~ubuntu-branches/ubuntu/oneiric/gdm3/oneiric

</copyright><copyright><year>2003, 2004.</year><holder>Sun Microsystems</holder></copyright><copyright><year>2007.</year><holder>류창우 (cwryu@debian.org)</holder></copyright>

<para>

Permission is granted to copy, distribute and/or modify this

document under the terms of the GNU Free Documentation

License (GFDL), Version 1.1 or any later version published

by the Free Software Foundation with no Invariant Sections,

no Front-Cover Texts, and no Back-Cover Texts. You can find

a copy of the GFDL at this <ulink type="help" url="ghelp:fdl">link</ulink> or in the file COPYING-DOCS

distributed with this manual.

</para>

<para> This manual is part of a collection of GNOME manuals

distributed under the GFDL. If you want to distribute this

manual separately from the collection, you can do so by

adding a copy of the license to the manual, as described in

100

section 6 of the license.

101

</para>

102

103

<para>

104

Many of the names used by companies to distinguish their

105

products and services are claimed as trademarks. Where those

106

names appear in any GNOME documentation, and the members of

107

the GNOME Documentation Project are made aware of those

108

trademarks, then the names are in capital letters or initial

109

capital letters.

110

</para>

111

112

<para>

113

DOCUMENT AND MODIFIED VERSIONS OF THE DOCUMENT ARE PROVIDED

114

UNDER THE TERMS OF THE GNU FREE DOCUMENTATION LICENSE

115

WITH THE FURTHER UNDERSTANDING THAT:

116

117

118

119

<para>DOCUMENT IS PROVIDED ON AN "AS IS" BASIS,

120

WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR

121

IMPLIED, INCLUDING, WITHOUT LIMITATION, WARRANTIES

122

THAT THE DOCUMENT OR MODIFIED VERSION OF THE

123

DOCUMENT IS FREE OF DEFECTS MERCHANTABLE, FIT FOR

124

A PARTICULAR PURPOSE OR NON-INFRINGING. THE ENTIRE

125

RISK AS TO THE QUALITY, ACCURACY, AND PERFORMANCE

126

OF THE DOCUMENT OR MODIFIED VERSION OF THE

127

DOCUMENT IS WITH YOU. SHOULD ANY DOCUMENT OR

128

MODIFIED VERSION PROVE DEFECTIVE IN ANY RESPECT,

129

YOU (NOT THE INITIAL WRITER, AUTHOR OR ANY

130

CONTRIBUTOR) ASSUME THE COST OF ANY NECESSARY

131

SERVICING, REPAIR OR CORRECTION. THIS DISCLAIMER

132

OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THIS

133

LICENSE. NO USE OF ANY DOCUMENT OR MODIFIED

134

VERSION OF THE DOCUMENT IS AUTHORIZED HEREUNDER

135

EXCEPT UNDER THIS DISCLAIMER; AND

136

</para>

137

</listitem>

138

139

<para>UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL

140

THEORY, WHETHER IN TORT (INCLUDING NEGLIGENCE),

141

CONTRACT, OR OTHERWISE, SHALL THE AUTHOR,

142

INITIAL WRITER, ANY CONTRIBUTOR, OR ANY

143

DISTRIBUTOR OF THE DOCUMENT OR MODIFIED VERSION

144

OF THE DOCUMENT, OR ANY SUPPLIER OF ANY OF SUCH

145

PARTIES, BE LIABLE TO ANY PERSON FOR ANY

146

DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR

147

CONSEQUENTIAL DAMAGES OF ANY CHARACTER

148

INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS

149

OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR

150

MALFUNCTION, OR ANY AND ALL OTHER DAMAGES OR

151

LOSSES ARISING OUT OF OR RELATING TO USE OF THE

152

DOCUMENT AND MODIFIED VERSIONS OF THE DOCUMENT,

153

EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED OF

154

THE POSSIBILITY OF SUCH DAMAGES.

155

</para>

156

</listitem>

157

</orderedlist>

158

</para>

159

</legalnotice>

160

161

162

163

164

This manual describes version 2.26.0 of the GNOME Display Manager.

165

It was last updated on 02/10/2009.

166

</releaseinfo>

167

</articleinfo>

168

169

170

171

172

173

174

<para>

175

This manual describes version 2.26.0 of the GNOME Display Manager.

176

It was last updated on 02/10/2009.

177

</para>

178

179

<para>

180

Chooser - A program used to select a remote host for managing a

181

display remotely on the attached display (<command>gdm-host-chooser</command>).

182

</para>

183

184

<para>

185

FreeDesktop - The organization providing desktop standards, such as the

186

Desktop Entry Specification used by GDM.

187

188

http://www.freedesktop.org</ulink>.

189

</para>

190

<para>

191

GDM - GNOME Display Manager. Used to describe the software package as a

192

whole.

193

</para>

194

195

<para>

196

Greeter - The graphical login window (<command>gdm-simple-greeter</command>).

197

</para>

198

199

<para>

200

PAM - Pluggable Authentication Mechanism

201

</para>

202

203

<para>

204

XDMCP - X Display Manage Protocol

205

</para>

206

207

<para>

208

Xserver - An implementation of the X Window System. For example the

209

Xorg webserver provided by the X.org Foundation

210

<ulink type="http" url="http://www.x.org/">http://www.x.org</ulink>.

211

</para>

212

213

<para>

214

Paths that start with a word in angle brackets are relative to the

215

installation prefix. I.e. <filename><share>/pixmaps/</filename>

216

refers to <filename>/usr/share/pixmaps</filename> if GDM was

217

configured with <command>--prefix=/usr</command>.

218

</para>

219

</sect1>

220

221

222

223

224

225

226

227

<title>Introduction</title>

228

229

<para>

230

The GNOME Display Manager (GDM) is a display manager that implements

231

all significant features required for managing attached and remote

232

displays. GDM was written from scratch and does not contain any XDM or

233

X Consortium code.

234

</para>

235

236

<para>

237

Note that GDM is configurable, and many configuration settings have

238

an impact on security. Issues to be aware of are highlighted in this

239

document.

240

</para>

241

242

<para>

243

Please note that some Operating Systems configure GDM to behave

244

differently than the default values as described in this document. If

245

GDM does not seem to behave as documented, then check to see if any

246

related configuration may be different than described here.

247

</para>

248

249

<para>

250

For further information about GDM, refer to the project website at

251

252

http://www.gnome.org/projects/gdm</ulink> and the project

253

Wiki <ulink type="http" url="http://live.gnome.org/GDM">

254

http://live.gnome.org/GDM</ulink>.

255

</para>

256

257

<para>

258

For discussion or queries about GDM, refer to the

259

<address><email>gdm-list@gnome.org</email></address> mail list. This

260

list is archived, and is a good resource to check to seek answers to

261

common questions. This list is archived at

262

263

http://mail.gnome.org/archives/gdm-list/</ulink> and has a search

264

facility to look for messages with keywords.

265

</para>

266

267

<para>

268

Please submit any bug reports or enhancement requests to the

269

"gdm" category in

270

271

http://bugzilla.gnome.org</ulink>.

272

</para>

273

</sect2>

274

275

276

<title>Interface Stability</title>

277

278

<para>

279

GDM 2.20 and earlier supported stable configuration interfaces.

280

However, the codebase was completely rewritten for GDM 2.22, and

281

is not completely backward compatible with older releases. This is

282

in part because things work differently, so some options just don't

283

make sense, in part because some options never made sense, and in

284

part because some functionality has not been reimplemented yet.

285

</para>

286

287

<para>

288

Interfaces which continue to be supported in a stable fashion include

289

the Init, PreSession, PostSession, PostLogin, and Xsession scripts.

290

Some daemon configuration options in the

291

<filename><etc>/gdm/custom.conf</filename> file continue to be

292

supported. Also, the <filename>~/.dmrc</filename>, and face browser

293

image locations are still supported.

294

</para>

295

296

<para>

297

GDM 2.20 and earlier supported the ability to manage multiple displays

298

with separate graphics cards, such as used in terminal server

299

environments, login in a window via a program like Xnest or Xephyr, the

300

gdmsetup program, XML-based greeter themes, and the ability to run the

301

XDMCP chooser from the login screen. These features were not

302

added back during the 2.22 rewrite.

303

</para>

304

305

</sect2>

306

307

308

<title>Functional Description</title>

309

310

<!--

311

<para>

312

TODO - Would be good to discuss D-Bus, perhaps the new GObject model,

313

and to explain the reasons why the rewrite made GDM better.

314

From a high-level overview perspective, rather than the

315

technical aspects.

316

</para>

317

-->

318

319

<para>

320

GDM is responsible for managing displays on the system. This includes

321

authenticating users, starting the user session, and terminating the

322

user session. GDM is configurable and the ways it can be configured

323

are described in the "Configuring GDM" section of this

324

document. GDM is also accessible for users with disabilities.

325

</para>

326

327

<para>

328

GDM provides the ability to manage the main console display, and

329

displays launched via VT. It is integrated with other programs,

330

such as the Fast User Switch Applet (FUSA) and gnome-screensaver

331

to manage multiple displays on the console via the Xserver Virtual

332

Terminal (VT) interface. It also can manage XDMCP displays.

333

</para>

334

335

<para>

336

Regardless of the display type, GDM will do the following when it

337

manages the display. It will start an Xserver process, then run the

338

<filename>Init</filename> script as the root user, and start the

339

greeter program on the display.

