~darkxst/ubuntu/saucy/gdm/lp1212408 : revision 2.1.2

1

<?xml version="1.0" encoding="utf-8"?>

2

<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [

3

<!ENTITY legal SYSTEM "legal.xml">

4

<!ENTITY version "2.20.4">

5

<!ENTITY date "03/10/2008">

6

<!ENTITY mdash "—">

7

<!ENTITY percnt "%">

8

]>

9

10

11

<title>Gnome Display Manager Reference Manual</title>

12

13

14

15

16

17

</revision>

18

</revhistory>

19

20

21

<para>GDM is the GNOME Display Manager, a graphical login program.</para>

22

</abstract>

23

24

25

26

<firstname>Martin</firstname><othername>K.</othername>

27

<surname>Petersen</surname>

28

29

30

</affiliation>

31

</author>

32

33

<firstname>George</firstname><surname>Lebl</surname>

34

35

<address><email>jirka@5z.com</email></address>

36

</affiliation>

37

</author>

38

39

<firstname>Brian</firstname><surname>Cameron</surname>

40

41

<address><email>Brian.Cameron@Sun.COM</email></address>

42

</affiliation>

43

</author>

44

45

<firstname>Bill</firstname><surname>Haneman</surname>

46

47

<address><email>Bill.Haneman@Sun.COM</email></address>

48

</affiliation>

49

</author>

50

</authorgroup>

51

52

<year>1998</year><year>1999</year><holder>Martin K. Petersen</holder>

53

</copyright>

54

55

56

<holder>George Lebl</holder>

57

</copyright>

58

59

60

</copyright>

61

62

<year>2003</year><year>2004</year><holder>Sun Microsystems, Inc.</holder>

63

</copyright><copyright><year>2007</year><holder>David Lodge (dave@cirt.net)</holder></copyright>

64

65

66

<para>Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation Licence (GFDL), Version 1.1 or any later version published by the Free Software Foundation with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. You can find a copy of the GFDL at this <ulink type="help" url="ghelp:fdl">link</ulink> or in the file COPYING-DOCS distributed with this manual.</para>

67

<para>This manual is part of a collection of GNOME manuals distributed under the GFDL. If you want to distribute this manual separately from the collection, you can do so by adding a copy of the licence to the manual, as described in section 6 of the licence.</para>

68

69

<para>Many of the names used by companies to distinguish their products and services are claimed as trademarks. Where those names appear in any GNOME documentation, and the members of the GNOME Documentation Project are made aware of those trademarks, then the names are in capital letters or initial capital letters.</para>

70

71

<para>DOCUMENT AND MODIFIED VERSIONS OF THE DOCUMENT ARE PROVIDED UNDER THE TERMS OF THE GNU FREE DOCUMENTATION LICENCE WITH THE FURTHER UNDERSTANDING THAT: <orderedlist>

72

73

<para>DOCUMENT IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, WARRANTIES THAT THE DOCUMENT OR MODIFIED VERSION OF THE DOCUMENT IS FREE OF DEFECTS MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR NON-INFRINGING. THE ENTIRE RISK AS TO THE QUALITY, ACCURACY AND PERFORMANCE OF THE DOCUMENT OR MODIFIED VERSION OF THE DOCUMENT IS WITH YOU. SHOULD ANY DOCUMENT OR MODIFIED VERSION PROVE DEFECTIVE IN ANY RESPECT, YOU (NOT THE INITIAL WRITER, AUTHOR OR ANY CONTRIBUTOR) ASSUME THE COST OF ANY NECESSARY SERVICING, REPAIR OR CORRECTION. THIS DISCLAIMER OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THIS LICENCE. NO USE OF ANY DOCUMENT OR MODIFIED VERSION OF THE DOCUMENT IS AUTHORISED HEREUNDER EXCEPT UNDER THIS DISCLAIMER; AND</para>

74

</listitem>

75

76

<para>UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER IN TORT (INCLUDING NEGLIGENCE), CONTRACT OR OTHERWISE, SHALL THE AUTHOR, INITIAL WRITER, ANY CONTRIBUTOR OR ANY DISTRIBUTOR OF THE DOCUMENT OR MODIFIED VERSION OF THE DOCUMENT OR ANY SUPPLIER OF ANY OF SUCH PARTIES, BE LIABLE TO ANY PERSON FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR ANY AND ALL OTHER DAMAGES OR LOSSES ARISING OUT OF OR RELATING TO USE OF THE DOCUMENT AND MODIFIED VERSIONS OF THE DOCUMENT, EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES.</para>

77

</listitem>

78

</orderedlist></para>

79

</legalnotice>

80

81

82

83

84

This manual describes version 2.20.4 of the GNOME Display Manager.

85

It was last updated on 03/10/2008.

86

</releaseinfo>

87

</articleinfo>

88

89

90

<title>Terms and Conventions Used in This Manual</title>

91

92

<para>

93

This manual describes version 2.20.4 of the GNOME Display Manager.

94

It was last updated on 03/10/2008.

95

</para>

96

97

<para>

98

Chooser - A program used to select a remote host for managing a

99

display remotely on the attached display (<command>gdmchooser</command>).

100

</para>

101

102

<para>Configurator - The configuration application (<command>gdmsetup</command>).</para>

103

104

<para>GDM - Gnome Display Manager. Used to describe the software package as a whole. Sometimes also referred to as GDM2.</para>

105

106

<para>gdm - The Gnome Display Manager daemon (<command>gdm</command>).</para>

107

108

<para>Greeter - The graphical login window (<command>gdmlogin</command> or <command>gdmgreeter</command>).</para>

109

110

<para>GTK+ Greeter - The standard login window (<command>gdmlogin</command>).</para>

111

112

<para>PAM - Pluggable Authentication Mechanism</para>

113

114

<para>Themed Greeter - The themable login window ( <command>gdmgreeter</command>).</para>

115

116

<para>XDMCP - X Display Manage Protocol</para>

117

118

<para>Paths that start with a word in angle brackets are relative to the installation prefix. I.e. <filename><share>/pixmaps/</filename> refers to <filename><share>/pixmaps</filename> if GDM was configured with <command>--prefix=/usr</command>. Normally also note that GDM is installed with <command>--sysconfigdir=<etc>/X11</command>, meaning any path to which we refer to as <filename><etc>/gdm/PreSession</filename> usually means <filename><etc/X11>/gdm/PreSession</filename>. Note that for interoperability it is recommended that you use a --prefix of <filename>/usr</filename> and a --sysconfdir of <filename><etc>/X11</filename>.</para>

119

</sect1>

120

121

122

<title>Overview</title>

123

124

125

<title>Introduction</title>

126

127

<para>

128

The Gnome Display Manager (GDM) is a display manager that

129

implements all significant features required for managing

130

attached and remote displays. GDM was written from scratch and

131

does not contain any XDM / X Consortium code.

132

</para>

133

134

<para>

135

Note that GDM is highly configurable, and many configuration

136

settings can affect security. Issues to be aware of are highlighted

137

in this document and in the GDM Configuration files.

138

</para>

139

140

<para>For further information about GDM, see the <ulink type="http" url="http://www.gnome.org/projects/gdm/"> the GDM project website</ulink>. Please submit any bug reports or enhancement requests to the "gdm" category in <ulink type="http" url="http://bugzilla.gnome.org/">bugzilla.gnome.org</ulink>. You can also send a message to the <address><email>gdm-list@gnome.org</email></address> mail list to discuss any issues or concerns with the GDM program.</para>

141

</sect2>

142

143

144

<title>Interface Stability</title>

145

146

<para>

147

The key/value pairs defined in the GDM configuration files and

148

the location of these files are considered "stable" interfaces

149

should only change in ways that are backwards compatible. Note that

150

this includes functionality like the GDM scripts (Init, PreSession,

151

PostSession, PostLogin, XKeepsCrashing, etc.); directory locations

152

(ServAuthDir, etc.), system applications (SoundProgram), etc.

153

Some configuration values depend on OS interfaces may need to be

154

modified to work on a given OS. Typical examples are HaltCommand,

155

RebootCommand, CustomCommands, SuspendCommand, StandardXServer, Xnest,

156

SoundProgram, and the "command" value for each

157

<filename>server-foo</filename>.

158

</para>

159

160

<para>

161

Command-line interfaces for GDM programs installed to

162

163

are considered stable. Refer to your distribution documentation to see

164

if there are any distribution-specific changes to these GDM interfaces

165

and what support exists for them.

166

</para>

167

168

<para>As of the GDM 2.15 development series, some one-dash arguments are no longer supported. This includes the "-xdmaddress", "-clientaddress", and "-connectionType" arguments used by <command>gdmchooser</command>. These arguments have been changed to use two dashes.</para>

169

170

<para>If issues are discovered that break compatibility, please file a bug with an "urgent" priority.</para>

171

</sect2>

172

173

174

<title>The GDM Daemon</title>

175

176

<para>The GDM daemon is responsible for managing displays on the system. This includes authenticating users, starting the user session and terminating the user session. GDM is configurable; the ways it may be configured are described in the "Configuring GDM" section of this document. The <filename>Init</filename>, <filename>PostLogin</filename>, <filename>PreSession</filename> and <filename>PostSession</filename> scripts discussed below are discussed in this "Configuring GDM section".</para>

177

178

<para>The GDM daemon supports a UNIX domain socket protocol which can be used to control aspects of its behavior and to query information. This protocol is described in the "Controlling GDM" section of this document.</para>

179

180

<para>

181

GDM can be asked to manage a display a number of ways. Attached

182

displays are always managed when GDM starts and will be restarted when

183

a user's session is finished. Remote displays can be requested via

184

XDMCP, flexible displays via the <command>gdmflexiserver</command>

185

command, and dynamic displays via the <command>gdmdynamic</command>

186

command. Displays that are started on request are not restarted on

187

session exit.

188

</para>

189

190

<para>When the GDM daemon is asked to manage a display, it will fork an X server process, then run the <filename>Init</filename> script as the root user, and start the login GUI dialogue as a slave process on the display. GDM can be configured to use either <command>gdmgreeter</command> (the default) or <command>gdmlogin</command> as the GUI dialogue program. The <command>gdmlogin</command> program supports accessibility while the <command>gdmgreeter</command> program supports greater themeability. The GUI dialogue is run as the unprivileged "gdm" user/group which is described in the "Security" section below. The GUI dialogue communicates with the daemon via a sockets protocol and via standard input/output. The slave, for example passes the username and password information to the GDM daemon via standard input/output so the daemon can handle the actual authentication.</para>

191

192

<para>The login GUI dialogue screen allows the user to select which session they wish to start and which language they wish to use. Sessions are defined by files that end in the .desktop extension and more information about these files can be found in the "Configuration" section. The user enters their name and password and if these successfully authenticate, GDM will start the requested session for the user. It is possible to configure GDM to avoid the authentication process by turning on the Automatic or Timed Login features in the GDM configuration. The login GUI can also be configured to provide additional features to the user, such as the Face Browser; the ability to halt, restart or suspend the system; and/or edit the login configuration (after entering the root password).</para>

193

194

<para>GDM, by default, will use Pluggable Authentication Modules (PAM) for authentication, but can also support regular crypt and shadow passwords on legacy systems. After authenticating a user, the daemon runs the <filename>PostLogin</filename> script as root, and forks a slave process to start the requested session. This slave process runs the <filename>PreSession</filename> script as root, sets up the user's environment, and starts the requested session. GDM keeps track of the user's default session and language in the user's <filename>~/.dmrc</filename> and will use these defaults if the user did not pick a session or language in the login GUI. On Solaris, GDM (since version 2.8.0.3) uses the SDTLOGIN interface after user authentication to tell the X server to be restarted as the user instead of as root for added security. When the user's session exits, the GDM daemon will run the <filename>PostSession</filename> script as root.</para>

195

196

<para>Note that, by default, GDM uses the "gdm" service name for normal login and the "gdm-autologin" service name for automatic login. The <filename>PamStack</filename> configuration option can be used to specify a different service name. For example, if "foo" is specified, then GDM will use the "foo" service name for normal login and "foo-autologin" for automatic login.</para>

197

198

<para>For those looking at the code, the gdm_verify_user function in <filename>daemon/verify-pam.c</filename> is used for normal login and the gdm_verify_setup_user function is used for automatic login.</para>

199

</sect2>

200

201

202

<title>Different Display Types</title>

203

204

<para>

205

GDM supports three different display types: attached displays,

206

flexible displays, and XDMCP remote displays. The

207

"X Server Definitions" subsection of the

208

"Configuration" section explains how the X server is

209

configured for different displays.

210

</para>

211

212

<para>

213

Attached (also known as local or static) displays are always started by

214

the daemon, and when they die or are killed, they are restarted. GDM

215

can run as many of these as needed. GDM can also manage displays on

216

which it does not manage a GUI login, thus GDM can be used for

217

supporting X terminals. The "Attached DISPLAY Configuration"

218

subsection of the "Configuration" section describes how

219

attached displays are defined.

220

</para>

221

222

<para>

223

Flexible (also known as on-demand) displays are only available to users

224

logged on the console. Starting a flexible display will lock the

225

current user session and will show a new login screen over the current

226

running session. If at least one flexible display is already running,

227

and the user requests another, then a dialog will display showing

228

existing flexible displays. The user can choose to switch back to a

229

previous display or start a new flexible display. If the user switches

230

back to a previous display, they will need to enter the password in the

231

lock screen program to return to their session. The GDM configuration

232

file specifies the maximum number of flexible displays allowed on the

233

system.

234

</para>

235

236

<para>

237

Flexible displays may be started by running the

238

<command>gdmflexiserver</command> command, or via calling the GDM

239

socket protocol directly. Some lock screen programs provide a button

240

to start a new flexible session. This allows a user to start a new

241

session even if the screen was left locked. The GNOME Fast User

242

Switch applet also uses the socket protocol to provide an applet

243

interface on the GNOME panel for managing user displays quickly.

244

Flexible displays are not restarted when the user session ends.

245

Flexible displays require virtual terminal (VT) support in the kernel,

246

and will not be available if not supported (such as on Solaris).

247

</para>

248

249

<para>

250

The <filename>FlexibleXServers</filename>,

251

<filename>FirstVT=7</filename>, <filename>VTAllocation</filename>,

252

and <filename>FlexiReapDelayMinutes</filename> configuration settings

253

are used to configure how flexible displays operate.

254

</para>

255

256

<para>

257

Nested displays are available to users even if not logged in on the

258

console. Nested displays launch a login screen in a window in the

259

user's current session. This can be useful if the user has more

260

than one account on a machine and wishes to login to the other

261

account without disrupting their current session. Nested displays

262

may be started by running the <command>gdmflexiserver -n</command>

263

command or via calling the GDM socket protocol directly. Nested

264

displays require that the X server supports a nested X server command

265

like Xnest or Xephyr. The <filename>Xnest</filename> configuration

266

option is used to configure how nested displays are started.

267

</para>

268

269

<para>

270

The <command>gdmdynamic</command> is similar to

271

<command>gdmflexiserver</command> in the sense that it allows the

272

user to manage displays dynamically. However displays started with

273

<command>gdmdynamic</command> are treated as attached displays, so

274

they are restarted automatically when the session exits. This

275

command is intended to be used in multi-user server environments

276

(many displays connected to a single server). In other words,

277

this command allows the displays to be managed without hardcoding

278

the display information in the "Attached DISPLAY

279

Configuration" section of the configuration file. This

280

is useful to support the ability of adding new displays to the

281

server without needing to restart GDM, for example.

282

</para>

283

284

<para>The last display type is the XDMCP remote displays which are described in the next section. Remote hosts can connect to GDM and present the login screen if this is enabled. Some things are different for remote sessions. For example, the Actions menu which allows you to shut down, restart, suspend, or configure GDM are not shown.</para>

285

286

</sect2>

287

288

289

<title>XDMCP</title>

290

291

<para>The GDM daemon can be configured to listen for and manage X Display Manage Protocol (XDMCP) requests from remote displays. By default XDMCP support is turned off, but can be enabled if desired. If GDM is built with TCP Wrapper support, then the daemon will only grant access to hosts specified in the GDM service section in the TCP Wrappers configuration file.</para>

292

293

<para>GDM includes several measures making it more resistant to denial of service attacks on the XDMCP service. A lot of the protocol parameters, handshaking timeouts etc. can be fine tuned. The defaults should work for most systems, however, do not change them unless you know what you are doing.</para>

294

295

<para>GDM listens to UDP port 177 and will respond to QUERY and BROADCAST_QUERY requests by sending a WILLING packet to the originator.</para>

296

297

<para>GDM can also be configured to honour INDIRECT queries and present a host chooser to the remote display. GDM will remember the user's choice and forward subsequent requests to the chosen manager. GDM also supports an extension to the protocol which will make it forget the redirection once the user's connection succeeds. This extension is only supported if both daemons are GDM. It is transparent and will be ignored by XDM or other daemons that implement XDMCP.</para>

298

299

<para>

300

If XDMCP seems to not be working, make sure that all machines are

301

specified in <filename>/etc/hosts</filename>.

302

</para>

303

304

<para>Refer to the "Security" section for information about security concerns when using XDMCP.</para>

305

</sect2>

306

307

308

<title>Securing Remote Connection Through SSH</title>

309

<para>As explained in the "Security" section, XDMCP does not use any kind of encryption and as such is inherently insecure. As XDMCP uses UDP as a network transport layer, it is not possible to simply secure it through an SSH tunnel.</para>

310

311

<para>

312

To remedy this problem, GDM can be configured at compilation-time with

313

the option --enable-secureremote, in which case GDM proposes as a

314

built-in session a session called "Secure Remote Connection".

315

Starting such a session allows the user to enter the name or the

316

address of the host on which to connect; provided the said host runs an

317

SSH server, the user then gets connected to the server on which the

318

default X session is started and displayed on the local host.

319

</para>

320

321

<para>Using this session allows a much more secure network connection and only necessitates to have an SSH server running on the remote host.</para>

322

</sect2>

323

324

325

<title>The GTK+ Greeter</title>

326

327

<para>The GTK+ Greeter is the default graphical user interface that is presented to the user. The greeter contains a menu at the top, an optional face browser, an optional logo and a text entry widget. This greeter has full accessibility support and should be used by users with accessibility needs.</para>

328

329

<para>The text entry field is used for entering logins, passwords, passphrases etc. <command>gdmlogin</command> is controlled by the underlying daemon and is basically stateless. The daemon controls the greeter through a simple protocol where it can ask the greeter for a text string with echo turned on or off. Similarly, the daemon can change the label above the text entry widget to correspond to the value the authentication system wants the user to enter.</para>

330

331

<para>The menu bar in the top of the greeter enables the user to select the requested session type/desktop environment, select an appropriate locale/language, halt/restart/suspend the computer, configure GDM (given the user knows the root password), change the GTK+ theme or start an XDMCP chooser.</para>

332

333

<para>The greeter can optionally display a logo in the login window. The image must be in a format readable to the gdk-pixbuf library (GIF, JPG, PNG, TIFF, XPM and possibly others), and it must be readable to the GDM user. See the <filename>Logo</filename> option in the reference section below for details.</para>

334

</sect2>

335

336

337

<title>The Themed Greeter</title>

338

339

<para>The Themed Greeter is a greeter interface that takes up the whole screen and is very themable. Themes can be selected and new themes can be installed by the configuration application or by setting the <filename>GraphicalTheme</filename> configuration key. The Themed Greeter is much like the GTK+ Greeter in that it is controlled by the underlying daemon, is stateless, and is controlled by the daemon using the same simple protocol.</para>

340

341

<para>The look and feel of this greeter is really controlled by the theme and so the user interface elements that are present may be different. The only thing that must always be present is the text entry field as described above in the GTK+ Greeter. The theme can include buttons that allow the user to select an appropriate locale/language, halt/restart/suspend the computer, configure GDM (given the user knows the root password) or start an XDMCP chooser.</para>

342

343

<para>You can always get a menu of available actions by pressing the F10 key. This can be useful if the theme doesn't provide certain buttons when you wish to do some action allowed by the GDM configuration.</para>

344

</sect2>

345

346

347

<title>The GDM Face Browser</title>

348

349

<para>

350

GDM supports a face browser which will display a list of users who

351

can login and an icon for each user. Starting with version 2.18.1

352

the <filename>Browser</filename> configuration option must be set

353

to "true" for this function to be available. In previous

354

versions it was only required when using the GTK+ Greeter. When

355

using the Themed Greeter, the Face Browser is only available if the

356

GDM theme includes a "userlist" item type.

357

</para>

358

359

<para>By default, the face browser is disabled since revealing usernames on the login screen is not appropriate on many systems for security reasons. Also GDM requires some setup to specify which users should be visible. Setup can be done on the "Users" tab in <command>gdmsetup</command>. This feature is most practical to use on a system with a smaller number of users.</para>

360

361

<para>The icons used by GDM can be installed globally by the sysadmin or can be located in the users' home directories. If installed globally they should be in the <filename><share>/pixmaps/faces/</filename> directory (though this can be configured with the <filename>GlobalFaceDir</filename> configuration option) and the filename should be the name of the user, optionally with a <filename>.png</filename> appended. Face icons placed in the global face directory must be readable to the GDM user. However, the daemon, proxies user pictures to the greeter and thus those do not have be be readable by the "gdm" user, but root.</para>

362

363

<para>Users may run the <command>gdmphotosetup</command> command to configure the image to use for their userid. This program properly scales the file down if it is larger than the <filename>MaxIconWidth</filename> or <filename>MaxIconHeight</filename> configuration options and places the icon in a file called <filename>~/.face</filename>. Although <command>gdmphotosetup</command> scales user images automatically, this does not guarantee that user images are properly scaled since a user may create their <filename>~/.face</filename> file by hand.</para>

364

365

<para>GDM will first look for the user's face image in <filename>~/.face</filename>. If not found, it will try <filename>~/.face.icon</filename>. If still not found, it will use the value defined for "face/picture=" in the <filename>~/.gnome2/gdm</filename> file. Lastly, it will try <filename>~/.gnome2/photo</filename> and <filename>~/.gnome/photo</filename> which are deprecated and supported for backwards compatibility.</para>

366

367

<para>If a user has no defined face image, GDM will use the "stock_person" icon defined in the current GTK+ theme. If no such image is defined, it will fallback to the image specified in the <filename>DefaultFace</filename> configuration option, normally <filename><share>/pixmaps/nobody.png</filename>.</para>

368

369

<para>Please note that loading and scaling face icons located in user home directories can be a very time-consuming task. Since it not practical to load images over NIS or NFS, GDM does not attempt to load face images from remote home directories. Furthermore, GDM will give up loading face images after 5 seconds of activity and will only display the users whose pictures it has gotten so far. The <filename>Include</filename> configuration option can be used to specify a set of users who should appear on the face browser. As long as the users to include is of a reasonable size, there should not be a problem with GDM being unable to access the face images. To work around such problems, it is recommended to place face images in the directory specified by the <filename>GlobalFaceDir</filename> configuration option.</para>

370

371

<para>To control the users who get displayed in the face browser, there are a number of configuration options that can be used. If the <filename>IncludeAll</filename> option is set to true, then the password file will be scanned and all users will be displayed. If <filename>IncludeAll</filename> option is set to false, then the <filename>Include</filename> option should contain a list of users separated by commas. Only the users specified will be displayed. Any user listed in the <filename>Exclude</filename> option and users whose UID's is lower than <filename>MinimalUID</filename> will be filtered out regardless of the <filename>IncludeAll</filename> setting. <filename>IncludeAll</filename> is not recommended for systems where the passwords are loaded over a network (such as when NIS is used), since it can be very slow to load more than a small number of users over the network..</para>

372

373

<para>When the browser is turned on, valid usernames on the computer are inherently exposed to a potential intruder. This may be a bad idea if you do not know who can get to a login screen. This is especially true if you run XDMCP (turned off by default).</para>

374

</sect2>

375

376

377

<title>Logging</title>

378

379

<para>GDM will use syslog to log errors or status. It can also log debugging information, which can be useful for tracking down problems if GDM is not working properly. This can be enabled in the configuration file.</para>

380

381

<para>Output from the various X servers is stored in the GDM log directory, which is configurable, but is usually <filename><var>/log/gdm/</filename>. The output from the session can be found in a file called <filename><display>.log</filename>. Four older files are also stored with <filename>.1</filename> through <filename>.4</filename> appended. These will be rotated as new sessions on that display are started. You can use these logs to view what the X server said when it started up.</para>

382

383

<para>The output from the user session is redirected to <filename>~/.xsession-errors</filename> before even the <filename>PreSession</filename> script is started. So it is not really necessary to redirect this again in the session setup script. As is usually done. If the user session lasted less then 10 seconds, GDM assumes that the session crashed and allows the user to view this file in a dialogue before returning to the login screen. This way the user can view the session errors from the last session and correct the problem this way.</para>

384

385

<para>You can suppress the 10 second warning by returning code 66 from the <filename>Xsession</filename>script or from your session binary (the default <filename>Xsession</filename> script propagates those codes back). This is useful if you have some sort of special logins for which it is not an error to return less then 10 seconds later, or if you setup the session to already display some error message and the GDM message would be confusing and redundant.</para>

386

387

<para>

388

The session output is piped through the GDM daemon and so the

389

<filename>~/.xsession-errors</filename> file is capped at about

390

200 kilobytes by GDM to prevent a possible denial of service attack

391

on the session. An application could perhaps on reading some wrong

392

data print out warnings or errors on the stderr or stdout. This could

393

perhaps fill up the user's home directory making it necessary to log

394

out and back into their session to clear this. This could be

395

especially nasty if quotas are set. GDM also correctly traps the XFSZ

396

signal and stops writing the file, which would lead to killed sessions

397

if the file was redirected in the old fashioned way from the script.

398

</para>

399

400

<para>Note that some distributors seem to override the <filename>~/.xsession-errors</filename> redirection and do it themselves in their own Xsession script (set by the <filename>BaseXsession</filename> configuration key) which means that GDM will not be able to trap the output and cap this file. You also lose output from the <filename>PreSession</filename> script which can make debugging things harder to figure out as perhaps useful output of what is wrong will not be printed out. See the description of the <filename>BaseXsession</filename> configuration key for more information, especially on how to handle multiple display managers using the same script.</para>

401

402

<para>Note that if the session is a failsafe session, or if GDM can't open this file for some reason, then a fallback file will be created in the <filename>/tmp</filename> directory named <filename>/tmp/xses-<user>.XXXXXX</filename> where the <filename>XXXXXX</filename> are some random characters.</para>

403

404

<para>If you run a system with quotas set, it would be a good idea to delete the <filename>~/.xsession-errors</filename> in the <filename>PostSession</filename> script. So that this log file doesn't take up unnecessarily disk space.</para>

405

</sect2>

406

407

408

<title>Accessing Files</title>

409

410

<para>In general GDM is very reluctant regarding reading/writing of user files (such as the <filename>~/.dmrc</filename>, <filename>~/.face</filename>, <filename>~/.xsession-errors</filename>, and <filename>~/.Xauthority</filename> files). For instance it refuses to access anything but regular files. Links, sockets and devices are ignored. The value of the <filename>RelaxPermissions</filename> parameter determines whether GDM should accept files writable by the user's group or others. These are ignored by default.</para>

411

412

<para>All operations on user files are done with the effective user id of the user. If the sanity check fails on the user's <filename>.Xauthority</filename> file, a fallback cookie is created in the directory specified by the <filename>UserAuthFBDir</filename> configuration setting (<filename>/tmp</filename> by default).</para>

413

414

<para>Finally, the sysadmin can specify the maximum file size GDM should accept, and, if the face browser is enabled, a tunable maximum icon size is also enforced. On large systems it is still advised to turn off the face browser for performance reasons. Looking up icons in home directories, scaling and rendering face icons can take a long time.</para>

415

</sect2>

416

417

418

<title>GDM Performance</title>

419

420

<para>To speed performance it is possible to build GDM so that it will preload libraries when GDM first displays a greeter program. This has been shown to speed first time login since these libraries can be loaded into memory while the user types in their username and password.</para>

421

422

<para>To use this feature, configure GDM with the <command>--with-prefetch</command> option. This will cause GDM to install the <command>gdmprefetch</command> program to the <filename>libexecdir</filename> directory, install the <filename>gdmprefetchlist</filename> to the <filename><etc>/gdm</filename> directory, and set the <filename>PreFetchProgram</filename> configuration variable so that the <command>gdmprefetch</command> program is called with the default <filename>gdmprefetchlist</filename> file. The default <filename>gdmprefetchlist</filename> file was optimised for a GNOME desktop running on Solaris, so may need fine-tuning on other systems. Alternative prefetchlist files can be contributed to the "gdm" category in <ulink type="http" url="http://bugzilla.gnome.org/">bugzilla.gnome.org</ulink>, so that they can be included in future GDM releases.</para>

423

</sect2>

424

</sect1>

425

426

427

<title>Security</title>

428

429

430

431

432

<para>GDM uses PAM for login authentication, though if your machine does not support PAM you can build GDM to work with the password database and the crypt library function.</para>

433

434

<para>PAM stands for Pluggable Authentication Modules, and is used by most programs that request authentication on your computer. It allows the administrator to configure different authentication behaviours for different programs.</para>

435

436

<para>Some GDM features (like turning on automatic login) may require that you update your PAM configuration. PAM configuration has different, but similar, interfaces on different operating systems, so check your pam.d or pam.conf man page for details. Be sure that you read the PAM documentation (e.g. pam.d/pam.conf man page) and are comfortable with the security implications of any changes you intend to make to your configuration.</para>

437

438

<para>If there is no entry for GDM in your system's PAM configuration file, then features like automatic login may not work. Not having an entry will cause GDM to use default behavior, conservative settings are recommended and probably shipped with your distribution.</para>

439

440

<para>If you wish to make GDM work with other types of authentication mechanisms (such as a SmartCard), then you should implement this by using a PAM service module for the desired authentication type rather than by trying to modify the GDM code directly. Refer to the PAM documentation on your system. This issue has been discussed on the <address><email>gdm-list@gnome.org</email></address> mail list, so you can refer to the list archives for more information.</para>

441

442

<para>

443

For example, an effective way to implement such an exotic

444

authentication mechanism would be to have a daemon running

445

on the server listening to the authentication device (e.g.

446

USB key, fingerprint reader, etc.). When the device

447

announces that it has received input, then the daemon can

448

set the <filename>PamStack</filename> configuration value

449

using per-display configuration, and restart the greeter

450

with the PAM stack that works with this device. This avoids

451

needing to hack the display manager code directly to support

452

the feature.

