the Free
Software Foundation by visiting <ulink type="http" url="http://www.fsf.org">their Web site</ulink> or by writing to

Free Software Foundation, Inc.
<street>51 Franklin Street, Fifth Floor</street>
<city>Boston</city>, <state>MA</state> <postcode>02110-1301</postcode>
<country>USA</country>
<!-- Keep this comment at the end of the file
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-parent-document:nil
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil