1
<?xml version="1.0" encoding="utf-8"?>
2
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [
3
<!ENTITY legal SYSTEM "legal.xml">
4
<!ENTITY version "2.26.0">
5
<!ENTITY date "02/10/2009">
6
<!ENTITY mdash "—">
7
<!ENTITY percnt "%">
9
<article id="index" lang="ko">
11
<title>GNOME Display Manager Reference Manual</title>
15
<revnumber>0.0</revnumber>
20
<abstract role="description">
22
GDM is the GNOME Display Manager, a graphical login program.
28
<firstname>Martin</firstname><othername>K.</othername>
29
<surname>Petersen</surname>
31
<address><email>mkp@mkp.net</email></address>
35
<firstname>George</firstname><surname>Lebl</surname>
37
<address><email>jirka@5z.com</email></address>
41
<firstname>Jon</firstname><surname>McCann</surname>
43
<address><email>mccann@jhu.edu</email></address>
47
<firstname>Ray</firstname><surname>Strode</surname>
49
<address><email>rstrode@redhat.com</email></address>
52
<author role="maintainer">
53
<firstname>Brian</firstname><surname>Cameron</surname>
55
<address><email>Brian.Cameron@Sun.COM</email></address>
62
<holder>Martin K. Petersen</holder>
68
<holder>George Lebl</holder>
74
<holder>Red Hat, Inc.</holder>
83
<holder>Sun Microsystems, Inc.</holder>
84
</copyright><copyright><year>2003, 2004.</year><holder>Sun Microsystems</holder></copyright><copyright><year>2007.</year><holder>류창우 (cwryu@debian.org)</holder></copyright>
86
<legalnotice id="legalnotice">
88
Permission is granted to copy, distribute and/or modify this
89
document under the terms of the GNU Free Documentation
90
License (GFDL), Version 1.1 or any later version published
91
by the Free Software Foundation with no Invariant Sections,
92
no Front-Cover Texts, and no Back-Cover Texts. You can find
93
a copy of the GFDL at this <ulink type="help" url="ghelp:fdl">link</ulink> or in the file COPYING-DOCS
94
distributed with this manual.
96
<para> This manual is part of a collection of GNOME manuals
97
distributed under the GFDL. If you want to distribute this
98
manual separately from the collection, you can do so by
99
adding a copy of the license to the manual, as described in
100
section 6 of the license.
104
Many of the names used by companies to distinguish their
105
products and services are claimed as trademarks. Where those
106
names appear in any GNOME documentation, and the members of
107
the GNOME Documentation Project are made aware of those
108
trademarks, then the names are in capital letters or initial
113
DOCUMENT AND MODIFIED VERSIONS OF THE DOCUMENT ARE PROVIDED
114
UNDER THE TERMS OF THE GNU FREE DOCUMENTATION LICENSE
115
WITH THE FURTHER UNDERSTANDING THAT:
119
<para>DOCUMENT IS PROVIDED ON AN "AS IS" BASIS,
120
WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR
121
IMPLIED, INCLUDING, WITHOUT LIMITATION, WARRANTIES
122
THAT THE DOCUMENT OR MODIFIED VERSION OF THE
123
DOCUMENT IS FREE OF DEFECTS MERCHANTABLE, FIT FOR
124
A PARTICULAR PURPOSE OR NON-INFRINGING. THE ENTIRE
125
RISK AS TO THE QUALITY, ACCURACY, AND PERFORMANCE
126
OF THE DOCUMENT OR MODIFIED VERSION OF THE
127
DOCUMENT IS WITH YOU. SHOULD ANY DOCUMENT OR
128
MODIFIED VERSION PROVE DEFECTIVE IN ANY RESPECT,
129
YOU (NOT THE INITIAL WRITER, AUTHOR OR ANY
130
CONTRIBUTOR) ASSUME THE COST OF ANY NECESSARY
131
SERVICING, REPAIR OR CORRECTION. THIS DISCLAIMER
132
OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THIS
133
LICENSE. NO USE OF ANY DOCUMENT OR MODIFIED
134
VERSION OF THE DOCUMENT IS AUTHORIZED HEREUNDER
135
EXCEPT UNDER THIS DISCLAIMER; AND
139
<para>UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL
140
THEORY, WHETHER IN TORT (INCLUDING NEGLIGENCE),
141
CONTRACT, OR OTHERWISE, SHALL THE AUTHOR,
142
INITIAL WRITER, ANY CONTRIBUTOR, OR ANY
143
DISTRIBUTOR OF THE DOCUMENT OR MODIFIED VERSION
144
OF THE DOCUMENT, OR ANY SUPPLIER OF ANY OF SUCH
145
PARTIES, BE LIABLE TO ANY PERSON FOR ANY
146
DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR
147
CONSEQUENTIAL DAMAGES OF ANY CHARACTER
148
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS
149
OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR
150
MALFUNCTION, OR ANY AND ALL OTHER DAMAGES OR
151
LOSSES ARISING OUT OF OR RELATING TO USE OF THE
152
DOCUMENT AND MODIFIED VERSIONS OF THE DOCUMENT,
153
EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED OF
154
THE POSSIBILITY OF SUCH DAMAGES.