453

</para>

454

</sect2>

455

456

457

<title>

458

utmp/wtmp

459

</title>

460

461

<para>

462

GDM generates utmp and wtmp User Accounting Database entries upon

463

session login and logout. The utmp database contains user access

464

and accounting information that is accessed by commands such as

465

<command>finger</command>, <command>last</command>,

466

<command>login</command>, and <command>who</command>. The wtmp

467

database contains the history of user access and accounting

468

information for the utmp database.

469

</para>

470

471

<para>

472

GDM 2.18 and earlier would run the X server <command>sessreg</command>

473

program from the default GDM <command>PreSession</command> and

474

<command>PostSession</command> scripts. Starting with GDM 2.20, GDM

475

interacts with the UTMP and WTMP databases directly and supports the

476

following configuration options.

477

</para>

478

479

<para>

480

When doing utmp processing, GDM supports configurability on how the

481

ut_line value is set. Programs that access the database assume that

482

this value is an actual device, so GDM will set the device as follows.

483

If the display is attached and has an associated Virtual Terminal (VT)

484

device, then this device will be used. Otherwise, if an attached

485

display in the <command>[servers]</command> specifies a device name,

486

then this value will be used. Otherwise attached displays will default

487

to the <filename>UtmpLineAttached</filename> value in the GDM

488

configuration. Remote displays will default to the

489

<filename>UtmpLineRemote</filename> value in the GDM configuration.

490

Device values must begin with "/dev/".

491

</para>

492

493

<para>

494

GDM also supports the <filename>UtmpPseudoDevice</filename>

495

configuration option. If this configuration setting is true, then GDM

496

will ensure that the specified device exists and will create a pseudo

497

device if the device does not exist. A pseudo device is a symlink to

498

<filename>/dev/null</filename>. If

499

<filename>UtmpPseudoDevice</filename> is true, and the device does

500

already exist, GDM checks to see if the device is a symlink to

501

<filename>/dev/null</filename>. If so, then GDM will update the access

502

time of the symlink. This ensures that programs that check the access

503

time of the device will get a reasonable value for the last time the

504

device was accessed. If the <filename>UtmpPseudoDevice</filename>

505

configuration option is false, then GDM will only set the ut_line

506

value as specified regardless of whether the device exists or not.

507

</para>

508

</sect2>

509

510

511

512

513

<para>For security reasons a dedicated user and group id are required for proper operation. The user "nobody" is not appropiate for gdm as the user needs to be able to write Xauth files.</para>

514

515

<para>The GDM daemon normally runs as root, as does the slave. However GDM should also have a dedicated user id and a group id which it uses for its graphical interfaces such as <command>gdmgreeter</command> and <command>gdmlogin</command>. These are configured via the <filename>User</filename> and <filename>Group</filename> configuration options in the GDM configuration files. The user and group should be created before running "make install". By default GDM assumes the user and the group are called "gdm".</para>

516

517

<para>This userid is used to run the GDM GUI programs required for login. All functionality that requires root authority is done by the GDM daemon process. This design ensures that if the GUI programs are somehow exploited, only the dedicated user privileges are available.</para>

518

519

<para>It should however be noted that the GDM user and group have some privileges that make them somewhat dangerous. For one, they have access to the X server authorisation directory. It must be able to read and write Xauth keys to <filename><var>/lib/gdm</filename>. This directory should have root:gdm ownership and 1770 permissions. Running "make install" will set this directory to these values. The GDM daemon process will reset this directory to proper ownership/permissions if it is somehow not set properly.</para>

520

521

<para>The danger is that someone who gains the GDM user/group privileges can then connect to any session. So you should not, under any circumstances, make this a user/group which may be easily accessed, such as the <filename>nobody</filename> user. Users who gain access to the "gdm" user could also modify the Xauth keys causing Denial-Of-Service attacks. If a person gains the ability to run programs as the user "gdm", it would be possible to snoop on running GDM processes, including usernames and passwords as they are being typed in.</para>

522

523

<para>Distributions and system administrators using GDM are expected to set up the dedicated user properly. It is recommended that this userid be configured to not have a default shell or be allowed to login. Distributions and system administrators should set up the filesystem to ensure that the GDM user does not have read or write access to sensitive files.</para>

524

</sect2>

525

526

527

<title>X Server Authentication Scheme</title>

528

529

<para>The X server authorisation directory (the <filename>ServAuthDir</filename>) is used, for legacy reasons, for a host of random internal data in addition to the X server authorisation files. GDM daemon enforces this directory to be owned by <filename>root:gdm</filename> with the permissions of 1770. This way only root and the gdm group have write access to this directory, but the gdm group cannot remove the root owned files from this directory, such as the X server authorisation files.</para>

530

531

<para>GDM, by default, doesn't trust the X server authorisation directory and treats it in the same way as the temporary directory with respect to creating files. This way the daemon cannot be attacked by creating links in this directory. Similarly the X server log directory is treated safely, but that directory should be owned and writable only by root.</para>

532

533

<para>GDM only supports the MIT-MAGIC-COOKIE-1 X server authentication scheme. Normally little is gained from the other schemes, and no effort has been made to implement them so far. Be especially careful about using XDMCP because the X server authentication cookie goes over the wire in clear text. If snooping is possible, then an attacker could simply snoop your authentication cookie as you log in, regardless of the authentication scheme being used. If snooping is possible and undesirable, then you should use ssh for tunneling an X connection rather then using XDMCP. You could think of XDMCP as a sort of graphical telnet, having the same security issues.</para>

534

535

<para>On the upside, GDM's random number generation is very conservative and GDM goes to extraordinary measures to get get a truly random 128 bit number, using hardware random number generators (if available), the current time (in microseconds), a 20 byte array of pseudo-random numbers, process pids and other random information (possibly using <filename>/dev/audio</filename> or <filename>/dev/mem</filename> if hardware random generators are not available) to create a large buffer and then runs an MD5 digest on this. Obviously, all this work is wasted if you send this cookie over an open network or store it on an NFS directory (see the <filename>UserAuthDir</filename> configuration key). So be careful about where you use remote X display.</para>

536

</sect2>

537

538

539

<title>Firewall Security</title>

540

541

<para>Even though GDM tries to outsmart potential attackers trying to take advantage of XDMCP, it is advised that you block the XDMCP port (normally UDP port 177) on your firewall. GDM guards against DoS (Denial of Service) attacks, but the X protocol is still inherently insecure and should only be used in controlled environments. This risk is increased as each remote connection takes up lots of resources, making it much easier to perform a DoS via XDMCP.</para>

542

543

<para>It is also wise to block all of the X Server ports. These are the TCP ports 6000 + the display number of course. Note that GDM will use display numbers 20 and higher for flexible on-demand servers.</para>

544

545

<para>Both X and XDMCP are not safe protocols for public access.</para>

546

</sect2>

547

548

549

<title>GDM Security With NFS</title>

550

551

<para>Note that NFS traffic really goes "over the wire" and can be snooped. When accessing the user's X authorisation file (<filename>~/.Xauthority</filename>), GDM will try to open the file for reading as root. If it fails, GDM will conclude that it is on an NFS mount and it will automatically use <filename>UserAuthFBDir</filename>, which by default is set to <filename>/tmp</filename>. This behaviour can be changed by setting the <filename>NeverPlaceCookiesOnNFS</filename> in the <filename>[security]</filename> section to false.</para>

552

</sect2>

553

554

555

<title>XDMCP Security</title>

556

557

<para>Even though your display is protected by cookies, XEvents and keystrokes typed when entering passwords will still go over the network in clear text. It is trivial to capture these.</para>

558

559

<para>XDMCP is primarily useful for running thin clients, such as in terminal labs. These thin clients will only ever need the network to access the server, so it seems like the best security policy to have those thin clients on a separate network that cannot be accessed by the outside world, and can only connect to the server. The only point from which you need to access outside is the server.</para>

560

561

<para>The above sections "X Server Authentication Scheme" and "Firewall Security" also contain important information about using XDMCP securely. The next section also discusses how to set up XDMCP access control.</para>

562

563

<para>To workaround the inherent insecurity of XDMCP, gdm proposes a default built-in session that uses SSH to encrypt the remote connection. See the section "Securing remote connection through SSH" above.</para>

564

</sect2>

565

566

567

<title>XDMCP Access Control</title>

568

569

<para>XDMCP access control is done using TCP wrappers. It is possible to compile GDM without TCP wrappers, however, so you should test your configuration and verify that they work.</para>

570

571

<para>You should use the daemon name <command>gdm</command> in the <filename><etc>/hosts.allow</filename> and <filename><etc>/hosts.deny</filename> files. For example, to deny computers from <filename>.evil.domain</filename> from logging in, then add</para>

572

573

gdm: .evil.domain

574

</screen>

575

<para>to <filename><etc>/hosts.deny</filename>. You may also need to add</para>

576

577

gdm: .your.domain

578

</screen>

579

<para>to your <filename><etc>/hosts.allow</filename> if you normally disallow all services from all hosts. See the <ulink type="help" url="man:hosts.allow">hosts.allow(5)</ulink> man page for details.</para>

580

</sect2>

581

582

583

<title>RBAC (Role Based Access Control)</title>

584

585

<para>

586

If GDM is compiled with RBAC support, then the

587

<filename>RBACSystemCommandKeys</filename> configuration option can be

588

used to specify the RBAC key to be used to determine if the user has

589

authority to use commands. This is supported for the Shutdown,

590

Reboot, Suspend, and Custom Commands that appear in the GDM greeter

591

and via the <command>gdmflexiserver</command> QUERY_LOGOUT_ACTION,

592

SET_LOGOUT_ACTION, and SET_SAFE_LOGOUT_ACTION commands. The greeter

593

will only display the option if the gdm user (specified by the

594

<filename>User</filename> configuration option) has permission

595

via RBAC. Users will only be able to use the

596

<command>gdmflexiserver</command> commands if the user has

597

permission via RBAC.

598

</para>

599

</sect2>

600

</sect1>

601

602

603

<title>Support for ConsoleKit</title>

604

605

<para>GDM includes support for publishing user login information with the user and login session accounting framework known as ConsoleKit. ConsoleKit is able to keep track of all the users currently logged in. In this respect, it can be used as a replacement for the utmp or utmpx files that are available on most Unix-like operating systems.</para>

606

607

<para>

608

When GDM is about to create a new login process for a user it will call

609

a privileged method of ConsoleKit in order to open a new session for this

610

user. At this time GDM also provides ConsoleKit with information about

611

this user session such as: the user ID, the X11 Display name that will be

612

associated with the session, the host-name from which the session

613

originates (useful in the case of an XDMCP session), whether or not this

614

session is attached, etc. As the entity that initiates the user process,

615

GDM is in a unique position know and to be trusted to provide these bits

616

of information about the user session. The use of this privileged method

617

is restricted by the use of D-Bus system message bus security policy.

618

</para>

619

620

<para>In the case where a user with an existing session and has authenticated at GDM and requests to resume that existing session GDM calls a privileged method of ConsoleKit to unlock that session. The exact details of what happens when the session receives this unlock signal is undefined and session-specific. However, most sessions will unlock a screensaver in response.</para>

621

622

<para>When the user chooses to log out, or if GDM or the session quit unexpectedly the user session will be unregistered from ConsoleKit.</para>

623

624

<para>

625

If support for ConsoleKit is not desired it can be disabled at build

626

time using the "--with-console-kit=no" option when running

627

configure.

628

</para>

629

630

</sect1>

631

632

633

<title>Using gdmsetup To Configure GDM</title>

634

635

<para>The <command>gdmsetup</command> application can be used to configure GDM. If you believe running root-owned GUIs causes a security risk, then you would want to always edit the files by hand and not use <command>gdmsetup</command>. Editing the files by hand is explained in the "Configuration" section of this document. Note that <command>gdmsetup</command> does not support changing of all configuration variables, so it may be necessary to edit the files by hand for some configurations.</para>

636

637

<para>

638

The <command>gdmsetup</command> program has five tabs: Local, Remote,

639

Accessibility, Security, and Users, described below. In parenthesis is

640

information about which GDM configuration key is affected by each GUI

641

choice. Refer to the "Configuration" section of this manual

642

and the comments in the GDM System Defaults Configuration File for

643

additional details about each key.

644

</para>

645

646

647

<title>Local Tab</title>

648

649

<para>

650

The Local tab is used for controlling the appearance of GDM for

651

attached (also known as local or static) displays. Attached displays

652

are non-XDMCP remote connections, for example. The choices available

653

in this tab depend on the setting of the "Style" combobox.

654

This combobox is used to determine whether the "Plain" or

655

"Themed" greeter GUI is used. The differences between these

656

greeter programs are explained in the "Overview" section of

657

this document.

658

</para>

659

660

<para>If the "Style" choice is "Plain", then GDM will use the <command>gdmlogin</command> program as the GUI (daemon/Greeter). When this choice is selected, <command>gdmsetup</command> allows the user to select whether the background is an image or solid colour (greeter/BackgroundType). If image is selected, there is a file selection button to pick the image file (greeter/BackgroundImage) and a checkbox to scale the image to fit the screen (greeter/BackgroundImageScaleToFit). If solid colour is selected, there is a button available to allow the colour selection (greeter/BackgroundColor). Also, the user may select the logo image that appears in gdmlogin (greeter/Logo).</para>

661

662

<para>

663

If the "Style" choice is "Plain with face browser",

664

then the <command>gdmlogin</command> program is used as the GUI

665

(daemon/Greeter) and the face browser is turned on (greeter/Browser).

666

The Face Browser is explained in the "Overview" section.

667

Otherwise, the choices are the same as when the "Style"

668

choice is "Plain". Additional setup in the Users tab may be

669

necessary to choose which users appear in the Face Browser.

670

</para>

671

672

<para>

673

If the "Style" choice is "Themed", then the

674

<command>gdmgreeter</command> program is used as the GUI

675

(daemon/Greeter). When this choice is selected,

676

<command>gdmsetup</command> allows the user to select the theme to be

677

used (greeter/GraphicalTheme). Note that the checkbox to the left

678

of the theme's name must be checked for a theme to be selected.

679

Information about the theme's author and copyright are shown for the

680

highlighted theme. The "Remove" button can be used to delete

681

the highlighted theme. The "Add" button can be used to add

682

new themes to the system. For a new theme to be added it must be

683

in tar or compressed tar format. The "Background color"

684

displayed when GDM starts (and if the theme has transparent elements)

685

can be selected (greeter/GraphicalThemedColor). The "Theme"

686

combo box may be set to "Random from selected" to display a

687

random theme for each login (greeter/GraphicalThemeRand and

688

greeter/GraphicalThemes). To use random themes, select each theme that

689

you wish to be displayed. By default this combobox is set to

690

"Selected only", so that only a single theme may be selected

691

and be used.

692

</para>

693

694

<para>

695

If the "Style" choice is "Themed with face

696

browser", then the <command>gdmgreeter</command> program is used

697

as the GUI (daemon/Greeter) and the face browser is turned on

698

(greeter/Browser) if supported by the theme. The Face Browser is

699

explained in the Overview section. Otherwise, the choices are the

700

same as when the "Style" choice is "Themed".

701

Additional setup in the Users tab may be necessary to choose which

702

users appear in the Face Browser.

703

</para>

704

705

<para>

706

Regardless of the "Style" choice, the user may also select

707

whether the Actions menu is visible (greeter/SystemMenu), whether the

708

Actions menu includes the choice to start <command>gdmsetup</command>

709

(greeter/ConfigAvailable), and whether the Action menu includes the

710

choice to start <command>gdmchooser</command> to run a remote XDMCP

711

login session (greeter/ChooserButton). The welcome message for

712

attached DISPLAYS may be specified (greeter/DefaultWelcome and

713

greeter/Welcome). The welcome message may contain the character

714

sequences described in the "Text Node" subsection of the

715

"Themed Greeter" section of this manual. These character

716

sequences allow the welcome message to contain things like the display

717

or host name.

718

</para>

719

</sect2>

720

721

722

<title>Remote Tab</title>

723

724

<para>

725

The Remote tab controls the appearance of the GDM for users logging

726

in via XDMCP. By default XDMCP is disabled, and users should be

727

comfortable with the XDMCP-related sections of the Security section

728

of this document before enabling it. This tab includes a

729

"Style" combobox which can be used to turn on XDMCP and

730

control the appearance of GDM for remote users (gui/RemoteGreeter

731

and xdmcp/Enable). The user may specify to use either the same

732

greeter as used on the Local tab, or the other Greeter program. If

733

the Face Browser setting is true on the Local tab, then it will also

734

be true for the Remote tab. If the Face Browser setting is

735

false on the Local tab, then it will also be false for the Remote

736

tab. It is recommended that the "Plain" GUI be used for

737

remote connections since it is more lightweight and tends to have

738

better performance across a network.

739

</para>

740

741

<para>

742

If Remote login is enabled, then the welcome message for

743

remote DISPLAYs may be specified (greeter/DefaultRemoteWelcome and

744

greeter/RemoteWelcome). This welcome message is separate from the

745

one shown for attached displays defined in the Local tab and can have

746

a different value. The welcome message may contain the character

747

sequences described in the "Text Node" subsection of the

748

"Themed Greeter" section of this manual. These character

749

sequences allow the welcome message to contain things like the

750

display or host name.

751

</para>

752

753

<para>If the "Style" choice is "Same as Local" and the local selection is "Plain" or "Plain with face browser", then the user may select whether background images should be displayed for remote logins (greeter/BackgroundRemoteOnlyColor).</para>

754

755

<para>If the "Style" choice is enabled and set to a different value than the Local tab, then the user has the same configuration choices as found on the Local tab except that the System Menu choices are not available since this is never available for remote logins for security purposes.</para>

756

757

<para>If remote login is enabled, there is a "Configure XDMCP" button which displays a dialogue allowing the user to set up XDMCP configuration, including whether indirect requests are honoured (xdmcp/HonorIndirect), UDP port (xdmcp/Port), maximum pending requests (xdmcp/MaxPending), maximum pending indirect requests (xmdcp/MaxPendingIndirect), maximum remote sessions (xdmcp/MaxSessions), maximum wait time (xdmcp/MaxWait), maximum indirect wait time (xdmcp/MaxWaitIndirect), displays per host (xdmcp/DisplaysPerHost) and ping interval (xdmcp/PingIntervalSeconds). The default settings are standard settings and should only be changed by someone who understands the ramifications of the change.</para>

758

</sect2>

759

760

761

<title>Accessibility Tab</title>

762

763

<para>The Accessibility tab is used to turn on Accessibility features in GDM. "Enable accessible login" (daemon/AddGtkModules and daemon/GtkModulesList) turns on GDM's gesture listeners which are explained in the "Accessibility" section of this document. There is also a checkbox to allow users to change the theme when using the Plain greeter (gui/AllowGtkThemeChange). This feature allows GDM users to switch the theme to the HighContrast or LowContrast themes if needed. The user may also select whether GDM should play a sound when the login screen is ready, when login is successful and when login has failed. File chooser buttons are used to select the sound file to be played, and the "Play" button can be used to sample the sound.</para>

764

</sect2>

765

766

767

<title>Security Tab</title>

768

769

<para>

770

The Security tab allows the user to turn on Automatic and Timed login,

771

which user is logged in via an automatic or timed login, and the

772

timed login delay (daemon/AutomaticLoginEnable, daemon/AutomaticLogin,

773

daemon/TimedLoginEnable, daemon/TimedLogin, and daemon/TimedLoginDelay).

774

If automatic login is turned on, then the specified user will

775

immediately log in on reboot without GDM asking for username/password.

776

If the user logs out of their session, GDM will start and ask for

777

username and password to log back in. If TimedLogin is turned on, then

778

GDM will log into the specified user after a specified number of

779

seconds. The user may enable Timed Login for remote (XDMCP)

780

connections by checking the "Allow remote timed logins"

781

checkbox.

782

</para>

783

784

<para>

785

On this tab, the user may select whether the system administrator user

786

can log in, and whether the system administrator user can log in

787

via remote (XDMCP) connections (security/AllowRoot and

788

security/AllowRemoteRoot). The user may turn on GDM debug

789

(debug/Enable) which causes debug messages to be sent to the system

790

log. Debug should only be used when diagnosing a problem and not be

791

left on when not needed. The "Deny TCP connections to

792

X server" choice will disable X forwarding if selected

793

(security/DisallowTCP). A login retry delay (security/RetryDelay) can

794

be set to cause GDM to wait a number of seconds after a failed login.

795

</para>

796

797

<para>The "Configure X Server" button can be used to specify how GDM manages each display. The "Servers" combobox shows what server definitions are available (Standard, Terminal, and Chooser by default). Refer to the "X Server Definitions" section of the "Configuration" section for more information about how to create new Server Definitions.</para>

798

799

<para>

800

For any server type, the user may modify the "Server Name"

801

(server/name), the "Command" (server/command) to be used to

802

launch the X server, whether the server type will "Launch"

803

(server/chooser) the greeter or chooser GUI after starting the

804

X server, whether GDM handles this type (normally only set to false

805

when logging into a Terminal session type), and whether the session

806

type supports "Flexible" (server/flexible) sessions.

807

</para>

808

809

<para>The "Servers To Start" section shows what server type is displayed for each display on the machine. Users may click on the "Add/Modify" button to add a new display to the list or to modify a selected display. This simply corresponds each physical display with the Server Definition to be used for managing that display. The "Remove" button may be used to remove a display from the list.</para>

810

</sect2>

811

812

813

<title>Users Tab</title>

814

815

<para>The Users tab controls which users appear in the Face Browser. If the "Include all users from /etc/password" checkbox is selected, then all users (with a userid above greeter/MinimalUID and not in the Exclude list) are displayed. If this checkbox is not selected, then users must be added to the "Include" list. Users in the "Exclude" list are never displayed. The "Add" and "Remove" buttons are used to add a new user to the list or remove a selected user from the list. The "Apply User Changes" button must be pressed after the "Include" and "Exclude" lists have been modified. The left and right arrow buttons between the "Include" and "Exclude" lists can be used to move a selected user from one list to the other.</para>

816

</sect2>

817

</sect1>

818

819

820

<title>Configuration</title>

821

822

<para>

823

GDM has powerful configuration management. System default configuration

824

is stored in the GDM System Defaults Configuration File and user changes

825

to the default configuration are stored in the GDM Custom Configuration

826

File. This allows sysadmins to store the GDM System Defaults

827

Configuration File on a shared filesystem, so a single file can be used

828

to control configuration for multiple machines. GDM also supports

829

per-display configuration for GUI-related keys.

830

</para>

831

832

<para>The <command>gdmsetup</command> is a GUI program you can use to edit the GDM configuration. This program may also be launched directly from the login screen if the greeter/ConfigAvailable key is set to "true" Not all keys in the GDM configuration file are supported in the GUI, so you may need to edit the configuration files by hand to edit these keys. If you believe running root-owned GUI's causes security risk, then you would want to always edit the files by hand. This program does not support setting per-display configuration, so per-display configuration files must be set up by hand.</para>

833

834

<para>

835

Aside from the GDM System Defaults Configuration File, the other GDM

836

configuration files are located, by default, in the

837

<filename><etc>/gdm/</filename> folder or its subdirectories.

838

Note that the location of many configuration files are defined in the

839

GDM configuration files, so check the GDM System Defaults Configuration

840

File and the GDM Custom Configuration File if the files are not in the

841

locations specified in this document.

842

</para>

843

844

<para>

845

Listing of the config directory contents:

846

</para>

847

848

849

custom.conf

850

locale.alias

851

Xsession

852

XKeepsCrashing

853

modules/

854

Init/

855

PostLogin/

856

PreSession/

857

PostSession/

858

</screen>

859

860

<para>

861

<filename>locale.alias</filename> is a file which looks much like the

862

system locale alias but, in fact, is not the same. This is a list

863

of all languages that may be on your system. All languages are

864

checked to see if they exist before displaying them in the Language

865

Selection dialog in the login GUI. Only those that exist are displayed.

866

</para>

867

868

<para><filename>Xsession</filename> is a script which sets up a user session and then executes the user's choice of session. Note that the session script is typically started via the <filename>desktop</filename> file associated with the session the user has picked. Some sessions may start the user's session via a different mechanism than the <filename>Xsession</filename> script, so please check the appropriate <filename>desktop</filename> before assuming a session startup issue is being caused by this file.</para>

869

870

<para><filename>XKeepsCrashing</filename> is a script which gets run when the X server keeps crashing and we cannot recover. The shipped default script will work with most Linux distributions and can run the X configuration application provided the person on the console knows the root password.</para>

871

872

<para>Accessibility modules are configured in the <filename>modules/</filename> subdirectory, and are a separate topic. Read the default files provided, they have adequate documentation. Again normally the default install is given in the files with <filename>factory</filename> in their name, and those files are not read, they are just there for you so you can always revert to default config.</para>

873

874

<para>

875

Files describing available GDM session follow the freedesktop.org

876

desktop file specification. The <filename>.desktop</filename>-style

877

files are installed to <filename><etc>/X11/sessions/</filename>.

878

This directory is also read by the KDE desktop manager (KDM) for common

879

configuration. Next the directory

880

<filename><share>/gdm/BuiltInSessions/</filename> is read for

881

GDM specific built-in sessions (KDM hardcodes these at time of

882

this writing). Lastly the default setup will also read

883

<filename><share>/xsessions/</filename> (which should be

884

<filename><share>/xsessions/</filename> if you really wish to

885

cooperate with KDM) where desktop packages can install their session

886

files. The directories under the <filename><etc></filename> should

887

be reserved for configuration. The desktop file specification approach

888

makes it easy for package management systems to install window managers

889

and different session types without requiring the sysadmin to edit files.

890

See the <filename>SessionDesktopDir</filename> configuration key for

891

changing the paths. It used to be that GDM stored its built in

892

sessions in <filename><etc>/dm/Sessions/</filename> but this is

893

deprecated as of 2.5.90.0. Note that prior to version 2.4.4.2 only the

894

<filename><etc>/dm/Sessions/</filename> was being read.

895

</para>

896

897

<para>A session can be disabled (if it was installed in <filename><share>/xsessions/</filename>) by adding an identically named <filename>.desktop</filename> to one of the directories earlier in the path (likely <filename><etc>/X11/sessions</filename>) and using <filename>Hidden=true</filename> in that file.</para>

898

899

<para>

900

GDM uses the optional key <filename>X-Gdm-XserverArgs</filename> in

901

session files to specify additional arguments to be passed to the

902

X server. For example, the entry

903

<filename>X-Gdm-XserverArgs=-depth 16</filename> will start the

904

X server with a color depth of 16 bits. Any such additional arguments

905

are ignored when using a Nested display (when GDM is launched in a

906

window).

907

</para>

908

909

910

<title>The Script Directories</title>

911

912

<para>In this section we will explain the <filename>Init</filename>, <filename>PostLogin</filename>, <filename>PreSession</filename> and <filename>PostSession</filename> directories as they are very similar.</para>

913

914

<para>

915

When the X server has been successfully started, GDM will try to run

916

the script called <filename>Init/<displayname></filename>. I.e.

917

<filename>Init/:0</filename> for the first attached display. If this

918

file is not found, GDM will attempt to to run

919

<filename>Init/<hostname></filename>. I.e.

920

<filename>Init/somehost</filename>.

921

If this still is not found, GDM will try

922

<filename>Init/XDMCP</filename> for all XDMCP logins or

923

<filename>Init/Flexi</filename> for all on demand flexible

924

displays. If none of the above were found, GDM will run

925

<filename>Init/Default</filename>. The script will be run as root and

926

GDM blocks until it terminates. Use the <filename>Init/*</filename>

927

script for applications that are supposed to run alongside with the GDM

928

login window. xconsole for instance. Commands to set the background

929

etc. go in this file too.

930

</para>

931

932

<para>It is up to the sysadmin to decide whether clients started by the Init script should be killed before starting the user session. This is controlled with the <filename>KillInitClients</filename> configuration option.</para>

933

934

<para>When the user has been successfully authenticated GDM tries the scripts in the <filename>PostLogin</filename> directory in the same manner as for the <filename>Init</filename> directory. This is done before any session setup is done, and so this would be the script where you might setup the home directory if you need to (though you should use the <filename>pam_mount</filename> module if you can for this). You have the <filename>$USER</filename> and <filename>$DISPLAY</filename> environment variables set for this script, and again it is run as root. The script should return 0 on success as otherwise the user won't be logged in. This is not true for failsafe session however.</para>

935

936

<para>

937

After the user session has been setup from the GDM side of things, GDM

938

will run the scripts in the <filename>PreSession</filename> directory,

939

again in the same manner as the <filename>Init</filename> directory.

940

This script can be used for session management or accounting, for

941

example. The <filename>$USER</filename> environment variable contains

942

the login of the authenticated user and <filename>$DISPLAY</filename>

943

is set to the current display. The script should return 0 on success.

944

Any other value will cause GDM to terminate the current login process.

945

This is not true for failsafe sessions however. Also

946

<filename>$X_SERVERS</filename> environmental variable is set and this

947

points to a fake generated X servers file for use with the sessreg

948

accounting application.

949

</para>

950

951

<para>After this the base <filename>Xsession</filename> script is run with the selected session executable as the first argument. This is run as the user, and really this is the user session. The available session executables are taken from the <filename>Exec=</filename> line in the <filename>.desktop</filename> files in the path specified by <filename>SessionDesktopDir</filename>. Usually this path is <filename><etc>/X11/sessions/:<etc>/dm/Sessions:/usr/share/xsessions/</filename>. The first found file is used. The user either picks from these sessions or GDM will look inside the file <filename>~/.dmrc</filename> for the stored preference.</para>

952

953

<para>This script should really load the user's profile and generally do all the voodoo that is needed to launch a session. Since many systems reset the language selections done by GDM, GDM will also set the <filename>$GDM_LANG</filename> variable to the selected language. You can use this to reset the language environmental variables after you run the user's profile. If the user elected to use the system language, then <filename>$GDM_LANG</filename> is not set.</para>

954

955

<para>When the user terminates his session, the <filename>PostSession</filename> script will be run. Again operation is similar to <filename>Init</filename>, <filename>PostLogin</filename> and <filename>PreSession</filename>. Again the script will be run with root privileges, the slave daemon will block and the <filename>$USER</filename> environment variable will contain the name of the user who just logged out and <filename>$DISPLAY</filename> will be set to the display the user used, however note that the X server for this display may already be dead and so you shouldn't try to access it. Also <filename>$X_SERVERS</filename> environmental variable is set and this points to a fake generated X servers file for use with the sessreg accounting application.</para>

956

957

<para>Note that the <filename>PostSession</filename> script will be run even when the display fails to respond due to an I/O error or similar. Thus, there is no guarantee that X applications will work during script execution.</para>

958

959

<para>Except for the <filename>Xsession</filename> script all of these scripts will also have the environment variable <filename>$RUNNING_UNDER_GDM</filename> set to <filename>yes</filename>, so that you could perhaps use similar scripts for different display managers. The <filename>Xsession</filename> will always have the <filename>$GDMSESSION</filename> set to the basename of the session that the user chose to run without the <filename>.desktop</filename> extension. In addition <filename>$DESKTOP_SESSION</filename> is also set to the same value and in fact this will also be set by KDM in future versions.</para>

960

961

<para>Neither of the <filename>Init</filename>, <filename>PostLogin</filename>, <filename>PreSession</filename> or <filename>PostSession</filename> scripts are necessary and can be left out. The <filename>Xsession</filename> script is however required as well as at least one session <filename>.desktop</filename> file.</para>

962

</sect2>

963

964

965

<title>The Configuration Files - GDM System Defaults Configuration File

966

and GDM Custom Configuraiton File</title>

967

968

<para>

969

GDM uses two configuration files: the GDM System Defaults Configuration

970

File (<filename><share>/gdm/defaults.conf</filename>) and the

971

GDM Custom Configuration File

972

(<filename><etc>/gdm/custom.conf</filename>). The GDM System

973

Defaults File contains the default configuration choices for GDM, and

974

should not be modified by the user. The GDM Custom Configuration File

975

is where users may specify their custom configuration choices.