340

</para>

341

342

<para>

343

The greeter program is run as the unprivileged "gdm"

344

user/group. This user and group are described in the

345

"Security" section of this document. The main function of

346

the greeter program is to authenticate the user. The authentication

347

process is driven by Pluggable Authentication Modules (PAM). The PAM

348

modules determine what prompts (if any) are shown to the user to

349

authenticate. On the average system, the greeter program will request

350

a username and password for authentication. However some systems may

351

be configured to use alternative mechanisms such as a fingerprint or

352

SmartCard reader. GDM and PAM can be configured to not require any

353

input, which will cause GDM to automatically log in and simply

354

start a session, which can be useful for some environments, such as

355

for kiosks.

356

</para>

357

358

<para>

359

In addition to authentication, the greeter program allows the user to

360

select which session to start and which language to use. Sessions are

361

defined by files that end in the .desktop suffix and more information

362

about these files can be found in the "GDM User Session and Language

363

Configuration" section of this document. By default, GDM is configured

364

to display a face browser so the user can select their user account by

365

clicking on an image instead of having to type their username. GDM

366

keeps track of the user's default session and language in the user's

367

<filename>~/.dmrc</filename> and will use these defaults if the user

368

did not pick a session or language in the login GUI.

369

</para>

370

371

<para>

372

After authenticating a user, the daemon runs the

373

<filename>PostLogin</filename> script as root, then runs the

374

<filename>PreSession</filename> script as root. After running these

375

scripts, the user session is started. When the user exits their

376

session, the <filename>PostSession</filename> script is run as root.

377

These scripts are provided as hooks for distributions and end-users

378

to customize how sessions are managed. For example, using these

379

hooks you could set up a machine which creates the user's $HOME

380

directory on the fly, and erases it on logout. The difference

381

between the <filename>PostLogin</filename> and

382

<filename>PreSession</filename> scripts is that

383

<filename>PostLogin</filename> is run before the pam_open_session call

384

so is the right place to do anything which should be run before the

385

user session is initialized. The <filename>PreSession</filename>

386

script is called after session initialization.

387

</para>

388

</sect2>

389

390

391

<title>Greeter Panel</title>

392

<para>

393

The GDM greeter program displays a panel docked at the bottom of the

394

screen which provides additional functionality. When a user is

395

selected, the panel allows the user to select which session, language,

396

and keyboard layout to use after logging in. The keyboard layout

397

selector also changes the keyboard layout used when typing your

398

password. The panel also contains an area for login services to leave

399

status icons. Some example status icons include a battery icon for

400

current battery usage, and an icon for enabling accessibility features.

401

The greeter program also provides buttons which allow the user to

402

shutdown or restart the system. It is possible to configure GDM to not

403

provide the shutdown and restart buttons, if desired. GDM can also be

404

configured via PolicyKit (or via RBAC on Solaris) to require the user

405

have appropriate authorization before accepting the shutdown or restart

406

request.

407

</para>

408

409

<para>

410

Note that keyboard layout features are only available on systems that

411

support libxklavier.

412

</para>

413

</sect2>

414

415

416

417

418

<para>

419

GDM supports "Accessible Login", allowing users to log into

420

their desktop session even if they cannot easily use the screen,

421

mouse, or keyboard in the usual way. Accessible Technology (AT)

422

features such as an on-screen keyboard, screen reader, screen

423

magnifier, and Xserver AccessX keyboard accessibility are available.

424

It is also possible to enable large text or high contrast icons and

425

controls, if needed. Refer to the "Accessibility

426

Configuration" section of the document for more information

427

how various accessibility features can be configured.

428

</para>

429

430

<para>

431

On some Operating Systems, it is necessary to make sure that the GDM

432

user is a member of the "audio" group for AT programs that

433

require audio output (such as text-to-speech) to be functional.

434

</para>

435

</sect2>

436

437

438

<title>The GDM Face Browser</title>

439

440

<para>

441

The Face Browser is the interface which allows users to select their

442

username by clicking on an image. This feature can be enabled or

443

disabled via the /apps/gdm/simple-greeter/disable_user_list GConf

444

key and is on by default. When disabled, users must type their

445

complete username by hand. When enabled, it displays all local users

446

which are available for login on the system (all user accounts defined

447

in the /etc/passwd file that have a valid shell and sufficiently high

448

UID) and remote users that have recently logged in.

449

The face browser in GDM 2.20 and earlier would attempt to display all

450

remote users, which caused performance problems in large,

451

enterprise deployments.

452

</para>

453

454

<para>

455

The Face Browser is configured to display the users who log in most

456

frequently at the top of the list. This helps to ensure that users

457

who log in frequently can quickly find their login image.

458

</para>

459

460

<para>

461

The Face Browser supports "type-ahead search" which dynamically

462

moves the face selection as the user types to the corresponding username

463

in the list. This means that a user with a long username will only

464

have to type the first few characters of the username before the correct

465

item in the list gets selected.

466

</para>

467

468

<para>

469

The icons used by GDM can be installed globally by the sysadmin or can

470

be located in the user's home directories. If installed globally

471

they should be in the <filename><share>/pixmaps/faces/</filename>

472

directory and the filename should be the name of the user. Face image

473

files should be a standard image that GTK+ can read, such as PNG or

474

JPEG. Face icons placed in the global face directory must be readable

475

to the GDM user.

476

</para>

477

478

<!--

479

<para>

480

TODO - In the old GDM the ~/gnome2/gdm file is used, but the new code

481

seems to use ~/.gnome/gdm. Error?

482

</para>

483

-->

484

<para>

485

If there is no global icon for the user, GDM will look in the user's

486

$HOME directory for the image file. GDM will first look for the user's

487

face image in <filename>~/.face</filename>. If not found, it will try

488

<filename>~/.face.icon</filename>. If still not found, it will use the

489

value defined for "face/picture=" in the

490

<filename>~/.gnome2/gdm</filename> file.

491

</para>

492

493

<para>

494

If a user has no defined face image, GDM will use the

495

"stock_person" icon defined in the current GTK+ theme. If no

496

such image is defined, it will fallback to a generic face image.

497

</para>

498

499

<para>

500

Please note that loading and scaling face icons located in remote user

501

home directories can be a very time-consuming task. Since it not

502

practical to load images over NIS or NFS, GDM does not attempt to load

503

face images from remote home directories.

504

</para>

505

506

<para>

507

When the browser is turned on, valid usernames on the computer are

508

exposed for everyone to see. If XDMCP is enabled, then the usernames

509

are exposed to remote users. This, of course, limits security

510

somewhat since a malicious user does not need to guess valid usernames.

511

In some very restrictive environments the face browser may not be

512

appropriate.

513

</para>

514

515

</sect2>

516

517

518

<title>XDMCP</title>

519

520

<!--

521

<para>

522

TODO - What XDMCP features actually work? I know that the

523

chooser is missing.

524

</para>

525

-->

526

527

<para>

528

The GDM daemon can be configured to listen for and manage X Display

529

Manage Protocol (XDMCP) requests from remote displays. By default

530

XDMCP support is turned off, but can be enabled if desired. If GDM is

531

built with TCP Wrapper support, then the daemon will only grant access

532

to hosts specified in the GDM service section in the TCP Wrappers

533

configuration file.

534

</para>

535

536

<para>

537

GDM includes several measures making it more resistant to denial of

538

service attacks on the XDMCP service. A lot of the protocol

539

parameters, handshaking timeouts, etc. can be fine tuned. The default

540

configuration should work reasonably on most systems.

541

</para>

542

543

<para>

544

GDM by default listens for XDMCP requests on the normal UDP port used

545

for XDMCP, port 177, and will respond to QUERY and BROADCAST_QUERY

546

requests by sending a WILLING packet to the originator.

547

</para>

548

549

<para>

550

GDM can also be configured to honor INDIRECT queries and present a

551

host chooser to the remote display. GDM will remember the user's

552

choice and forward subsequent requests to the chosen manager. GDM

553

also supports an extension to the protocol which will make it forget

554

the redirection once the user's connection succeeds. This extension

555

is only supported if both daemons are GDM. It is transparent and

556

will be ignored by XDM or other daemons that implement XDMCP.

557

</para>

558

559

<para>

560

If XDMCP seems to not be working, make sure that all machines are

561

specified in <filename>/etc/hosts</filename>.

562

</para>

563

564

<para>

565

Refer to the "Security" section for information about

566

security concerns when using XDMCP.

567

</para>

568

</sect2>

569

570

571

<title>Logging</title>

572

573

<para>

574

GDM uses syslog to log errors and status. It can also log debugging

575

information, which can be useful for tracking down problems if GDM is

576

not working properly. Debug output can be enabled by setting the

577

debug/Enable key to "true" in the

578

<filename><etc>/gdm/custom.conf</filename> file.

579

</para>

580

581

<para>

582

Output from the various Xservers is stored in the GDM log directory,

583

which is normally <filename><var>/log/gdm/</filename>. Any

584

Xserver messages are saved to a file associated with the display value,

585

<filename><display>.log</filename>.

586

</para>

587

588

<para>

589

The session output is piped through the GDM daemon to the

590

<filename>~/.xsession-errors</filename> file. The file is overwritten

591

on each login, so logging out and logging back into the same user via

592

GDM will cause any messages from the previous session to be lost.

593

</para>

594

595

<para>

596

Note that if GDM can not create this file for some reason, then a

597

fallback file will be created named <filename>~/.xsession-errors.XXXXXXXX</filename>

598

where the <filename>XXXXXXXX</filename> are some random characters.

599

</para>

600

</sect2>

601

602

603

<title>Fast User Switching</title>

604

605

<para>

606

GDM allows multiple users to be logged in at the same time. After one

607

user is logged in, additional users can log in via the User Switcher

608

on the GNOME Panel, or from the "Switch User" button in Lock Screen dialog

609

of GNOME Screensaver. The active session can be changed back and forth using

610

the same mechanism. Note that some distributions may not add the User Switcher

611

to the default panel configuration. It can be added using the panel context

612

menu.

613

</para>

614

<para>

615

Note this feature is available on systems that support Virtual

616

Terminals. This feature will not function if Virtual Terminals is not

617

available.

618

</para>

619

</sect2>

620

</sect1>

621

622

623

624

625

626

627

628

<title>The GDM User And Group</title>

629

630

<para>

631

For security reasons a dedicated user and group id are recommended for

632

proper operation. This user and group are normally "gdm" on

633

most systems, but can be configured to any user or group. All GDM

634

GUI programs are run as this user, so that the programs which interact

635

with the user are run in a sandbox. This user and group should have

636

limited privilege.

637

</para>

638

639

<para>

640

The only special privilege the "gdm" user requires is the

641

ability to read and write Xauth files to the

642

<filename><var>/run/gdm</filename> directory. The

643

<filename><var>/run/gdm</filename> directory should have

644

root:gdm ownership and 1777 permissions.

645

</para>

646

647

<para>

648

You should not, under any circumstances, configure the GDM user/group

649

to a user which a user could easily gain access to, such as the user

650

<filename>nobody</filename>. Any user who gains access to an Xauth

651

key can snoop on and control running GUI programs running in the

652

associated session or perform a denial-of-service attack on it. It

653

is important to ensure that the system is configured properly so that

654

only the "gdm" user has access to these files and that it

655

is not easy to login to this account. For example, the account should

656

be setup to not have a password or allow non-root users to login to the

657

account.

658

</para>

659

660

<para>

661

The GDM greeter configuration is stored in GConf. To allow the GDM

662

user to be able to write configuration, it is necessary for the

663

"gdm" user to have a writable $HOME directory. Users may

664

configure the default GConf configuration as desired to avoid the

665

need to provide the "gdm" user with a writable $HOME

666

directory. However, some features of GDM may be disabled if it is

667

unable to write state information to GConf configuration.

668

</para>

669

</sect2>

670

671

672

673

674

<para>

675

GDM uses PAM for login authentication. PAM stands for Pluggable

676

Authentication Module, and is used by most programs that request

677

authentication on your computer. It allows the administrator to

678

configure specific authentication behavior for different login programs

679

(such as ssh, login GUI, screensaver, etc.)

680

</para>

681

682

<para>

683

PAM is complicated and highly configurable, and this documentation does

684

not intend to explain this in detail. Instead, it is intended to give

685

an overview of how PAM configuration relates with GDM, how PAM is

686

commonly configured with GDM, and known issues. It is expected that

687

a person needing to do PAM configuration would need to do further

688

reading of PAM documentation to understand how to configure PAM and

689

to understand terms used in this section.

690

</para>

691

692

<para>

693

PAM configuration has different, but similar, interfaces on different

694

Operating Systems, so check the

695

<ulink type="help" url="man:pam.d">pam.d</ulink> or

696

<ulink type="help" url="man:pam.conf">pam.conf</ulink> man page for

697

details. Be sure you read the PAM documentation and are comfortable

698

with the security implications of any changes you intend to make to

699

your configuration.

700

</para>

701

702

<para>

703

Note that, by default, GDM uses the "gdm" PAM service name

704

for normal login and the "gdm-autologin" PAM service name for

705

automatic login. These services may not be defined in your pam.d or

706

pam.conf configured file. If there is no entry, then GDM will use the

707

default PAM behavior. On most systems this should work fine.

708

However, the automatic login feature may not work if the gdm-autologin

709

service is not defined.

710

</para>

711

712

<para>

713

The <filename>PostLogin</filename> script is run before

714

pam_open_session is called, and the <filename>PreSession</filename>

715

script is called after. This allows the system administrator to add

716

any scripting to the login process either before or after PAM

717

initializes the session.

718

</para>

719

720

<para>

721

If you wish to make GDM work with other types of authentication

722

mechanisms (such as a fingerprint or SmartCard reader), then you should

723

implement this by using a PAM service module for the desired

724

authentication type rather than by trying to modify the GDM code

725

directly. Refer to the PAM documentation on your system. How to do

726

this is frequently discussed on the

727

<address><email>gdm-list@gnome.org</email></address> mail list,

728

so you can refer to the list archives for more information.

729

</para>

730

731

<para>

732

PAM does have some limitations regarding being able to work with

733

multiple types of authentication at the same time, like supporting

734

the ability to accept either SmartCard and the ability to type the

735

username and password into the login program. There are techniques

736

that are used to make this work, and it is best to research how this

737

problem is commonly solved when setting up such a configuration.

738

</para>

739

740

<para>

741

If automatic login does not work on a system, check to see if the

742

"gdm-autologin" PAM stack is defined in the PAM configuration. For

743

this to work, it is necessary to use a PAM module that simply does no

744

authentication, or which simply returns PAM_SUCCESS from all of its

745

public interfaces. Assuming your system has a pam_allow.so PAM module

746

which does this, a PAM configuration to enable "gdm-autologin" would

747

look like this:

748

</para>

749

750

751

gdm-autologin auth required pam_unix_cred.so.1

752

gdm-autologin auth sufficient pam_allow.so.1

753

gdm-autologin account sufficient pam_allow.so.1

754

gdm-autologin session sufficient pam_allow.so.1

755

gdm-autologin password sufficient pam_allow.so.1

756

</screen>

757

758

<para>

759

The above setup will cause no lastlog entry to be generated. If a

760

lastlog entry is desired, then use the following for the session:

761

</para>

762

763

764

gdm-autologin session required pam_unix_session.so.1

765

</screen>

766

767

<para>

768

If the computer is used by several people, which makes automatic login

769

unsuitable, you may want to allow some users to log in without entering

770

their password. This feature can be enabled as a per-user option in

771

the users-admin tool from the gnome-system-tools; it is achieved by

772

checking that the user is member a Unix group called

773

"nopasswdlogin" before asking for a password. For this to work,

774

the PAM configuration file for the "gdm" service must include

775

a line such as:

776

</para>

777

778

779

gdm auth sufficient pam_succeed_if.so user ingroup nopasswdlogin

780

</screen>

781

782

</sect2>

783

784

785

786

787

<para>

788

GDM generates utmp and wtmp User Accounting Database entries upon

789

session login and logout. The utmp database contains user access

790

and accounting information that is accessed by commands such as

791

<command>finger</command>, <command>last</command>,

792

<command>login</command>, and <command>who</command>. The wtmp

793

database contains the history of user access and accounting

794

information for the utmp database. Refer to the

795

<ulink type="help" url="man:utmp">utmp</ulink> and

796

797

man pages on your system for more information.

798

</para>

799

</sect2>

800

801

802

<title>Xserver Authentication Scheme</title>

803

804

<para>

805

Xserver authorization files are stored in a newly created subdirectory

806

of <filename><var>/run/gdm</filename> at start up. These files

807

are used to store and share a "password" between X clients

808

and the Xserver. This "password" is unique for each session

809

logged in, so users from one session can't snoop on users from another.

810

</para>

811

812

<para>

813

GDM only supports the MIT-MAGIC-COOKIE-1 Xserver authentication

814

scheme. Normally little is gained from the other schemes, and no

815

effort has been made to implement them so far. Be especially

816

careful about using XDMCP because the Xserver authentication cookie

817

goes over the wire as clear text. If snooping is possible, then an

818

attacker could simply snoop your authentication password as you log in,

819

regardless of the authentication scheme being used. If snooping is

820

possible and undesirable, then you should use ssh for tunneling an X

821

connection rather then using XDMCP. You could think of XDMCP as a sort

822

of graphical telnet, having the same security issues. In most cases,

823

ssh -Y should be preferred over GDM's XDMCP features.

824

</para>

825

826

</sect2>

827

828

829

<title>XDMCP Security</title>

830

831

<para>

832

Even though your display is protected by cookies, XEvents and thus

833

keystrokes typed when entering passwords will still go over the wire in

834

clear text. It is trivial to capture these.

835

</para>

836

837

<para>

838

XDMCP is primarily useful for running thin clients such as in terminal

839

labs. Those thin clients will only ever need the network to access

840

the server, and so it seems like the best security policy to have

841

those thin clients on a separate network that cannot be accessed by

842

the outside world, and can only connect to the server. The only point

843

from which you need to access outside is the server. This type of set up

844

should never use an unmanaged hub or other sniffable network.

845

</para>

846

847

</sect2>

848

849

850

<title>XDMCP Access Control</title>

851

852

<para>

853

XDMCP access control is done using TCP wrappers. It is possible to

854

compile GDM without TCP wrapper support, so this feature may not be

855

supported on some Operating Systems.

856

</para>

857

858

<para>

859

You should use the daemon name <command>gdm</command> in the

860

<filename><etc>/hosts.allow</filename> and

861

<filename><etc>/hosts.deny</filename> files. For example to

862

deny computers from <filename>.evil.domain</filename> from logging in,

863

then add

864

</para>

865

866

gdm: .evil.domain

867

</screen>

868

<para>

869

to <filename><etc>/hosts.deny</filename>. You may also need

870

to add

871

</para>

872

873

gdm: .your.domain

874

</screen>

875

<para>

876

to your <filename><etc>/hosts.allow</filename> if you normally

877

disallow all services from all hosts. See the

878

<ulink type="help" url="man:hosts.allow">hosts.allow(5)</ulink> man

879

page for details.

880

</para>

881

</sect2>

882

883

884

<title>Firewall Security</title>

885

886

<para>

887

Even though GDM tries to outsmart potential attackers trying to take

888

advantage of XDMCP, it is still advised that you block the XDMCP port

889

(normally UDP port 177) on your firewall unless really needed. GDM

890

guards against denial of service attacks, but the X protocol is still

891

inherently insecure and should only be used in controlled environments.

892

Also each remote connection takes up lots of resources, so it is much

893

easier to do a denial of service attack via XDMCP than attacking a

894

webserver.

895

</para>

896

897

<para>

898

It is also wise to block all of the Xserver ports. These are TCP

899

ports 6000+ (one for each display number) on your firewall. Note that

900

GDM will use display numbers 20 and higher for flexible on-demand

901

servers.

902

</para>

903

904

<para>

905

X is not a very safe protocol when using it over the Internet, and

906

XDMCP is even less safe.

907

</para>

908

</sect2>

909

910

911

<title>PolicyKit</title>

912

913

<!--

914

<para>

915

TODO - Should we say more?

916

</para>

917

-->

918

919

<para>

920

GDM may be configured to use PolicyKit to allow the system

921

administrator to control whether the login screen should provide

922

the shutdown and restart buttons on the greeter screen.

923

</para>

924

925

<para>

926

These buttons are controlled by the

927

<filename>org.freedesktop.consolekit.system.stop-multiple-users</filename>

928

and

929

<filename>org.freedesktop.consolekit.system.restart-multiple-users</filename>

930

actions respectively. Policy for these actions can be set up using the

931

polkit-gnome-authorization tool, or the polkit-auth command line program.

932

</para>

933

934

</sect2>

935

936

937

<title>RBAC (Role Based Access Control)</title>

938

939

<para>

940

GDM may be configured to use RBAC instead of PolicyKit. In this

941

case the RBAC configuration is used to control whether the login screen

942

should provide the shutdown and restart buttons on the greeter screen.

943

</para>

944

945

<para>

946

For example, on Solaris, the "solaris.system.shutdown"

947

authorization is used to control this. Simply modify the

948

<filename>/etc/user_attr</filename> file so that the "gdm"

949

user has this authorization.

950

</para>

951

</sect2>

952

953

</sect1>

954

955

956

957

958

<title>ConsoleKit 지원</title>

959

960

<!--

961

<para>

962

TODO - Should we update these docs? Probably should mention any

963

configuration that users may want to do for using it with GDM?

964

If so, perhaps this section should be moved to a subsection of

965

the "Configure" section?

966

</para>

967

-->

968

969

<para>

970

GDM includes support for publishing user login information with the user

971

and login session accounting framework known as ConsoleKit. ConsoleKit

972

is able to keep track of all the users currently logged in. In this

973

respect, it can be used as a replacement for the utmp or utmpx files that

974

are available on most Unix-like Operating Systems.

975

</para>

976

977

<para>

978

When GDM is about to create a new login process for a user it will call

979

a privileged method of ConsoleKit in order to open a new session for this

980

user. At this time GDM also provides ConsoleKit with information about

981

this user session such as: the user ID, the X11 Display name that will be

982

associated with the session, the host-name from which the session

983

originates (useful in the case of an XDMCP session), whether or not this

984

session is attached, etc. As the entity that initiates the user process,

985

GDM is in a unique position to know about the user session and to be

986

trusted to provide these bits of information. The use of this privileged

987

method is restricted by the use of the D-Bus system message bus security

988

policy.

989

</para>

990

991

<para>

992

In case a user with an existing session has authenticated

993

at GDM and requests to resume that existing session, GDM calls a

994

privileged method of ConsoleKit to unlock that session. The exact

995

details of what happens when the session receives this unlock signal are

996

undefined and session-specific. However, most sessions will unlock a

997

screensaver in response.

998

</para>

999

1000

<para>

1001

When the user chooses to log out, or if GDM or the session quit

1002

unexpectedly the user session will be unregistered from ConsoleKit.

1003

</para>

1004

</sect1>

1005

1006

1007

1008

1009

1010

1011

<para>

1012

GDM has a number of configuration interfaces. These include scripting

1013

integration points, daemon configuration, greeter configuration,

1014

general session settings, integration with gnome-settings-daemon

1015

configuration, and session configuration. These types of integration are

1016

described in detail below.

1017

</para>

1018

1019

1020

<title>Scripting Integration Points</title>

1021

1022

<para>

1023

The GDM script integration points can be found in the

1024

<filename><etc>/gdm/</filename> directory:

1025

</para>

1026

1027

1028

Xsession

1029

Init/

1030

PostLogin/

1031

PreSession/

1032

PostSession/

1033

</screen>

1034

1035

<para>

1036

The <filename>Init</filename>, <filename>PostLogin</filename>,

1037

<filename>PreSession</filename>, and <filename>PostSession</filename>

1038

scripts all work as described below.

1039

</para>

1040

1041

<para>

1042

For each type of script, the default one which will be executed is

1043

called "Default" and is stored in a directory associated with

1044

the script type. So the default <filename>Init</filename> script is

1045

<filename><etc>/gdm/Init/Default</filename>. A per-display

1046

script can be provided, and if it exists it will be run instead of the

1047

default script. Such scripts are stored in the same directory as the

1048

default script and have the same name as the Xserver DISPLAY value for

1049

that display. For example, if the <filename><Init>/:0</filename>

1050

script exists, it will be run for DISPLAY ":0".

1051

</para>

1052

1053

<para>

1054

All of these scripts are run with root privilege and return 0 if run

1055

successfully, and a non-zero return code if there was any failure that

1056

should cause the login session to be aborted. Also note that GDM will

1057

block until the scripts finish, so if any of these scripts hang, this

1058

will cause the login process to also hang.

1059

</para>

1060

1061

<para>

1062

When the Xserver for the login GUI has been successfully started, but

1063

before the login GUI is actually displayed, GDM will run the

1064

<filename>Init</filename> script. This script is useful for starting

1065

programs that should be run while the login screen is showing, or for

1066

doing any special initialization if required.

1067

</para>

1068

1069

<para>

1070

After the user has been successfully authenticated GDM will run the

1071

<filename>PostLogin</filename> script. This is done before any session

1072

setup has been done, including before the pam_open_session call. This

1073

script is useful for doing any session initialization that needs to

1074

happen before the session starts. For example, you might setup the

1075

user's $HOME directory if needed.

1076

</para>

1077

1078

<para>

1079

After the user session has been initialized, GDM will run the

1080

<filename>PreSession</filename> script. This script is useful for

1081

doing any session initialization that needs to happen after the

1082

session has been initialized. It can be used for session management or

1083

accounting, for example.

1084

</para>

1085

1086

<para>

1087

When a user terminates their session, GDM will run the

1088

<filename>PostSession</filename> script. Note that the Xserver will

1089

have been stopped by the time this script is run, so it should not be

1090

accessed.

1091

</para>

1092

1093

<para>

1094

Note that the <filename>PostSession</filename> script will be run

1095

even when the display fails to respond due to an I/O error or

1096

similar. Thus, there is no guarantee that X applications will work

1097

during script execution.

1098

</para>

1099

1100

<para>

1101

All of the above scripts will set the

1102

<filename>$RUNNING_UNDER_GDM</filename> environment variable to

1103

<filename>yes</filename>. If the scripts are also shared with other

1104

display managers, this allows you to identify when GDM is calling these

1105

scripts, so you can run specific code when GDM is used.

1106

</para>

1107

</sect2>

1108

1109

1110

<title>Autostart Configuration</title>

1111

1112

<para>

1113

The <filename><share>/gdm/autostart/LoginWindow</filename>

1114

directory contains files in the format specified by the

1115

"FreeDesktop.org Desktop Application Autostart

1116

Specification". Standard features in the specification may be

1117

used to specify programs that should auto-restart or only be launched

1118

if a GConf configuration value is set, etc.

1119

</para>

1120

1121

<para>

1122

Any <filename>.desktop</filename> files in this directory will cause

1123

the associated program to automatically start with the login GUI

1124

greeter. By default, GDM is shipped with files which will autostart

1125

the gdm-simple-greeter login GUI greeter itself, the

1126

gnome-power-manager application, the gnome-settings-daemon, and the

1127

metacity window manager. These programs are needed for the greeter

1128

program to work. In addition, desktop files are provided for starting

1129

various AT programs if the configuration values specified in the

1130

Accessibility Configuration section below are set.

1131

</para>

1132

</sect2>

1133

1134

1135

<title>Xsession Script</title>

1136

1137

<para>

1138

There is also an <filename>Xsession</filename> script located at

1139

<filename><etc>/gdm/Xsession</filename> which is called between

1140

the <filename>PreSession</filename> and the

1141

<filename>PostSession</filename> scripts. This script does not

1142

support per-display like the other scripts. This script is used for

1143

actually starting the user session. This script is run as the user,

1144

and it will run whatever session was specified by the Desktop session

1145

file the user selected to start.

1146

</para>

1147

</sect2>

1148

1149

1150

<title>Daemon Configuration</title>

1151

1152

<para>

1153

The GDM daemon is configured using the

1154

<filename><etc>/gdm/custom.conf</filename> file. Default

1155

values are stored in GConf in the <filename>gdm.schemas</filename>

1156

file. It is recommended that end-users modify the

1157

<filename><etc>/gdm/custom.conf</filename> file because the

1158

schemas file may be overwritten when the user updates their system to

1159

have a newer version of GDM.

1160

</para>

1161

1162

<para>

1163

Note that older versions of GDM supported additional configuration

1164

options which are no longer supported in the latest versions of GDM.

1165

</para>

1166

1167

<para>

1168

The <filename><etc>/gdm/custom.conf</filename> file is in the

1169

<filename>keyfile</filename> format. Keywords in brackets

1170

define group sections, strings before an equal sign (=) are keys and

1171

the data after equal sign represents their value. Empty lines or

1172

lines starting with the hash mark (#) are ignored.

1173

</para>

1174

1175

<para>

1176

The file <filename><etc>/gdm/custom.conf</filename> supports the

1177

"[daemon]", "[security]", and "[xdmcp]"

1178

group sections. Within each group, there are particular key/value

1179

pairs that can be specified to modify how GDM behaves. For example,

1180

to enable timed login and specify the timed login user to be a user

1181

named "you", you would modify the file so it contains the

1182

following lines:

1183

</para>

1184

1185

1186

[daemon]

1187

TimedLoginEnable=true

1188

TimedLogin=you

1189

</screen>

1190

1191

<para>

1192

A full list of supported configuration keys follow:

1193

</para>

1194

1195

1196

<title>[chooser]</title>

1197

1198

1199

1200

<term>Multicast</term>

1201

1202

<synopsis>Multicast=false</synopsis>

1203

<para>

1204

If true and IPv6 is enabled, the chooser will send a multicast

1205

query to the local network and collect responses from the hosts

1206

who have joined multicast group.

1207

</para>

1208

</listitem>

1209

</varlistentry>

1210

1211

1212

<term>MulticastAddr</term>

1213

1214

<synopsis>MulticastAddr=ff02::1</synopsis>

1215

<para>

1216

This is the Link-local multicast address.

1217

</para>

1218

</listitem>

1219

</varlistentry>

1220

</variablelist>

1221

</sect3>

1222

1223

1224

<title>[daemon]</title>

1225

1226

1227

<term>TimedLoginEnable</term>

1228

1229

<synopsis>TimedLoginEnable=false</synopsis>

1230

<para>

1231

If the user given in <filename>TimedLogin</filename> should be

1232

logged in after a number of seconds (set with

1233

<filename>TimedLoginDelay</filename>) of inactivity on the

1234

1235

perhaps even home use. If the user uses the keyboard or

1236

browses the menus, the timeout will be reset to

1237

<filename>TimedLoginDelay</filename> or 30 seconds, whichever

1238

is higher. If the user does not enter a username but just

1239

hits the ENTER key while the login program is requesting the

1240

username, then GDM will assume the user wants to login

1241

immediately as the timed user. Note that no password will be

1242

asked for this user so you should be careful, although if using

1243

PAM it can be configured to require password entry before

1244

allowing login. Refer to the "Security->PAM"

1245

section of the manual for more information, or for help if this

1246

feature does not seem to work.

1247

</para>

1248

</listitem>

1249

</varlistentry>

1250

1251

1252

<term>TimedLogin</term>

1253

1254

<synopsis>TimedLogin=</synopsis>

1255

<para>

1256

This is the user that should be logged in after a specified

1257

number of seconds of inactivity.

1258

</para>

1259

<para>

1260

If the value ends with a vertical bar | (the pipe symbol),

1261

then GDM will execute the program specified and use whatever

1262

value is returned on standard out from the program as the user.

1263

The program is run with the DISPLAY environment variable set so

1264

that it is possible to specify the user in a per-display

1265

fashion. For example if the value is "/usr/bin/getloginuser|",

1266

then the program "/usr/bin/getloginuser" will be run to get the

1267

user value.

1268

</para>

1269

</listitem>

1270

</varlistentry>

1271

1272

1273

<term>TimedLoginDelay</term>

1274

1275

<synopsis>TimedLoginDelay=30</synopsis>

1276

<para>

1277

Delay in seconds before the <filename>TimedLogin</filename>

1278

user will be logged in.

1279

</para>

1280

</listitem>

1281

</varlistentry>

1282

1283

1284

<term>AutomaticLoginEnable</term>

1285

1286

<synopsis>AutomaticLoginEnable=false</synopsis>

1287

<para>

1288

If true, the user given in <filename>AutomaticLogin</filename>

1289

should be logged in immediately. This feature is like timed

1290

1291

</para>

1292

</listitem>

1293

</varlistentry>

1294

1295

1296

<term>AutomaticLogin</term>

1297

1298

<synopsis>AutomaticLogin=</synopsis>

1299

<para>

1300

This is the user that should be logged in immediately if

1301

<filename>AutomaticLoginEnable</filename> is true.

1302

</para>

1303

<para>

1304

If the value ends with a vertical bar | (the pipe symbol),

1305

then GDM will execute the program specified and use whatever

1306

value is returned on standard out from the program as the user.

1307

The program is run with the DISPLAY environment variable set so

1308

that it is possible to specify the user in a per-display

1309

fashion. For example if the value is "/usr/bin/getloginuser|",

1310

then the program "/usr/bin/getloginuser" will be run to get the

1311

user value.

1312

</para>

1313

</listitem>

1314

</varlistentry>

1315

1316

1317

1318

1319

1320

<para>

1321

The username under which the greeter and other GUI programs

1322

are run. Refer to the <filename>Group</filename>

1323

configuration key and to the "Security->GDM User And

1324

Group" section of this document for more information.

1325

</para>

1326

</listitem>

1327

</varlistentry>

1328

1329

1330

<term>Group</term>

1331

1332

<synopsis>Group=gdm</synopsis>

1333

<para>

1334

The group name under which the greeter and other GUI programs

1335

are run. Refer to the <filename>User</filename>

1336

configuration key and to the "Security->GDM User And

1337

Group" section of this document for more information.

1338

</para>

1339

</listitem>

1340

</varlistentry>

1341

</variablelist>

1342

</sect3>

1343

1344

1345

<title>Debug Options</title>

1346

1347

1348

<title>[debug]</title>

1349

1350

1351

<term>Enable</term>

1352

1353

<synopsis>Enable=false</synopsis>

1354

<para>

1355

To enable debugging, set the debug/Enable key to

1356

"true" in the

1357

<filename><etc>/gdm/custom.conf</filename>

1358

file and restart GDM. Then debug output will be sent to the

1359

system log file (<filename><var>/log/messages</filename>

1360

or <filename><var>/adm/messages</filename> depending on

1361

your Operating System).

1362

</para>

1363

</listitem>

1364

</varlistentry>

1365

</variablelist>

1366

</sect3>

1367

1368

1369

<title>Greeter Options</title>

1370

1371

1372

<title>[greeter]</title>

1373

1374

1375

<term>IncludeAll</term>

1376

1377

<synopsis>IncludeAll=true</synopsis>

1378

<para>

1379

If true, then the face browser will show all users on the local

1380

machine. If false, the face browser will only show users who

1381

have recently logged in.

1382

</para>

1383

1384

<para>

1385

When this key is true, GDM will call fgetpwent() to get a list

1386

of local users on the system. Any users with a user id less

1387

than 500 (or 100 if running on Solaris) are filtered out. The

1388

Face Browser also will display any users that have previously

1389

logged in on the system (for example NIS/LDAP users). It gets

1390

this list via calling the <command>ck-history</command>

1391

ConsoleKit interface. It will also filter out any users which

1392

do not have a valid shell (valid shells are any shell that

1393

getusershell() returns - /sbin/nologin or /bin/false are

1394

considered invalid shells even if getusershell() returns them).

1395

</para>

1396

1397

<para>

1398

If false, then GDM more simply only displays users that have

1399

previously logged in on the system (local or NIS/LDAP users) by

1400

calling the <command>ck-history</command> ConsoleKit interface.

1401

</para>

1402

</listitem>

1403

</varlistentry>

1404

1405

1406

<term>Include</term>

1407

1408

<synopsis>Include=</synopsis>

1409

<para>

1410

Set to a list of users to always include in the Face Browser.

1411

This value is set to a list of users separated by commas. By

1412

default, the value is empty.

1413

</para>

1414

</listitem>

1415

</varlistentry>

1416

1417

1418

<term>Exclude</term>

1419

1420

<synopsis>Exclude=bin,root,daemon,adm,lp,sync,shutdown,halt,mail,news,uucp,operator,nobody,nobody4,noaccess,postgres,pvm,rpm,nfsnobody,pcap</synopsis>

1421

<para>

1422

Set to a list of users to always exclude in the Face Browser.

1423

This value is set to a list of users separated by commas. Note

1424

that the setting in the <filename>custom.conf</filename>

1425

overrides the default value, so if you wish to add additional

1426

users to the list, then you need to set the value to the

1427

default value with additional users appended to the list.

1428

</para>

1429

</listitem>

1430

</varlistentry>

1431

</variablelist>

1432

</sect3>

1433

1434

1435

1436

1437

1438

<title>[security]</title>

1439

1440

1441

<term>DisallowTCP</term>

1442

1443

<synopsis>DisallowTCP=true</synopsis>

1444

<para>

1445

If true, then always append <filename>-nolisten tcp</filename>

1446

to the command line when starting attached Xservers, thus

1447

disallowing TCP connection. This is a more secure

1448

configuration if you are not using remote connections.

1449

</para>

1450

</listitem>

1451

</varlistentry>

1452

</variablelist>

1453

</sect3>

1454

1455

1456

<title>XDCMP Support</title>

1457

1458

1459

<title>[xdmcp]</title>

1460

1461

1462

<term>DisplaysPerHost</term>

1463

1464

<synopsis>DisplaysPerHost=1</synopsis>

1465

<para>

1466

To prevent attackers from filling up the pending queue, GDM

1467

will only allow one connection for each remote computer. If

1468

you want to provide display services to computers with more

1469

than one screen, you should increase this value.

1470

</para>

1471

1472

<para>

1473

Note that the number of attached DISPLAYS allowed is not

1474

limited. Only remote connections via XDMCP are limited by

1475

this configuration option.

1476

</para>

1477

</listitem>

1478

</varlistentry>

1479

1480

1481

<term>Enable</term>

1482

1483

<synopsis>Enable=false</synopsis>

1484

<para>

1485

Setting this to true enables XDMCP support allowing remote

1486

displays/X terminals to be managed by GDM.

1487

</para>

1488

1489

<para>

1490

<filename>gdm</filename> listens for requests on UDP port 177.

1491

See the Port option for more information.

1492

</para>

1493

1494

<para>

1495

If GDM is compiled to support it, access from remote displays

1496

can be controlled using the TCP Wrappers library. The service

1497

name is <filename>gdm</filename>

1498

</para>

1499

1500

<para>

1501

You should add

1502

1503

gdm:.my.domain

1504

</screen>

1505

to your <filename><etc>/hosts.allow</filename>, depending

1506

on your TCP Wrappers configuration. See the

1507

<ulink type="help" url="man:hosts.allow">hosts.allow</ulink>

1508

man page for details.

1509

</para>

1510

1511

<para>

1512

Please note that XDMCP is not a particularly secure protocol

1513

and that it is a good idea to block UDP port 177 on your

1514

firewall unless you really need it.

1515

</para>

1516

</listitem>

1517

</varlistentry>

1518

1519

1520

<term>HonorIndirect</term>

1521

1522

<synopsis>HonorIndirect=true</synopsis>

1523

<para>

1524

Enables XDMCP INDIRECT choosing (i.e. remote execution of

1525

<filename>gdmchooser</filename>) for X-terminals which do not

1526

supply their own display browser.

1527

</para>

1528

</listitem>

1529

</varlistentry>

1530

1531

1532

<term>MaxPending</term>

1533

1534

<synopsis>MaxPending=4</synopsis>

1535

<para>

1536

To avoid denial of service attacks, GDM has fixed size queue

1537

of pending connections. Only MaxPending displays can start at

1538

the same time.

1539

</para>

1540

1541

<para>

1542

Please note that this parameter does not limit the number of

1543

remote displays which can be managed. It only limits the number

1544

of displays initiating a connection simultaneously.

1545

</para>

1546

</listitem>

1547

</varlistentry>

1548

1549

1550

<term>MaxSessions</term>

1551

1552

<synopsis>MaxSessions=16</synopsis>

1553

<para>

1554

Determines the maximum number of remote display connections

1555

which will be managed simultaneously. I.e. the total number of

1556

remote displays that can use your host.

1557

</para>

1558

</listitem>

1559

</varlistentry>

1560

1561

1562

<term>MaxWait</term>

1563

1564

<synopsis>MaxWait=30</synopsis>

1565

<para>

1566

When GDM is ready to manage a display an ACCEPT packet is sent

1567

to it containing a unique session id which will be used in

1568

future XDMCP conversations.

1569

</para>

1570

1571

<para>

1572

GDM will then place the session id in the pending queue

1573

waiting for the display to respond with a MANAGE request.

1574

</para>

1575

1576

<para>

1577

If no response is received within MaxWait seconds, GDM will

1578

declare the display dead and erase it from the pending queue

1579

freeing up the slot for other displays.

1580

</para>

1581

</listitem>

1582

</varlistentry>

1583

1584

1585

<term>MaxWaitIndirect</term>

1586

1587

<synopsis>MaxWaitIndirect=30</synopsis>

1588

<para>

1589

The MaxWaitIndirect parameter determines the maximum number of

1590

seconds between the time where a user chooses a host and the

1591

subsequent indirect query where the user is connected to the

1592

host. When the timeout is exceeded, the information about the

1593

chosen host is forgotten and the indirect slot freed up for

1594

other displays. The information may be forgotten earlier if

1595

there are more hosts trying to send indirect queries then

1596

<filename>MaxPendingIndirect</filename>.

1597

</para>

1598

</listitem>

1599

</varlistentry>

1600

1601

1602

<term>PingIntervalSeconds</term>

1603

1604

<synopsis>PingIntervalSeconds=15</synopsis>

1605

<para>

1606

Interval in which to ping the Xserver in seconds. If the

1607

Xserver does not respond before the next time we ping it, the

1608

connection is stopped and the session ended. This is a

1609

combination of the XDM PingInterval and PingTimeout, but in

1610

seconds.

1611

</para>

1612

1613

<para>

1614

Note that GDM in the past used to have a

1615

<filename>PingInterval</filename> configuration key which was

1616

also in minutes. For most purposes you'd want this setting

1617

to be lower than one minute. However since in most cases where

1618

XDMCP would be used (such as terminal labs), a lag of more

1619

than 15 or so seconds would really mean that the terminal was

1620

turned off or restarted and you would want to end the session.

1621

</para>

1622

</listitem>

1623

</varlistentry>

1624

1625

1626

1627

1628

1629

<para>

1630

The UDP port number <filename>gdm</filename> should listen to

1631

for XDMCP requests. Do not change this unless you know what

1632

you are doing.

1633

</para>

1634

</listitem>

1635

</varlistentry>

1636

1637

1638

<term>Willing</term>

1639

1640

<synopsis>Willing=<etc>/gdm/Xwilling</synopsis>

1641

<para>

1642

When the machine sends a WILLING packet back after a QUERY it

1643

sends a string that gives the current status of this server.

1644

The default message is the system ID, but it is possible to

1645

create a script that displays customized message. If this

1646

script does not exist or this key is empty the default message

1647

is sent. If this script succeeds and produces some output,

1648

the first line of it's output is sent (and only the first

1649

line). It runs at most once every 3 seconds to prevent

1650

possible denial of service by flooding the machine with QUERY

1651

packets.

1652

</para>

1653

</listitem>

1654

</varlistentry>

1655

</variablelist>

1656

</sect3>

1657

</sect2>

1658

1659

1660

<title>Simple Greeter Configuration</title>

1661

1662

<para>

1663

The GDM default greeter is called the simple Greeter and is

1664

configured via GConf. Default values are stored in GConf in the

1665

<filename>gdm-simple-greeter.schemas</filename> file. These defaults

1666

can be overridden if the "gdm" user has a writable $HOME

1667

directory to store GConf settings. These values can be edited using

1668

the <command>gconftool-2</command> or <command>gconf-editor</command>

1669

programs. The following configuration options are supported:

1670

</para>

1671

1672

1673

<title>Greeter Configuration Keys</title>

1674

1675

1676

<term>/apps/gdm/simple-greeter/banner_message_enable</term>

1677

1678

<synopsis>false (boolean)</synopsis>

1679

<para>

1680

Controls whether the banner message text is displayed.

1681

</para>

1682

</listitem>

1683

</varlistentry>

1684

1685

1686

<term>/apps/gdm/simple-greeter/banner_message_text</term>

1687

1688

<synopsis>NULL (string)</synopsis>

1689

<para>

1690

Specifies the text banner message to show on the greeter

1691

window.

1692

</para>

1693

</listitem>

1694

</varlistentry>

1695

1696

1697

<term>/apps/gdm/simple-greeter/disable_restart_buttons</term>

1698

1699

<synopsis>false (boolean)</synopsis>

1700

<para>

1701

Controls whether to show the restart buttons in the login

1702

window.

1703

</para>

1704

</listitem>

1705

</varlistentry>

1706

1707

1708

<term>/apps/gdm/simple-greeter/disable_user_list</term>

1709

1710

<synopsis>false (boolean)</synopsis>

1711

<para>

1712

If true, then the face browser with known users is not shown

1713

in the login window.

1714

</para>

1715

</listitem>

1716

</varlistentry>

1717

1718

1719

<term>/apps/gdm/simple-greeter/logo_icon_name</term>

1720

1721

<synopsis>computer (string)</synopsis>

1722

<para>

1723

Set to the themed icon name to use for the greeter logo.

1724

</para>

1725

</listitem>

1726

</varlistentry>

1727

1728

1729

<term>/apps/gdm/simple-greeter/recent-languages</term>

1730

1731

<synopsis>[] (string list)</synopsis>

1732

<para>

1733

Set to a list of languages to be shown by default in the login

1734

window. Default value is "[]". With the default setting only

1735

the system default language is shown and the option "Other..."

1736

which pops-up a dialog box showing a full list of available

1737

languages which the user can select.

1738

</para>

1739

1740

<para>

1741

Users are not intended to change this setting by hand. Instead

1742

GDM keeps track of any languages selected in this configuration

1743

key, and will show them in the language combo box along with

1744

the "Other..." choice. This way, commonly selected languages

1745

are easier to select.

1746

</para>

1747

</listitem>

1748

</varlistentry>

1749

1750

1751

<term>/apps/gdm/simple-greeter/recent-layouts</term>

1752

1753

<synopsis>[] (string list)</synopsis>

1754

<para>

1755

Set to a list of keyboard layouts to be shown by default in the

1756

1757

only the system default keyboard layout is shown and the option

1758

"Other..." which pops-up a dialog box showing a full list of

1759

available keyboard layouts which the user can select.

1760

</para>

1761

1762

<para>

1763

Users are not intended to change this setting by hand. Instead

1764

GDM keeps track of any keyboard layouts selected in this

1765

configuration key, and will show them in the keyboard layout

1766

combo box along with the "Other..." choice. This way, commonly

1767

selected keyboard layouts are easier to select.

1768

</para>

1769

</listitem>

1770

</varlistentry>

1771

1772

1773

<term>/apps/gdm/simple-greeter/wm_use_compiz</term>

1774

1775

<synopsis>false (boolean)</synopsis>

1776

<para>

1777

Controls whether compiz is used as the window manager instead

1778

of metacity.

1779

</para>

1780

</listitem>

1781

</varlistentry>

1782

</variablelist>

1783

</sect2>

1784

1785

1786

<title>Accessibility Configuration</title>

1787

1788

<para>

1789

This section describes the accessibility configuration options available

1790

in GDM.