164
This manual describes version 2.26.0 of the GNOME Display Manager.
165
It was last updated on 02/10/2009.
169
<!-- ============= Preface ================================== -->
172
<title>이 설명서의 용어 및 관례</title>
175
This manual describes version 2.26.0 of the GNOME Display Manager.
176
It was last updated on 02/10/2009.
180
Chooser - A program used to select a remote host for managing a
181
display remotely on the attached display (<command>gdm-host-chooser</command>).
185
FreeDesktop - The organization providing desktop standards, such as the
186
Desktop Entry Specification used by GDM.
187
<ulink type="http" url="http://www.freedesktop.org/">
188
http://www.freedesktop.org</ulink>.
191
GDM - GNOME Display Manager. Used to describe the software package as a
196
Greeter - The graphical login window (<command>gdm-simple-greeter</command>).
200
PAM - Pluggable Authentication Mechanism
204
XDMCP - X Display Manage Protocol
208
Xserver - An implementation of the X Window System. For example the
209
Xorg webserver provided by the X.org Foundation
210
<ulink type="http" url="http://www.x.org/">http://www.x.org</ulink>.
214
Paths that start with a word in angle brackets are relative to the
215
installation prefix. I.e. <filename><share>/pixmaps/</filename>
216
refers to <filename>/usr/share/pixmaps</filename> if GDM was
217
configured with <command>--prefix=/usr</command>.
221
<!-- ============= Overview ================================= -->
223
<sect1 id="overview">
226
<sect2 id="introduction">
227
<title>Introduction</title>
230
The GNOME Display Manager (GDM) is a display manager that implements
231
all significant features required for managing attached and remote
232
displays. GDM was written from scratch and does not contain any XDM or
237
Note that GDM is configurable, and many configuration settings have
238
an impact on security. Issues to be aware of are highlighted in this
243
Please note that some Operating Systems configure GDM to behave
244
differently than the default values as described in this document. If
245
GDM does not seem to behave as documented, then check to see if any
246
related configuration may be different than described here.
250
For further information about GDM, refer to the project website at
251
<ulink type="http" url="http://www.gnome.org/projects/gdm/">
252
http://www.gnome.org/projects/gdm</ulink> and the project
253
Wiki <ulink type="http" url="http://live.gnome.org/GDM">
254
http://live.gnome.org/GDM</ulink>.
258
For discussion or queries about GDM, refer to the
259
<address><email>gdm-list@gnome.org</email></address> mail list. This
260
list is archived, and is a good resource to check to seek answers to
261
common questions. This list is archived at
262
<ulink type="http" url="http://mail.gnome.org/archives/gdm-list/">
263
http://mail.gnome.org/archives/gdm-list/</ulink> and has a search
264
facility to look for messages with keywords.
268
Please submit any bug reports or enhancement requests to the
270
<ulink type="http" url="http://bugzilla.gnome.org/">
271
http://bugzilla.gnome.org</ulink>.
275
<sect2 id="stability">
276
<title>Interface Stability</title>
279
GDM 2.20 and earlier supported stable configuration interfaces.
280
However, the codebase was completely rewritten for GDM 2.22, and
281
is not completely backward compatible with older releases. This is
282
in part because things work differently, so some options just don't
283
make sense, in part because some options never made sense, and in
284
part because some functionality has not been reimplemented yet.
288
Interfaces which continue to be supported in a stable fashion include
289
the Init, PreSession, PostSession, PostLogin, and Xsession scripts.
290
Some daemon configuration options in the
291
<filename><etc>/gdm/custom.conf</filename> file continue to be
292
supported. Also, the <filename>~/.dmrc</filename>, and face browser
293
image locations are still supported.
297
GDM 2.20 and earlier supported the ability to manage multiple displays
298
with separate graphics cards, such as used in terminal server
299
environments, login in a window via a program like Xnest or Xephyr, the
300
gdmsetup program, XML-based greeter themes, and the ability to run the
301
XDMCP chooser from the login screen. These features were not
302
added back during the 2.22 rewrite.
307
<sect2 id="functionaldesc">
308
<title>Functional Description</title>
312
TODO - Would be good to discuss D-Bus, perhaps the new GObject model,
313
and to explain the reasons why the rewrite made GDM better.
314
From a high-level overview perspective, rather than the
320
GDM is responsible for managing displays on the system. This includes
321
authenticating users, starting the user session, and terminating the
322
user session. GDM is configurable and the ways it can be configured
323
are described in the "Configuring GDM" section of this
324
document. GDM is also accessible for users with disabilities.
328
GDM provides the ability to manage the main console display, and
329
displays launched via VT. It is integrated with other programs,
330
such as the Fast User Switch Applet (FUSA) and gnome-screensaver
331
to manage multiple displays on the console via the Xserver Virtual
332
Terminal (VT) interface. It also can manage XDMCP displays.
336
Regardless of the display type, GDM will do the following when it
337
manages the display. It will start an Xserver process, then run the
338
<filename>Init</filename> script as the root user, and start the
339
greeter program on the display.
343
The greeter program is run as the unprivileged "gdm"
344
user/group. This user and group are described in the
345
"Security" section of this document. The main function of
346
the greeter program is to authenticate the user. The authentication
347
process is driven by Pluggable Authentication Modules (PAM). The PAM
348
modules determine what prompts (if any) are shown to the user to
349
authenticate. On the average system, the greeter program will request
350
a username and password for authentication. However some systems may
351
be configured to use alternative mechanisms such as a fingerprint or
352
SmartCard reader. GDM and PAM can be configured to not require any
353
input, which will cause GDM to automatically log in and simply
354
start a session, which can be useful for some environments, such as
359
In addition to authentication, the greeter program allows the user to
360
select which session to start and which language to use. Sessions are
361
defined by files that end in the .desktop suffix and more information
362
about these files can be found in the "GDM User Session and Language
363
Configuration" section of this document. By default, GDM is configured
364
to display a face browser so the user can select their user account by
365
clicking on an image instead of having to type their username. GDM
366
keeps track of the user's default session and language in the user's
367
<filename>~/.dmrc</filename> and will use these defaults if the user
368
did not pick a session or language in the login GUI.
372
After authenticating a user, the daemon runs the
373
<filename>PostLogin</filename> script as root, then runs the
374
<filename>PreSession</filename> script as root. After running these
375
scripts, the user session is started. When the user exits their
376
session, the <filename>PostSession</filename> script is run as root.
377
These scripts are provided as hooks for distributions and end-users
378
to customize how sessions are managed. For example, using these
379
hooks you could set up a machine which creates the user's $HOME
380
directory on the fly, and erases it on logout. The difference
381
between the <filename>PostLogin</filename> and
382
<filename>PreSession</filename> scripts is that
383
<filename>PostLogin</filename> is run before the pam_open_session call
384
so is the right place to do anything which should be run before the
385
user session is initialized. The <filename>PreSession</filename>
386
script is called after session initialization.
390
<sect2 id="greeterpanel">
391
<title>Greeter Panel</title>
393
The GDM greeter program displays a panel docked at the bottom of the
394
screen which provides additional functionality. When a user is
395
selected, the panel allows the user to select which session, language,
396
and keyboard layout to use after logging in. The keyboard layout
397
selector also changes the keyboard layout used when typing your
398
password. The panel also contains an area for login services to leave
399
status icons. Some example status icons include a battery icon for
400
current battery usage, and an icon for enabling accessibility features.
401
The greeter program also provides buttons which allow the user to
402
shutdown or restart the system. It is possible to configure GDM to not
403
provide the shutdown and restart buttons, if desired. GDM can also be
404
configured via PolicyKit (or via RBAC on Solaris) to require the user
405
have appropriate authorization before accepting the shutdown or restart
410
Note that keyboard layout features are only available on systems that
415
<sect2 id="accessibility">
416
<title>접근성 기능</title>
419
GDM supports "Accessible Login", allowing users to log into
420
their desktop session even if they cannot easily use the screen,
421
mouse, or keyboard in the usual way. Accessible Technology (AT)
422
features such as an on-screen keyboard, screen reader, screen
423
magnifier, and Xserver AccessX keyboard accessibility are available.
424
It is also possible to enable large text or high contrast icons and
425
controls, if needed. Refer to the "Accessibility
426
Configuration" section of the document for more information
427
how various accessibility features can be configured.
431
On some Operating Systems, it is necessary to make sure that the GDM
432
user is a member of the "audio" group for AT programs that
433
require audio output (such as text-to-speech) to be functional.
437
<sect2 id="facebrowser">
438
<title>The GDM Face Browser</title>
441
The Face Browser is the interface which allows users to select their
442
username by clicking on an image. This feature can be enabled or
443
disabled via the /apps/gdm/simple-greeter/disable_user_list GConf
444
key and is on by default. When disabled, users must type their
445
complete username by hand. When enabled, it displays all local users
446
which are available for login on the system (all user accounts defined
447
in the /etc/passwd file that have a valid shell and sufficiently high
448
UID) and remote users that have recently logged in.
449
The face browser in GDM 2.20 and earlier would attempt to display all
450
remote users, which caused performance problems in large,
451
enterprise deployments.
455
The Face Browser is configured to display the users who log in most
456
frequently at the top of the list. This helps to ensure that users
457
who log in frequently can quickly find their login image.
461
The Face Browser supports "type-ahead search" which dynamically
462
moves the face selection as the user types to the corresponding username
463
in the list. This means that a user with a long username will only
464
have to type the first few characters of the username before the correct
465
item in the list gets selected.
469
The icons used by GDM can be installed globally by the sysadmin or can
470
be located in the user's home directories. If installed globally
471
they should be in the <filename><share>/pixmaps/faces/</filename>
472
directory and the filename should be the name of the user. Face image
473
files should be a standard image that GTK+ can read, such as PNG or
474
JPEG. Face icons placed in the global face directory must be readable
480
TODO - In the old GDM the ~/gnome2/gdm file is used, but the new code
481
seems to use ~/.gnome/gdm. Error?
485
If there is no global icon for the user, GDM will look in the user's
486
$HOME directory for the image file. GDM will first look for the user's
487
face image in <filename>~/.face</filename>. If not found, it will try
488
<filename>~/.face.icon</filename>. If still not found, it will use the
489
value defined for "face/picture=" in the
490
<filename>~/.gnome2/gdm</filename> file.
494
If a user has no defined face image, GDM will use the
495
"stock_person" icon defined in the current GTK+ theme. If no
496
such image is defined, it will fallback to a generic face image.
500
Please note that loading and scaling face icons located in remote user
501
home directories can be a very time-consuming task. Since it not
502
practical to load images over NIS or NFS, GDM does not attempt to load
503
face images from remote home directories.
507
When the browser is turned on, valid usernames on the computer are
508
exposed for everyone to see. If XDMCP is enabled, then the usernames
509
are exposed to remote users. This, of course, limits security
510
somewhat since a malicious user does not need to guess valid usernames.
511
In some very restrictive environments the face browser may not be
522
TODO - What XDMCP features actually work? I know that the
528
The GDM daemon can be configured to listen for and manage X Display
529
Manage Protocol (XDMCP) requests from remote displays. By default
530
XDMCP support is turned off, but can be enabled if desired. If GDM is
531
built with TCP Wrapper support, then the daemon will only grant access
532
to hosts specified in the GDM service section in the TCP Wrappers
537
GDM includes several measures making it more resistant to denial of
538
service attacks on the XDMCP service. A lot of the protocol
539
parameters, handshaking timeouts, etc. can be fine tuned. The default
540
configuration should work reasonably on most systems.
544
GDM by default listens for XDMCP requests on the normal UDP port used
545
for XDMCP, port 177, and will respond to QUERY and BROADCAST_QUERY
546
requests by sending a WILLING packet to the originator.
550
GDM can also be configured to honor INDIRECT queries and present a
551
host chooser to the remote display. GDM will remember the user's
552
choice and forward subsequent requests to the chosen manager. GDM
553
also supports an extension to the protocol which will make it forget
554
the redirection once the user's connection succeeds. This extension
555
is only supported if both daemons are GDM. It is transparent and
556
will be ignored by XDM or other daemons that implement XDMCP.
560
If XDMCP seems to not be working, make sure that all machines are
561
specified in <filename>/etc/hosts</filename>.
565
Refer to the "Security" section for information about
566
security concerns when using XDMCP.
571
<title>Logging</title>
574
GDM uses syslog to log errors and status. It can also log debugging
575
information, which can be useful for tracking down problems if GDM is
576
not working properly. Debug output can be enabled by setting the
577
debug/Enable key to "true" in the
578
<filename><etc>/gdm/custom.conf</filename> file.
582
Output from the various Xservers is stored in the GDM log directory,
583
which is normally <filename><var>/log/gdm/</filename>. Any
584
Xserver messages are saved to a file associated with the display value,
585
<filename><display>.log</filename>.
589
The session output is piped through the GDM daemon to the
590
<filename>~/.xsession-errors</filename> file. The file is overwritten
591
on each login, so logging out and logging back into the same user via
592
GDM will cause any messages from the previous session to be lost.
596
Note that if GDM can not create this file for some reason, then a
597
fallback file will be created named <filename>~/.xsession-errors.XXXXXXXX</filename>
598
where the <filename>XXXXXXXX</filename> are some random characters.
603
<title>Fast User Switching</title>
606
GDM allows multiple users to be logged in at the same time. After one
607
user is logged in, additional users can log in via the User Switcher
608
on the GNOME Panel, or from the "Switch User" button in Lock Screen dialog
609
of GNOME Screensaver. The active session can be changed back and forth using
610
the same mechanism. Note that some distributions may not add the User Switcher
611
to the default panel configuration. It can be added using the panel context
615
Note this feature is available on systems that support Virtual
616
Terminals. This feature will not function if Virtual Terminals is not
622
<!-- ============= Security ================================= -->
624
<sect1 id="security">
628
<title>The GDM User And Group</title>
631
For security reasons a dedicated user and group id are recommended for
632
proper operation. This user and group are normally "gdm" on
633
most systems, but can be configured to any user or group. All GDM
634
GUI programs are run as this user, so that the programs which interact
635
with the user are run in a sandbox. This user and group should have
640
The only special privilege the "gdm" user requires is the
641
ability to read and write Xauth files to the
642
<filename><var>/run/gdm</filename> directory. The
643
<filename><var>/run/gdm</filename> directory should have
644
root:gdm ownership and 1777 permissions.