976

If a configuration option is not defined in either file, GDM will

977

default to the value described in the comments in the GDM System

978

Defaults Configuration File.

979

</para>

980

981

<para>

982

Both configuration files are divided into sections each containing

983

variables that define the behavior for a specific part of the GDM

984

suite. Refer to the comments in the GDM System Defaults Configuration

985

File for additional information about each configuration setting.

986

</para>

987

988

<para>

989

GDM also supports per-display configuration for parameters in the

990

"gui", "greeter" sections of the configuration file

991

Also the security/PamStack key may be customized per-display.

992

Per-display configuration is specified by creating a file named

993

<filename><etc>/gdm/custom.conf<display num></filename>.

994

In this file the section and keys to use on this display can be

995

specified. For example, configuration overrides for display

996

":103" would be stored in the file

997

<filename><etc>/gdm/custom.conf:0</filename>. Per-display

998

configuration is supported in GDM 2.14.6 and later.

999

</para>

1000

1001

<para>

1002

To change configuration by hand, edit the GDM Custom Configuration File

1003

or per-display configuration file and make sure the keyname=value

1004

pair you want is included in the appropriate section. For example,

1005

to change the value for the "Greeter" key in the

1006

"daemon" section, make sure the daemon section of the GDM

1007

Custom Configuration File or per-display configuration file includes

1008

the "[daemon]" section followed by the key and value

1009

change desired. As in this example:

1010

</para>

1011

1012

1013

[daemon]

1014

Greeter=/usr/lib/gdmgreeter

1015

</screen>

1016

1017

<para>

1018

The <command>gdmsetup</command> command can be used to modify the GDM

1019

Custom Configuration File. Note the <command>gdmsetup</command> is

1020

intended to be run as root, so users who feel it is insecure to run

1021

GUI programs as root should edit the configuration files by hand.

1022

</para>

1023

1024

<para>

1025

The GDM daemon <command>--config</command> argument may instead be used

1026

to specify a different configuration file location. The GDM daemon

1027

must be restarted to change the configuration file being used. Also

1028

when building GDM, the location of the configuration files may be

1029

specified via the <command>--with-defaults-conf</command> and

1030

<command>--with-custom-conf</command> configuration options.

1031

</para>

1032

1033

<para>

1034

Previous to GDM 2.13.0.4 only the

1035

<filename><etc>/gdm/gdm.conf</filename> existed. For best

1036

backwards compatibility, this file will be used instead of the GDM

1037

Custom Configuration File if it exists on your system. If upgrading

1038

to the new version of GDM, "make install" will check to see

1039

if the <filename><etc>/gdm/gdm.conf</filename> file is different

1040

than the <filename><etc>/gdm/factory-gdm.conf</filename> file.

1041

If so, the <filename><etc>/gdm/gdm.conf</filename> file will be

1042

automatically copied to

1043

<filename><etc>/gdm/custom.conf</filename> to preserve any

1044

configuration changes.

1045

</para>

1046

1047

<para>

1048

Distributions should edit the GDM System Defaults Configuration File to

1049

establish default configuration values, so that they are preserved as

1050

defaults and not modified by users modifying the GDM Custom

1051

Configuration File. Note that distributions may modify the GDM System

1052

Defaults Configuration File on update to improve usability, security,

1053

etc. So any changes made to this file may be lost.

1054

</para>

1055

1056

<para>

1057

The GDM System Defaults Configuration File and the GDM Custom

1058

Configuration File follow the standard <filename>.ini</filename> style

1059

configuration file syntax. Keywords in brackets define sections,

1060

strings before an equal sign (=) are variables and the data after

1061

equal sign represents their value. Empty lines or lines starting with

1062

the hash mark (#) are ignored. The graphical configurator will try to

1063

preserve both comments (lines with a hash mark) and the overall

1064

structure of the file so you can intermix using the GUI or hand

1065

editing the configuration file.

1066

</para>

1067

1068

<para>

1069

The following configuration keys are supported in GDM:

1070

</para>

1071

1072

1073

<title>Daemon Configuration</title>

1074

1075

1076

<title>[daemon]</title>

1077

1078

1079

<term>AddGtkModules</term>

1080

1081

<synopsis>AddGtkModules=false</synopsis>

1082

<para>If true, then enables <command>gdmgreeter</command> or <command>gdmlogin</command> to be launched with additional Gtk+ modules. This is useful when extra features are required such as accessible login. Note that only "trusted" modules should be used to minimise security issues.</para>

1083

<para>If true, then the registry daemon <command>at-spi-registryd</command> will be launched by <command>gdmgreeter</command> or <command>gdmlogin</command> starting with version GDM 2.17.</para>

1084

<para>Usually this is used for accessibility modules. The modules which are loaded are specified with the <filename>GtkModulesList</filename> key.</para>

1085

</listitem>

1086

</varlistentry>

1087

1088

1089

<term>AllowLogoutActions</term>

1090

1091

<synopsis>AllowLogoutActions=HALT;REBOOT;SHUTDOWN;SUSPEND;CUSTOM_CMD</synopsis>

1092

<para>

1093

Specify which actions are supported by the QUERY_LOGOUT_ACTION,

1094

SET_LOGOUT_ACTION, and SET_SAFE_LOGOUT_ACTION

1095

<command>gdmflexiserver</command> commands. Valid values are

1096

HALT, REBOOT, SHUTDOWN, SUSPEND, and CUSTOM_CMD and these

1097

should be separated by semicolons. This allows certain

1098

options to be disabled if desired. Refer to the related

1099

<filename>SystemCommandsInMenu</filename> and

1100

<filename>RBACSystemCommandKeys</filename> configuration

1101

options.

1102

</para>

1103

</listitem>

1104

</varlistentry>

1105

1106

1107

<term>AlwaysLoginCurrentSession</term>

1108

1109

<synopsis>AlwaysLoginCurrentSession=true</synopsis>

1110

<para>If true, then when the user logs in and already has an existing session, then they are connected to that session rather than starting a new session. This only works for sessions running on VTs (Virtual Terminals) started with gdmflexiserver, and not with XDMCP. Note that VTs are not supported on all operating systems.</para>

1111

</listitem>

1112

</varlistentry>

1113

1114

1115

<term>AutomaticLoginEnable</term>

1116

1117

<synopsis>AutomaticLoginEnable=false</synopsis>

1118

<para>

1119

If the user given in AutomaticLogin should be logged in upon

1120

first bootup. No password will be asked. This is useful

1121

for single user workstations where console security is not an

1122

issue and also could be useful for public terminals. Refer

1123

also to <filename>TimedLogin</filename>.

1124

</para>

1125

</listitem>

1126

</varlistentry>

1127

1128

1129

<term>AutomaticLogin</term>

1130

1131

<synopsis>AutomaticLogin=</synopsis>

1132

<para>This user should be automatically logged in on first bootup. AutomaticLoginEnable must be true and this must be a valid user for this to happen. "root" can never be autologged in however and gdm will just refuse to do it even if you set it up.</para>

1133

1134

<para>The following control chars are recognised within the specified name:</para>

1135

1136

<para>

1137

%% — the `%' character

1138

</para>

1139

1140

<para>

1141

%d — display's name

1142

</para>

1143

1144

<para>

1145

%h — display's hostname

1146

</para>

1147

1148

<para>Alternatively, the name may end with a vertical bar |, the pipe symbol. The name is then used as a application to execute which returns the desired username on standard output. If an empty or otherwise invalid username is returned, automatic login is not performed. This feature is typically used when several remote displays are used as internet kiosks, with a specific user to automatically login for each display.</para>

1149

</listitem>

1150

</varlistentry>

1151

1152

1153

<term>BaseXsession</term>

1154

1155

<synopsis>BaseXsession=<etc>/gdm/Xsession</synopsis>

1156

<para>This is the base X session file. When a user logs in, this script will be run with the selected session as the first argument. The selected session will be the <filename>Exec=</filename> from the <filename>.desktop</filename> file of the session.</para>

1157

1158

<para>If you wish to use the same script for several different display managers, and wish to have some of the script run only for GDM, then you can check the presence of the <filename>GDMSESSION</filename> environmental variable. This will always be set to the basename of <filename>.desktop</filename> (without the extension) file that is being used for this session, and will only be set for GDM sessions. Previously some scripts were checking for <filename>GDM_LANG</filename>, but that is only set when the user picks a non-system default language.</para>

1159

1160

<para>This script should take care of doing the "login" for the user and so it should source the <filename><etc>/profile</filename> and friends. The standard script shipped with GDM sources the files in this order: <filename><etc>/profile</filename> then <filename>~/.profile</filename> then <filename><etc>/xprofile</filename> and finally <filename>~/.xprofile</filename>. Note that different distributions may change this however. Sometimes users personal setup will be in <filename>~/.bash_profile</filename>, however broken that is.</para>

1161

</listitem>

1162

</varlistentry>

1163

1164

1165

<term>Chooser</term>

1166

1167

<synopsis>Chooser=<bin>/gdmchooser</synopsis>

1168

<para>Full path and name of the chooser executable followed by optional arguments.</para>

1169

</listitem>

1170

</varlistentry>

1171

1172

1173

<term>Configurator</term>

1174

1175

<synopsis>Configurator=<bin>/gdmsetup --disable-sound --disable-crash-dialog</synopsis>

1176

<para>The pathname to the configurator binary. If the greeter <filename>ConfigAvailable</filename> option is set to true then run this binary when somebody chooses Configuration from the Actions menu. GDM will first ask for root password however. And it will never allow this to happen from a remote display.</para>

1177

</listitem>

1178

</varlistentry>

1179

1180

1181

<term>ConsoleCannotHandle</term>

1182

1183

<synopsis>ConsoleCannotHandle=am,ar,az,bn,el,fa,gu,hi,ja,ko,ml,mr,pa,ta,zh</synopsis>

1184

<para>These are the languages that the console cannot handle because of font issues. Here we mean the text console, not X. This is only used when there are errors to report and we cannot start X.</para>

1185

</listitem>

1186

</varlistentry>

1187

1188

1189

<term>ConsoleNotify</term>

1190

1191

<synopsis>ConsoleNotify=true</synopsis>

1192

<para>If false, gdm will not display a message dialogue on the console when an error happens.</para>

1193

</listitem>

1194

</varlistentry>

1195

1196

1197

<term>DefaultPath</term>

1198

1199

<synopsis>DefaultPath=defaultpath (value set by configure)</synopsis>

1200

<para>Specifies the path which will be set in the user's session. This value will be overridden with the value from <filename>/etc/default/login</filename> if it contains "ROOT=<pathname>". If the <filename>/etc/default/login</filename> file exists, but contains no value for ROOT, the value as defined in the GDM configuration will be be used.</para>

1201

</listitem>

1202

</varlistentry>

1203

1204

1205

<term>DefaultSession</term>

1206

1207

<synopsis>DefaultSession=gnome.desktop</synopsis>

1208

<para>The session that is used by default if the user does not have a saved preference and has picked 'Last' from the list of sessions. Note that 'Last' need not be displayed, see the <filename>ShowLastSession</filename> key.</para>

1209

</listitem>

1210

</varlistentry>

1211

1212

1213

1214

<term>DisplayInitDir</term>

1215

1216

<synopsis>DisplayInitDir=<etc>/gdm/Init</synopsis>

1217

<para>Directory containing the display init scripts. See the ``The Script Directories'' section for more info.</para>

1218

</listitem>

1219

</varlistentry>

1220

1221

1222

<term>DisplayLastLogin</term>

1223

1224

<synopsis>DisplayLastLogin=true</synopsis>

1225

<para>If true then the last login information is printed to the user before being prompted for password. While this gives away some info on what users are on a system, it on the other hand should give the user an idea of when they logged in and if it doesn't seem kosher to them, they can just abort the login and contact the sysadmin (avoids running malicious startup scripts). This was added in version 2.5.90.0.</para>

1226

<para>This is for making GDM conformant to CSC-STD-002-85, although that is purely theoretical now. Someone should read that spec and ensure that this actually conforms (in addition to other places in GDM). See <filename>http://www.radium.ncsc.mil/tpep/library/rainbow/CSC-STD-002-85.html</filename> for more info.</para>

1227

</listitem>

1228

</varlistentry>

1229

1230

1231

<term>DoubleLoginWarning</term>

1232

1233

<synopsis>DoubleLoginWarning=true</synopsis>

1234

<para>If true, GDM will warn the user if they are already logged in on another virtual terminal. On systems where GDM supports checking the X virtual terminals, GDM will let the user switch to the previous login virtual terminal instead of logging in.</para>

1235

</listitem>

1236

</varlistentry>

1237

1238

1239

<term>DynamicXServers</term>

1240

1241

<synopsis>DynamicXServers=false</synopsis>

1242

<para>If true, the GDM daemon will honour requests to manage displays via the <filename>/tmp/.gdm_socket</filename> socket connection. Displays can be created, started, and deleted with the appropriate commands. The <filename>gdmdynamic</filename> command is a convenient method to send these messages.</para>

1243

</listitem>

1244

</varlistentry>

1245

1246

1247

<term>FailsafeXServer</term>

1248

1249

<synopsis>FailsafeXServer=</synopsis>

1250

<para>An X command line in case we can't start the normal X server. should probably be some sort of a script that runs an appropriate low resolution X server that will just work. This is tried before the <filename>XKeepsCrashing</filename> script is run.</para>

1251

</listitem>

1252

</varlistentry>

1253

1254

1255

<term>FirstVT</term>

1256

1257

<synopsis>FirstVT=7</synopsis>

1258

<para>On systems where GDM supports automatic VT (virtual terminal) allocation, this is the first vt to try. Usually standard text logins are run on the lower vts. See also <filename>VTAllocation</filename>.</para>

1259

</listitem>

1260

</varlistentry>

1261

1262

1263

<term>FlexibleXServers</term>

1264

1265

<synopsis>FlexibleXServers=5</synopsis>

1266

<para>

1267

The maximum number of allowed flexible displays. These are

1268

displays that can be run using the

1269

<filename>/tmp/.gdm_socket</filename> socket connection.

1270

This is used for both full flexible displays and for nested

1271

displays (refer to the <filename>Xnest</filename> configuration

1272

option).

1273

</para>

1274

</listitem>

1275

</varlistentry>

1276

1277

1278

<term>FlexiReapDelayMinutes</term>

1279

1280

<synopsis>FlexiReapDelayMinutes=5</synopsis>

1281

<para>

1282

After how many minutes of inactivity at the login screen

1283

should a flexi display be reaped. This is only in effect

1284

before a user logs in. Also it does not affect nested displays

1285

(refer to the <filename>Xnest</filename> configuration

1286

option). To turn off this behavior set this value to 0. This

1287

was added in version 2.5.90.0.

1288

</para>

1289

</listitem>

1290

</varlistentry>

1291

1292

1293

<term>Greeter</term>

1294

1295

<synopsis>Greeter=<bin>/gdmlogin</synopsis>

1296

<para>Full path and name of the greeter executable followed by optional arguments. This is the greeter used for all displays except for the XDMCP remote displays. See also <filename>RemoteGreeter</filename></para>

1297

</listitem>

1298

</varlistentry>

1299

1300

1301

<term>Group</term>

1302

1303

<synopsis>Group=gdm</synopsis>

1304

<para>The group name under which <command>gdmlogin</command>, <command>gdmgreeter</command>, <command>gdmchooser</command> and the internal failsafe GTK+ dialogues are run. Also see <filename>User</filename>. This user will have access to all the X authorisation files, and perhaps to other internal GDM data and it should not be a user such as nobody, but a dedicated user. The <filename>ServAuthDir</filename> is owned by this group. The ownership and permissions of <filename>ServAuthDir</filename> should be <filename>root:gdm</filename> and 1770.</para>

1305

</listitem>

1306

</varlistentry>

1307

1308

1309

<term>GtkModulesList</term>

1310

1311

<synopsis>GtkModulesList=module-1:module-2:...</synopsis>

1312

<para>A colon separated list of Gtk+ modules that <command>gdmgreeter</command> or <command>gdmlogin</command> will be invoked with if <filename>AddGtkModules</filename> is true. The format is the same as the standard Gtk+ module interface.</para>

1313

</listitem>

1314

</varlistentry>

1315

1316

1317

<term>HaltCommand</term>

1318

1319

<synopsis>HaltCommand=<sbin>/shutdown -h now</synopsis>

1320

<para>Full path and arguments to command to be executed when user selects "Shut Down" from the Actions menu. This can be a ';' separated list of commands to try. If a value is missing, the shut down command is not available. Note that the default for this value is not empty, so to disable "Shut Down" it must be set to an empty value.</para>

1321

</listitem>

1322

</varlistentry>

1323

1324

1325

<term>KillInitClients</term>

1326

1327

<synopsis>KillInitClients=true</synopsis>

1328

<para>Determines whether GDM should kill X clients started by the init scripts when the user logs in.</para>

1329

</listitem>

1330

</varlistentry>

1331

1332

1333

<term>LogDir</term>

1334

1335

<synopsis>LogDir=<var>/log/gdm</synopsis>

1336

<para>Directory containing the log files for the individual displays. By default this is the same as the ServAuthDir.</para>

1337

</listitem>

1338

</varlistentry>

1339

1340

1341

<term>PreFetchProgram</term>

1342

1343

<synopsis>PreFetchProgram=command</synopsis>

1344

<para>Program to be run by the GDM greeter/login program when the initial screen is displayed. The purpose is to provide a hook where files which will be used after login can be preloaded to speed performance for the user. The program will be called once only, the first time a greeter is displayed. The gdmprefetch command may be used. This utility will load any libraries passed in on the command line, or if the argument starts with a "@" character, it will process the file assuming it is an ASCII file containing a list of libraries, one per line, and load each library in the file.</para>

1345

</listitem>

1346

</varlistentry>

1347

1348

1349

<term>PostLoginScriptDir</term>

1350

1351

<synopsis>PostLoginScriptDir=<etc>/gdm/PostLogin</synopsis>

1352

<para>Directory containing the scripts run right after the user logs in, but before any session setup is done. See the ``The Script Directories'' section for more info.</para>

1353

</listitem>

1354

</varlistentry>

1355

1356

1357

<term>PostSessionScriptDir</term>

1358

1359

<synopsis>PostSessionScriptDir=<etc>/gdm/PostSession</synopsis>

1360

<para>Directory containing the scripts run after the user logs out. See the ``The Script Directories'' section for more info.</para>

1361

</listitem>

1362

</varlistentry>

1363

1364

1365

<term>PreSessionScriptDir</term>

1366

1367

<synopsis>PreSessionScriptDir=<etc>/gdm/PreSession</synopsis>

1368

<para>Directory containing the scripts run before the user logs in. See the ``The Script Directories'' section for more info.</para>

1369

</listitem>

1370

</varlistentry>

1371

1372

1373

<term>RBACSystemCommandKeys</term>

1374

1375

<synopsis>RBACSystemCommandKeys</synopsis>

1376

<para>

1377

Support RBAC (Role Based Access Control) for system commands

1378

(Shutdown, Reboot, Suspend, etc.). This feature is only

1379

functional if GDM is compiled with RBAC support. Specify the

1380

RBAC key used to determine if the user has permission to use

1381

the action via the QUERY_LOGOUT_ACTION, SET_LOGOUT_ACTION, and

1382

SET_SAFE_LOGOUT_ACTION <command>gdmflexiserver</command>

1383

commands. Valid actions are HALT, REBOOT, SUSPEND, and

1384

CUSTOM_CMD. The greeter will only display the command if the

1385

gdm user (<filename>User</filename> configuration key) has

1386

RBAC permissions to use the action. RBAC keys for multiple

1387

actions can be specified by separating them with semicolons.

1388

The format for each is "Action:RBAC key". If an action is not

1389

specified, it is assumed that all users have permission to use

1390

this action. For example, a valid value for this

1391

configuration option would be

1392

"HALT:key.for.halt;REBOOT:key.for.reboot". Refer to

1393

the related <filename>AllowLogoutActions</filename> and

1394

<filename>SystemCommandsInMenu</filename> configuration

1395

options.

1396

</para>

1397

</listitem>

1398

</varlistentry>

1399

1400

<term>RebootCommand</term>

1401

1402

<synopsis>RebootCommand=<sbin>/shutdown -r now</synopsis>

1403

<para>Full path and optional arguments to the command to be executed when user selects Restart from the Actions menu. This can be a ';' separated list of commands to try. If missing, the restart command is not available. Note that the default for this value is not empty so to disable restart you must set this explicitly to an empty value.</para>

1404

</listitem>

1405

</varlistentry>

1406

1407

1408

<term>RemoteGreeter</term>

1409

1410

<synopsis>RemoteGreeter=<bin>/gdmlogin</synopsis>

1411

<para>Full path and name of the greeter executable followed by optional arguments. This is used for all remote XDMCP sessions. It is useful to have the less graphically demanding greeter here if you use the Themed Greeter for your main greeter. See also the <filename>Greeter</filename> key.</para>

1412

</listitem>

1413

</varlistentry>

1414

1415

1416

<term>RootPath</term>

1417

1418

<synopsis>RootPath=defaultpath (value set by configure)</synopsis>

1419

<para>Specifies the path which will be set in root's session and the {Init,PostLogin,PreSession,PostSession} scripts executed by GDM. This value will be overridden with the value from <filename>/etc/default/login</filename> if it contains "SUROOT=<pathname>". If the <filename>/etc/default/login</filename> file exists, but contains no value for SUROOT, the value as defined in the GDM configuration will be used.</para>

1420

</listitem>

1421

</varlistentry>

1422

1423

1424

<term>ServAuthDir</term>

1425

1426

<synopsis>ServAuthDir=<var>/gdm</synopsis>

1427

<para>Directory containing the X authentication files for the individual displays. Should be owned by <filename>root:gdm</filename> with permissions 1770, where <filename>gdm</filename> is the GDM group as defined by the <filename>Group</filename> option. That is should be owned by root, with <filename>gdm</filename> group having full write permissions and the directory should be sticky and others should have no permission to the directory. This way the GDM user can't remove files owned by root in that directory, while still being able to write its own files there. GDM will attempt to change permissions for you when it's first run if the permissions are not the above. This directory is also used for other private files that the daemon needs to store. Other users should not have any way to get into this directory and read/change it's contents. Anybody who can read this directory can connect to any display on this computer.</para>

1428

</listitem>

1429

</varlistentry>

1430

1431

1432

<term>SessionDesktopDir</term>

1433

1434

<synopsis>SessionDesktopDir=<etc>/X11/sessions/:<etc>/dm/Sessions/:<share>/xsessions/</synopsis>

1435

<para>Directory containing the <filename>.desktop</filename> files which are the available sessions on the system. Since 2.4.4.2 this is treated like a PATH type variable and the first file found is used.</para>

1436

</listitem>

1437

</varlistentry>

1438

1439

1440

<term>SoundProgram</term>

1441

1442

<synopsis>SoundProgram=<filename><bin>/play</filename> (or <filename><bin>/audioplay</filename> on Solaris)</synopsis>

1443

<para>Application to use when playing a sound. Currently used for playing the login sound, see the <filename>SoundOnLoginFile</filename> key. Supported since 2.5.90.0.</para>

1444

</listitem>

1445

</varlistentry>

1446

1447

1448

<term>StandardXServer</term>

1449

1450

<synopsis>StandardXServer=/dir/to/X (value assigned by configuration file)</synopsis>

1451

<para>Full path and arguments to the standard X server command. This is used when gdm cannot find any other definition, and it's used as the default and failsafe fallback in a number of places. This should be able to run some sort of X server.</para>

1452

</listitem>

1453

</varlistentry>

1454

1455

1456

<term>SuspendCommand</term>

1457

1458

<synopsis>SuspendCommand=</synopsis>

1459

<para>Full path and arguments to command to be executed when user selects Suspend from the Actions menu. If empty there is no such menu item. Note that the default for this value is not empty so to disable suspend you must set this explicitly to an empty value.</para>

1460

</listitem>

1461

</varlistentry>

1462

1463

1464

<term>SystemCommandsInMenu</term>

1465

1466

<synopsis>SuspendCommand=HALT;REBOOT;SHUTDOWN;SUSPEND;CUSTOM_CMD</synopsis>

1467

<para>

1468

Specify which system commands are available in the greeter

1469

menu. Valid values are HALT, REBOOT, SHUTDOWN, SUSPEND, and

1470

CUSTOM_CMD and these should be separated by semicolons. This

1471

can be useful if you want to disable some options in the menu,

1472

but still have them available to authenticated users via the

1473

SET_LOGOUT_ACTION or SET_SAFE_LOGOUT_ACTION

1474

<command>gdmflexiserver</command> commands. For example, the

1475

GNOME panel uses these commands to provide Shutdown, Reboot,

1476

and Suspend in the application menu. Therefore if you turn

1477

off these options in the greeter, these options can still be

1478

available to users who have authenticated via the GNOME panel.

1479

Refer to the related

1480

<filename>AllowLogoutActions</filename> and

1481

<filename>RBACSystemCommandKeys</filename> configuration

1482

options.

1483

</para>

1484

</listitem>

1485

</varlistentry>

1486

1487

1488

<term>TimedLoginEnable</term>

1489

1490

<synopsis>TimedLoginEnable=false</synopsis>

1491

<para>If the user given in <filename>TimedLogin</filename> should be logged in after a number of seconds (set with <filename>TimedLoginDelay</filename>) of inactivity on the login screen. This is useful for public access terminals or perhaps even home use. If the user uses the keyboard or browses the menus, the timeout will be reset to <filename>TimedLoginDelay</filename> or 30 seconds, whichever is higher. If the user does not enter a username but just hits the ENTER key while the login program is requesting the username, then GDM will assume the user wants to login immediately as the timed user. Note that no password will be asked for this user so you should be careful, although if using PAM it can be configured to require password entry before allowing login.</para>

1492

</listitem>

1493

</varlistentry>

1494

1495

1496

<term>TimedLogin</term>

1497

1498

<synopsis>TimedLogin=</synopsis>

1499

<para>This is the user that should be logged in after a specified number of seconds of inactivity. This can never be "root" and gdm will refuse to log in root this way. The same features as for <filename>AutomaticLogin</filename> are supported. The same control chars and piping to a application are supported.</para>

1500

</listitem>

1501

</varlistentry>

1502

1503

1504

<term>TimedLoginDelay</term>

1505

1506

<synopsis>TimedLoginDelay=30</synopsis>

1507

<para>Delay in seconds before the <filename>TimedLogin</filename> user will be logged in. It must be greater then or equal to 10.</para>

1508

</listitem>

1509

</varlistentry>

1510

1511

1512

1513

1514

1515

<para>The username under which <command>gdmlogin</command>, <command>gdmgreeter</command>, <command>gdmchooser</command> and the internal failsafe GTK+ dialogues are run. Also see <filename>Group</filename>. This user will have access to all the X authorisation files, and other internal GDM data; it should not be a user such as nobody, but a dedicated user.</para>

1516

</listitem>

1517

</varlistentry>

1518

1519

1520

<term>UserAuthDir</term>

1521

1522

<synopsis>UserAuthDir=</synopsis>

1523

<para>The directory where user's <filename>.Xauthority</filename> file should be saved. When nothing is specified the user's home directory is used. This is tilde expanded so you can set it to things like: <filename>~/authdir/</filename>.</para>

1524

1525

<para>If you do not use the tilde expansion, then the filename created will be random, like in <filename>UserAuthFBDir</filename>. This way many users can have the same authentication directory. For example you might want to set this to <filename>/tmp</filename> when user has the home directory on NFS, since you really don't want cookie files to go over the wire. The users should really have write privileges to this directory, and this directory should really be sticky and all that, just like the <filename>/tmp</filename> directory.</para>

1526

1527

<para>Normally if this is the user's home directory GDM will still refuse to put cookies there if it thinks it is NFS (by testing root-squashing). This can be changed by setting <filename>NeverPlaceCookiesOnNFS</filename> in the <filename>[security]</filename> section to false.</para>

1528

</listitem>

1529

</varlistentry>

1530

1531

1532

<term>UserAuthFBDir</term>

1533

1534

<synopsis>UserAuthFBDir=/tmp</synopsis>

1535

<para>If GDM fails to update the user's <filename>.Xauthority</filename> file a fallback cookie is created in this directory.</para>

1536

</listitem>

1537

</varlistentry>

1538

1539

1540

<term>UserAuthFile</term>

1541

1542

<synopsis>UserAuthFile=.Xauthority</synopsis>

1543

<para>Name of the file used for storing user cookies.</para>

1544

</listitem>

1545

</varlistentry>

1546

1547

1548

<term>VTAllocation</term>

1549

1550

<synopsis>VTAllocation=true</synopsis>

1551

<para>On systems where GDM supports automatic VT (virtual terminal) allocation (currently Linux and FreeBSD only), you can have GDM automatically append the vt argument to the X server executable. This way races that come up from each X server managing it's own vt allocation can be avoided. See also <filename>FirstVT</filename>.</para>

1552

</listitem>

1553

</varlistentry>

1554

1555

1556

<term>XKeepsCrashing</term>

1557

1558

<synopsis>XKeepsCrashing=<etc>/gdm/XKeepsCrashing</synopsis>

1559

<para>A script to run in case X keeps crashing. This is for running An X configuration or whatever else to make the X configuration work. See the script that came with the distribution for an example. The distributed <filename>XKeepsCrashing</filename> script is tested on Red Hat, but may work elsewhere. Your system integrator should make sure this script is up to date for your particular system.</para>

1560

<para>In case <filename>FailsafeXServer</filename> is setup, that will be tried first. and this only used as a backup if even that X server keeps crashing.</para>

1561

</listitem>

1562

</varlistentry>

1563

1564

1565

<term>Xnest</term>

1566

1567

<synopsis>Xnest=<bin>/X11/Xephyr -audit 0</synopsis>

1568

<para>

1569

The full path and arguments to the nested X server command,

1570

which can be Xephyr, Xnest, or similar program. This command

1571

is used for starting nested displays allowing the user

1572

to start new login screens in a nested window. Xephyr is

1573

recommended since it works best and better supports modern

1574

X server extensions. Therefore GDM will set the default

1575

configuration to use Xephyr if available. If Xephyr is not

1576

available, then Xnest will be used if it is available.

1577

</para>

1578

</listitem>

1579

</varlistentry>

1580

1581

1582

<term>XnestUnscaledFontPath</term>

1583

1584

<synopsis>XnestUnscaledFontPath=true</synopsis>

1585

<para>

1586

Set to true if the nested X server command program supports the

1587

":unscaled" suffix in the FontPath (passed to nested X server

1588

command via the -fp argument). Some Xnest (e.g. Xsun Xnest)

1589

programs do not, and it is necessary to set this to false for

1590

such nested X server commands to work with GDM. Refer to the

1591

<filename>Xnest</filename> configuration option.

1592

</para>

1593

</listitem>

1594

</varlistentry>

1595

</variablelist>

1596

</sect3>

1597

1598

1599

<title>Security Options</title>

1600

1601

1602

<title>[security]</title>

1603

1604

1605

<term>AllowRoot</term>

1606

1607

<synopsis>AllowRoot=true</synopsis>

1608

<para>Allow root (privileged user) to log in through GDM. Set this to false if you want to disallow such logins.</para>

1609

<para>On systems that support PAM, this parameter is not as useful as you can use PAM to do the same thing, and in fact do even more. However it is still followed, so you should probably leave it true for PAM systems.</para>

1610

</listitem>

1611

</varlistentry>

1612

1613

1614

<term>AllowRemoteRoot</term>

1615

1616

<synopsis>AllowRemoteRoot=false</synopsis>

1617

<para>Allow root (privileged user) to log in remotely through GDM. This value should be set to true to allow such logins. Remote logins are any logins that come in through the XDMCP.</para>

1618

<para>On systems that support PAM, this parameter is not as useful since you can use PAM to do the same thing, and do even more.</para>

1619

<para>This value will be overridden and set to false if the <filename>/etc/default/login</filename> file exists and contains "CONSOLE=/dev/login", and set to true if the <filename>/etc/default/login</filename> file exists and contains any other value or no value for CONSOLE.</para>

1620

</listitem>

1621

</varlistentry>

1622

1623

1624

<term>AllowRemoteAutoLogin</term>

1625

1626

<synopsis>AllowRemoteAutoLogin=false</synopsis>

1627

<para>

1628

Allow the timed login feature to work for remote displays.

1629

In other words, remote connections via XDMCP will be allowed to

1630

log into the "TimedLogin" user after the delay

1631

defined by <filename>TimedLoginDelay</filename>.

1632

</para>

1633

<para>Note that this can make a system quite insecure, and thus is off by default.</para>

1634

</listitem>

1635

</varlistentry>

1636

1637

1638

<term>CheckDirOwner</term>

1639

1640

<synopsis>CheckDirOwner=true</synopsis>

1641

<para>By default GDM checks the ownership of the home directories before writing to them, this prevents security issues in case of bad setup. However in some instances home directories will be owned by a different user and in this case it is necessary to turn this option on. You will also most likely have to turn the <filename>RelaxPermissions</filename> key to at least value 1 since in such a scenario home directories are likely to be group writable. Supported since 2.6.0.4.</para>

1642

</listitem>

1643

</varlistentry>

1644

1645

1646

<term>SupportAutomount</term>

1647

1648

<synopsis>SupportAutomount=false</synopsis>

1649

<para>By default GDM checks the ownership of the home directories before writing to them, this prevents security issues in case of bad setup. However, when home directories are managed by automounter, they are often not mounted before they are accessed. This option works around subtleties of Linux automounter.</para>

1650

</listitem>

1651

</varlistentry>

1652

1653

1654

<term>DisallowTCP</term>

1655

1656

<synopsis>DisallowTCP=true</synopsis>

1657

<para>

1658

If true, then always append <filename>-nolisten tcp</filename>

1659

to the command line when starting attached X servers, thus

1660

disallowing TCP connection. This is a more secure

1661

configuration if not using remote connections.

1662

</para>

1663

</listitem>

1664

</varlistentry>

1665

1666

1667

<term>NeverPlaceCookiesOnNFS</term>

1668

1669

<synopsis>NeverPlaceCookiesOnNFS=true</synopsis>

1670

<para>Normally if this is true (which is by default), GDM will not place cookies into the user's home directory if this directory is on NFS. GDM will consider any filesystem with root-squashing an NFS filesystem. Sometimes however the remote file system can have root squashing and be safe (perhaps by using encryption). In this case set this to 'false'. Note that this option appeared in version 2.4.4.4 and is ignored in previous versions.</para>

1671

</listitem>

1672

</varlistentry>

1673

1674

1675

<term>PasswordRequired</term>

1676

1677

<synopsis>PasswordRequired=false</synopsis>

1678

<para>If true, this will cause PAM_DISALLOW_NULL_AUTHTOK to be passed as a flag to pam_authenticate and pam_acct_mgmt, disallowing NULL password. This setting will only take effect if PAM is being used by GDM. This value will be overridden with the value from <filename>/etc/default/login</filename> if it contains "PASSREQ=[YES|NO]". If the <filename>/etc/default/login</filename> file exists, but contains no value for PASSREQ, the value as defined in the GDM configuration will be used.</para>

1679

</listitem>

1680

</varlistentry>

1681

1682

1683

<term>RelaxPermissions</term>

1684

1685

<synopsis>RelaxPermissions=0</synopsis>

1686

<para>By default GDM ignores files and directories writable to other users than the owner.</para>

1687

1688

<para>Changing the value of RelaxPermissions makes it possible to alter this behavior:</para>

1689

1690

<para>0 - Paranoia option. Only accepts user owned files and directories.</para>

1691

<para>1 - Allow group writable files and directories.</para>

1692

<para>2 - Allow world writable files and directories.</para>

1693

</listitem>

1694

</varlistentry>

1695

1696

1697

<term>RetryDelay</term>

1698

1699

<synopsis>RetryDelay=1</synopsis>

1700

<para>The number of seconds GDM should wait before reactivating the entry field after a failed login.</para>

1701

</listitem>

1702

</varlistentry>

1703

1704

1705

<term>UserMaxFile</term>

1706

1707

<synopsis>UserMaxFile=65536</synopsis>

1708

<para>GDM will refuse to read/write files bigger than this number (specified in bytes).</para>

1709

1710

<para>In addition to the size check GDM is extremely picky about accessing files in user directories. It will not follow symlinks and can optionally refuse to read files and directories writable by other than the owner. See the <filename>RelaxPermissions</filename> option for more info.</para>

1711

</listitem>

1712

</varlistentry>

1713

1714

<term>UtmpLineAttached</term>

1715

1716

<synopsis>UtmpLineAttached=/dev/console (or /dev/dtlocal on Solaris)</synopsis>

1717

<para>

1718

When doing Utmp processing for attached displays, GDM sets the

1719

ut_line to the device associated with the Virtual Terminal (VT)

1720

if it is being used. Otherwise, it will use the value

1721

specified with the display in the

1722

<filename>[servers]</filename> section if a value is provided.

1723

If not, then the default value specified in UtmpLineAttached is

1724

used for attached displays. The value can contain

1725

"%d" which is translated to the DISPLAY value or

1726

"%h" which is translated to the hostname. This value

1727

must begin with <filename>/dev/</filename>.

1728

</para>

1729

</listitem>

1730

</varlistentry>

1731

1732

<term>UtmpLineRemote</term>

1733

1734

<synopsis>UtmpLineRemote= (or /dev/dtremote on Solaris)</synopsis>

1735

<para>

1736

When doing Utmp processing, GDM sets the ut_line to this value

1737

for remote displays. The value can contain "%d"

1738

which is translated to the DISPLAY value or "%h"

1739

which is translated to the hostname. This value must begin

1740

with <filename>/dev/</filename>.

1741

</para>

1742

</listitem>

1743

</varlistentry>

1744

1745

<term>UtmpPseudoDevice</term>

1746

1747

<synopsis>PseudoDevice=false (or true on Solaris)</synopsis>

1748

<para>

1749

If the device associated with a display does not exist, then

1750

GDM will create a symlink to <filename>/dev/null</filename>, or

1751

touch it if it is a symlink to <filename>/dev/null</filename>.

1752

Some programs such as <command>last</command>,

1753

<command>finger</command>, or <command>who</command> access the

1754

utmp database and may assume that the device points to an

1755

actual file. Creating such symlinks ensures that such programs

1756

work properly.

1757

</para>

1758

</listitem>

1759

</varlistentry>

1760

</variablelist>

1761

</sect3>

1762

1763

1764

<title>XDCMP Support</title>

1765

1766

1767

<title>[xdmcp]</title>

1768

1769

1770

<term>DisplaysPerHost</term>

1771

1772

<synopsis>DisplaysPerHost=1</synopsis>

1773

<para>To prevent attackers from filling up the pending queue, GDM will only allow one connection for each remote computer. If you want to provide display services to computers with more than one screen, you should increase the <filename>DisplaysPerHost</filename> value accordingly.</para>

1774

1775

<para>

1776

Note that the number of attached DISPLAYS allowed is not

1777

limited. Only remote connections via XDMCP are limited by

1778

this configuration option.

1779

</para>

1780

</listitem>

1781

</varlistentry>

1782

1783

1784

<term>Enable</term>

1785

1786

<synopsis>Enable=false</synopsis>

1787

<para>Setting this to true enables XDMCP support allowing remote displays/X terminals to be managed by GDM.</para>

1788

1789

<para><filename>gdm</filename> listens for requests on UDP port 177. See the Port option for more information.</para>

1790

1791

<para>If GDM is compiled to support it, access from remote displays can be controlled using the TCP Wrappers library. The service name is <filename>gdm</filename></para>

1792

1793

<para>You should add <screen>

1794

gdm:.my.domain

1795

</screen> to your <filename><etc>/hosts.allow</filename>, depending on your TCP Wrappers configuration. See the <ulink type="help" url="man:hosts.allow">hosts.allow(5)</ulink> man page for details.</para>

1796

1797

<para>Please note that XDMCP is not a particularly secure protocol and that it is a good idea to block UDP port 177 on your firewall unless you really need it.</para>

1798

</listitem>

1799

</varlistentry>

1800

1801

1802

<term>EnableProxy</term>

1803

1804

<synopsis>EnableProxy=false</synopsis>

1805

<para>Setting this to true enables support for running XDMCP sessions on a local proxy X server. This may improve the performance of XDMCP sessions, especially on high latency networks, as many X protocol operations can be completed without going over the network.</para>

1806

<para>Note, however, that this mode will significantly increase the burden on the machine hosting the XDMCP sessions</para>

1807

<para>See the <filename>FlexiProxy</filename> and <filename>FlexiProxyDisconnect</filename> options for further details on how to configure support for this feature.</para>

1808

</listitem>

1809

</varlistentry>

1810

1811

1812

<term>HonorIndirect</term>

1813

1814

<synopsis>HonorIndirect=true</synopsis>

1815

<para>Enables XDMCP INDIRECT choosing (i.e. remote execution of <filename>gdmchooser</filename>) for X-terminals which don't supply their own display browser.</para>

1816

</listitem>

1817

</varlistentry>

1818

1819

1820

<term>MaxPending</term>

1821

1822

<synopsis>MaxPending=4</synopsis>

1823

<para>To avoid denial of service attacks, GDM has fixed size queue of pending connections. Only MaxPending displays can start at the same time.</para>

1824

1825

<para>Please note that this parameter does *not* limit the number of remote displays which can be managed. It only limits the number of displays initiating a connection simultaneously.</para>

1826

</listitem>

1827

</varlistentry>

1828

1829

1830

<term>MaxPendingIndirect</term>

1831

1832

<synopsis>MaxPendingIndirect=4</synopsis>

1833

<para>GDM will only provide <filename>MaxPendingIndirect</filename> displays with host choosers simultaneously. If more queries from different hosts come in, the oldest ones will be forgotten.</para>

1834

</listitem>

1835

</varlistentry>

1836

1837

1838

<term>MaxSessions</term>

1839

1840

<synopsis>MaxSessions=16</synopsis>

1841

<para>Determines the maximum number of remote display connections which will be managed simultaneously. I.e. the total number of remote displays that can use your host.</para>

1842

</listitem>

1843

</varlistentry>

1844

1845

1846

<term>MaxWait</term>

1847

1848

<synopsis>MaxWait=30</synopsis>

1849

<para>When GDM is ready to manage a display an ACCEPT packet is sent to it containing a unique session id which will be used in future XDMCP conversations.</para>

1850

1851

<para>GDM will then place the session id in the pending queue waiting for the display to respond with a MANAGE request.</para>

1852

1853

<para>If no response is received within MaxWait seconds, GDM will declare the display dead and erase it from the pending queue freeing up the slot for other displays.</para>

1854

</listitem>

1855

</varlistentry>

1856

1857

1858

<term>MaxWaitIndirect</term>

1859

1860

<synopsis>MaxWaitIndirect=30</synopsis>

1861

<para>The MaxWaitIndirect parameter determines the maximum number of seconds between the time where a user chooses a host and the subsequent indirect query where the user is connected to the host. When the timeout is exceeded, the information about the chosen host is forgotten and the indirect slot freed up for other displays. The information may be forgotten earlier if there are more hosts trying to send indirect queries then <filename>MaxPendingIndirect</filename>.</para>

1862

</listitem>

1863

</varlistentry>

1864

1865

1866

1867

1868

1869

<para>The UDP port number <filename>gdm</filename> should listen to for XDMCP requests. Don't change this unless you know what you are doing.</para>

1870

</listitem>

1871

</varlistentry>

1872

1873

1874

<term>PingIntervalSeconds</term>

1875

1876

<synopsis>PingIntervalSeconds=15</synopsis>

1877

<para>Interval in which to ping the X server in seconds. If the X server doesn't return before the next time we ping it, the connection is stopped and the session ended. This is a combination of the XDM PingInterval and PingTimeout, but in seconds.</para>

1878

1879

<para>Note that GDM in the past used to have a <filename>PingInterval</filename> configuration key which was also in minutes. For most purposes you'd want this setting to be lower then one minute however since in most cases where XDMCP would be used (such as terminal labs), a lag of more than 15 or so seconds would really mean that the terminal was turned off or restarted and you would want to end the session.</para>

1880

</listitem>

1881

</varlistentry>

1882

1883

1884

<term>ProxyReconnect</term>

1885

1886

<synopsis>FlexiProxyReconnect=</synopsis>

1887

<para>Setting this option enables experimental support for session migration with XDMCP sessions. This enables users to disconnect from their session and later reconnect to that same session, possibly from a different terminal.</para>

1888

<para>In order to use this feature, you must have a nested X server available which supports disconnecting from its parent X server and reconnecting to another X server. Currently, the Distributed Multihead X (DMX) server supports this feature to some extent and other projects like NoMachine NX are busy implementing it.</para>

1889

<para>This option should be set to the path of a command which will handle reconnecting the XDMCP proxy to another backend display. A sample implementation for use with DMX is supplied.</para>

1890

</listitem>

1891

</varlistentry>

1892

1893

1894

<term>ProxyXServer</term>

1895

1896

<synopsis>ProxyXServer=</synopsis>

1897

<para>

1898

The X server command line for a XDMCP proxy. Any nested X

1899

server like Xnest, Xephyr or Xdmx should work fairly well.

1900

</para>

1901

</listitem>

1902

</varlistentry>

1903

1904

1905

<term>Willing</term>

1906

1907

<synopsis>Willing=<etc>/gdm/Xwilling</synopsis>

1908

<para>When the machine sends a WILLING packet back after a QUERY it sends a string that gives the current status of this server. The default message is the system ID, but it is possible to create a script that displays customised message. If this script doesn't exist or this key is empty the default message is sent. If this script succeeds and produces some output, the first line of it's output is sent (and only the first line). It runs at most once every 3 seconds to prevent possible denial of service by flooding the machine with QUERY packets.</para>

1909

</listitem>

1910

</varlistentry>

1911

</variablelist>

1912

</sect3>

1913

1914

1915

<title>Common GUI Configuration Options</title>

1916

1917

1918

1919

1920

1921

<term>AllowGtkThemeChange</term>

1922

1923

<synopsis>AllowGtkThemeChange=true</synopsis>

1924

<para>If to allow changing the GTK+ (widget) theme from the greeter. Currently this only affects the standard greeter as the graphical greeter does not yet have this ability. The theme will stay in effect on this display until changed and will affect all the other windows that are put up by GDM. Supported since 2.5.90.2.</para>

1925

</listitem>

1926

</varlistentry>

1927

1928

1929

<term>GtkRC</term>

1930

1931

<synopsis>GtkRC=</synopsis>

1932

<para>Path to a <filename>gtkrc</filename> to read when GDM puts up a window. You should really now use the <filename>GtkTheme</filename> key for just setting a theme.</para>

1933

</listitem>

1934

</varlistentry>

1935

1936

1937

<term>GtkTheme</term>

1938

1939

<synopsis>GtkTheme=Default</synopsis>

1940

<para>A name of an installed theme to use by default. It will be used in the greeter, chooser and all other GUI windows put up by GDM. Supported since 2.5.90.2.</para>

1941

</listitem>

1942

</varlistentry>

1943

1944

1945

<term>GtkThemesToAllow</term>

1946

1947

<synopsis>GtkThemesToAllow=all</synopsis>

1948

<para>Comma separated list of themes to allow. These must be the names of the themes installed in the standard locations for GTK+ themes. You can also specify 'all' to allow all installed themes. This is related to the <filename>AllowGtkThemeChange</filename> key. Supported since 2.5.90.2.</para>

1949

</listitem>

1950

</varlistentry>

1951

1952

1953

<term>MaxIconWidth</term>

1954

1955

<synopsis>MaxIconWidth=128</synopsis>

1956

<para>Specifies the maximum icon width (in pixels) that the face browser will display. Icons larger than this will be scaled. This also affects icons in the XDMCP chooser.</para>

1957

</listitem>

1958

</varlistentry>

1959

1960

1961

<term>MaxIconHeight</term>

1962

1963

<synopsis>MaxIconHeight=128</synopsis>

1964

<para>Specifies the maximum icon height (in pixels) that the face browser will display. Icons larger than this will be scaled. This also affects icons in the XDMCP chooser.</para>

1965

</listitem>

1966

</varlistentry>

1967

</variablelist>

1968

</sect3>

1969

1970

1971

<title>Greeter Configuration</title>

1972

1973

1974

<title>[greeter]</title>

1975

1976

1977

<term>BackgroundColor</term>

1978

1979

<synopsis>BackgroundColor=#76848F</synopsis>

1980

<para>If the BackgroundType is 2, use this colour in the background of the greeter. Also use it as the back of transparent images set on the background and if the BackgroundRemoteOnlyColor is set and this is a remote display. This only affects the GTK+ Greeter.</para>

1981

</listitem>

1982

</varlistentry>

1983

1984

1985

<term>BackgroundProgramInitialDelay</term>

1986

1987

<synopsis>BackgroundProgramInitialDelay=30</synopsis>

1988

<para>The background application will be started after at least that many seconds of inactivity.</para>

1989

</listitem>

1990

</varlistentry>

1991

1992

1993

<term>RestartBackgroundProgram</term>

1994

1995

<synopsis>RestartBackgroundProgram=true</synopsis>

1996

<para>If set the background application will be restarted when it has exited, after the delay described below has elapsed. This option can be useful when you wish to run a screen saver application when no user is using the computer.</para>

1997

</listitem>

1998

</varlistentry>

1999

2000

2001

<term>BackgroundProgramRestartDelay</term>

2002

2003

<synopsis>BackgroundProgramRestartDelay=30</synopsis>

2004

<para>The background application will be restarted after at least that many seconds of inactivity.</para>

2005

</listitem>

2006

</varlistentry>

2007

2008

2009

<term>BackgroundImage</term>

2010

2011

<synopsis>BackgroundImage=somefile.png</synopsis>

2012

<para>If the BackgroundType is 1, then display this file as the background in the greeter. This only affects the GTK+ Greeter.</para>

2013

</listitem>

2014

</varlistentry>

2015

2016

2017

<term>BackgroundProgram</term>

2018

2019

<synopsis>BackgroundProgram=<bin>/xeyes</synopsis>

2020

<para>If set this command will be run in the background while the login window is being displayed. Note that not all applications will run this way, since GDM does not usually have a home directory. You could set up home directory for the GDM user if you wish to run applications which require it. This only affects the GTK+ Greeter.</para>

2021

</listitem>

2022

</varlistentry>

2023

2024

2025

<term>BackgroundRemoteOnlyColor</term>

2026

2027

<synopsis>BackgroundRemoteOnlyColor=true</synopsis>

2028

<para>On remote displays only set the colour background. This is to make network load lighter. The <filename>BackgroundProgram</filename> is also not run. This only affects the GTK+ Greeter.</para>

2029

</listitem>

2030

</varlistentry>

2031

2032

2033

<term>BackgroundScaleToFit</term>

2034

2035

<synopsis>BackgroundScaleToFit=true</synopsis>

2036

<para>Scale background image to fit the screen. This only affects the GTK+ Greeter.</para>

2037

</listitem>

2038

</varlistentry>

2039

2040

2041

<term>BackgroundType</term>

2042

2043

<synopsis>BackgroundType=2</synopsis>

2044

<para>The type of background to set. 0 is none, 1 is image and colour, 2 is colour and 3 is image. This only affects the GTK+ Greeter.</para>

2045

</listitem>

2046

</varlistentry>

2047

2048

2049

<term>Browser</term>

2050

2051

<synopsis>Browser=true</synopsis>

2052

<para>Set to true to enable the face browser. See the ``The GTK+ Greeter'' section for more information on the face browser. This option only works for the GTK+ Greeter. For the Themed Greeter, the face browser is enabled by choosing a theme which includes a face browser</para>

2053

</listitem>

2054

</varlistentry>

2055

2056

2057

<term>ChooserButton</term>

2058

2059

<synopsis>ChooserButton=true</synopsis>

2060

<para>If true, add a chooser button to the Actions menu that will restart the current X server with a chooser. XDMCP does not need to be enabled on the local computer for this to work.</para>

2061

</listitem>

2062

</varlistentry>

2063

2064

2065

<term>ConfigAvailable</term>

2066

2067

<synopsis>ConfigAvailable=false</synopsis>

2068

<para>If true, allows the configurator to be run from the greeter. Note that the user will need to type in the root password before the configurator will be started. This is set to false by default for additional security. See the <filename>Configurator</filename> option in the daemon section.</para>

2069

</listitem>

2070

</varlistentry>

2071

2072

2073

<term>DefaultFace</term>

2074

2075

<synopsis>DefaultFace=<share>/pixmaps/nophoto.png</synopsis>

2076

<para>If a user has no defined face image, GDM will use the "stock_person" icon defined in the current GTK+ theme. If no such image is defined, the image specified by <filename>DefaultFace</filename> will be used. The image must be in a gdk-pixbuf supported format and the file must be readable to the GDM user.</para>

2077

</listitem>

2078

</varlistentry>

2079

2080

2081

<term>Include</term>

2082

2083

<synopsis>Include=</synopsis>

2084

<para>Comma separated list of users to be included in the face browser and in the <command>gdmsetup</command> selection list for Automatic/Timed login. See also <filename>Exclude</filename>, <filename>IncludeAll</filename>, and <filename>MinimalUID</filename>.</para>

2085

</listitem>

2086

</varlistentry>

2087

2088

2089

<term>Exclude</term>

2090

2091

<synopsis>Exclude=bin,daemon,adm,lp,sync,shutdown,halt,mail,...</synopsis>

2092

<para>Comma separated list of users to be excluded from the face browser and from the <command>gdmsetup</command> selection list for Automatic/Timed login. Excluded users will still be able to log in, but will have to type their username. See also <filename>Include</filename>, <filename>IncludeAll</filename>, and <filename>MinimalUID</filename>.</para>

2093

</listitem>

2094

</varlistentry>

2095

2096

2097

<term>IncludeAll</term>

2098

2099

<synopsis>IncludeAll=false</synopsis>

2100

<para>By default, an empty include list means display no users. By setting IncludeAll to true, the password file will be scanned and all users will be displayed aside from users excluded via the Exclude setting and user ID's less than MinimalUID. Scanning the password file can be slow on systems with large numbers of users and this feature should not be used in such environments. See also <filename>Include</filename>, <filename>Exclude</filename>, and <filename>MinimalUID</filename>.</para>

2101

</listitem>

2102

</varlistentry>

2103

2104

2105

<term>GlobalFaceDir</term>

2106

2107

<synopsis>GlobalFaceDir=<share>/pixmaps/faces/</synopsis>

2108

<para>Systemwide directory for face files. The sysadmin can place icons for users here without touching their homedirs. Faces are named after their users' logins.</para>

2109

2110

<para>I.e. <filename><GlobalFaceDir>/johndoe</filename> would contain the face icon for the user ``johndoe''. No image format extension should be specified.</para>

2111

2112

<para>The face images must be stored in gdk-pixbuf supported formats and they must be readable for the GDM user.</para>

2113

2114

<para>A user's own icon file will always take precedence over the sysadmin provided one.</para>

2115

</listitem>

2116

</varlistentry>

2117

2118

2119

<term>GraphicalTheme</term>

2120

2121

<synopsis>GraphicalTheme=circles</synopsis>

2122

<para>The graphical theme that the Themed Greeter should use. it should refer to a directory in the theme directory set by <filename>GraphicalThemeDir</filename>.</para>

2123

</listitem>

2124

</varlistentry>

2125

2126

2127

<term>GraphicalThemes</term>

2128

2129

<synopsis>GraphicalThemes=circles</synopsis>

2130

<para>The graphical themes that the Themed Greeter should use is the Mode is set on Random Themes. This is a "/:" delimited list. It should refer to a directory in the theme directory set by <filename>GraphicalThemeDir</filename>. This is only used if <filename>GraphicalThemeRand</filename> is set to true.</para>

2131

</listitem>

2132

</varlistentry>

2133

2134

2135

<term>GraphicalThemeRand</term>

2136

2137

<synopsis>GraphicalThemeRand=false</synopsis>

2138

<para>Whether the graphical greeter will use Only One Theme or Random Theme mode. Only One Theme mode uses themes listed by <filename>GraphicalTheme</filename>, Random Themes mode uses themes listed by <filename>GraphicalThemes</filename>. A value of false sets greeter to use Only One Theme mode, a value of true sets the greeter to use Random Theme mode.</para>

2139

</listitem>

2140

</varlistentry>

2141

2142

2143

<term>GraphicalThemeDir</term>

2144

2145

<synopsis>GraphicalThemeDir=<share>/gdm/themes/</synopsis>

2146

<para>The directory where themes for the Themed Greeter are installed.</para>

2147

</listitem>

2148

</varlistentry>

2149

2150

2151

<term>GraphicalThemedColor</term>

2152

2153

<synopsis>GraphicalThemedColor=#76848F</synopsis>

2154

<para>Use this colour in the background of the Themed Greeter. This only affects the Themed Greeter.</para>

2155

</listitem>

2156

</varlistentry>

2157

2158

2159

<term>InfoMsgFile</term>

2160

2161

<synopsis>InfoMsgFile=/path/to/infofile</synopsis>

2162

<para>If present and /path/to/infofile specifies an existing and readable text file (e.g. <etc>/infomsg.txt) the contents of the file will be displayed in a modal dialogue box before the user is allowed to login. This works both with the standard and the themable greeters.</para>

2163

</listitem>

2164

</varlistentry>

2165

2166

2167

<term>InfoMsgFont</term>

2168

2169

<synopsis>InfoMsgFont=fontspec</synopsis>

2170

<para>If present and InfoMsgFile (see above) is used, this specifies the font to use when displaying the contents of the InfoMsgFile text file. For example fontspec could be Sans 24 to get a sans serif font of size 24 points. This works both with the standard and the themable greeters.</para>

2171

</listitem>

2172

</varlistentry>

2173

2174

2175

2176

<term>LocaleFile</term>

2177

2178

<synopsis>LocaleFile=<etc>/gdm/locale.alias</synopsis>

2179

<para>File in format similar to the GNU locale format with entries for all supported languages on the system. The format is described above or in a comment inside that file.</para>

2180

</listitem>

2181

</varlistentry>

2182

2183

2184

<term>LockPosition</term>

2185

2186

<synopsis>LockPosition=true</synopsis>

2187

<para>If true the position of the login window of the GTK+ Greeter cannot be changed even if the title bar is turned on.</para>

2188

</listitem>

2189

</varlistentry>

2190

2191

2192

2193

2194

<synopsis>Logo=<share>/pixmaps/gnome-logo-large.png</synopsis>

2195

<para>Image file to display in the logo box. The file must be in a gdk-pixbuf supported format and it must be readable by the GDM user. If no file is specified the logo feature is disabled. This only affects the GTK+ Greeter.</para>

2196

</listitem>

2197

</varlistentry>

2198

2199

2200

<term>ChooserButtonLogo</term>

2201

2202

<synopsis>ChooserButtonLogo=<share>/pixmaps/gnome-logo-large.png</synopsis>

2203

<para>Image file to display in the file chooser button in <command>gdmsetup</command>. This key is modified by <command>gdmsetup</command> and should not be manually modified by the user. This only affects the login window preferences (<command>gdmsetup</command>).</para>

2204

</listitem>

2205

</varlistentry>

2206

2207

2208

<term>MinimalUID</term>

2209

2210

<synopsis>MinimalUID=100</synopsis>

2211

<para>The minimal UID that GDM should consider a user. All users with a lower UID will be excluded from the face browser. See also <filename>Include</filename>, <filename>Exclude</filename>, and <filename>IncludeAll</filename>.</para>

2212

</listitem>

2213

</varlistentry>

2214

2215

2216

<term>PositionX</term>

2217

2218

<synopsis>PositionX=200</synopsis>

2219

<para>The horizontal position of the login window of the GTK+ Greeter.</para>

2220

</listitem>

2221

</varlistentry>

2222

2223

2224

<term>PositionY</term>

2225

2226

<synopsis>PositionY=100</synopsis>

2227

<para>The vertical position of the login window of the GTK+ Greeter.</para>

2228

</listitem>

2229

</varlistentry>

2230

2231

2232

<term>Quiver</term>

2233

2234

<synopsis>Quiver=true</synopsis>

2235

<para>Controls whether <command>gdmlogin</command> should shake the display when an incorrect username/password is entered. This only affects the GTK+ Greeter.</para>

2236

</listitem>

2237

</varlistentry>

2238

2239

2240

<term>DefaultRemoteWelcome</term>

2241

2242

<synopsis>DefaultRemoteWelcome=true</synopsis>

2243

<para>If set to true, the value "Welcome to %n" is used for the <filename>RemoteWelcome</filename>. This value is translated into the appropriate language for the user. If set to false, the <filename>RemoteWelcome</filename> setting is used. This string can use the same special character sequences as explained in the "Text Node" section of the "Themed Greeter" chapter. This explains the meaning of "%n".</para>

2244

</listitem>

2245

</varlistentry>

2246

2247

2248

<term>RemoteWelcome</term>

2249

2250

<synopsis>RemoteWelcome=Welcome to %n</synopsis>

2251

<para>Controls which text to display next to the logo image in the greeter for remote XDMCP sessions. The same expansion is done here as in the <filename>Welcome</filename> string. This string can use the same special character sequences as explained in the "Text Node" section of the "Themed Greeter" chapter. chapter.</para>

2252

</listitem>

2253

</varlistentry>

2254

2255

2256

<term>RunBackgroundProgramAlways</term>

2257

2258

<synopsis>RunBackgroundProgramAlways=false</synopsis>

2259

<para>If this is true then the background application is run always, otherwise it is only run when the <filename>BackgroundType</filename> is 0 (None) This only affects the GTK+ Greeter.</para>

2260

</listitem>

2261

</varlistentry>

2262

2263

2264

<term>SetPosition</term>

2265

2266

<synopsis>SetPosition=true</synopsis>

2267

<para>If true the position of the login window of the GTK+ Greeter is determined by <filename>PositionX</filename> / <filename>PositionY</filename>.</para>

2268

</listitem>

2269

</varlistentry>

2270

2271

2272

<term>ShowGnomeFailsafeSession</term>

2273

2274

<synopsis>ShowGnomeFailsafeSession=true</synopsis>

2275

<para>Should the greeter show the Gnome Failsafe session in th sessions list.</para>

2276

</listitem>

2277

</varlistentry>

2278

2279

2280

<term>ShowLastSession</term>

2281

2282

<synopsis>ShowLastSession=true</synopsis>

2283

<para>Should the greeter show the 'Last' session in the session list. If this is off, then GDM is in the so called 'switchdesk' mode which, for example, Red Hat uses. That is, the users can't pick the last session and will just then get the default session (see <filename>DefaultSession</filename>) unless then pick something else for this session only. So if this is off, this really circumvents saving of the last session.</para>

2284

</listitem>

2285

</varlistentry>

2286

2287

2288

<term>ShowXtermFailsafeSession</term>

2289

2290

<synopsis>ShowXtermFailsafeSession=true</synopsis>

2291

<para>Should the greeter show the Xterm Failsafe session in the sessions list.</para>

2292

</listitem>

2293

</varlistentry>

2294

2295

2296

<term>SoundOnLogin</term>

2297

2298

<synopsis>SoundOnLogin=true</synopsis>

2299

<para>If true, the greeter will play a sound or beep when it is ready for a login. See also the <filename>SoundOnLoginFile</filename> key. Supported since 2.5.90.0.</para>

2300

</listitem>

2301

</varlistentry>

2302

2303

2304

<term>SoundOnLoginSuccess</term>

2305

2306

<synopsis>SoundOnLoginSuccess=true</synopsis>

2307

<para>If true, the greeter will play a sound after a successful login attempt. See also the <filename>SoundOnLoginSuccessFile</filename> key.</para>

2308

</listitem>

2309

</varlistentry>

2310

2311

2312

<term>SoundOnLoginFailure</term>

2313

2314

<synopsis>SoundOnLoginFailure=true</synopsis>

2315

<para>If true, the greeter will play a sound after a failed login attempt. See also the <filename>SoundOnLoginFailureFile</filename> key.</para>

2316

</listitem>

2317

</varlistentry>

2318

2319

2320

<term>SoundOnLoginFile</term>

2321

2322

<synopsis>SoundOnLoginFile=/path/to/sound.wav</synopsis>

2323

<para>The file that will be played using the specified sound application (by default that is <filename>/usr/bin/play</filename>) instead of a beep when the greeter is ready for a login. See also the <filename>SoundOnLogin</filename> key and the <filename>SoundProgram</filename> key. Supported since 2.5.90.0.</para>

2324

</listitem>

2325

</varlistentry>

2326

2327

2328

<term>SoundOnLoginSuccessFile</term>

2329

2330

<synopsis>SoundOnLoginSuccessFile=/path/to/sound.wav</synopsis>

2331

<para>The file that will be played using the specified sound application (by default that is <filename>/usr/bin/play</filename>) after a successful login attempt. See also the <filename>SoundOnLoginSuccess</filename> key and the <filename>SoundProgram</filename> key.</para>

2332

</listitem>

2333

</varlistentry>

2334

2335

2336

<term>SoundOnLoginFailureFile</term>

2337

2338

<synopsis>SoundOnLoginFailureFile=/path/to/sound.wav</synopsis>

2339

<para>The file that will be played using the specified sound application (by default that is <filename>/usr/bin/play</filename>) after a failed login attempt. See also the <filename>SoundOnLoginFailure</filename> key and the <filename>SoundProgram</filename> key.</para>

2340

</listitem>

2341

</varlistentry>

2342

2343

2344

<term>SystemMenu</term>

2345

2346

<synopsis>SystemMenu=true</synopsis>

2347

<para>

2348

Turns the Actions menu (which used to be called System menu) on

2349

or off. If this is off then one of the actions will be

2350

available anywhere. These actions include Shutdown, Restart,

2351

Configure, XDMCP chooser and such. All of those can however

2352

be turned off individually. Shutdown, Restart and Suspend can

2353

be turned off by just setting the corresponding keys to empty.

2354

Note that the actions menu is only shown on attached displays.

2355

It would not be safe or even desirable on remote logins, so you

2356

do not have to worry about remote users having these privileges.

2357

</para>

2358

2359

<para>Note that if this is off none of the actions will be available even if a theme for a graphical greeter mistakenly shows them. Also note that sometimes a graphical theme may not show all the available actions as buttons and you may have to press F10 to see the menu.</para>

2360

</listitem>

2361

</varlistentry>

2362

2363

2364

<term>TitleBar</term>

2365

2366

<synopsis>TitleBar=true</synopsis>

2367

<para>Display the title bar in the greeter. This only affects the GTK+ Greeter.</para>

2368

</listitem>

2369

</varlistentry>

2370

2371

2372

<term>Use24Clock</term>

2373

2374

<synopsis>Use24Clock=auto</synopsis>

2375

<para>Select the use of 24 hour clock. Some locales do not support 12 hour format (like Finnish, that is <filename>fi_FI</filename>), and in those locales this setting has no effect at all.</para>

2376

<para>Possible values are "auto" (default), "true", and "false". If this is set to "auto" or left empty, then time format is chosen from locale settings. Locale settings are based on the language in use, thus it is changed by setting environment variables LANGUAGE (GNU extension), LANG, LC_MESSAGES or LC_ALL in the GDM's runtime environment. Priorities between the mentioned environment variables can be found from your system's C library manual.</para>

2377

</listitem>

2378

</varlistentry>

2379

2380

2381

<term>UseInvisibleInEntry</term>

2382

2383

<synopsis>UseInvisibleInEntry=false</synopsis>

2384

<para>Do not show any visual feedback is the password entry. This is the standard in console and xdm. Settings this option discards the <filename>UseCirclesInEntry</filename> option.</para>

2385

</listitem>

2386

</varlistentry>

2387

2388

2389

<term>DefaultWelcome</term>

2390

2391

<synopsis>DefaultWelcome=true</synopsis>

2392

<para>If set to true, the value "Welcome" is used for the <filename>Welcome</filename>. This value is translated into the appropriate language for the user. If set to false, the <filename>Welcome</filename> setting is used.</para>

2393

</listitem>

2394

</varlistentry>

2395

2396

2397

<term>Welcome</term>

2398

2399

<synopsis>Welcome=Welcome</synopsis>

2400

<para>Controls which text to display next to the logo image in the standard greeter. The following control chars are supported:</para>

2401

2402

<para>

2403

%% — the `%' character

2404

</para>

2405

2406

<para>

2407

%d — display's hostname

2408

</para>

2409

2410

<para>

2411

%h — Fully qualified hostname

2412

</para>

2413

2414

<para>

2415

%m — machine (processor type)

2416

</para>

2417

2418

<para>

2419

%n — Nodename (i.e. hostname without .domain)

2420

</para>

2421

2422

<para>

2423

%r — release (OS version)

2424

</para>

2425

2426

<para>

2427

%s — sysname (i.e. OS)

2428

</para>

2429

2430

<para>

2431

This string is only used for attached displays. For remote

2432

XDMCP displays we use <filename>RemoteWelcome</filename>.

2433

</para>

2434

2435

<para>In the Themed Greeter the location of this text depends on the theme. Unless the theme uses the stock welcome string somewhere this string will not be displayed at all.</para>

2436

2437

</listitem>

2438

</varlistentry>

2439

2440

2441

<term>XineramaScreen</term>

2442

2443

<synopsis>XineramaScreen=0</synopsis>

2444

<para>If the Xinerama extension is active the login window will be centered on this physical screen (use 0 for the first screen, 1 for the second...).</para>

2445

</listitem>

2446

</varlistentry>

2447

</variablelist>

2448

</sect3>

2449

2450

2451

<title>XDCMP Chooser Options</title>

2452

2453

2454

<title>[chooser]</title>

2455

2456

2457

<term>AllowAdd</term>

2458

2459

<synopsis>AllowAdd=true</synopsis>

2460

<para>If true, allow the user to add arbitrary hosts to the chooser. This way the user could connect to any host that responds to XDMCP queries from the chooser.</para>

2461

</listitem>

2462

</varlistentry>

2463

2464

2465

<term>Broadcast</term>

2466

2467

<synopsis>Broadcast=true</synopsis>

2468

<para>If true, the chooser will broadcast a query to the local network and collect responses. This way the chooser will always show all available managers on the network. If you need to add some hosts not local to this network, or if you don't want to use a broadcast, you can list them explicitly in the <filename>Hosts</filename> key.</para>

2469

</listitem>

2470

</varlistentry>

2471

2472

2473

<term>Multicast</term>

2474

2475

<synopsis>Multicast=true</synopsis>

2476

<para>If true and IPv6 is enabled, the chooser will send a multicast query to the local network and collect responses from the hosts who have joined multicast group. If you don't want to send a multicast, you can specify IPv6 address in the <filename>Hosts </filename> key. The host will respond if it is listening to XDMCP requests and IPv6 is enabled there.</para>

2477

</listitem>

2478

</varlistentry>

2479

2480

2481

<term>MulticastAddr</term>

2482

2483

<synopsis>MulticastAddr=ff02::1</synopsis>

2484

<para>This is the Link-local Multicast address and is hardcoded here.</para>

2485

</listitem>

2486

</varlistentry>

2487

2488

2489

<term>DefaultHostImage</term>

2490

2491

<synopsis>DefaultHostImage=<share>/pixmaps/nohost.png</synopsis>

2492

<para>File name for the default host icon. This image will be displayed if no icon is specified for a given host. The file must be in a gdk-pixbuf supported format and it must be readable for the GDM user.</para>

2493

</listitem>

2494

</varlistentry>

2495

2496

2497

<term>HostImageDir</term>

2498

2499

<synopsis>HostImageDir=<share>/hosts</synopsis>

2500

<para>Repository for host icon files. The sysadmin can place icons for remote hosts here and they will appear in <filename>gdmchooser</filename>.</para>

2501

2502

<para>The file name must match the fully qualified name (FQDN) for the host. The icons must be stored in gdk-pixbuf supported formats and they must be readable to the GDM user.</para>

2503

2504

</listitem>

2505

</varlistentry>

2506

2507

2508

<term>Hosts</term>

2509

2510

<synopsis>Hosts=host1,host2</synopsis>

2511

<para>The hosts which should be listed in the chooser. The chooser will only list them if they respond. This is done in addition to broadcast (if <filename>Broadcast</filename> is set), so you need not list hosts on the local network. This is useful if your networking setup doesn't allow all hosts to be reachable by a broadcast packet.</para>

2512

</listitem>

2513

</varlistentry>

2514

2515

2516

<term>ScanTime</term>

2517

2518

<synopsis>ScanTime=4</synopsis>

2519

<para>Specifies how many seconds the chooser should wait for replies to its BROADCAST_QUERY. Really this is only the time in which we expect a reply. We will still add hosts to the list even if they reply after this time.</para>

2520

</listitem>

2521

</varlistentry>

2522

</variablelist>

2523

</sect3>

2524

2525

2526

<title>Debug Configuration</title>

2527

2528

2529

<title>[debug]</title>

2530

2531

2532

<term>Enable</term>

2533

2534

<synopsis>Enable=false</synopsis>

2535

<para>Setting to true sends debug ouput to the syslog. This can be useful for tracking down problems with GDM. This output tends to be verbose so should not be turned on for general use.</para>

2536

</listitem>

2537

</varlistentry>

2538

2539

2540

<term>Gestures</term>

2541

2542

<synopsis>Gestures=false</synopsis>

2543

<para>Setting to true sends debug ouput concerning the accessibility gesture listeners to the syslog. This can be useful for tracking down problems with them not working properly. This output tends to be verbose so should not be turned on for general use.</para>

2544

</listitem>

2545

</varlistentry>

2546

</variablelist>

2547

</sect3>

2548

2549

2550

<title>Custom Commands</title>

2551

2552

<para>You can create up to 10 different commands. Gaps between command numbers are allowed and their relative positioning within the section and with respect to each other is not important as long as they conform to the permitted range of [0-9].</para>

2553

2554

2555

<title>[customcommand]</title>

2556

2557

2558

<term>CustomCommand[0-9]</term>

2559

2560

<synopsis>CustomCommand[0-9]=</synopsis>

2561

<para>Full path and arguments to command to be executed when user selects the <filename>n-th</filename> "Custom Command" from the Actions menu. This can be a ';' separated list of commands to try. If the value is empty or missing, then the custom command is not available. By default this value is not enabled, so to enable "Custom Command" it must be set to a nonempty value. [0-9] represents the <filename>CustomCommand</filename> suffix and can be an integer between 0 and 9.</para>

2562

</listitem>

2563

</varlistentry>

2564

2565

2566

<term>CustomCommandIsPersistent[0-9]</term>

2567

2568

<synopsis>CustomCommandIsPersistent[0-9]=</synopsis>

2569

<para>Specifies if the <filename>n-th</filename> "Custom Command" will appear outside the login manager, for example on the desktop through the Log Out/Shut Down dialogues. If not specified the default value is "false". This option is only valid if corresponding <filename>CustomCommand</filename> is defined. [0-9] represents <filename>CustomCommand</filename> suffix and can be an integer between 0 and 9.</para>

2570

</listitem>

2571

</varlistentry>

2572

2573

2574

<term>CustomCommandLabel[0-9]</term>

2575

2576

<synopsis>CustomCommandLabel[0-9]=</synopsis>

2577

<para>Specifies the stock label that will be displayed on the <filename>n-th</filename> "Custom Command" buttons and menu items. If not specified the default value is "Custom_[0-9]". This option is only valid if the corresponding <filename>CustomCommand</filename> is defined. [0-9] represents the <filename>CustomCommand</filename> suffix and can be an integer between 0 and 9. This option can't contain any semicolon characters (i.e. ";").</para>

2578

</listitem>

2579

</varlistentry>

2580

2581

2582

<term>CustomCommandLRLabel[0-9]</term>

2583

2584

<synopsis>CustomCommandLRLabel[0-9]=</synopsis>

2585

<para>Specifies the stock label that will be displayed on the <filename>n-th</filename> "Custom Command" list items and radio buttons. If not specified the default value is "Execute custom command _[0-9]". This option is only valid if the corresponding <filename>CustomCommand</filename> is defined. [0-9] represents the <filename>CustomCommand</filename> suffix and can be an integer between 0 and 9.</para>

2586

</listitem>

2587

</varlistentry>

2588

2589

2590

<term>CustomCommandNoRestart[0-9]</term>

2591

2592

<synopsis>CustomCommandNoRestart[0-9]=</synopsis>

2593

<para>Specifies if gdm will be stopped/restarted once the <filename>n-th</filename> "Custom Command" has been executed. If not specified the default value is "false". This option is only valid if the corresponding <filename>CustomCommand</filename> is defined. [0-9] represents the <filename>CustomCommand</filename> suffix and can be an integer between 0 and 9. When the corresponding <filename>CustomCommandIsPersistent</filename> is set to true, setting CustomCommandNoRestart to false will place the corresponding <filename>CustomCommand</filename> in the Shut Down dialogue set of actions. Setting it to true will place the corresponding <filename>CustomCommand</filename> in the Log Out dialogue set of actions.</para>

2594

</listitem>

2595

</varlistentry>

2596

2597

2598

<term>CustomCommandText[0-9]</term>

2599

2600

<synopsis>CustomCommandText[0-9]=</synopsis>

2601

<para>Specifies the message that will be displayed on the warning dialogue box once the <filename>n-th</filename> "Custom Command" button/menu item/radio button/list item has been activated. If not specified the default value is "Are you sure?". This option is only valid if the corresponding <filename>CustomCommand</filename> is defined. [0-9] represents the <filename>CustomCommand</filename> suffix and can be an integer between 0 and 9.</para>

2602

</listitem>

2603

</varlistentry>

2604

2605

2606

<term>CustomCommandTooltip[0-9]</term>

2607

2608

<synopsis>CustomCommandTooltip[0-9]=</synopsis>

2609

<para>Specifies the message that will be displayed on tooltips for <filename>n-th</filename> "Custom Command" entries. If not specified the default value is "Execute custom command [0-9]". This option is only valid if corresponding <filename>CustomCommand</filename> is defined. [0-9] represents <filename>CustomCommand</filename> suffix and can be an integer between 0 and 9.</para>

2610

</listitem>

2611

</varlistentry>

2612

</variablelist>

2613

</sect3>

2614

2615

2616

<title>X Server Definitions</title>

2617

2618

<para>

2619

GDM needs to be provided with information about each X servers that

2620

will be used. You can have as many different definitions as you wish,

2621

each identified with a unique name. The name

2622

<filename>Standard</filename> is required. If you do not specify

2623

this server, GDM will assume default values for a 'Standard' server

2624

and the path given by <filename>daemon/StandardXServer</filename>.

2625

<filename>Standard</filename> is used as the default,

2626

in situations when no other server has been defined.

2627

</para>

2628

2629

<para>Servers are defined by sections named <filename>server-</filename> followed by the identifier of this server. This should be a simple ASCII string with no spaces. The GUI configuration program allows users to edit the servers defined in the GDM configuration files but currently does not allow adding or deleting entries. Like normal configuration options, <filename>server-</filename> sections in the <filename><etc>/gdm/custom.conf</filename> file override values in the <filename><share>/gdm/defaults.conf</filename> file. In other words, if a <filename>server-Standard</filename> section is defined in <filename><etc>/gdm/custom.conf</filename>, then that will be used and the section in the <filename><share>/gdm/defaults.conf</filename> file will be ignored.</para>

2630

2631

2632

<title>[server-Standard]</title>

2633

2634

2635

2636

2637

<synopsis>name=Standard server</synopsis>

2638

<para>The name that will be displayed to the user.</para>

2639

</listitem>

2640

</varlistentry>

2641

2642

2643

<term>command</term>

2644

2645

<synopsis>command=/path/to/X</synopsis>

2646

<para>

2647

The command to execute, with full path to the binary of the X

2648

server, and any extra arguments needed. Normally it is not

2649

necessary to add a <filename>-nolisten tcp</filename> argument

2650

since the addition of this argument is controlled by the

2651

<filename>DisallowTCP</filename> GDM configuration option.

2652

</para>

2653

</listitem>

2654

</varlistentry>

2655

2656

2657

<term>flexible</term>

2658

2659

<synopsis>flexible=true</synopsis>

2660

<para>Indicates if this server is available as a choice when a user wishes to run a flexible, on demand server.</para>

2661

</listitem>

2662

</varlistentry>

2663

2664

2665

<term>handled</term>

2666

2667

<synopsis>handled=true</synopsis>

2668

<para>Indicates that GDM should run the login window on this server and allow a user to log in. If set to false, then GDM will just run this server and wait for it to terminate. This can be useful to run an X terminal using GDM. When this is done you should normally also add <filename>-terminate</filename> to the command line of the server to make the server terminate after each session. Otherwise the control of the slave will never come back to GDM and, for example, soft restarts won't work. This is because GDM assumes there is a login in progress for the entire time this server is active.</para>

2669

</listitem>

2670

</varlistentry>

2671

2672

2673

<term>chooser</term>

2674

2675

<synopsis>chooser=false</synopsis>

2676

<para>Indicates that GDM should run a chooser on this window, instead of a login window, and allow the user to choose which server to log into.</para>

2677

</listitem>

2678

</varlistentry>

2679

2680

2681

<term>priority</term>

2682

2683

<synopsis>priority=0</synopsis>

2684

<para>Indicates that the X server should be started at a different process priority. Values can be any integer value accepted by the setpriority C library function (normally between -20 and 20) with 0 being the default. For highly interactive applications, -5 yields good responsiveness. The default value is 0 and the setpriority function is not called if the value is 0.</para>

2685

</listitem>

2686

</varlistentry>

2687

</variablelist>

2688

</sect3>

2689

2690

2691

<title>Attached DISPLAY Configuration</title>

2692

2693

<para>

2694

The attached (also known as local or static) display configuration

2695

specifies what displays should be always managed by GDM. GDM will

2696

restart the X server on the display if it dies, for example. There

2697

may be as many attached displays that are managed as you wish.

2698

Typically each display is associated with a real display. On a

2699

typical single-display machine this section would only contain one

2700

key <filename>0</filename> that corresponds to DISPLAY

2701

<filename>:0</filename>.

2702

</para>

2703

2704

<para>

2705

The GUI configuration program allows users to edit the attached

2706

display configuration defined in the GDM configuration files

2707

and allows the user to add or delete entries. Like normal

2708

configuration options, the <filename>[servers]</filename>

2709

section in the <filename><etc>/gdm/custom.conf</filename>

2710

file overrides values in the

2711

<filename><share>/gdm/defaults.conf</filename> file.

2712

</para>

2713

2714

2715

<title>[servers]</title>

2716

2717

2718

2719

2720

<synopsis>0=Standard [device=/dev/foo]</synopsis>

2721

2722

<para>

2723

The key cooresponds to the DISPLAY to be managed, so that

2724

key <filename>0</filename> cooresponds to DISPLAY

2725

<filename>:0</filename>. On a multi-display machine you

2726

can configure GDM to manage a login program on other displays

2727

by adding additional keys. For example, adding key

2728

<filename>1</filename> would cause GDM to manage DISPLAY

2729

<filename>:1</filename>.

2730

</para>

2731

2732

<para>

2733

The first word of the value corresponds to a X server

2734

definition in the "X Server Definitions" section

2735

of the configuration file. For example, the following entry

2736

means that DISPLAY <filename>:0</filename> will start an X

2737

server as defined in the

2738

<filename>[server-Standard]</filename> section:

2739

</para>

2740

2741

2742

[servers]

2743

0=Standard

2744

</screen>

2745

2746

<para>

2747

The first word of the value can also be set to the string

2748

"inactive" to indicate that this DISPLAY should not

2749

be managed. This can be used in the GDM Custom Configuration

2750

File to turn off a DISPLAY that is defined in the GDM System

2751

Defaults Configuration File.

2752

</para>

2753

2754

<para>

2755

The optional device argument is used to specify the device that

2756

is associated with the DISPLAY. When using Virtual Terminals

2757

(VT), this value is ignored and GDM will use the correct

2758

device name associated with the VT. If not using VT, then GDM

2759

will use the value specified by this optional argument. If

2760

the device argument is not defined, then GDM will use the

2761

default setting for attached displays defined in the

2762

<filename>UtmpLineAttached</filename> configuration section.

2763

For the main display (typically DISPLAY

2764

<filename>:0</filename>), <filename>/dev/console</filename> is

2765

a reasonable value. For other displays it is probably best

2766

to not include this argument unless you know the specific

2767

device associated with the DISPLAY. The device value can

2768

contain "%d" which is translated to the DISPLAY value

2769

or "%h" which is translated to the hostname.

2770

</para>

2771

</listitem>

2772

</varlistentry>

2773

</variablelist>

2774

</sect3>

2775

</sect2>

2776

2777

2778

<title>Per User Configuration</title>

2779

2780

<para>There are some per user configuration settings that control how GDM behaves. GDM is picky about the file ownership and permissions of the user files it will access, and will ignore files if they are not owned by the user or files that have group/world write permissions. It will also ignore the user if the user's $HOME directory is not owned by the user or if the user's $HOME directory has group/world write permissions. Files must also be smaller than the <filename>UserMaxFile</filename> value as defined in the GDM configuration. If GDM is not properly accessing user configuration settings, the problem is most likely caused by one of these checks failing.</para>

2781

2782

<para>First there is the <filename>~/.dmrc</filename> file. In theory this file should be shared between GDM and KDM, so users only have to configure things once. This is a standard <filename>.ini</filename> style configuration file. It has one section called <filename>[Desktop]</filename> which has two keys: <filename>Session</filename> and <filename>Language</filename>.</para>

2783

2784

<para>The <filename>Session</filename> key specifies the basename of the session <filename>.desktop</filename> file that the user wishes to normally use (without the <filename>.desktop</filename> extension, in other words). The <filename>Language</filename> key specifies the language that the user wishes to use by default. If either of these keys is missing, the system default is used. The file would normally look as follows:</para>

2785

2786

2787

[Desktop]

2788

Session=gnome

2789

Language=cs_CZ.UTF-8

2790

</screen>

2791

2792

<para>Normally GDM will write this file when the user logs in for the first time, and rewrite it if the user chooses to change their default values on a subsequent login.</para>

2793

2794

<para>

2795

If the GDM Face Browser is turned on, then the file

2796

<filename>$HOME/.face</filename> is accessed. This file should be a

2797

standard image that GTK+ can read, such as PNG or JPEG. It also must

2798

be smaller than the <filename>MaxIconWidth</filename> and

2799

<filename>MaxIconHeight</filename> values defined in the GDM

2800

configuration or it will be ignored. Users can run the

2801

<command>gdmphotosetup</command> program to specify a face image

2802

and it will copy the file to the <filename>$HOME/.face</filename>

2803

location and scale it so its longest dimension is not larger than the

2804

<filename>MaxIconWidth</filename> or <filename>MaxIconHeight</filename>

2805

values. <command>gdmphotosetup</command> takes care to not change

2806

the aspect ratio of the image.

2807

</para>

2808

2809

<para>Face images can also be placed in the global face directory, which is specified by the <filename>GlobalFaceDir</filename> configuration option ( normally <filename><share>/pixmaps/faces/</filename>) and the filename should be the name of the user, optionally with a <filename>.png</filename>, <filename>.jpg</filename>, etc. appended.</para>

2810

</sect2>

2811

</sect1>

2812

2813

2814

<title>Controlling GDM</title>

2815

2816

<para>You can control GDM behaviour during runtime in several different ways: you can run certain commands or you can talk to GDM using either a unix socket protocol or a FIFO protocol.</para>

2817

2818

2819

<title>Commands</title>

2820

2821

<para>To stop GDM, you can either send the TERM signal to the main daemon or run the <command>gdm-stop</command> command which is in the <filename><sbin>/</filename> directory. To restart GDM, you can either send the HUP signal to the main daemon or run the <command>gdm-restart</command> command which is also in the <filename><sbin>/</filename> directory. To restart GDM only after all the users have logged out, you can either send the USR1 signal to the main daemon or run the <command>gdm-safe-restart</command> command which is in the <filename><sbin>/</filename> directory as well.</para>

2822

2823

<para>The <command>gdmflexiserver</command> command can be used to start new flexible (on demand) displays if your system supports virtual terminals. This command will normally lock the current session with a screensaver so that the user can safely walk away from the computer and let someone else log in. If more that two flexible displays have been started <command>gdmflexiserver</command> will display a pop-up dialogue allowing the user to select which session to continue. The user will normally have to enter a password to return to the session. On session exit, the system will return to the previous virtual terminal. Run <command>gdmflexiserver --help</command> to get a listing of possible options.</para>

2824

</sect2>

2825

2826

2827

<title>The FIFO protocol</title>

2828

2829

<para>GDM also provides a FIFO called <filename>.gdmfifo</filename> in the <filename>ServAuthDir</filename> directory (usually <filename><var>/gdm/.gdmfifo</filename>). You must be root to use this protocol, and it is mostly used for internal GDM chatter. It is a very simple protocol where you just echo a command on a single line to this file. It can be used to tell GDM things such as restart, suspend the computer, or restart all X servers next time it has a chance (which would be useful from an X configuration application).</para>

2830

2831

<para>Full and up to date documentation of the commands and their use is contained in the GDM source tree in the file <filename>daemon/gdm.h</filename>. Look for the defines starting with <filename>GDM_SOP_</filename>. The commands which require the pid of the slave as an argument are the ones that are really used for internal communication of the slave with the master and should not be used.</para>

2832

</sect2>

2833

2834

2835

<title>Socket Protocol</title>

2836

2837

<para>GDM provides a unix domain socket for communication at <filename>/tmp/.gdm_socket</filename>. Using this you can check if GDM is running, the version of the daemon, the current displays that are running and who is logged in on them, and if GDM supports it on your operating system, also the virtual terminals of all the console logins. The <command>gdmflexiserver</command> command uses this protocol, for example, to launch flexible (on-demand) displays.</para>

2838

2839

<para>gdmflexiserver accepts the following commands with the --command option:</para>

2840

2841

2842

ADD_DYNAMIC_DISPLAY

2843

ALL_SERVERS

2844

ATTACHED_SERVERS

2845

AUTH_LOCAL

2846

CLOSE

2847

FLEXI_XNEST

2848

FLEXI_XNEST_USER

2849

FLEXI_XSERVER

2850

FLEXI_XSERVER_USER

2851

GET_CONFIG

2852

GET_CONFIG_FILE

2853

GET_CUSTOM_CONFIG_FILE

2854

GET_SERVER_LIST

2855

GET_SERVER_DETAILS

2856

GREETERPIDS

2857

QUERY_LOGOUT_ACTION

2858

QUERY_CUSTOM_CMD_LABELS

2859

QUERY_CUSTOM_CMD_NO_RESTART_STATUS

2860

QUERY_VT

2861

RELEASE_DYNAMIC_DISPLAYS

2862

REMOVE_DYNAMIC_DISPLAY

2863

SERVER_BUSY

2864

SET_LOGOUT_ACTION

2865

SET_SAFE_LOGOUT_ACTION

2866

SET_VT

2867

UPDATE_CONFIG

2868

VERSION

2869

</screen>

2870

2871

<para>These are described in detail below, including required arguments, response format, and return codes.</para>

2872

2873

2874

<title>ADD_DYNAMIC_DISPLAY</title>

2875

2876

ADD_DYNAMIC_DISPLAY: Create a new server definition that will

2877

run on the specified display leaving, it

2878

in DISPLAY_CONFIG state.

2879

Supported since: 2.8.0.0

2880

Arguments: <display to run on>=<server>

2881

Where <server> is either a configuration named in the

2882

GDM configuration or a literal command name.

2883

Answers:

2884

OK <display>

2885

ERROR <err number> <english error description>

2886

0 = Not implemented

2887

2 = Existing display

2888

3 = No server string

2889

4 = Display startup failure

2890

100 = Not authenticated

2891

200 = Dynamic Displays not allowed

2892

999 = Unknown error

2893

</screen>

2894

</sect3>

2895

2896

2897

<title>ALL_SERVERS</title>

2898

2899

ALL_SERVERS: List all displays, including console, remote, xnest.

2900

This can, for example, be useful to figure out if

2901

the display you are on is managed by the gdm daemon,

2902

by seeing if it is in the list. It is also somewhat

2903

like the 'w' command but for graphical sessions.

2904

Supported since: 2.4.2.96

2905

Arguments: None

2906

Answers:

2907

OK <server>;<server>;...

2908

2909

2910

2911

<logged in user> can be empty in case no one logged in yet

2912

2913

ERROR <err number> <english error description>

2914

0 = Not implemented

2915

200 = Too many messages

2916

999 = Unknown error

2917

</screen>

2918

</sect3>

2919

2920

2921

<title>ATTACHED_SERVERS</title>

2922

2923

ATTACHED_SERVERS: List all attached displays. Doesn't list XDMCP

2924

and xnest non-attached displays.

2925

Note: This command used to be named CONSOLE_SERVERS,

2926

which is still recognized for backwards

2927

compatibility. The optional pattern argument

2928

is supported as of version 2.8.0.0.

2929

Supported since: 2.2.4.0

2930

Arguments: <pattern> (optional)

2931

With no argument, all attached displays are returned. The optional

2932

<pattern> is a string that may contain glob characters '*', '?', and

2933

'[]'. Only displays that match the pattern will be returned.

2934

Answers:

2935

OK <server>;<server>;...

2936

2937

<server> is <display>,<logged in user>,<vt or xnest

2938

display>

2939

2940

<logged in user> can be empty in case no one logged

2941

in yet, and <vt> can be -1 if it's not known or not

2942

supported (on non-Linux for example). If the display is an

2943

xnest display and is a console one (that is, it is an xnest

2944

inside another console display) it is listed and instead of

2945

vt, it lists the parent display in standard form.

2946

2947

ERROR <err number> <english error description>

2948

0 = Not implemented

2949

200 = Too many messages

2950

999 = Unknown error

2951

</screen>

2952

</sect3>

2953

2954

2955

<title>AUTH_LOCAL</title>

2956

2957

AUTH_LOCAL: Setup this connection as authenticated for

2958

FLEXI_SERVER. Because all full blown

2959

(non-nested) displays can be started only from

2960

users logged into attached displays, and here GDM

2961

assumes only users logged in from GDM. They must

2962

pass the xauth MIT-MAGIC-COOKIE-1 that they were

2963

passed before the connection is authenticated.

2964

Note: The AUTH LOCAL command requires the

2965

--authenticate option, although only

2966

FLEXI XSERVER uses this currently.

2967

Note: Since 2.6.0.6 you can also use a global

2968

<ServAuthDir>/.cookie, which works for all

2969

authentication except for SET_LOGOUT_ACTION and

2970

QUERY_LOGOUT_ACTION and SET_SAFE_LOGOUT_ACTION

2971

which require a logged in display.

2972

Supported since: 2.2.4.0

2973

Arguments: <xauth cookie>

2974

<xauth cookie> is in hex form with no 0x prefix

2975

Answers:

2976

OK

2977

ERROR <err number> <english error description>

2978

0 = Not implemented

2979

100 = Not authenticated

2980

200 = Too many messages

2981

999 = Unknown error

2982

</screen>

2983

</sect3>

2984

2985

2986

<title>CLOSE</title>

2987

2988

CLOSE: Close sockets connection

2989

Supported since: 2.2.4.0

2990

Arguments: None

2991

Answers: None

2992

</screen>

2993

</sect3>

2994

2995

2996

<title>FLEXI_XNEST</title>

2997

2998

FLEXI_XNEXT: Start a new flexible nested display.

2999

Note: Supported on older version from 2.2.4.0, later

3000

2.2.4.2, but since 2.3.90.4 you must supply 4

3001

arguments or ERROR 100 will be returned. This

3002

will start the nested X server command using

3003

the XAUTHORITY file supplied and as the uid

3004

same as the owner of that file (and same as

3005

you supply). You must also supply the cookie as

3006

the third argument for this display, to prove

3007

that you indeed are this user. Also this file

3008

must be readable ONLY by this user, that is

3009

have a mode of 0600. If this all is not met,

3010

ERROR 100 is returned.

3011

Note: The cookie should be the MIT-MAGIC-COOKIE-1,

3012

the first one GDM can find in the XAUTHORITY

3013

file for this display. If that's not what you

3014

use you should generate one first. The cookie

3015

should be in hex form.

3016

Supported since: 2.3.90.4

3017

Arguments: <display to run on> <uid of requesting user>

3018

3019

Answers:

3020

OK <display>

3021

ERROR <err number> <english error description>

3022

0 = Not implemented

3023

1 = No more flexi servers

3024

2 = Startup errors

3025

3 = X failed

3026

4 = X too busy

3027

5 = Xnest can't connect

3028

6 = No server binary

3029

100 = Not authenticated

3030

200 = Too many messages

3031

999 = Unknown error

3032

</screen>

3033

</sect3>

3034

3035

3036

<title>FLEXI_XNEST_USER</title>

3037

3038

FLEXI_XNEST_USER: Start a new flexible nested display and

3039

initialize the greeter with the given username.

3040

Note: This is a variant of the FLEXI_XNEST command.

3041

Note: The cookie should be the MIT-MAGIC-COOKIE-1,

3042

the first one GDM can find in the XAUTHORITY

3043

file for this display. If that's not what you

3044

use you should generate one first. The cookie

3045

should be in hex form.

3046

Supported since: 2.17.7

3047

Arguments: <username> <display to run on> <uid of requesting

3048

user> <xauth cookie for the display> <xauth file>

3049

Answers:

3050

OK <display>

3051

ERROR <err number> <english error description>

3052

0 = Not implemented

3053

1 = No more flexi servers

3054

2 = Startup errors

3055

3 = X failed

3056

4 = X too busy

3057

5 = Xnest can't connect

3058

6 = No server binary

3059

100 = Not authenticated

3060

200 = Too many messages

3061

999 = Unknown error

3062

</screen>

3063

</sect3>

3064

3065

3066

<title>FLEXI_XSERVER</title>

3067

3068

FLEXI_XSERVER: Start a new X flexible display. Only supported on

3069

connection that passed AUTH_LOCAL

3070

Supported since: 2.2.4.0

3071

Arguments: <xserver type>

3072

If no arguments, starts the standard X server

3073

Answers:

3074

OK <display>

3075

ERROR <err number> <english error description>

3076

0 = Not implemented

3077

1 = No more flexi servers

3078

2 = Startup errors

3079

3 = X failed

3080

4 = X too busy

3081

6 = No server binary

3082

100 = Not authenticated

3083

200 = Too many messages

3084

999 = Unknown error

3085

</screen>

3086

</sect3>

3087

3088

3089

<title>FLEXI_XSERVER_USER</title>

3090

3091

FLEXI_XSERVER_USER: Start a new X flexible display and initialise the

3092

greeter with the given username. Only supported on

3093

connection that passed AUTH_LOCAL

3094

Supported since: 2.17.7

3095

Arguments: <username> <xserver type>

3096

If no server type specified, starts the standard X server

3097

Answers:

3098

OK <display>

3099

ERROR <err number> <english error description>

3100

0 = Not implemented

3101

1 = No more flexi servers

3102

2 = Startup errors

3103

3 = X failed

3104

4 = X too busy

3105

6 = No server binary

3106

100 = Not authenticated

3107

200 = Too many messages

3108

999 = Unknown error

3109

</screen>

3110

</sect3>

3111

3112

3113

<title>GET_CONFIG</title>

3114

3115

GET_CONFIG: Get configuration value for key. Useful so

3116

that other applications can request configuration

3117

information from GDM. Any key defined as GDM_KEY_*

3118

in gdm-daemon-config-keys.h is supported. Starting with version

3119

2.13.0.2, translated keys (such as

3120

"greeter/GdmWelcome[cs]" are supported via GET_CONFIG.

3121

Also starting with version 2.13.0.2 it is no longer necessary to

3122

include the default value (i.e. you can use key

3123

"greeter/IncludeAll" instead of having to use

3124

"greeter/IncludeAll=false".

3125

Supported since: 2.6.0.9

3126

Arguments: <key>

3127

Answers:

3128

OK <value>

3129

ERROR <err number> <english error description>

3130

0 = Not implemented

3131

50 = Unsupported key

3132

200 = Too many messages

3133

999 = Unknown error

3134

</screen>

3135

</sect3>

3136

3137

3138

<title>GET_CONFIG_FILE</title>

3139

3140

GET_CONFIG_FILE: Get configuration file location being used by

3141

the daemon. If the GDM daemon was started

3142

with the --config option, it will return

3143

the value passed in via the argument.

3144

Supported since: 2.8.0.2

3145

Arguments: None

3146

Answers:

3147

OK <full path to GDM configuration file>

3148

ERROR <err number> <english error description>

3149

0 = Not implemented

3150

200 = Too many messages

3151

999 = Unknown error

3152

</screen>

3153

</sect3>

3154

3155

3156

<title>GET_CUSTOM_CONFIG_FILE</title>

3157

3158

GET_CUSTOM_CONFIG_FILE: Get custom configuration file location being

3159

used by the daemon.

3160

Supported since: 2.14.0.0

3161

Arguments: None

3162

Answers:

3163

OK <full path to GDM custom configuration file>

3164

ERROR <err number> <english error description>

3165

0 = Not implemented

3166

1 = File not found

3167

200 = Too many messages

3168

999 = Unknown error

3169

</screen>

3170

</sect3>

3171

3172

3173

<title>GET_SERVER_DETAILS</title>

3174

3175

GET_SERVER_DETAILS: Get detail information for a specific server.

3176

Supported since: 2.13.0.4

3177

Arguments: <server> <key>

3178

Key values include:

3179

NAME - Returns the server name

3180

COMMAND - Returns the server command

3181

FLEXIBLE - Returns "true" if flexible, "false"

3182

otherwise

3183

CHOOSABLE - Returns "true" if choosable, "false"

3184

otherwise

3185

HANDLED - Returns "true" if handled, "false"

3186

otherwise

3187

CHOOSER - Returns "true" if chooser, "false"

3188

otherwise

3189

PRIORITY - Returns process priority

3190

Answers:

3191

OK <value>

3192

ERROR <err number> <english error description>

3193

0 = Not implemented

3194

1 = Server not found

3195

2 = Key not valid

3196

50 = Unsupported key

3197

200 = Too many messages

3198

999 = Unknown error

3199

</screen>

3200

</sect3>

3201

3202

3203

<title>GET_SERVER_LIST</title>

3204

3205

GET_SERVER_LIST: Get a list of the server sections from

3206

the configuration file.

3207

Supported since: 2.13.0.4

3208

Arguments: None

3209

Answers:

3210

OK <value>;<value>;...

3211

ERROR <err number> <english error description>

3212

0 = Not implemented

3213

1 = No servers found

3214

200 = Too many messages

3215

999 = Unknown error

3216

</screen>

3217

</sect3>

3218

3219

3220

<title>GREETERPIDS</title>

3221

3222

GREETERPIDS: List all greeter pids so that one can send HUP

3223

to them for config re-reading. Of course one

3224

must be root to do that.

3225

Supported since: 2.3.90.2

3226

Arguments: None

3227

Answers:

3228

OK <pid>;<pid>;...

3229

ERROR <err number> <english error description>

3230

0 = Not implemented

3231

200 = Too many messages

3232

999 = Unknown error

3233

</screen>

3234

</sect3>

3235

3236

3237

<title>QUERY_LOGOUT_ACTION</title>

3238

3239

QUERY_LOGOUT_ACTION: Query which logout actions are possible

3240

Only supported on connections that passed

3241

AUTH_LOCAL.

3242

Supported since: 2.5.90.0

3243

Answers:

3244

OK <action>;<action>;...

3245

Where action is one of HALT, REBOOT, SUSPEND or CUSTOM_CMD[0-9].

3246

An empty list can also be returned if no action is possible.

3247

A '!' is appended to an action if it was already set with

3248

SET_LOGOUT_ACTION or SET_SAFE_LOGOUT_ACTION. Note that

3249

SET_LOGOUT_ACTION has precedence over

3250

SET_SAFE_LOGOUT_ACTION.

3251

ERROR <err number> <english error description>

3252

0 = Not implemented

3253

100 = Not authenticated

3254

200 = Too many messages

3255

999 = Unknown error

3256

</screen>

3257

</sect3>

3258

3259

3260

<title>QUERY_CUSTOM_CMD_LABELS</title>

3261

3262

QUERY_CUSTOM_CMD_LABELS: Query labels belonging to exported custom

3263

commands Only supported on connections that

3264

passed AUTH_LOCAL.

3265

Supported since: 2.5.90.0

3266

Answers:

3267

OK <label1>;<label2>;...

3268

Where labelX is one of the labels belonging to CUSTOM_CMDX

3269

(where X in [0,GDM_CUSTOM_COMMAND_MAX)). An empty list can

3270

also be returned if none of the custom commands are exported

3271

outside login manager (no CustomCommandIsPersistent options

3272

are set to true).

3273

ERROR <err number> <english error description>

3274

0 = Not implemented

3275

100 = Not authenticated

3276

200 = Too many messages

3277

999 = Unknown error

3278

</screen>

3279

</sect3>

3280

3281

3282

<title>QUERY_CUSTOM_CMD_NO_RESTART_STATUS</title>

3283

3284

QUERY_CUSTOM_CMD_NO_RESTART_STATUS: Query NoRestart config options

3285

for each of custom commands Only

3286

supported on connections that

3287

passed AUTH_LOCAL.

3288

Supported since: 2.5.90.0

3289

Answers:

3290

OK <status>

3291

Where each bit of the status represents NoRestart value for

3292

each of the custom commands.

3293

bit on (1): NoRestart = true,

3294

bit off (0): NoRestart = false.

3295

ERROR <err number> <english error description>

3296

0 = Not implemented

3297

100 = Not authenticated

3298

200 = Too many messages

3299

999 = Unknown error

3300

</screen>

3301

</sect3>

3302

3303

3304

<title>QUERY_VT</title>

3305

3306

QUERY_VT: Ask the daemon about which VT we are currently on.

3307

This is useful for logins which don't own

3308

/dev/console but are still console logins. Only

3309

supported on Linux currently, other places will

3310

just get ERROR 8. This is also the way to query

3311

if VT support is available in the daemon in the

3312

first place. Only supported on connections that

3313

passed AUTH_LOCAL.

3314

Supported since: 2.5.90.0

3315

Arguments: None

3316

Answers:

3317

OK <vt number>

3318

ERROR <err number> <english error description>

3319

0 = Not implemented

3320

8 = Virtual terminals not supported

3321

100 = Not authenticated

3322

200 = Too many messages

3323

999 = Unknown error

3324

</screen>

3325

</sect3>

3326

3327

3328

<title>RELEASE_DYNAMIC_DISPLAYS</title>

3329

3330

RELEASE_DYNAMIC_DISPLAYS: Release dynamic displays currently in

3331

DISPLAY_CONFIG state

3332

Supported since: 2.8.0.0

3333

Arguments: <display to release>

3334

Answers:

3335

OK <display>

3336

ERROR <err number> <english error description>

3337

0 = Not implemented

3338

1 = Bad display number

3339

100 = Not authenticated

3340

200 = Dynamic Displays not allowed

3341

999 = Unknown error

3342

</screen>

3343

</sect3>

3344

3345

3346

<title>REMOVE_DYNAMIC_DISPLAY</title>

3347

3348

REMOVE_DYNAMIC_DISPLAY: Remove a dynamic display, killing the server

3349

and purging the display configuration

3350

Supported since: 2.8.0.0

3351

Arguments: <display to remove>

3352

Answers:

3353

OK <display>

3354

ERROR <err number> <english error description>

3355

0 = Not implemented

3356

1 = Bad display number

3357

100 = Not authenticated

3358

200 = Dynamic Displays not allowed

3359

999 = Unknown error

3360

</screen>

3361

</sect3>

3362

3363

3364

<title>SERVER_BUSY</title>

3365

3366

SERVER_BUSY: Returns true if half or more of the daemon's sockets

3367

are busy, false otherwise. Used by slave programs

3368

which want to ensure they do not overwhelm the

3369

sever.

3370

Supported since: 2.13.0.8

3371

Arguments: None

3372

Answers:

3373

OK <value>

3374

ERROR <err number> <english error description>

3375

0 = Not implemented

3376

200 = Too many messages

3377

999 = Unknown error

3378

</screen>

3379

</sect3>

3380

3381

3382

<title>SET_LOGOUT_ACTION</title>

3383

3384

SET_LOGOUT_ACTION: Tell the daemon to halt/restart/suspend after

3385

slave process exits. Only supported on

3386

connections that passed AUTH_LOCAL.

3387

Supported since: 2.5.90.0

3388

Arguments: <action>

3389

NONE Set exit action to 'none'

3390

HALT Set exit action to 'halt'

3391

REBOOT Set exit action to 'reboot'

3392

SUSPEND Set exit action to 'suspend'

3393

CUSTOM_CMD[0-9] Set exit action to 'custom command [0-9]'

3394

Answers:

3395

OK

3396

ERROR <err number> <english error description>

3397

0 = Not implemented

3398

7 = Unknown logout action, or not available

3399

100 = Not authenticated

3400

200 = Too many messages

3401

999 = Unknown error

3402

</screen>

3403

</sect3>

3404

3405

3406

<title>SET_SAFE_LOGOUT_ACTION</title>

3407

3408

SET_SAFE_LOGOUT_ACTION: Tell the daemon to halt/restart/suspend

3409

after everybody logs out. If only one

3410

person logs out, then this is obviously

3411

the same as the SET_LOGOUT_ACTION. Note

3412

that SET_LOGOUT_ACTION has precedence

3413

over SET_SAFE_LOGOUT_ACTION if it is set

3414

to something other then NONE. If no one

3415

is logged in, then the action takes effect

3416

effect immediately. Only supported on

3417

connections that passed AUTH_LOCAL.

3418

Supported since: 2.5.90.0

3419

Arguments: <action>

3420

NONE Set exit action to 'none'

3421

HALT Set exit action to 'halt'

3422

REBOOT Set exit action to 'reboot'

3423

SUSPEND Set exit action to 'suspend'

3424

CUSTOM_CMD[0-9] Set exit action to 'custom command [0-9]'

3425

Answers:

3426

OK

3427

ERROR <err number> <english error description>

3428

0 = Not implemented

3429

7 = Unknown logout action, or not available

3430

100 = Not authenticated

3431

200 = Too many messages

3432

999 = Unknown error

3433

</screen>

3434

</sect3>

3435

3436

3437

3438

3439

SET_VT: Change to the specified virtual terminal.

3440

This is useful for logins which don't own /dev/console

3441

but are still console logins. Only currently supported

3442

on Linux, other systems will just get ERROR 8.

3443

Only supported on connections that passed AUTH_LOCAL.

3444

Supported since: 2.5.90.0

3445

Arguments: <vt>

3446

Answers:

3447

OK

3448

ERROR <err number> <english error description>

3449

0 = Not implemented

3450

8 = Virtual terminals not supported

3451

9 = Invalid virtual terminal number

3452

100 = Not authenticated

3453

200 = Too many messages

3454

999 = Unknown error

3455

</screen>

3456

</sect3>

3457

3458

3459

<title>UPDATE_CONFIG</title>

3460

3461

UPDATE_CONFIG: Tell the daemon to re-read a key from the

3462

GDM configuration file. Any user can request

3463

that values are re-read but the daemon will

3464

only do so if the file has been modified

3465

since GDM first read the file. Only users

3466

who can change the GDM configuration file

3467

(normally writable only by the root user) can

3468

actually modify the GDM configuration. This

3469

command is useful to cause the GDM to update

3470

itself to recognise a change made to the GDM

3471

configuration file by the root user.

3472

3473

Starting with version 2.13.0.0, all GDM keys are

3474

supported except for the following:

3475

3476

daemon/PidFile

3477

daemon/ConsoleNotify

3478

daemon/User

3479

daemon/Group

3480

daemon/LogDir

3481

daemon/ServAuthDir

3482

daemon/UserAuthDir

3483

daemon/UserAuthFile

3484

daemon/UserAuthFBDir

3485

3486

GDM also supports the following Psuedokeys:

3487

3488

xdmcp/PARAMETERS (2.3.90.2) updates the following:

3489

xdmcp/MaxPending

3490

xdmcp/MaxSessions

3491

xdmcp/MaxWait

3492

xdmcp/DisplaysPerHost

3493

xdmcp/HonorIndirect

3494

xdmcp/MaxPendingIndirect

3495

xdmcp/MaxWaitIndirect

3496

xdmcp/PingIntervalSeconds (only affects new connections)

3497

3498

xservers/PARAMETERS (2.13.0.4) updates the following:

3499

all [server-foo] sections.

3500

3501

Supported keys for previous versions of GDM:

3502

3503

security/AllowRoot (2.3.90.2)

3504

security/AllowRemoteRoot (2.3.90.2)

3505

security/AllowRemoteAutoLogin (2.3.90.2)

3506

security/RetryDelay (2.3.90.2)

3507

security/DisallowTCP (2.4.2.0)

3508

daemon/Greeter (2.3.90.2)

3509

daemon/RemoteGreeter (2.3.90.2)

3510

xdmcp/Enable (2.3.90.2)

3511

xdmcp/Port (2.3.90.2)

3512

daemon/TimedLogin (2.3.90.3)

3513

daemon/TimedLoginEnable (2.3.90.3)

3514

daemon/TimedLoginDelay (2.3.90.3)

3515

greeter/SystemMenu (2.3.90.3)

3516

greeter/ConfigAvailable (2.3.90.3)

3517

greeter/ChooserButton (2.4.2.0)

3518

greeter/SoundOnLoginFile (2.5.90.0)

3519

daemon/AddGtkModules (2.5.90.0)

3520

daemon/GtkModulesList (2.5.90.0)

3521

Supported since: 2.3.90.2

3522

Arguments: <key>

3523

<key> is just the base part of the key such as

3524

"security/AllowRemoteRoot"

3525

Answers:

3526

OK

3527

ERROR <err number> <english error description>

3528

0 = Not implemented

3529

50 = Unsupported key

3530

200 = Too many messages

3531

999 = Unknown error

3532

</screen>

3533

</sect3>

3534

3535

3536

<title>VERSION</title>

3537

3538

VERSION: Query GDM version

3539

Supported since: 2.2.4.0

3540

Arguments: None

3541

Answers:

3542

GDM <gdm version>

3543

ERROR <err number> <english error description>

3544

200 = Too many messages

3545

999 = Unknown error

3546

</screen>

3547

</sect3>

3548

</sect2>

3549

</sect1>

3550

3551

3552

3553

3554

<title>GDM Commands</title>

3555

3556

3557

<title>GDM User Commands</title>

3558

3559

<para>The GDM package provides the following different commands in <filename>bindir</filename> intended to be used by the end-user:</para>

3560

3561

3562

<title><command>gdmXnestchooser</command> and <command>gdmXnest</command> Command Line Options</title>

3563

3564

<para>

3565

The <command>gdmXnestchooser</command> command automatically gets

3566

the correct display number, sets up access, and runs the nested

3567

X server command with the "-indirect localhost" argument.

3568

This provides an XDMCP chooser program. You can also supply as an

3569

argument the hostname whose chooser should be displayed, so

3570

<command>gdmXnestchooser somehost</command> will run the XDMCP

3571

chooser from host <command>somehost</command> inside a nested

3572

X server session. You can make this command do a direct query

3573

instead by passing the <command>-d</command> option as well. In

3574

addition to the following options, this command also supports

3575

standard GNOME options.

3576

</para>

3577

3578

3579

<title><command>gdmXnestchooser</command> Command Line Options</title>

3580

3581

3582

<term>-x, --xnest=STRING</term>

3583

3584

<para>

3585

Nested X server command line, default is defined by the

3586

<filename>Xnest</filename> configuration option.

3587

</para>

3588

</listitem>

3589

</varlistentry>

3590

3591

3592

<term>-o, --xnest-extra-options=OPTIONS</term>

3593

3594

<para>

3595

Extra options for nested X server, default is no options.

3596

</para>

3597

</listitem>

3598

</varlistentry>

3599

3600

3601

<term>-n, --no-query</term>

3602

3603

<para>

3604

Just run nested X server, no query (no chooser)

3605

</para>

3606

</listitem>

3607

</varlistentry>

3608

3609

3610

<term>-d, --direct</term>

3611

3612

<para>Do direct query instead of indirect (chooser)</para>

3613

</listitem>

3614

</varlistentry>

3615

3616

3617

<term>-B, --broadcast</term>

3618

3619

<para>Run broadcast instead of indirect (chooser)</para>

3620

</listitem>

3621

</varlistentry>

3622

3623

3624

<term>-b, --background</term>

3625

3626

<para>Run in background</para>

3627

</listitem>

3628

</varlistentry>

3629

3630

3631

<term>--no-gdm-check</term>

3632

3633

<para>Don't check for running GDM</para>

3634

</listitem>

3635

</varlistentry>

3636

</variablelist>

3637

</sect3>

3638

3639

3640

<title><command>gdmflexichooser</command> Command Line Options</title>

3641

3642

<para>

3643

The <command>gdmflexiserver</command> command provides three

3644

features. It can be used to run flexible (on demand) X displays,

3645

to run a flexible display via nested X server, and to send commands to

3646

the GDM daemon process.

3647

</para>

3648

3649

<para>Starting a flexible X display will normally lock the current session with a screensaver and will redisplay the GDM login screen so a second user can log in. This feature is only available on systems that support virtual terminals and have them enabled. This feature is useful if you are logged in as user A and user B wants to log in quickly but user A does not wish to log out. The X server takes care of the virtual terminal switching so it works transparently. If there is more than one running display defined with flexible=true, then the user is shown a dialogue that displays the currently running sessions. The user can then pick which session to continue and will normally have to enter the password to unlock the screen.</para>

3650

3651

<para>

3652

Nested displays works on systems that do not support virtual

3653

terminals. This option starts a flexible display in a window in the

3654

current session. This does not lock the current session, so is not

3655

as secure as a flexible server started via virtual terminals.

3656

</para>

3657

3658

<para>The <command>gdmflexiserver --command</command> option provides a way to send commands to the GDM daemon and can be used to debug problems or to change the GDM configuration.</para>

3659

3660

<para>In addition to the following options, <command>gdmflexiserver</command> also supports standard GNOME options.</para>

3661

3662

3663

<title><command>gdmflexichooser</command> Command Line Options</title>

3664

3665

3666

<term>-c, --command=COMMAND</term>

3667

3668

<para>Send the specified protocol command to GDM</para>

3669

</listitem>

3670

</varlistentry>

3671

3672

3673

<term>-n, --xnest</term>

3674

3675

<para>

3676

Start a flexible X display in Nested mode

3677

</para>

3678

</listitem>

3679

</varlistentry>

3680

3681

3682

3683

3684

<para>Do not lock current screen</para>

3685

</listitem>

3686

</varlistentry>

3687

3688

3689

<term>-d, --debug</term>

3690

3691

<para>Turns on debugging output which gets sent to syslog. Same as turning on debug in the configuration file.</para>

3692

</listitem>

3693

</varlistentry>

3694

3695

3696

<term>-a, --authenticate</term>

3697

3698

<para>Authenticate before running --command</para>

3699

</listitem>

3700

</varlistentry>

3701

3702

3703

<term>-s, --startnew</term>

3704

3705

<para>Starts a new flexible display without displaying a dialogue asking the user if they wish to continue any existing sessions.</para>

3706

</listitem>

3707

</varlistentry>

3708

</variablelist>

3709

</sect3>

3710

3711

3712

<title><command>gdmdynamic</command> Command Line Options</title>

3713

3714

<para>

3715

<command>gdmdynamic</command> allows the management of displays in a

3716

dynamic fashion. It is typically used in environments where it is not

3717

possible to list the possible displays in the GDM configuration files.

3718

The <command>gdmdynamic</command> command can be used to create a new

3719

display on a particular display number, run all newly created displays,

3720

or remove a display. The <command>gdmdynamic</command> command can also

3721

be used to list all attached displays or only those attached displays

3722

that match a pattern. The -a option is used to add a display, the -r

3723

option is used to run (or release) a display, the -d option is used to

3724

delete a display, and the -l option lists existing displays. Only one

3725

of these four options can be specified at a time, so in the life cycle

3726

of a particular display, the command will be run once to add, again to

3727

release (run) the display, and finally to delete when the session is to

3728

be terminated.

3729

</para>

3730

3731

<para>

3732

This program is designed to manage multiple simultaneous requests and

3733

tries to avoid flooding the daemon with requests. If the sockets

3734

connection is busy, it will sleep and retry a certain number of times

3735

that can be tuned with the -s and -t options.