1791

</para>

1792

1793

1794

<title>GDM Accessibility Dialog And GConf Keys</title>

1795

1796

<para>

1797

The GDM greeter panel at the login screen displays an accessibility

1798

icon. Clicking on that icon opens the GDM Accessibility Dialog. In

1799

the GDM Accessibility Dialog, there is a list of checkboxes, so the

1800

user can enable or disable the associated assistive tools.

1801

</para>

1802

1803

<para>

1804

The checkboxes that correspond to the on-screen keyboard, screen

1805

magnifier and screen reader assistive tools act on the three GConf

1806

keys that are described in the next section of this document. By

1807

enabling or disabling these checkboxes, the associated GConf key is

1808

set to "true" or "false". When the GConf key is set to true, the

1809

assistive tools linked to this GConf key are launched. When the

1810

GConf key is set to "false", any running assistive tool linked to

1811

this GConf key are terminated. These GConf keys are not automatically

1812

reset to a default state after the user has logged in. Consequently,

1813

the assistive tools that were running during the last GDM login

1814

session will automatically be launched at the next GDM login session.

1815

</para>

1816

1817

<para>

1818

The other checkboxes in the GDM Accessibility Dialog do not have

1819

corresponding GConf keys because no additional program is launched to

1820

provide the accessibility features that they offer. These other

1821

options correspond to accessibility features that are provided by the

1822

Xserver, which is always running during the GDM session.

1823

</para>

1824

</sect3>

1825

1826

1827

<title>Accessibility GConf Keys</title>

1828

1829

<para>

1830

GDM offers the following GConf keys to control its accessibility

1831

features:

1832

</para>

1833

1834

1835

<title>GDM Configuration Keys</title>

1836

1837

1838

<term>/desktop/gnome/interface/accessibility</term>

1839

1840

<synopsis>false (boolean)</synopsis>

1841

<para>

1842

Controls whether the Accessibility infrastructure will be

1843

started with the GDM GUI. This is needed for many

1844

accessibility technology programs to work.

1845

</para>

1846

</listitem>

1847

</varlistentry>

1848

1849

<term>/desktop/gnome/applications/at/screen_magnifier_enabled</term>

1850

1851

<synopsis>false (boolean)</synopsis>

1852

<para>

1853

If set, then the assistive tools linked to this GConf key will

1854

be started with the GDM GUI program. By default this is a

1855

screen magnifier application.

1856

</para>

1857

</listitem>

1858

</varlistentry>

1859

1860

<term>/desktop/gnome/applications/at/screen_keyboard_enabled</term>

1861

1862

<synopsis>false (boolean)</synopsis>

1863

<para>

1864

If set, then the assistive tools linked to this GConf key will

1865

be started with the GDM GUI program. By default this is an

1866

on-screen keyboard application.

1867

</para>

1868

</listitem>

1869

</varlistentry>

1870

1871

<term>/desktop/gnome/applications/at/screen_reader_enabled</term>

1872

1873

<synopsis>false (boolean)</synopsis>

1874

<para>

1875

If set, then the assistive tools linked to this GConf key will

1876

be started with the GDM GUI program. By default this is a

1877

screen reader application.

1878

</para>

1879

</listitem>

1880

</varlistentry>

1881

</variablelist>

1882

</sect3>

1883

1884

1885

<title>Linking GConf Keys to Accessbility Tools</title>

1886

1887

<para>

1888

For the screen_magnifier_enabled, the screen_keyboard_enabled, and the

1889

screen_reader_enabled GConf keys, the assistive tool which gets

1890

launched depends on the desktop files located in the GDM autostart

1891

directory as described in the "Autostart Configuration" section of

1892

this manual. Any desktop file in the GDM autostart directory can be

1893

linked to these GConf key via specifying that GConf key in the

1894

AutostartCondition value in the desktop file. So the exact

1895

AutostartCondition line in the desktop file could be one of the

1896

following:

1897

</para>

1898

1899

1900

AutostartCondition=GNOME /desktop/gnome/applications/at/screen_keyboard_enabled

1901

AutostartCondition=GNOME /desktop/gnome/applications/at/screen_magnifier_enabled

1902

AutostartCondition=GNOME /desktop/gnome/applications/at/screen_reader_enabled

1903

</screen>

1904

1905

<para>

1906

When an accessibility key is true, then any program which is linked to

1907

that key in a GDM autostart desktop file will be launched (unless the

1908

Hidden key is set to true in that desktop file). A single GConf key

1909

can even start multiple assistive tools if there are multiple desktop

1910

files with this AutostartCondition in the GDM autostart directory.

1911

</para>

1912

</sect3>

1913

1914

1915

<title>Example Of Modifying Accessibility Tool Configuration</title>

1916

1917

<para>

1918

For example, if GNOME is distributed with GOK as the default on-screen

1919

keyboard, then this could be replaced with a different program if

1920

desired. To replace GOK with the on-screen keyboard application

1921

"onboard" and additionally activate the assistive tool "mousetweaks"

1922

for dwelling support, then the following configuration is needed.

1923

</para>

1924

1925

<para>

1926

Create a desktop file for onboard and a second one for mousetweaks;

1927

for example, onboard.desktop and mousetweaks.desktop. These files

1928

must be placed in the GDM autostart directory and be in the format

1929

as explained in the "Autostart Configuration" section of this

1930

document.

1931

</para>

1932

1933

<para>

1934

The following is an example <filename>onboard.desktop</filename> file:

1935

</para>

1936

1937

1938

[Desktop Entry]

1939

Encoding=UTF-8

1940

Name=Onboard Onscreen Keyboard

1941

Comment=Use an on-screen keyboard

1942

TryExec=onboard

1943

Exec=onboard --size 500x180 -x 20 -y 10

1944

Terminal=false

1945

Type=Application

1946

StartupNotify=true

1947

Categories=GNOME;GTK;Accessibility;

1948

AutostartCondition=GNOME /desktop/gnome/applications/at/screen_keyboard_enabled

1949

</screen>

1950

1951

<para>

1952

The following is an example <filename>mousetweaks.desktop</filename>

1953

file:

1954

</para>

1955

1956

1957

[Desktop Entry]

1958

Encoding=UTF-8

1959

Name=Software Mouse-Clicks

1960

Comment=Perform clicks by dwelling with the pointer

1961

TryExec=mousetweaks

1962

Exec=mousetweaks --enable-dwell -m window -c -x 20 -y 240

1963

Terminal=false

1964

Type=Application

1965

StartupNotify=true

1966

Categories=GNOME;GTK;Accessibility;

1967

AutostartCondition=GNOME /desktop/gnome/applications/at/screen_keyboard_enabled

1968

</screen>

1969

1970

<para>

1971

Note the line with the AutostartCondition that links both desktop

1972

files to the GConf key for the on-screen keyboard.

1973

</para>

1974

1975

<para>

1976

To disable GOK from starting, the desktop file for the GOK on-screen

1977

keyboard must be removed or deactivated. Otherwise onboard and GOK

1978

would simultaneously be started. This can be done by removing the

1979

gok.desktop file from the GDM autostart directory, or by adding the

1980

"Hidden=true" key setting to the gok.desktop file.

1981

</para>

1982

1983

<para>

1984

After making these changes, GOK will no longer be started when the

1985

user activates the on-screen keyboard in the GDM session; but onboard

1986

and mousetweaks will instead be launched.

1987

</para>

1988

</sect3>

1989

</sect2>

1990

1991

1992

<title>General Session Settings</title>

1993

<!--

1994

<para>

1995

TODO - I think this section should be expanded upon. What specific

1996

keys are of interest, or would some users be likely to want

1997

to configure? Also, would be good to be more specific about

1998

how lock down management is handled.

1999

</para>

2000

-->

2001

<para>

2002

The GDM Greeter uses some of the same framework that your desktop

2003

session will use. And so, it is influenced by a number of the same

2004

GConf settings. For each of these settings the Greeter will use the

2005

default value unless it is specifically overridden by a) GDM's

2006

installed mandatory policy b) system mandatory policy. GDM installs

2007

its own mandatory policy to lock down some settings for security.

2008

</para>

2009

</sect2>

2010

2011

2012

<title>GNOME Settings Daemon</title>

2013

<!--

2014

<para>

2015

TODO - I think this section should be expanded upon. What specific

2016

keys are of interest, or would some users be likely to want

2017

to configure? Also, would be good to give a more complete

2018

list of plugins that users might want to consider disabling.

2019

Also, shouldn't we list the sound/active key in the Greeter

2020

configuration setting? Oddly I do not find this key used

2021

in anything but the chooser in SVN.

2022

</para>

2023

-->

2024

2025

<para>

2026

GDM enables the following gnome-settings-daemon plugins:

2027

a11y-keyboard, background, sound, xsettings.

2028

</para>

2029

2030

<para>

2031

These are responsible for things like the background image, font and

2032

theme settings, sound events, etc.

2033

</para>

2034

2035

<para>

2036

Plugins can also be disabled using GConf. For example, if you want to

2037

disable the sound plugin then unset the following key:

2038

<filename>/apps/gdm/simple-greeter/settings-manager-plugins/sound/active</filename>.

2039

</para>

2040

</sect2>

2041

2042

2043

<title>GDM Session Configuration</title>

2044

2045

<para>

2046

GDM sessions are specified using the FreeDesktop.org Desktop Entry

2047

Specification, which can be referenced at the following URL:

2048

2049

http://www.freedesktop.org/wiki/Specifications/desktop-entry-spec</ulink>.