648
You should not, under any circumstances, configure the GDM user/group
649
to a user which a user could easily gain access to, such as the user
650
<filename>nobody</filename>. Any user who gains access to an Xauth
651
key can snoop on and control running GUI programs running in the
652
associated session or perform a denial-of-service attack on it. It
653
is important to ensure that the system is configured properly so that
654
only the "gdm" user has access to these files and that it
655
is not easy to login to this account. For example, the account should
656
be setup to not have a password or allow non-root users to login to the
661
The GDM greeter configuration is stored in GConf. To allow the GDM
662
user to be able to write configuration, it is necessary for the
663
"gdm" user to have a writable $HOME directory. Users may
664
configure the default GConf configuration as desired to avoid the
665
need to provide the "gdm" user with a writable $HOME
666
directory. However, some features of GDM may be disabled if it is
667
unable to write state information to GConf configuration.
675
GDM uses PAM for login authentication. PAM stands for Pluggable
676
Authentication Module, and is used by most programs that request
677
authentication on your computer. It allows the administrator to
678
configure specific authentication behavior for different login programs
679
(such as ssh, login GUI, screensaver, etc.)
683
PAM is complicated and highly configurable, and this documentation does
684
not intend to explain this in detail. Instead, it is intended to give
685
an overview of how PAM configuration relates with GDM, how PAM is
686
commonly configured with GDM, and known issues. It is expected that
687
a person needing to do PAM configuration would need to do further
688
reading of PAM documentation to understand how to configure PAM and
689
to understand terms used in this section.
693
PAM configuration has different, but similar, interfaces on different
694
Operating Systems, so check the
695
<ulink type="help" url="man:pam.d">pam.d</ulink> or
696
<ulink type="help" url="man:pam.conf">pam.conf</ulink> man page for
697
details. Be sure you read the PAM documentation and are comfortable
698
with the security implications of any changes you intend to make to
703
Note that, by default, GDM uses the "gdm" PAM service name
704
for normal login and the "gdm-autologin" PAM service name for
705
automatic login. These services may not be defined in your pam.d or
706
pam.conf configured file. If there is no entry, then GDM will use the
707
default PAM behavior. On most systems this should work fine.
708
However, the automatic login feature may not work if the gdm-autologin
709
service is not defined.
713
The <filename>PostLogin</filename> script is run before
714
pam_open_session is called, and the <filename>PreSession</filename>
715
script is called after. This allows the system administrator to add
716
any scripting to the login process either before or after PAM
717
initializes the session.
721
If you wish to make GDM work with other types of authentication
722
mechanisms (such as a fingerprint or SmartCard reader), then you should
723
implement this by using a PAM service module for the desired
724
authentication type rather than by trying to modify the GDM code
725
directly. Refer to the PAM documentation on your system. How to do
726
this is frequently discussed on the
727
<address><email>gdm-list@gnome.org</email></address> mail list,
728
so you can refer to the list archives for more information.
732
PAM does have some limitations regarding being able to work with
733
multiple types of authentication at the same time, like supporting
734
the ability to accept either SmartCard and the ability to type the
735
username and password into the login program. There are techniques
736
that are used to make this work, and it is best to research how this
737
problem is commonly solved when setting up such a configuration.
741
If automatic login does not work on a system, check to see if the
742
"gdm-autologin" PAM stack is defined in the PAM configuration. For
743
this to work, it is necessary to use a PAM module that simply does no
744
authentication, or which simply returns PAM_SUCCESS from all of its
745
public interfaces. Assuming your system has a pam_allow.so PAM module
746
which does this, a PAM configuration to enable "gdm-autologin" would
751
gdm-autologin auth required pam_unix_cred.so.1
752
gdm-autologin auth sufficient pam_allow.so.1
753
gdm-autologin account sufficient pam_allow.so.1
754
gdm-autologin session sufficient pam_allow.so.1
755
gdm-autologin password sufficient pam_allow.so.1
759
The above setup will cause no lastlog entry to be generated. If a
760
lastlog entry is desired, then use the following for the session:
764
gdm-autologin session required pam_unix_session.so.1
768
If the computer is used by several people, which makes automatic login
769
unsuitable, you may want to allow some users to log in without entering
770
their password. This feature can be enabled as a per-user option in
771
the users-admin tool from the gnome-system-tools; it is achieved by
772
checking that the user is member a Unix group called
773
"nopasswdlogin" before asking for a password. For this to work,
774
the PAM configuration file for the "gdm" service must include
779
gdm auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
784
<sect2 id="utmpwtmp">
785
<title>utmp and wtmp</title>
788
GDM generates utmp and wtmp User Accounting Database entries upon
789
session login and logout. The utmp database contains user access
790
and accounting information that is accessed by commands such as
791
<command>finger</command>, <command>last</command>,
792
<command>login</command>, and <command>who</command>. The wtmp
793
database contains the history of user access and accounting
794
information for the utmp database. Refer to the
795
<ulink type="help" url="man:utmp">utmp</ulink> and
796
<ulink type="help" url="man:wtmp">wtmp</ulink>
797
man pages on your system for more information.