3736

</para>

3737

3738

3739

<title><command>gdmdynamic</command> Command Line Options</title>

3740

3741

3742

<term>-a display=server</term>

3743

3744

<para>Add a new display configuration, leaving it in the DISPLAY_CONFIG state. For example, <command>"-a 2=StandardServerTwo"</command><command>"-a 3=/usr/X11R6/bin/X -dev /dev/fb2"</command></para>

3745

<para>The display will not actually be started until the display is released by calling <command>gdmdynamic</command> again with the -r option.</para>

3746

</listitem>

3747

</varlistentry>

3748

3749

3750

3751

3752

<para>Release (run) all displays waiting in the DISPLAY_CONFIG state.</para>

3753

</listitem>

3754

</varlistentry>

3755

3756

3757

<term>-d display</term>

3758

3759

<para>Delete a display, killing the X server and purging the display configuration. For example, "-d 3".</para>

3760

</listitem>

3761

</varlistentry>

3762

3763

3764

<term>-l [pattern]</term>

3765

3766

<para>List displays via the ATTACHED_SERVERS <command>gdmflexiserver</command> command. Without a pattern lists all attached displays. With a pattern will match using glob characters '*', '?', and '[]'. For example: <command>"-l Standard*"</command><command>"-l *Xorg*"</command></para>

3767

</listitem>

3768

</varlistentry>

3769

3770

3771

3772

3773

<para>

3774

Verbose mode. Prints diagnostic messages.

3775

to GDM.

3776

</para>

3777

</listitem>

3778

</varlistentry>

3779

3780

3781

3782

3783

<para>Background mode. Fork child to do the work and return immediately.</para>

3784

</listitem>

3785

</varlistentry>

3786

3787

3788

<term>-t RETRY</term>

3789

3790

<para>If the daemon socket is busy, <command>gdmdynamic</command> will retry to open the connection the specified RETRY number of times. The default value is 15.</para>

3791

</listitem>

3792

</varlistentry>

3793

3794

3795

<term>-s SLEEP</term>

3796

3797

<para>If the daemon socket is busy, <command>gdmdynamic</command> will sleep an amount of time between retries. A random number of seconds between 0 and 5 is added to the SLEEP value to help ensure that multiple calls to gdmdynamic do not all try to restart at the same time. A SLEEP value of zero causes the sleep time to be 1 second. The default value is 8 seconds.</para>

3798

</listitem>

3799

</varlistentry>

3800

3801

</variablelist>

3802

</sect3>

3803

3804

3805

<title><command>gdmphotosetup</command> Command Line Options</title>

3806

3807

<para>Allows the user to select an image that will be used as the user's photo by GDM's face browser, if enabled by GDM. The selected file is stored as <filename>~/.face</filename>. This command accepts the standard GNOME options.</para>

3808

</sect3>

3809

3810

3811

<title><command>gdmthemetester</command> Command Line Options</title>

3812

3813

<para><command>gdmthemetester</command> takes two parameters. The first parameter specifies the environment and the second parameter specifies the path name or the name of a theme to view. This is a tool for viewing a theme outside of GDM. It is useful for testing or viewing themes. <command>gdmthemetester</command> requires that the system support <command>gdmXnest</command>. Note that themes can display differently depending on the theme's "Show mode". <command>gdmthemetester</command> allows viewing the themes in different modes via the environment option. Valid environment values and their meanings follow: <screen>

3814

console - In console mode.

3815

console-timed - In console non-flexi mode.

3816

flexi - In flexi mode.

3817

xdmcp - In remote (XDMCP) mode.

3818

remote-flexi - In remote (XDMCP) & flexi mode.

3819

</screen></para>

3820

</sect3>

3821

</sect2>

3822

3823

3824

<title>GDM Root User Commands</title>

3825

3826

<para>The GDM package provides the following different commands in <filename>sbindir</filename> intended to be used by the root user:</para>

3827

3828

3829

<title><command>gdm</command> and <command>gdm-binary</command> Command Line Options</title>

3830

3831

<para>The <command>gdm</command> command is a script which runs the <command>gdm-binary</command>, passing any options. Before launching <command>gdm-binary</command>, the gdm wrapper script will source the <filename><etc>/profile</filename> file to set the standard system environment variables. In order to better support internationalisation, it will also set the LC_MESSAGES environment variable to LANG if neither LC_MESSAGES or LC_ALL are set. If you need to set some additional environment variables before launching GDM, you can do so in this script.</para>

3832

3833

3834

<title><command>gdm</command> and <command>gdm-binary</command> Command Line Options</title>

3835

3836

3837

3838

3839

<para>Gives a brief overview of the command line options.</para>

3840

</listitem>

3841

</varlistentry>

3842

3843

3844

<term>--nodaemon</term>

3845

3846

<para>If this option is specified, then GDM does not fork into the background when run. You can also use a single-dash version, "-nodaemon" for compatibility with other display managers.</para>

3847

</listitem>

3848

</varlistentry>

3849

3850

3851

<term>--no-console</term>

3852

3853

<para>

3854

Tell the daemon that it should not run anything on the console.

3855

This means that none of the attached servers from the

3856

<filename>[servers]</filename> section will be started, and the

3857

console will not be used for communicating errors to the user.

3858

An empty <filename>[servers]</filename> section automatically

3859

implies this option.

3860

</para>

3861

</listitem>

3862

</varlistentry>

3863

3864

3865

<term>--config=CONFIGFILE</term>

3866

3867

<para>Specify an alternative configuration file.</para>

3868

</listitem>

3869

</varlistentry>

3870

3871

3872

<term>--preserve-ld-vars</term>

3873

3874

<para>When clearing the environment internally, preserve all variables starting with LD_. This is mostly for debugging purposes.</para>

3875

</listitem>

3876

</varlistentry>

3877

3878

3879

<term>--version</term>

3880

3881

<para>Print the version of the GDM daemon.</para>

3882

</listitem>

3883

</varlistentry>

3884

3885

3886

3887

3888

<para>

3889

If started with this option, gdm will init, but only start the

3890

first attached display and then wait for a GO message in the

3891

fifo protocol. No greeter will be shown until the GO message

3892

is sent. Also flexiserver requests will be denied and XDMCP

3893

will not be started until GO is given. This is useful for

3894

initialization scripts which wish to start X early, but where

3895

you don't yet want the user to start logging in. So the script

3896

would send the GO to the fifo once it is ready and GDM will

3897

then continue. This functionality was added in version

3898

2.5.90.0.

3899

</para>

3900

</listitem>

3901

</varlistentry>

3902

</variablelist>

3903

</sect3>

3904

3905

3906

<title><command>gdmsetup</command> Command Line Options</title>

3907

3908

<para><command>gdmsetup</command> runs a graphical application for modifying the GDM configuration file. Normally on systems that support the PAM user helper, this is set up such that when you run <command>gdmsetup</command> as an ordinary user, it will first ask you for your root password before starting. Otherwise, this application may only be run as root. This application supports standard GNOME options.</para>

3909

</sect3>

3910

3911

3912

<title><command>gdm-restart</command> Command Line Options</title>

3913

3914

<para><command>gdm-restart</command> stops and restarts GDM by sending the GDM daemon a HUP signal. This command will immediately terminate all sessions and log out users currently logged in with GDM.</para>

3915

</sect3>

3916

3917

3918

<title><command>gdm-safe-restart</command> Command Line Options</title>

3919

3920

<para><command>gdm-safe-restart</command> stops and restarts GDM by sending the GDM daemon a USR1 signal. GDM will be restarted as soon as all users log out.</para>

3921

</sect3>

3922

3923

3924

<title><command>gdm-stop</command> Command Line Options</title>

3925

3926

<para><command>gdm-stop</command> stops GDM by sending the GDM daemon a TERM signal.</para>

3927

</sect3>

3928

</sect2>

3929

3930

3931

<title>GDM Internal Commands</title>

3932

3933

<para>The GDM package provides the following different commands in <filename>libexecdir</filename> intended to be used by the gdm daemon process.</para>

3934

3935

3936

<title><command>gdmchooser</command> and <command>gdmlogin</command> Command Line Options</title>

3937

3938

<para>The <command>gdmgreeter</command> and <command>gdmlogin</command> are two different login applications, either can be used by GDM. <command>gdmgreeter</command> is themeable with GDM themes while <command>gdmlogin</command> is themable with GTK+ themes. These applications are normally executed by the GDM daemon. Both commands support standard GNOME options.</para>

3939

</sect3>

3940

3941

3942

<title><command>gdmchooser</command> Command Line Options</title>

3943

3944

<para>

3945

The <command>gdmchooser</command> is the XDMCP chooser application.

3946

The <command>gdmchooser</command> is normally executed by the GDM

3947

daemon. It supports the following options for XDM compatibility.

3948

This command supports standard GNOME options.

3949

</para>

3950

3951

3952

<title><command>gdmchooser</command> Command Line Options</title>

3953

3954

3955

<term>--xdmaddress=SOCKET</term>

3956

3957

<para>Socket for XDM communication.</para>

3958

</listitem>

3959

</varlistentry>

3960

3961

3962

<term>--clientaddress=ADDRESS</term>

3963

3964

<para>Client address to return in response to XDM. This option is for running gdmchooser with XDM, and is not used within GDM.</para>

3965

</listitem>

3966

</varlistentry>

3967

3968

3969

<term>--connectionType=TYPE</term>

3970

3971

<para>Connection type to return in response to XDM. This option is for running gdmchooser with XDM, and is not used within GDM.</para>

3972

</listitem>

3973

</varlistentry>

3974

</variablelist>

3975

</sect3>

3976

3977

3978

<title><command>gdm-ssh-session</command></title>

3979

3980

<para>The <command>gdm-ssh-session</command> is normally executed by the GDM daemon when starting a secure remote connection through ssh. It does not take any options.</para>

3981

</sect3>

3982

</sect2>

3983

</sect1>

3984

3985

3986

3987

3988

<title>Themed Greeter</title>

3989

3990

<para>This section describes the creation of themes for the Themed Greeter. For examples including screenshots, see the standard installed themes and the themes from <ulink type="http" url="http://art.gnome.org/themes/gdm_greeter/"> the theme website</ulink>.</para>

3991

3992

3993

<title>Theme Overview</title>

3994

3995

<para>GDM Themes can be created by creating an XML file that follows the specification in gui/greeter/greeter.dtd. Theme files are stored in the directory <filename><share>/gdm/themes/<theme_name></filename>. Usually this would be under <filename>/usr/share</filename>. The theme directory should contain a file called <filename>GdmGreeterTheme.desktop</filename> which has similar format to other .desktop files and looks like:</para>

3996

3997

3998

[GdmGreeterTheme]

3999

Encoding=UTF-8

4000

Greeter=circles.xml

4001

Name=Circles

4002

Description=Theme with blue circles

4003

Author=Bond, James Bond

4004

4005

Screenshot=screenshot.png

4006

</screen>

4007

4008

<para>The Name, Description, Author and Copyright fields can be translated just like the other <filename>.desktop</filename>files. All the files that are mentioned should be in the theme directory itself. The Screenshot field points to a file which should be a 200x150 screenshot of the theme in action (it is OK not to have one, but it makes it nicer for user). The Greeter field points to an XML file that contains the description of the theme. The description will be given later.</para>

4009

4010

<para>

4011

Once a theme is installed, it can be tested with the

4012

<command>gdmthemetester</command> program. This program assumes that

4013

the X server supports a nested server command. This command takes two

4014

arguments, first the environment that should be used. The environment

4015

can be one of the following values: console, console-timed, flexi,

4016

remote-flexi, or xdmcp. The "console" option tests the

4017

theme as it would be shown on an attached display. The

4018

"console-timed" option tests the theme as it would be shown

4019

on an attached display with timed login enabled. The "flexi"

4020

option tests the theme as it would be shown on an attached flexible

4021

display (such as started via Xnest). Finally, the "xdmcp"

4022

option tests the theme as it would be shown for remote XDMCP

4023

displays. The second argument is the theme name. For example, to

4024

test how the circles theme would look in XDMP remote display mode,

4025

you would run the following command:

4026

</para>

4027

4028

4029

<command>gdmthemetester xdmcp circles</command>

4030

</screen>

4031

4032

<para>

4033

When developing a theme, make sure to test all the environments, and

4034

make sure to test how the caps lock warning looks by pressing the caps

4035

lock key. Running <command>gdmthemetester</command> is also a good way

4036

to take screenshots of GDM themes. Simply take a screenshot of the

4037

theme running in the nested display window. This can be done in GNOME

4038

by focusing the nested login window and pressing Alt-PrintScreen.

4039

</para>

4040

4041

<para>

4042

Once a theme has been fully tested, then make a tarball that contains

4043

the directory as it would be insatlled to the

4044

<filename><share>/gdm/themes</filename> directory. This is

4045

the standard format for distributing GDM themes.

4046

</para>

4047

</sect2>

4048

4049

4050

<title>Detailed Description of Theme XML format</title>

4051

4052

4053

<title>greeter tag</title>

4054

4055

<para>The GDM theme format is specified in XML format contained within a <greeter> tag. You may specify a GTK+ theme to be used with this theme by using the gtk-theme element in the greeter tag as in the following example.</para>

4056

4057

4058

<?xml version="1.0" encoding="UTF-8"?>

4059

<!DOCTYPE greeter SYSTEM "greeter.dtd">

4060

4061

[...]

4062

</greeter>

4063

</screen>

4064

4065

<para>Contained within the greeter tag can be the nodes described in the next sections of this document. Some of these nodes are containers (box nodes, rect item nodes) which can be used to organize how to display the nodes that the user sees and interacts with (such as button, pixmap and entry item nodes).</para>

4066

</sect3>

4067

4068

4069

<title>Box Nodes</title>

4070

4071

<para>Box nodes are container nodes for item nodes. Box nodes are specified as follows: <screen>

4072

<box orientation="alignment" min-width="num"

4073

xpadding="num" ypadding="num" spacing="num"

4074

homogeneous="bool">

4075

</screen> Where "num" means number and bool means either "true" or "false" The alignment value can be either "horizontal" or "vertical". If you leave any property off it will default to zero or "false" in case of "homogeneous" and "vertical" for the orientation.</para>

4076

4077

<para>If the box is homogeneous then the children are allocated equal amount of space.</para>

4078

4079

<para>The "min-width" must be specified in pixels. Obviously there is also a corresponding "min-height" property as well.</para>

4080

</sect3>

4081

4082

4083

<title>Fixed Nodes</title>

4084

4085

<para>Fixed is a container that has its children scattered about laid out with precise co-ordinates. The size of this container is the largest rectangle that contains all the children. Fixed has no extra properties and so you just use: <screen>

4086

<fixed>

4087

</screen> Then you put other items with proper position nodes inside this.</para>

4088

4089

<para>The "toplevel" node is really just like a fixed node.</para>

4090

</sect3>

4091

4092

4093

<title>Item Nodes</title>

4094

4095

<para>A GDM Theme is created by specifying a hierarchy of item and box nodes. Item nodes can have the following value for "type":</para>

4096

4097

4098

4099

<term>button</term>

4100

4101

<para>A button field. This field uses a GTK+ button. It is also possible to make a "rect" item act like a button by setting its button element to true. However it is better to use GTK+ buttons in GDM themes since these are accessible to users with disabilities. Also, GTK+ buttons can be themed. This feature is supported in GDM 2.14.6 and later.</para>

4102

</listitem>

4103

</varlistentry>

4104

4105

4106

<term>entry</term>

4107

4108

<para>Text entry field.</para>

4109

</listitem>

4110

</varlistentry>

4111

4112

4113

<term>label</term>

4114

4115

<para>A text label. Must have a "text" node to specify the text.</para>

4116

</listitem>

4117

</varlistentry>

4118

4119

4120

4121

4122

<para>A face browser widget. Only useful if the face browser is enabled via the configuration.</para>

4123

</listitem>

4124

</varlistentry>

4125

4126

4127

<term>pixmap</term>

4128

4129

<para>An pixmap image in a format that gdk-pixbuf supports like PNG, JPEG, Tiff, etc...)</para>

4130

</listitem>

4131

</varlistentry>

4132

4133

4134

4135

4136

<para>Rectangle.</para>

4137

</listitem>

4138

</varlistentry>

4139

4140

4141

4142

4143

<para>Scaled Vector Graphic image.</para>

4144

</listitem>

4145

</varlistentry>

4146

</variablelist>

4147

4148

<para>For example: <screen>

4149

4150

</screen> Items can specify ID values which gives them a specific look and feel or formatting. Furthermore you can customise the login process by adding custom widgets with custom id's for some items (currently only the list item)</para>

4151

4152

<para>Entry items can have id values as follows:</para>

4153

4154

4155

4156

<term>user-pw-entry</term>

4157

4158

<para>Entry field for userid and password entry. This is the field used for responses for the PAM/GDM questions (Username, Password, etc..).</para>

4159

</listitem>

4160

</varlistentry>

4161

</variablelist>

4162

4163

<para>List items by default display as lists, but the combo="true" attribute can be used to specify combo box style (combo style supported since GDM 2.16.2). Some predefined lists may be included in a theme by using the following id values. Customised lists may also be defined, which are explained below.</para>

4164

4165

4166

4167

<term>session</term>

4168

4169

<para>A list of available sessions, which allows the user to pick the session to use. Supported since GDM 2.16.2.</para>

4170

</listitem>

4171

</varlistentry>

4172

</variablelist>

4173

4174

4175

4176

<term>language</term>

4177

4178

<para>A list of available languages, which allows the user to pick the language to use. Supported since GDM 2.16.2.</para>

4179

</listitem>

4180

</varlistentry>

4181

</variablelist>

4182

4183

4184

4185

<term>userlist</term>

4186

4187

<para>A Face Browser list, so that users can pick their username by clicking on this instead of typing. This obviously exposes the usernames to viewers of the login screen, and is not recommended for users who feel that this reduces security. The face browser does not support combo box style.</para>

4188

</listitem>

4189

</varlistentry>

4190

</variablelist>

4191

4192

4193

4194

<term>userlist-rect</term>

4195

4196

<para>This id can be specified for the <rect> object containing the userlist and if the userlist is empty then this rectangle will not be shown. This allows the theme to define something like an area with a different colour and/or alpha to surround the userlist, but only if there are users to display. Supported since 2.16.2.</para>

4197

</listitem>

4198

</varlistentry>

4199

</variablelist>

4200

4201

<para>Furthermore, you can have an arbitrary id (I'd recommend starting the id with 'custom' not to conflict with future additions to this spec) and ask extra information of the user. See the section 'Custom Widgetry'</para>

4202

4203

<para>Label items can have id values as follows:</para>

4204

4205

4206

4207

<term>clock</term>

4208

4209

<para>Label that displays the date and time.</para>

4210

</listitem>

4211

</varlistentry>

4212

4213

4214

<term>pam-prompt</term>

4215

4216

<para>Label that displays the PAM prompt. This is the prompt that PAM uses to ask for username, password, etc...</para>

4217

</listitem>

4218

</varlistentry>

4219

4220

4221

<term>pam-error</term>

4222

4223

<para>Label that displayst PAM/GDM error messages. Such as when user can't log in.</para>

4224

</listitem>

4225

</varlistentry>

4226

4227

4228

<term>pam-error-logo</term>

4229

4230

<para>An image that will be displayed only when a pam-error message is being displayed. This is useful for displaying an "Attention" icon, for example. This feature is supported in GDM 2.14.6 and later.</para>

4231

</listitem>

4232

</varlistentry>

4233

4234

4235

<term>pam-message</term>

4236

4237

<para>Label that displays the PAM message. These are messages that PAM/GDM gives about state of the account, help about the prompts and other information.</para>

4238

</listitem>

4239

</varlistentry>

4240

4241

4242

<term>timed-label</term>

4243

4244

<para>Label that displays timed login information.</para>

4245

</listitem>

4246

</varlistentry>

4247

</variablelist>

4248

4249

<para>Rectangles can have id values as follows:</para>

4250

4251

4252

4253

<term>caps-lock-warning</term>

4254

4255

<para>Displays an icon that shows if the CAPS LOCK key is depressed. This rectangle will be hidden/shown appropriately</para>

4256

</listitem>

4257

</varlistentry>

4258

</variablelist>

4259

4260

<para>If an item is of type rect, the item can be a button. Buttons must also include a "button" value as follows: <screen>

4261

<item type="rect" id="disconnect_button" button="true">.

4262

</screen></para>

4263

4264

<para>Possible values for button ids are as follows.</para>

4265

4266

4267

4268

<term>chooser_button</term>

4269

4270

<para>Runs the XDMCP chooser.</para>

4271

</listitem>

4272

</varlistentry>

4273

4274

4275

<term>config_button</term>

4276

4277

<para>Runs the GDM configuration application.</para>

4278

</listitem>

4279

</varlistentry>

4280

4281

4282

<term>custom_cmd_button[0-9]</term>

4283

4284

<para>Runs the <filename>n-th</filename> custom command.</para>

4285

</listitem>

4286

</varlistentry>

4287

4288

4289

<term>disconnect_button</term>

4290

4291

<para>Disconnect from remote session.</para>

4292

</listitem>

4293

</varlistentry>

4294

4295

4296

<term>language_button</term>

4297

4298

<para>Displays the language selection dialogue.</para>

4299

</listitem>

4300

</varlistentry>

4301

4302

4303

<term>halt_button</term>

4304

4305

<para>Halt (shuts down) the system.</para>

4306

</listitem>

4307

</varlistentry>

4308

4309

4310

<term>reboot_button</term>

4311

4312

<para>Restart the system.</para>

4313

</listitem>

4314

</varlistentry>

4315

4316

4317

<term>session_button</term>

4318

4319

<para>List and select from available sessions.</para>

4320

</listitem>

4321

</varlistentry>

4322

4323

4324

<term>suspend_button</term>

4325

4326

<para>Suspend the system.</para>

4327

</listitem>

4328

</varlistentry>

4329

4330

4331

<term>system_button</term>

4332

4333

<para>Perform halt/restart/suspend/etc. options (if allowed by GDM configuration). Also allows the user to run configurator if the user enters the root password (if allowed by the GDM configuration). This is labelled Actions, and referred to as the Actions menu.</para>

4334

</listitem>

4335

</varlistentry>

4336

</variablelist>

4337

4338

<para>

4339

By default, the GDM login screen will disappear after authentication.

4340

This can result in flicker between the login screen and the session.

4341

The "background" property allows users to specify what

4342

elements of the theme are the background image. When used, this

4343

will cause GDM to remove all non-background items from the display

4344

and render the remaining "background" items to the root

4345

window. This can be used to create a smooth transition between the

4346

login screen and the session. For example, if the GDM theme and the

4347

session use the same background, then this will make the background

4348

apear seamless.

4349

</para>

4350

4351

<para>

4352

Item nodes may specify a "background" property which can be

4353

set to "true" or "false" (not setting this

4354

property is equivalent to "false"), as follows:

4355

</para>

4356

4357

4358

4359

4360

4361

</item>

4362

</screen>

4363

4364

<para>

4365

If no item node has "background" property set, then the

4366

background is not modified when greeter exits.

4367

</para>

4368

4369

<para>

4370

To use a different background for login transition than the one

4371

used for login, the theme should specify two item nodes (which

4372

could contain pixmaps or svg images, for example). The item

4373

which corresponds to the greeter background should not have the

4374

"background" property while the item which corresponds

4375

to the transition background should have the "background"

4376

property. For instance :

4377

</para>

4378

4379

<?xml version="1.0" encoding="UTF-8"?>

4380

<!DOCTYPE greeter SYSTEM "greeter.dtd">

4381

4382

4383

4384

4385

4386

</item>

4387

4388

4389

4390

</item>

4391

[...]

4392

</greeter>

4393

</screen>

4394

</sect3>

4395

4396

4397

<title>Position Node</title>

4398

4399

<para>Each item can specify its position and size via the "pos" node. For example: <screen>

4400

4401

</screen></para>

4402

4403

<para>Both position and size can be given in percent and it will be taken as the percentage of the size of the current container. For toplevel items it's the percentage of the whole screen.</para>

4404

4405

<para>For x and y, you can also specify a negative position which means position from the right or bottom edge. But this only applies with absolute coordinates. With percentage you can specify negative position and it will be still from the same edge.</para>

4406

4407

<para>The position also specifies the anchor of the item, this can be "n" "ne" "e" "se" "s" "sw" "w" and "nw" or "center" which stand for the different edges/corners or "center" for centre. For example: <screen>

4408

4409

</screen></para>

4410

4411

<para>If the item contains a box, you can specify width and height to be "box" to mean that they are supposed to be the width and height of the box, that is the items in the box plus the padding.</para>

4412

4413

<para>If the item contains an SVG image, you can specify width and height to be "scale" to mean that the SVG image should be scaled to fit the requested area.</para>

4414

4415

<para>You can also specify an "expand" property to either be "true" or false. If true then the child will be expanded in the box as much as possible (that is it will be given more space if available).</para>

4416

4417

<para>There are two extra properties you can specify (as of 2.4.4.3) for labels (and labels only). The first is "max-width" which will specify the maximum width of the label in pixels. And the second is "max-screen-percent-width" which specifies the maximum percentage of the screen width that the label can occupy. By default no label will occupy more then 90% of the screen by width. An example may be: <screen>

4418

4419

4420

</screen></para>

4421

</sect3>

4422

4423

4424

4425

4426

<para>Some items may only display in certain modes, like when doing a remote display. Multiple values can be specified and must be separated with commas. The following values are possible:</para>

4427

4428

<para><filename>console</filename> - In console mode.</para>

4429

<para><filename>console-fixed</filename> - In console non-flexi mode.</para>

4430

<para><filename>console-flexi</filename> - In console & flexi mode.</para>

4431

<para><filename>flexi</filename> - In flexi mode.</para>

4432

<para><filename>remote</filename> - In remote mode.</para>

4433

<para><filename>remote-flexi</filename> - In remote & flexi mode.</para>

4434

4435

<para>For example: <screen>

4436

4437

</screen></para>

4438

4439

<para>You can also specify the "type" value to indicate that certain items should only be displayed if the type is true. Valid values include the following:</para>

4440

4441

<para><filename>chooser</filename>, if ChooserButton is set to "true" in the GDM configuration.</para>

4442

<para><filename>config</filename>, if ConfigAvailable is set to "true" in the GDM configuration.</para>

4443

<para><filename>custom_cmd[0-9]</filename>, if <filename>n-th</filename> CustomCommand is specified in the GDM configuration.</para>

4444

<para><filename>halt</filename>, if HaltDaemon is specified in the GDM configuration.</para>

4445

<para><filename>reboot</filename>, if RebootCommand is specified in the GDM configuration.</para>

4446

<para><filename>suspend</filename>, if SuspendCommand is specified in the GDM configuration.</para>

4447

<para><filename>system</filename>, if SystemMenu is specified in the GDM configuration.</para>

4448

<para><filename>timed</filename>, if TimedLoginEnabled is set to "true" in the GDM configuration.</para>

4449

4450

<para>For example: <screen>

4451

4452

</screen></para>

4453

4454

<para>

4455

Alternatively, you can specify a "min-screen-width" or

4456

"min-screen-height" value to indicate that certain

4457

items should only be displayed if the screen resolution is the

4458

at least the given required size.

4459

</para>

4460

4461

<para>

4462

For example:

4463

4464

4465

</screen>

4466

</para>

4467

4468

<para>Note that if SystemMenu is off then the halt, restart, suspend, chooser and config choices will not be shown, so this is a global toggle for them all. See some of the standard themes for how the show modes are used.</para>

4469

</sect3>

4470

4471

4472

<title>Normal/Active/Prelight Nodes</title>

4473

4474

<para>Depending on the item type (except for userlist - refer to colour node below), it can specify its colour, font or image via the following tags:</para>

4475

4476

<para><filename>normal</filename> - normal state.</para>

4477

<para><filename>active</filename> - when the item has active focus.</para>

4478

<para><filename>prelight</filename> - when the mouse is hovering over the item.</para>

4479

4480

<para>When item is "rect" (alpha can be omitted and defaults to 0.0): <screen>

4481

4482

</screen></para>

4483

4484

<para>When item is "label" <screen>

4485

4486

</screen></para>

4487

4488

<para>When the item type is "pixmap" or "SVG", then the normal, active, and prelight tags specify the images to use as follows: <screen>

4489

4490

</screen></para>

4491

4492

<para>Note that relative pathnames are assumed to be in the same directory as the theme <filename>.xml</filename> file in <filename><share>/gdm/themes/<theme_name></filename>.</para>

4493

4494

<para>Note that alternative image file can be specified using the altfile[n] property. GDM will use the last valid image filename specified. For example: <screen>

4495

4496

</screen> If <filename>distribution-foo-image.png</filename> is a valid image filename it will be used. Otherwise distribution-blah-image.png will be used if valid. This feature supported since 2.16.3.</para>

4497

4498

</sect3>

4499

4500

4501

<title>Face Browser Icon/Label Colour Nodes</title>

4502

4503

<para>If the item type is of userlist, then the background colour for the icon and label can be set separately via the the following tag:</para>

4504

4505

<para>

4506

4507

4508

</screen>

4509

</para>

4510

</sect3>

4511

4512

4513

4514

4515

<para>Text tags are used by labels. They can be used to display localised text as follows (if the "xml:lang" attribute is omitted, the C locale is assumed): <screen>

4516

<text xml:lang="fr">Option</text>

4517

</screen></para>

4518

4519

<para>You can include pango markup in the text nodes for labels, however you must encode it. So for example to have the label of "foo<sup>bar</sup>", you must type: <screen>

4520

4521

</screen></para>

4522

4523

<para>Text nodes can contain the following special character sequences which will be translated as follows:</para>

4524

4525

<para>%% - A literal % character</para>

4526

<para>%c - Clock time. Only labels with the "clock" id will update automatically every second. Other labels will contain a static timestamp.</para>

4527

<para>%d - Display name (DISPLAY environment variable)</para>

4528

<para>%h - Hostname (gethostname output)</para>

4529

<para>%m - Machine name (uname.machine output)</para>

4530

<para>%n - Node name (uname.nodename output)</para>

4531

<para>%o - Domain name (getdomainname output)</para>

4532

<para>%r - Release name (uname.release output)</para>

4533

<para>%s - System name (uname.sysname output)</para>

4534

<para>%t - Current timed delay value from configuration file (0 if off) followed by the word "seconds" if value is greater than 1 or the word "second" if the value is 1. This character sequence is intended to be only used internally to display the "timed-label" message, which is automatically updated every second.</para>

4535

<para>%u - Timed username value from configuration file (empty if off) This character sequence is intended to be only used internally to display the "timed-label" message, which is automatically updated every second.</para>

4536

<para>\n - Carriage return</para>

4537

<para>_ - An underscore causes the following character to be underlined. If it precedes a % character sequence, the string that replaces the character sequence is underlined.</para>

4538

</sect3>

4539

4540

4541

<title>Stock node</title>

4542

4543

<para>Certain common localised labels can be specified via the stock tags. The "text" tag is ignored if the "stock" tag is used. You should really use the stock labels rather then just putting all the translations into the themes. This gives faster load times and likely better translations. The following values are valid:</para>

4544

4545

<para><filename>cancel</filename>, _("_Cancel"</para>

4546

<para>

4547

<filename>caps-lock-warning</filename>,

4548

_("Caps Lock is on."