2050

</para>

2051

2052

<para>

2053

By default, GDM will install desktop files in the

2054

<filename><share>/xsessions</filename> directory. GDM will

2055

search the following directories in this order to find desktop files:

2056

<filename><etc>/X11/sessions/</filename>,

2057

<filename><dmconfdir>/Sessions</filename>,

2058

<filename><share>/xsessions</filename>, and

2059

<filename><share>/gdm/BuiltInSessions</filename>. By default the

2060

<filename><dmconfdir></filename> is set to

2061

<filename><etc>/dm/</filename> unless GDM is configured to use

2062

a different directory via the "--with-dmconfdir" option.

2063

</para>

2064

2065

<para>

2066

A session can be disabled by editing the desktop file and adding a line

2067

as follows: <filename>Hidden=true</filename>.

2068

</para>

2069

2070

<para>

2071

GDM desktop files support a GDM-specific extension, a key named

2072

"X-GDM-BypassXsession". If the key is not specified in a

2073

desktop file, the value defaults to "false". If this key is

2074

specified to be "true" in a desktop file, then GDM will

2075

launch the program specified by the desktop file "Exec" key

2076

directly when starting the user session. It will not run the program

2077

via the <filename><etc>/gdm/Xsession</filename> script, which is

2078

the normal behavior. Since bypassing the

2079

<filename><etc>/gdm/Xsession</filename> script avoids setting up

2080

the user session with the normal system and user settings, sessions

2081

started this way can be useful for debugging problems in the system or

2082

user scripts that might be preventing a user from being able to start

2083

a session.

2084

</para>

2085

2086

</sect2>

2087

2088

2089

<title>GDM User Session and Language Configuration</title>

2090

<para>

2091

The user's default session and language choices are stored in the

2092

<filename>~/.dmrc</filename> file. When a user logs in for the first

2093

time, this file is created with the user's initial choices. The user

2094

can change these default values by simply changing to a different value

2095

when logging in. GDM will remember this change for subsequent logins.

2096

</para>

2097

2098

<para>

2099

The <filename>~/.dmrc</filename> file is in the standard

2100

<filename>INI</filename> format. It has one section called

2101

<filename>[Desktop]</filename> which has two keys:

2102

<filename>Session</filename> and <filename>Language</filename>.

2103

</para>

2104

2105

<para>

2106

The <filename>Session</filename> key specifies the basename of the

2107

session <filename>.desktop</filename> file that the user wishes to

2108

normally use without the <filename>.desktop</filename> extension.

2109

The <filename>Language</filename> key specifies the language that the

2110

user wishes to use by default. If either of these keys is missing, the

2111

system default is used. The file would normally look as follows:

2112

</para>

2113

2114

2115

[Desktop]

2116

Session=gnome

2117

Language=cs_CZ.UTF-8

2118

</screen>

2119

</sect2>

2120

2121

</sect1>

2122

2123

2124

2125

2126

2127

2128

2129

<title>GDM Root User Commands</title>

2130

2131

<para>

2132

The GDM package provides the following commands in

2133

<filename>sbindir</filename> intended to be run by the root user:

2134

</para>

2135

2136

2137

<title><command>gdm</command> and <command>gdm-binary</command>

2138

Command Line Options</title>

2139

2140

<para>

2141

The <command>gdm</command> command is really just a script which

2142

runs the <command>gdm-binary</command>, passing along any options.

2143

Before launching <command>gdm-binary</command>, the gdm wrapper

2144

script will source the <filename><etc>/profile</filename> file

2145

to set the standard system environment variables. In order to better

2146

support internationalization, it will also set the LC_MESSAGES

2147

environment variable to LANG if neither LC_MESSAGES or LC_ALL are

2148

set. The <command>gdm-binary</command> is the actual GDM daemon.

2149

</para>

2150

2151

2152

<title><command>gdm</command> and <command>gdm-binary</command>

2153

Command Line Options</title>

2154

2155

2156

2157

2158

<para>

2159

Gives a brief overview of the command line options.

2160

</para>

2161

</listitem>

2162

</varlistentry>

2163

2164

2165

<term>--fatal-warnings</term>

2166

2167

<para>

2168

Make all warnings cause GDM to exit.

2169

</para>

2170

</listitem>

2171

</varlistentry>

2172

2173

2174

<term>--timed-exit</term>

2175

2176

<para>

2177

Exit after 30 seconds. Useful for debugging.

2178

</para>

2179

</listitem>

2180

</varlistentry>

2181

2182

2183

<term>--version</term>

2184

2185

<para>

2186

Print the version of the GDM daemon.

2187

</para>

2188

</listitem>

2189

</varlistentry>

2190

</variablelist>

2191

</sect3>

2192

2193

2194

<title><command>gdm-restart</command> Command Line Options</title>

2195

2196

<para>

2197

<command>gdm-restart</command> stops and restarts GDM by sending

2198

the GDM daemon a HUP signal. This command will immediately terminate

2199

all sessions and log out users currently logged in with GDM.

2200

</para>

2201

</sect3>

2202

2203

2204

<title><command>gdm-safe-restart</command> Command Line Options</title>

2205

2206

<para>

2207

<command>gdm-safe-restart</command> stops and restarts GDM by

2208

sending the GDM daemon a USR1 signal. GDM will be restarted as soon

2209

as all users log out.

2210

</para>

2211

</sect3>

2212

2213

2214

<title><command>gdm-stop</command> Command Line Options</title>

2215

2216

<para>

2217

<command>gdm-stop</command> stops GDM by sending the GDM daemon

2218

a TERM signal.

2219

</para>

2220

</sect3>

2221

</sect2>

2222

</sect1>

2223

2224

2225

2226

2227

2228

<!--

2229

<para>

2230

TODO - any other tips we should add? Might be useful to highlight any

2231

common D-Bus configuration issues?

2232

</para>

2233

-->

2234

2235

<para>

2236

This section discusses helpful tips for getting GDM working. In general,

2237

if you have a problem using GDM, you can submit a bug or send an email

2238

to the gdm-list mailing list. Information about how to do this is in

2239

the Introduction section of the document.

2240

</para>

2241

2242

<para>

2243

If GDM is failing to work properly, it is always a good idea to include

2244

debug information. To enable debugging, set the debug/Enable key to

2245

"true" in the <filename><etc>/gdm/custom.conf</filename>

2246

file and restart GDM. Then use GDM to the point where it fails, and

2247

debug output will be sent to the system log file

2248

(<filename><var>/log/messages</filename> or

2249

<filename><var>/adm/messages</filename> depending on your Operating

2250

System). If you share this output with the GDM community via a bug

2251

report or email, please only include the GDM related debug information

2252

and not the entire file since it can be large. If you do not see any

2253

GDM syslog output, you may need to configure syslog (refer to the

2254

<ulink type="help" url="man:syslog">syslog</ulink> man page).

2255

</para>

2256

2257

2258

<title>GDM Will Not Start</title>

2259

2260

<para>

2261

There are a many problems that can cause GDM to fail to start, but

2262

this section will discuss a few common problems and how to approach

2263

tracking down a problem with GDM starting. Some problems will

2264

cause GDM to respond with an error message or dialog when it tries

2265

to start, but it can be difficult to track down problems when GDM

2266

fails silently.

2267

</para>

2268

2269

<para>

2270

First make sure that the Xserver is configured properly. The

2271

GDM configuration file contains a command in the [server-Standard]

2272

section that is used for starting the Xserver. Verify that this

2273

command works on your system. Running this command from the

2274

console should start the Xserver. If it fails, then the problem

2275

is likely with your Xserver configuration. Refer to your Xserver

2276

error log for an idea of what the problem may be. The problem may

2277

also be that your Xserver requires different command-line options.

2278

If so, then modify the Xserver command in the GDM configuration file

2279

so that it is correct for your system.

2280

</para>

2281

2282

<para>

2283

Also make sure that the <filename>/tmp</filename> directory has

2284

reasonable ownership and permissions, and that the machine's file

2285

system is not full. These problems will cause GDM to fail to start.

2286

</para>

2287

</sect2>

2288

</sect1>

2289

2290

2291

2292

2293

<title>License</title>

2294

<para>

2295

This program is free software; you can redistribute it and/or

2296

modify it under the terms of the <ulink type="help" url="gnome-help:gpl">

2297

<citetitle>GNU General Public License</citetitle></ulink> as

2298

published by the Free Software Foundation;

2299

either version 2 of the License, or (at your option) any later

2300

version.

2301

</para>

2302

<para>

2303

This program is distributed in the hope that it will be useful, but

2304

WITHOUT ANY WARRANTY; without even the implied warranty of

2305

MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

2306

<citetitle>GNU General Public License</citetitle> for more details.

2307

</para>

2308

<para>

2309

A copy of the <citetitle>GNU General Public License</citetitle> is

2310

included as an appendix to the <citetitle>GNOME Users

2311

Guide</citetitle>. You may also obtain a copy of the

2312

<citetitle>GNU General Public License</citetitle> from the Free

2313

Software Foundation by visiting

2314

<ulink type="http" url="http://www.fsf.org">their Web site</ulink> or by

2315

writing to

2316

2317

Free Software Foundation, Inc.

2318

<street>51 Franklin Street, Fifth Floor</street>

2319

<city>Boston</city>, <state>MA</state> <postcode>02110-1301</postcode>

2320

2321

</address>

2322

</para>

2323

</sect1>

2324

</article>

2325

<!-- Keep this comment at the end of the file

2326

Local variables:

2327

mode: sgml

2328

sgml-omittag:t

2329

sgml-shorttag:t

2330

sgml-minimize-attributes:nil

2331

sgml-always-quote-attributes:t

2332

sgml-indent-step:2

2333

sgml-indent-data:t

2334

sgml-parent-document:nil

2335

sgml-exposed-tags:nil

2336

sgml-local-catalogs:nil

2337

sgml-local-ecat-files:nil

2338

End:

2339

-->

Older »