802
<title>Xserver Authentication Scheme</title>
805
Xserver authorization files are stored in a newly created subdirectory
806
of <filename><var>/run/gdm</filename> at start up. These files
807
are used to store and share a "password" between X clients
808
and the Xserver. This "password" is unique for each session
809
logged in, so users from one session can't snoop on users from another.
813
GDM only supports the MIT-MAGIC-COOKIE-1 Xserver authentication
814
scheme. Normally little is gained from the other schemes, and no
815
effort has been made to implement them so far. Be especially
816
careful about using XDMCP because the Xserver authentication cookie
817
goes over the wire as clear text. If snooping is possible, then an
818
attacker could simply snoop your authentication password as you log in,
819
regardless of the authentication scheme being used. If snooping is
820
possible and undesirable, then you should use ssh for tunneling an X
821
connection rather then using XDMCP. You could think of XDMCP as a sort
822
of graphical telnet, having the same security issues. In most cases,
823
ssh -Y should be preferred over GDM's XDMCP features.
828
<sect2 id="xdmcpsecurity">
829
<title>XDMCP Security</title>
832
Even though your display is protected by cookies, XEvents and thus
833
keystrokes typed when entering passwords will still go over the wire in
834
clear text. It is trivial to capture these.
838
XDMCP is primarily useful for running thin clients such as in terminal
839
labs. Those thin clients will only ever need the network to access
840
the server, and so it seems like the best security policy to have
841
those thin clients on a separate network that cannot be accessed by
842
the outside world, and can only connect to the server. The only point
843
from which you need to access outside is the server. This type of set up
844
should never use an unmanaged hub or other sniffable network.
849
<sect2 id="xdmcpaccess">
850
<title>XDMCP Access Control</title>
853
XDMCP access control is done using TCP wrappers. It is possible to
854
compile GDM without TCP wrapper support, so this feature may not be
855
supported on some Operating Systems.
859
You should use the daemon name <command>gdm</command> in the
860
<filename><etc>/hosts.allow</filename> and
861
<filename><etc>/hosts.deny</filename> files. For example to
862
deny computers from <filename>.evil.domain</filename> from logging in,
869
to <filename><etc>/hosts.deny</filename>. You may also need
876
to your <filename><etc>/hosts.allow</filename> if you normally
877
disallow all services from all hosts. See the
878
<ulink type="help" url="man:hosts.allow">hosts.allow(5)</ulink> man
883
<sect2 id="firewall">
884
<title>Firewall Security</title>
887
Even though GDM tries to outsmart potential attackers trying to take
888
advantage of XDMCP, it is still advised that you block the XDMCP port
889
(normally UDP port 177) on your firewall unless really needed. GDM
890
guards against denial of service attacks, but the X protocol is still
891
inherently insecure and should only be used in controlled environments.
892
Also each remote connection takes up lots of resources, so it is much
893
easier to do a denial of service attack via XDMCP than attacking a
898
It is also wise to block all of the Xserver ports. These are TCP
899
ports 6000+ (one for each display number) on your firewall. Note that
900
GDM will use display numbers 20 and higher for flexible on-demand
905
X is not a very safe protocol when using it over the Internet, and
906
XDMCP is even less safe.
910
<sect2 id="policykit">
911
<title>PolicyKit</title>
915
TODO - Should we say more?
920
GDM may be configured to use PolicyKit to allow the system
921
administrator to control whether the login screen should provide
922
the shutdown and restart buttons on the greeter screen.
926
These buttons are controlled by the
927
<filename>org.freedesktop.consolekit.system.stop-multiple-users</filename>
929
<filename>org.freedesktop.consolekit.system.restart-multiple-users</filename>
930
actions respectively. Policy for these actions can be set up using the
931
polkit-gnome-authorization tool, or the polkit-auth command line program.
937
<title>RBAC (Role Based Access Control)</title>
940
GDM may be configured to use RBAC instead of PolicyKit. In this
941
case the RBAC configuration is used to control whether the login screen
942
should provide the shutdown and restart buttons on the greeter screen.
946
For example, on Solaris, the "solaris.system.shutdown"
947
authorization is used to control this. Simply modify the
948
<filename>/etc/user_attr</filename> file so that the "gdm"
949
user has this authorization.
955
<!-- ============= ConsoleKit ================================ -->
957
<sect1 id="consolekit">
958
<title>ConsoleKit 지원</title>
962
TODO - Should we update these docs? Probably should mention any
963
configuration that users may want to do for using it with GDM?
964
If so, perhaps this section should be moved to a subsection of
965
the "Configure" section?
970
GDM includes support for publishing user login information with the user
971
and login session accounting framework known as ConsoleKit. ConsoleKit
972
is able to keep track of all the users currently logged in. In this
973
respect, it can be used as a replacement for the utmp or utmpx files that
974
are available on most Unix-like Operating Systems.