4549

</para>

4550

<para><filename>chooser</filename>, _("Remote Login via _XDMCP"</para>

4551

<para><filename>config</filename>, _("_Configure"</para>

4552

<para>

4553

<filename>custom_cmd[0-9]</filename>, getting label from config file

4554

</para>

4555

<para><filename>disconnect</filename>, _("D_isconnect"</para>

4556

4557

<para><filename>language</filename>, _("_Language"</para>

4558

4559

<para>

4560

<filename>options</filename>, _("_Options"

4561

</para>

4562

4563

<para><filename>reboot</filename>, _("_Restart"</para>

4564

<para><filename>session</filename>, _("_Session"</para>

4565

<para>

4566

<filename>startagain</filename>, _("_Start Again"

4567

</para>

4568

<para><filename>suspend</filename>, _("Sus_pend"</para>

4569

<para><filename>system</filename>, _("_Actions" (Formerly "S_ystem"</para>

4570

<para><filename>timed-label</filename>, _("User %u will login in %t"</para>

4571

<para><filename>username-label</filename>, _("Username:"</para>

4572

<para><filename>welcome-label</filename>, _("Welcome to %n"</para>

4573

4574

<para>For example: <screen>

4575

4576

</screen></para>

4577

</sect3>

4578

4579

4580

<title>Custom Widgetry</title>

4581

4582

<para>Currently there is one item which is customisable and this is the list item. If you need to ask the user extra things, such as to pick from a list of places to log into, or set of custom login sessions you can set up the list item and add list item children that describe the choices. Each list item must have an id and a text child. The choice will be recorded in the file <filename><ServAuthDir>/<display>.GreeterInfo</filename> as <filename><list id>=<listitem id></filename>.</para>

4583

4584

<para>For example, suppose we are on display :0, <filename>ServAuthDir</filename> is <filename><var>/lib/gdm</filename> and we have the following in the theme:</para>

4585

4586

4587

4588

4589

4590

4591

</listitem>

4592

4593

4594

</listitem>

4595

</item>

4596

</screen>

4597

4598

<para>

4599

Using GDM 2.20, the file is created in INI format. The group value

4600

is "GreeterInfo", and the "custom-config" key

4601

will specify the id of the chosen listitem. For example, if the user

4602

chooses "Foo" (which has an id value of "foo",

4603

then <filename><var>/lib/gdm/:0.GreeterInfo</filename> will

4604

contain:

4605

4606

[GreeterInfo]

4607

custom-config=foo

4608

</screen>

4609

</para>

4610

<para>

4611

Using GDM 2.18 and earlier, the file is not saved in INI format, so

4612

the "GreeterInfo" group will not be in the file. In other

4613

words, the file will contain only the following:

4614

4615

custom-config=foo

4616

</screen>

4617

</para>

4618

</sect3>

4619

</sect2>

4620

</sect1>

4621

4622

4623

<title>Accessibility</title>

4624

<para>

4625

GDM supports "Accessible Login", allowing users to log into

4626

their desktop session even if they cannot easily use the screen, mouse,

4627

or keyboard in the usual way. Accessible Technology (AT) programs

4628

such as <command>GOK</command> (on-screen keyboard) and

4629

<command>orca</command> (magnifier and text-to-speech) are supported.

4630

The "GTK+ Greeter" best supports accessibility, so it is

4631

recommended for accessibility support. The "Themed Greeter"

4632

supports some accessibility features and may be usable by some users.

4633

But some AT programs, such as <command>GOK</command>, do not yet work

4634

with the "Themed Greeter".

4635

</para>

4636

4637

<para>

4638

Accessibility is enabled by specifying the "GTK+ Greeter"

4639

in the "Local" tab for the console display and specifying

4640

the "GTK+ Greeter" in the "Remote" tab for

4641

remote displays. Or you can modify the <filename>Greeter</filename>

4642

and <filename>RemoteGreeter</filename> configuration options by hand

4643

to be <command>/usr/lib/gdmlogin</command>.

4644

</para>

4645

4646

<para>

4647

The GDM greeter programs support the ability to launch AT's at login

4648

time via configurable "gestures". These gestures can be

4649

defined to be standard keyboard hotkeys, switch device event, or

4650

mouse motion events. When using the "GTK+ Greeter", the

4651

user may also change the visual appearance of the login UI. For

4652

example, to use a higher-contrast color scheme for better visibility.

4653

</para>

4654

4655

<para>

4656

Note that <command>gdmsetup</command> does not yet work with

4657

accessibility, so that users who require AT programs should only

4658

configure GDM by editing the ASCII files directly.

4659

</para>

4660

4661

4662

<title>Accessibility Configuration</title>

4663

4664

<para>

4665

In order to enable Accessible Login, the system administrator must

4666

make some changes to the default login configuration by manually

4667

modifying three human-readable configuration files, stored in

4668

the GDM Custom Configuration File, AccessKeyMouseEvents File, and

4669

AccessDwellMouseEvents File. The AccessKeyMouseEvents and

4670

AccessDwellMouseEvents contain reasonable default gestures for

4671

launching <command>GOK</command> and <command>orca</command>, but

4672

some users may require these gestures to be configured to best

4673

meet their needs. For example, shorter or longer duration for

4674

holding down a button or hotkey might make the login experience

4675

more usable for some users. Also, additional AT programs may be

4676

added to the configuration file if needed.

4677

</para>

4678

4679

4680

<title>Accessibile Theming</title>

4681

4682

<para>

4683

If using the "GTK+ Greeter" users can easily

4684

switch the color and contrast scheme of the dialog. To do this,

4685

ensure the <filename>AllowGtkThemeChange</filename> parameter in

4686

the GDM configuration is set to "true". This should

4687

be the default value. When true, the "Standard

4688

Greeter" contains a menu allowing the user to change to a

4689

different GTK+ theme. The <filename>GtkThemesToAllow</filename>

4690

configuration choice can also be used to limit the choices

4691

available as desired. For example:

4692

</para>

4693

4694

4695

GtkThemesToAllow=HighContrast,HighContrastInverse

4696

</screen>

4697

4698

<para>

4699

If using the "Themed Greeter" there may be suitable

4700

GDM themes available that provide needed color and contrast

4701

schemes, but these are not yet shipped with the GDM program.

4702

Some distributions may ship such themes. There is not yet any

4703

mechanism to switch between themes in the "Themed

4704

Greeter", so if an accessible theme is required by one

4705

user, then all users would need to use the same theme.

4706

</para>

4707

</sect3>

4708

4709

4710

<title>AT Program Support</title>

4711

4712

<para>

4713

To enable user to launch AT such as the <command>GOK</command>

4714

or <command>orca</command>, the

4715

<filename>AddGtkModules</filename> parameter in the GDM

4716

configuration must be set to "true".

4717

Also the <filename>GtkModulesList</filename> parameter must be

4718

uncommented and set as follows:

4719

</para>

4720

4721

4722

GtkModulesList=gail:atk-bridge:/usr/lib/gtk-2.0/modules/libdwellmouselistener:/usr/lib/gtk-2.0/modules/libkeymouselistener

4723

</screen>

4724

4725

<para>

4726

This causes all GDM GUI programs to be run with the appropriate

4727

GTK modules for launching AT programs. The use of assistive

4728

technologies and the atk-bridge module requires the registry

4729

daemon, <command>at-spi-registryd</command>, to be running.

4730

This is handled by the GDM GUI starting with version 2.17.

4731

</para>

4732

4733

<para>

4734

System administrators may wish to load only the minimum subset

4735

of these modules which is required to support their user base.

4736

The "libkeymouselistener" provides hotkey and switch

4737

gesture support while the "libdwellmouselistener"

4738

provides mouse motion gesture support. If your user base only

4739

requires one or the other, it is only necessary to include the

4740

gesture listener that is needed. Also, some AT programs may not

4741

require gail or atk-bridge. If you find the AT programs you

4742

need works fine without including these, then they may be

4743

omitted. Note that some AT programs work with a reduced feature

4744

set if gail and/or atk-bridge are not present. However, for

4745

general accessibility use, including all four is suitable.

4746

</para>

4747

4748

<para>

4749

Once "keymouselistener" and/or

4750

"dwellmouselistener" have been added to the

4751

<filename>AddGtkModules</filename> loaded by GDM, then you may

4752

need to modiify the gesture configurations to meet your user's

4753

needs. Default gestures are provided for launching

4754

<command>GOK</command> and <command>orca</command>, but it is

4755

recommended to modify these gestures so they work best for your

4756

user base. These gesture associations are contained in files

4757

<filename>AccessKeyMouseEvents</filename> and

4758

<filename>AccessDwellMouseEvents</filename>, respectively. Both

4759

files are located in the

4760

<filename><etc>/gdm/modules</filename> directory. The

4761

gesture configuration format is described in the comment section

4762

of the two configuration files.

4763

</para>

4764

4765

<para>

4766

The AccessKeyMouseEvents file controls the keymouselistener

4767

Gesture Listener and is used to define key-press, mouse button,

4768

or XInput device sequences that can be used to launch

4769

applications needed for accessibility. In order to reduce the

4770

likelihood of unintentional launch, these "gestures"

4771

may be associated with multiple switch presses and/or minimum

4772

durations. Note that the XKB extension is needed for key

4773

gestures to work, so you may need to add +xkb to your X server

4774

command line for gestures to work properly. The X server command

4775

line is specified in the GDM configuration file in the

4776

<filename>server-foo</filename> sections.

4777

</para>

4778

4779

<para>

4780

The DwellKeyMouseEvents file controls the dwellmouselistner and

4781

supports gestures that involve the motion of a pointing device

4782

such as the system mouse of an alternative pointing device such

4783

as a head pointer or trackball may also be defined. Motion

4784

gestures are defined as "crossing events" into and out

4785

of the login dialog window. If the

4786

"dwellmouselistener" gesture listener is loaded, then

4787

alternative pointing devices are temporarily "latched"

4788

to the core pointer, such that motion from alternative devices

4789

results in movement of the onscreen pointer. All gestures are

4790

specified by the same syntax; that is, there is no distinction

4791

between a "core mouse" gesture and motion from an

4792

alternate input device.

4793

</para>

4794

4795

<para>

4796

On some operating systems, it is necessary to make sure that the

4797

GDM user is a member of the "audio" group for AT

4798

programs that require audio output (such as text-to-speech) to

4799

be functional.

4800

</para>

4801

4802

<para>Currently GDM does not remember what accessible technology programs have been started when switching applications. So if the user switches between the login program and the chooser, for example, then it is necessary for the user to redo the gesture. Users may need to also set up their default session so that the assistive technologies required are started automatically (or have appropriate key-bindings defined to start them) after the user session has started.</para>

4803

</sect3>

4804

4805

4806

<title>AT Troubleshooting</title>

4807

4808

<para>

4809

There are some common issues that cause users to have problems

4810

getting the gesture listeners to work. It is recommended that

4811

people use GDM version 2.18.0 or later for best results.

4812

</para>

4813

4814

<para>

4815

Some older X servers have a bug which causes detectable

4816

autorepeat to fail when XEVIE is enabled (which happens when

4817

atk-bridge is included as a GTK Module). This bug causes key

4818

gestures with a duration greater than 0 to always fail. A

4819

workaround is to simply redefine all key gestures so they have

4820

zero length duration, or upgrade your X server.

4821

</para>

4822

4823

<para>

4824

Some versions of <command>GOK</command> and

4825

<command>orca</command> will not launch unless the

4826

"gdm" user has a writable home directory. This has

4827

been fixed in GNOME 2.18, but if using an older version of

4828

GNOME, then making sure that the GDM user has a writable home

4829

directory should make these programs functional.

4830

</para>

4831

4832

<para>

4833

If you see an hourglass cursor when you complete a gesture but

4834

the program does not start, then this indicates that the gesture

4835

was received, but that there was a problem starting the program.

4836

Most likely the issue may be the lack of a writable gdm home

4837

directory.

4838

</para>

4839

4840

<para>

4841

Also note that some input devices require X server configuration

4842

before GDM will recognize them.

4843

</para>

4844

</sect3>

4845

4846

4847

<title>Accessibility Login Sound Configuration</title>

4848

4849

<para>

4850

By default, GDM requires a media application such as

4851

"play" to be present to play sounds for successful or

4852

failed login. GDM defaults

4853

the location of this application to

4854

<filename><bin>/play</filename> (or

4855

<filename><bin>/audioplay</filename> on Solaris. This can

4856

be changed via the <filename>SoundProgram</filename> GDM

4857

configuration option. Typically most text-to-speech programs

4858

(such as <command>orca</command>) use a separate mechanism to

4859

play audio, so this configuration setting is not needed for

4860

them to work.

4861

</para>

4862

</sect3>

4863

</sect2>

4864

</sect1>

4865

4866

4867

<title>Solaris Specific Features</title>

4868

4869

4870

<title>Using GDM on Solaris</title>

4871

4872

<para>

4873

GDM is not yet the default login program on Solaris. If you wish

4874

to switch to using GDM, then you need to turn off CDE login and

4875

start the GDM service. Note that turning off or disabiling CDE

4876

login will cause any running sessions to immediately exit, and any

4877

unsaved data will be lost. Only run these commands if you are

4878

sure there is no unsaved data in your running sessions. It would

4879

be best to run these commands from console login, or a Failsafe

4880

Terminal rather than from a running GUI session. The first step

4881

is to run the following command to see if CDE login is running as

4882

an SMF service.

4883

</para>

4884

4885

4886

svcs cde-login

4887

</screen>

4888

4889

<para>

4890

If the <command>svcs</command> command responds that this

4891

service is enabled, then run this command to disable CDE login:

4892

</para>

4893

4894

4895

svcadm disable cde-login

4896

</screen>

4897

4898

<para>

4899

If the <command>svcs</command> command responds that this pattern

4900

doesn't match any instances, then run these commands to stop

4901

CDE login:

4902

</para>

4903

4904

4905

/usr/dt/config/dtconfig -d

4906

Either reboot, or kill any running dtlogin processes.

4907

</screen>

4908

4909

<para>

4910

At this point you will be presented with a console login. Login

4911

as root, and run the following command. If on Solaris 10 the

4912

servicename is "gdm2-login", if on Solaris Nevada the

4913

servicename is "gdm".

4914

</para>

4915

4916

4917

svcadm enable servicename

4918

</screen>

4919

</sect2>

4920

4921

4922

<title>Solaris Configuration</title>

4923

<para>

4924

On Solaris, the following configuration is recommended.

4925

This turns on IPv6 and also turns on PreFetch for

4926

performance benefit.

4927

4928

4929

./autogen.sh --prefix=/usr --sysconfdir=/etc/X11 --localstatedir=/var

4930

--libexecdir=/usr/lib --enable-ipv6=yes --with-at-bindir=/usr/sfw/bin

4931

--with-prefetch --with-post-path=/usr/openwin/bin --with-pam-prefix=/etc

4932

--with-lang-file=/etc/default/init

4933

</screen>

4934

</para>

4935

4936

<para>

4937

Configuring GDM with the

4938

"--with-post-path=/usr/openwin/bin" on Solaris is

4939

recommended for accessing X server programs.

4940

</para>

4941

</sect2>

4942

4943

4944

<title>Solaris /etc/logindevperm</title>

4945

<para>GDM supports /etc/logindevperm, but only on Solaris 10 and higher. Refer to the logindevperm.4 man page for more information.</para>

4946

4947

<para>To make /etc/logindevperm functionality work on Solaris 9 or earlier you would have to hack the GDM PreSession and PostSession script to chmod the device permissions directly. In other words, if /etc/logindevperm had a listing like this:</para>

4948

4949

4950

/dev/console 0600 /dev/sound/* # audio devices

4951

</screen>

4952

4953

<para>

4954

Then the PreSession script would need to be modified to chown

4955

/dev/console to the user:group who is logging into the console

4956

and ensure whatever permissions is specified in /etc/logindevperm

4957

(0600 for the line above). Then in the PostSession script chmod

4958

the device back to root:root and ensure 0600 this time (do not

4959

use the value in the /etc/logindevperm file). Linux uses a

4960

different mechanism for managing device permissions, so this

4961

extra scripting is not needed.

4962

</para>

4963

</sect2>

4964

4965

4966

<title>Solaris Automatic Login</title>

4967

<para>

4968

Automatic login does not work on Solaris 10 and earlier because

4969

PAM is not configured to support this feature by default.

4970

Automatic login is a GDM feature that is not enabled by default,

4971

so you would only notice this problem if you try to make use of

4972

it. Turning this feature on causes your computer to login to a

4973

specified username on startup without asking for username

4974

and password. This is an insecure way to set up your

4975

computer.

4976

</para>

4977

4978

<para>If using Solaris 10 or lower, then you need to compile the pam_allow.c code provided with the GDM release and install it to /usr/lib/security (or provide the full path in /etc/pam.conf) and ensure it is owned by uid 0 and not group or world writable.</para>

4979

4980

<para>The following are reasonable pam.conf values for turning on automatic login in GDM. Make sure to read the PAM documentation (e.g. pam.d/pam.conf man page) and be comfortable with the security implications of any changes you intend to make to your configuration.</para>

4981

4982

4983

gdm-autologin auth required pam_unix_cred.so.1

4984

gdm-autologin auth sufficient pam_allow.so.1

4985

gdm-autologin account sufficient pam_allow.so.1

4986

gdm-autologin session sufficient pam_allow.so.1

4987

gdm-autologin password sufficient pam_allow.so.1

4988

</screen>

4989

4990

<para>The above setup will cause no lastlog entry to be generated. If a lastlog entry is desired, then use the following for session:</para>

4991

4992

4993

gdm-autologin session required pam_unix_session.so.1

4994

</screen>

4995

</sect2>

4996

4997

4998

<title>Solaris RBAC support for Shutdown, Reboot, and Suspend</title>

4999

5000

<para>

5001

Starting with GDM 2.19, GDM supports RBAC (Role Based

5002

Access Control) for enabling the system commands (Shutdown,

5003

Reboot, Suspend, etc.) that appear in the greeter system

5004

menu and via the <command>gdmflexiserver</command>

5005

QUERY_LOGOUT_ACTION, SET_LOGOUT_ACTION, and

5006

SET_SAFE_LOGOUT_ACTION commands.

5007

</para>

5008

5009

<para>

5010

On Solaris GDM has the following value specified for the

5011

<filename>RBACSystemCommandKeys</filename> configuration

5012

option.

5013

</para>

5014

5015

5016

HALT:solaris.system.shutdown;REBOOT:solaris.system.shutdown

5017

</screen>

5018

5019

<para>

5020

This will cause the SHUTDOWN and REBOOT features to only be

5021

enabled for users who have RBAC authority. In other words,

5022

those users who have the "solaris.system.shutdown"

5023

authorization name specified. The GDM greeter will only

5024

display these options if the gdm user (specified in the

5025

<filename>User</filename> configuration option, "gdm" by

5026

default) has such RBAC permissions.

5027

</para>

5028

5029

<para>

5030

Therefore, add the "solaris.system.shutdown"

5031

authorization name to the <filename>/etc/user_attr</filename>

5032

for all users who should have authority to shutdown and

5033

reboot the system. If you want these options to appear in

5034

the greeter program, also add this authorization name to

5035

the gdm user. If you don't want to use RBAC, then you may

5036

unset the <filename>RBACSystemCommandKeys</filename> GDM

5037

configuration key, and this will make the system commands

5038

available for all users. Refer to the

5039

<filename>user_attr</filename> man page for more information

5040

about setting RBAC privileges.

5041

</para>

5042

5043

<para>

5044

Note that on Solaris there are two programs that can be used

5045

to shutdown the system. These are GDM and

5046

<command>gnome-sys-suspend</command>.

5047

<command>gnome-sys-suspend</command> is a GUI front-end for

5048

the <command>sys-suspend</command>.

5049

</para>

5050

5051

<para>

5052

If GDM is being used as the login program and the user has

5053

RBAC permissions to shutdown the machine (or RBAC support

5054

is disabled in GDM), then the GNOME panel

5055

"Shut Down.." option will use GDM to shutdown, reboot,

5056

and suspend the machine. This is a bit nicer than using

5057

<command>gnome-sys-suspend</command> since GDM will wait until

5058

the user session has finished (including running the

5059

PostSession script, etc.) before running the

5060

shutdown/reboot/suspend command. Also the

5061

<command>gnome-sys-suspend</command> command is less functional

5062

since it does not support a reboot option, only shutdown and

5063

suspend.

5064

</para>

5065

5066

<para>

5067

If GDM is not being used to manage shutdown, reboot, and

5068

suspend; then the GNOME panel uses

5069

<command>gnome-sys-suspend</command> when you select the

5070

"Shut Down..." option from the application menu.

5071

If the pop-up that appears when you select this only

5072

shows the suspend and shutdown options, then you are

5073

likely using <command>gnome-sys-suspend</command>. If

5074

you are using this, then refer to the

5075

<command>sys-suspend</command> man page for information

5076

about how to configure it. Or consider using GDM and

5077

configuring it to provide these options.

5078

</para>

5079

</sect2>

5080

5081

5082

<title>Other Solaris Features</title>

5083

<para>GDM supports a few features specific to Solaris, as follows:</para>

5084

5085

<para>GDM supports Solaris Auditing if running on Solaris 10 or higher. GDM should not be used if auditing is needed and running Solaris 9 or older.</para>

5086

5087

<para>GDM supports a security feature which causes the X server to run as the user instead of as the root user. GDM must be using PAM for this feature to be enabled, which is the normal case for Solaris. This second feature has the side-effect of causing the X server to always restart between sessions, which disables the AlwaysRestartServer configuration option.</para>

5088

5089

<para>Solaris supports the <filename>/etc/default/login</filename> interface, which affects the <filename>DefaultPath</filename>, <filename>RootPath</filename>, <filename>PasswordRequired</filename>, and <filename>AllowRemoteRoot</filename> options as described in the "Configuration" section.</para>

5090

</sect2>

5091

</sect1>

5092

5093

5094

<title>Example Configurations</title>

5095

5096

5097

<title>Defining Custom Commands</title>

5098

5099

<para>

5100

Suppose you want to add a custom command to the GDM menu that will give

5101

you the opportunity to boot into other operating system such as Windoze.

5102

Just add the following options into the

5103

<filename>[customcommand]</filename> section of the GDM configuration

5104

file.

5105

5106

5107

[customcommand]

5108

CustomCommand0=/sbin/rebootwindoze;/usr/local/sbin/rebootwindoze

5109

CustomCommandLabel0=_Windoze

5110

CustomCommandLRLabel0=Reboot into _Windoze

5111

CustomCommandText0=Are you sure you want to restart the computer into Windoze?

5112

CustomCommandTooltip0=Restarts the computer into Windoze

5113

CustomCommandIsPersistent0=true

5114

</screen>

5115

5116

CustomCommand0 specifies two commands separated by a semicolon:

5117

<filename>/sbin/rebootwindoze</filename> and

5118

<filename>/usr/local/sbin/rebootwindoze</filename>. GDM will use

5119

the first valid command in the list. This allows different

5120

commands for different operating systems to be included.

5121

</para>

5122

<para>

5123

Note, that besides being able to customise this option to reboot into

5124

different operating systems you can also use it to define your own

5125

custom behaviours that you wish to run from the GDM menu. Suppose you

5126

want to give users the opportunity to run system update scripts from the

5127

login screen. Add the following options into the

5128

<filename>[customcommand]</filename> section of your GDM configuration

5129

file.

5130

5131

5132

[customcommand]

5133

CustomCommand0=/sbin/updatesystem;/usr/local/sbin/updatesystem

5134

CustomCommandLabel0=_Update Me

5135

CustomCommandLRLabel0=Update the system

5136

CustomCommandText0=Are you sure you want to update the system software?

5137

CustomCommandTooltip0=Updates the system

5138

CustomCommandNoRestart0=true

5139

</screen>

5140

</para>

5141

5142

<para>Both custom commands could be defined as follows. <screen>

5143

[customcommand]

5144

CustomCommand0=/sbin/rebootwindoze;/usr/local/sbin/rebootwindoze

5145

CustomCommandLabel0=_Windoze

5146

CustomCommandLRLabel0=Reboot into _Windoze

5147

CustomCommandText0=Are you sure you want to restart the computer into Windoze?

5148

CustomCommandTooltip0=Restarts the computer into Windoze

5149

CustomCommandIsPersistent0=true

5150

5151

CustomCommand1=/sbin/updatesystem;/usr/local/sbin/updatesystem

5152

CustomCommandLabel1=_Update Me

5153

CustomCommandLRLabel1=Update the system

5154

CustomCommandText1=Are you sure you want to update the system software?

5155

CustomCommandTooltip1=Updates the system

5156

CustomCommandNoRestart1=true

5157

</screen></para>

5158

5159

<para>There can be up to 10 custom commands numbered 0-9. <screen>

5160

[customcommand]

5161

CustomCommand0=/sbin/rebootwindoze;/usr/local/sbin/rebootwindoze

5162

CustomCommandLabel0=_Windoze

5163

CustomCommandLRLabel0=Reboot into _Windoze

5164

CustomCommandText0=Are you sure you want to restart the computer into Windoze?

5165

CustomCommandTooltip0=Restarts the computer into Windoze

5166

CustomCommandIsPersistent0=true

5167

5168

CustomCommand1=/sbin/updatesystem;/usr/local/sbin/updatesystem

5169

CustomCommandLabel1=_Update Me

5170

CustomCommandLRLabel1=Update the system

5171

CustomCommandText1=Are you sure you want to update the system software?

5172

CustomCommandTooltip1=Updates the system

5173

CustomCommandNoRestart1=true

5174

5175

CustomCommand3=/sbin/do_something

5176

.

5177

.

5178

.

5179

5180

CustomCommand4=/sbin/do_something_else

5181

.

5182

.

5183

.

5184

</screen></para>

5185

</sect2>

5186

</sect1>

5187

5188

5189

<title>Troubleshooting</title>

5190

5191

<para>This section discusses helpful tips for getting GDM working. In general, if you have a problem using GDM, you can submit a bug to the "gdm" category in <ulink type="http" url="http://bugzilla.gnome.org/">bugzilla.gnome.org</ulink> or send an email to the <address><email>gdm-list@gnome.org</email></address> mail list.</para>

5192

5193

<para>If GDM is failing to work properly, it is always a good idea to include debug information. Use the <command>gdmsetup</command> command to turn on debugging ("Enable debug messages to system log" checkbox in the "Security" tab), then use GDM to the point where it fails, and include the GDM output sent to your system log (<filename><var>/log/messages</filename> or <filename><var>/adm/messages</filename> depending on your operating system). Since the system log can be large, please only include the GDM debug information and do not sent the entire file. If you do not see any GDM syslog output, you may need to configure syslog (see syslog.3c man page).</para>

5194

5195

<para>You should not leave debugging on after collecting data. It will clutter your syslog and slow system performance.</para>

5196

5197

5198

<title>GDM Will Not Start</title>

5199

5200

<para>There are a many problems that can cause GDM to fail to start, but this section will discuss a few common problems and how to approach tracking down a problem with GDM starting. Some problems will cause GDM to respond with an error message or dialogue when it tries to start, but it can be difficult to track down problems when GDM fails silently.</para>

5201

5202

<para>

5203

First make sure that the X server is configured properly. The

5204

GDM configuration file contains a command in the [server-Standard]

5205

section that is used for starting the X server. Verify that this

5206

command works on your system. Running this command from the

5207

console should start the X server. If it fails, then the problem

5208

is likely with your X server configuration. Refer to your X server

5209

error log for an idea of what the problem may be. The problem may

5210

also be that your X server requires different command-line options.

5211

If so, then modify the X server command in the GDM configuration file

5212

so that it is correct for your system.

5213

</para>

5214

5215

<para>

5216

Another common problem is that the GDM greeter program is having

5217

trouble starting. This can happen, for example, if GDM cannot find

5218

a needed library or other resource. Try starting the X server and

5219

a terminal program, set the shell environment variable

5220

DOING_GDM_DEVELOPMENT=1 and run

5221

<command><lib>/gdmlogin</command>

5222

or <command><lib>/gdmgreeter</command>. Any error messages

5223

echoed to the terminal will likely highlight the problem. Also,

5224

turning on debug and checking the output sent to the system log

5225

will often highlight the problem.

5226

</para>

5227

5228

<para>Also make sure that the <filename>/tmp</filename> directory has reasonable ownership and permissions, and that the machine's file system is not full. These problems will cause GDM to fail to start.</para>

5229

</sect2>

5230

5231

5232

<title>GDM Will Not Access User Settings</title>

5233

5234

<para>GDM saves user settings, such as your default session and default language, in the <filename>~/.dmrc</filename>. Other files, such as the user's <filename>~/.Xauthority</filename> file will also affect login. GDM, by default, is strict about how it tries to access files in the user's home directory, and will ignore the file if they do not conform to certain rules. You can use the <filename>RelaxPermissions</filename> configuration option to make GDM less strict about how it accesses files in the user's home directory, or correct the permissions issues that cause GDM to ignore the file. This is discussed in detail described in the "File Access" section of the "Overview".</para>

5235

</sect2>

5236

</sect1>

5237

5238

5239

5240

5241

<title>Licence</title>

5242

<para>This program is free software; you can redistribute it and/or modify it under the terms of the <ulink type="help" url="gnome-help:gpl"><citetitle>GNU General Public Licence</citetitle></ulink> as published by the Free Software Foundation; either version 2 of the Licence, or (at your option) any later version.</para>

5243

<para>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the <citetitle>GNU General Public Licence</citetitle> for more details.</para>

5244

<para>

5245

A copy of the <citetitle>GNU General Public License</citetitle> is

5246

included as an appendix to the <citetitle>GNOME Users

5247

Guide</citetitle>. You may also obtain a copy of the

5248

<citetitle>GNU General Public License</citetitle> from the Free

5249

Software Foundation by visiting <ulink type="http" url="http://www.fsf.org">their Web site</ulink> or by writing to

5250

5251

Free Software Foundation, Inc.

5252

<street>51 Franklin Street, Fifth Floor</street>

5253

<city>Boston</city>, <state>MA</state> <postcode>02110-1301</postcode>

5254

5255

</address>

5256

</para>

5257

</sect1>

5258

</article>

5259

<!-- Keep this comment at the end of the file

5260

Local variables:

5261

mode: sgml

5262

sgml-omittag:t

5263

sgml-shorttag:t

5264

sgml-minimize-attributes:nil

5265

sgml-always-quote-attributes:t

5266

sgml-indent-step:2

5267

sgml-indent-data:t

5268

sgml-parent-document:nil

5269

sgml-exposed-tags:nil

5270

sgml-local-catalogs:nil

5271

sgml-local-ecat-files:nil

5272

End:

5273

-->