978
When GDM is about to create a new login process for a user it will call
979
a privileged method of ConsoleKit in order to open a new session for this
980
user. At this time GDM also provides ConsoleKit with information about
981
this user session such as: the user ID, the X11 Display name that will be
982
associated with the session, the host-name from which the session
983
originates (useful in the case of an XDMCP session), whether or not this
984
session is attached, etc. As the entity that initiates the user process,
985
GDM is in a unique position to know about the user session and to be
986
trusted to provide these bits of information. The use of this privileged
987
method is restricted by the use of the D-Bus system message bus security
992
In case a user with an existing session has authenticated
993
at GDM and requests to resume that existing session, GDM calls a
994
privileged method of ConsoleKit to unlock that session. The exact
995
details of what happens when the session receives this unlock signal are
996
undefined and session-specific. However, most sessions will unlock a
997
screensaver in response.
1001
When the user chooses to log out, or if GDM or the session quit
1002
unexpectedly the user session will be unregistered from ConsoleKit.
1006
<!-- ============= Configuration ============================= -->
1008
<sect1 id="configuration">
1012
GDM has a number of configuration interfaces. These include scripting
1013
integration points, daemon configuration, greeter configuration,
1014
general session settings, integration with gnome-settings-daemon
1015
configuration, and session configuration. These types of integration are
1016
described in detail below.
1019
<sect2 id="scripting">
1020
<title>Scripting Integration Points</title>
1023
The GDM script integration points can be found in the
1024
<filename><etc>/gdm/</filename> directory:
1036
The <filename>Init</filename>, <filename>PostLogin</filename>,
1037
<filename>PreSession</filename>, and <filename>PostSession</filename>
1038
scripts all work as described below.
1042
For each type of script, the default one which will be executed is
1043
called "Default" and is stored in a directory associated with
1044
the script type. So the default <filename>Init</filename> script is
1045
<filename><etc>/gdm/Init/Default</filename>. A per-display
1046
script can be provided, and if it exists it will be run instead of the
1047
default script. Such scripts are stored in the same directory as the
1048
default script and have the same name as the Xserver DISPLAY value for
1049
that display. For example, if the <filename><Init>/:0</filename>
1050
script exists, it will be run for DISPLAY ":0".
1054
All of these scripts are run with root privilege and return 0 if run
1055
successfully, and a non-zero return code if there was any failure that
1056
should cause the login session to be aborted. Also note that GDM will
1057
block until the scripts finish, so if any of these scripts hang, this
1058
will cause the login process to also hang.
1062
When the Xserver for the login GUI has been successfully started, but
1063
before the login GUI is actually displayed, GDM will run the
1064
<filename>Init</filename> script. This script is useful for starting
1065
programs that should be run while the login screen is showing, or for
1066
doing any special initialization if required.
1070
After the user has been successfully authenticated GDM will run the
1071
<filename>PostLogin</filename> script. This is done before any session
1072
setup has been done, including before the pam_open_session call. This
1073
script is useful for doing any session initialization that needs to
1074
happen before the session starts. For example, you might setup the
1075
user's $HOME directory if needed.
1079
After the user session has been initialized, GDM will run the
1080
<filename>PreSession</filename> script. This script is useful for
1081
doing any session initialization that needs to happen after the
1082
session has been initialized. It can be used for session management or
1083
accounting, for example.
1087
When a user terminates their session, GDM will run the
1088
<filename>PostSession</filename> script. Note that the Xserver will
1089
have been stopped by the time this script is run, so it should not be
1094
Note that the <filename>PostSession</filename> script will be run
1095
even when the display fails to respond due to an I/O error or
1096
similar. Thus, there is no guarantee that X applications will work
1097
during script execution.
1101
All of the above scripts will set the
1102
<filename>$RUNNING_UNDER_GDM</filename> environment variable to
1103
<filename>yes</filename>. If the scripts are also shared with other
1104
display managers, this allows you to identify when GDM is calling these
1105
scripts, so you can run specific code when GDM is used.
1109
<sect2 id="autostart">
1110
<title>Autostart Configuration</title>
1113
The <filename><share>/gdm/autostart/LoginWindow</filename>
1114
directory contains files in the format specified by the
1115
"FreeDesktop.org Desktop Application Autostart
1116
Specification". Standard features in the specification may be
1117
used to specify programs that should auto-restart or only be launched
1118
if a GConf configuration value is set, etc.
1122
Any <filename>.desktop</filename> files in this directory will cause
1123
the associated program to automatically start with the login GUI
1124
greeter. By default, GDM is shipped with files which will autostart
1125
the gdm-simple-greeter login GUI greeter itself, the
1126
gnome-power-manager application, the gnome-settings-daemon, and the
1127
metacity window manager. These programs are needed for the greeter
1128
program to work. In addition, desktop files are provided for starting
1129
various AT programs if the configuration values specified in the
1130
Accessibility Configuration section below are set.
1134
<sect2 id="xsessionscript">
1135
<title>Xsession Script</title>
1138
There is also an <filename>Xsession</filename> script located at
1139
<filename><etc>/gdm/Xsession</filename> which is called between
1140
the <filename>PreSession</filename> and the
1141
<filename>PostSession</filename> scripts. This script does not
1142
support per-display like the other scripts. This script is used for
1143
actually starting the user session. This script is run as the user,
1144
and it will run whatever session was specified by the Desktop session
1145
file the user selected to start.
1149
<sect2 id="daemonconfig">
1150
<title>Daemon Configuration</title>
1153
The GDM daemon is configured using the
1154
<filename><etc>/gdm/custom.conf</filename> file. Default
1155
values are stored in GConf in the <filename>gdm.schemas</filename>
1156
file. It is recommended that end-users modify the
1157
<filename><etc>/gdm/custom.conf</filename> file because the
1158
schemas file may be overwritten when the user updates their system to
1159
have a newer version of GDM.
1163
Note that older versions of GDM supported additional configuration
1164
options which are no longer supported in the latest versions of GDM.
1168
The <filename><etc>/gdm/custom.conf</filename> file is in the
1169
<filename>keyfile</filename> format. Keywords in brackets
1170
define group sections, strings before an equal sign (=) are keys and
1171
the data after equal sign represents their value. Empty lines or
1172
lines starting with the hash mark (#) are ignored.
1176
The file <filename><etc>/gdm/custom.conf</filename> supports the
1177
"[daemon]", "[security]", and "[xdmcp]"
1178
group sections. Within each group, there are particular key/value
1179
pairs that can be specified to modify how GDM behaves. For example,
1180
to enable timed login and specify the timed login user to be a user
1181
named "you", you would modify the file so it contains the
1187
TimedLoginEnable=true
1192
A full list of supported configuration keys follow:
1195
<sect3 id="choosersection">
1196
<title>[chooser]</title>
1200
<term>Multicast</term>
1202
<synopsis>Multicast=false</synopsis>
1204
If true and IPv6 is enabled, the chooser will send a multicast
1205
query to the local network and collect responses from the hosts
1206
who have joined multicast group.
1212
<term>MulticastAddr</term>
1214
<synopsis>MulticastAddr=ff02::1</synopsis>
1216
This is the Link-local multicast address.
1223
<sect3 id="daemonsection">
1224
<title>[daemon]</title>
1227
<term>TimedLoginEnable</term>
1229
<synopsis>TimedLoginEnable=false</synopsis>
1231
If the user given in <filename>TimedLogin</filename> should be
1232
logged in after a number of seconds (set with
1233
<filename>TimedLoginDelay</filename>) of inactivity on the
1234
login screen. This is useful for public access terminals or
1235
perhaps even home use. If the user uses the keyboard or
1236
browses the menus, the timeout will be reset to
1237
<filename>TimedLoginDelay</filename> or 30 seconds, whichever
1238
is higher. If the user does not enter a username but just
1239
hits the ENTER key while the login program is requesting the
1240
username, then GDM will assume the user wants to login
1241
immediately as the timed user. Note that no password will be
1242
asked for this user so you should be careful, although if using
1243
PAM it can be configured to require password entry before
1244
allowing login. Refer to the "Security->PAM"
1245
section of the manual for more information, or for help if this
1246
feature does not seem to work.
1252
<term>TimedLogin</term>
1254
<synopsis>TimedLogin=</synopsis>
1256
This is the user that should be logged in after a specified
1257
number of seconds of inactivity.
1260
If the value ends with a vertical bar | (the pipe symbol),
1261
then GDM will execute the program specified and use whatever
1262
value is returned on standard out from the program as the user.
1263
The program is run with the DISPLAY environment variable set so
1264
that it is possible to specify the user in a per-display
1265
fashion. For example if the value is "/usr/bin/getloginuser|",
1266
then the program "/usr/bin/getloginuser" will be run to get the
1273
<term>TimedLoginDelay</term>
1275
<synopsis>TimedLoginDelay=30</synopsis>
1277
Delay in seconds before the <filename>TimedLogin</filename>
1278
user will be logged in.
1284
<term>AutomaticLoginEnable</term>
1286
<synopsis>AutomaticLoginEnable=false</synopsis>
1288
If true, the user given in <filename>AutomaticLogin</filename>
1289
should be logged in immediately. This feature is like timed
1290
login with a delay of 0 seconds.
1296
<term>AutomaticLogin</term>
1298
<synopsis>AutomaticLogin=</synopsis>
1300
This is the user that should be logged in immediately if
1301
<filename>AutomaticLoginEnable</filename> is true.
1304
If the value ends with a vertical bar | (the pipe symbol),
1305
then GDM will execute the program specified and use whatever
1306
value is returned on standard out from the program as the user.
1307
The program is run with the DISPLAY environment variable set so
1308
that it is possible to specify the user in a per-display
1309
fashion. For example if the value is "/usr/bin/getloginuser|",
1310
then the program "/usr/bin/getloginuser" will be run to get the
1319
<synopsis>User=gdm</synopsis>
1321
The username under which the greeter and other GUI programs
1322
are run. Refer to the <filename>Group</filename>
1323
configuration key and to the "Security->GDM User And
1324
Group" section of this document for more information.
1332
<synopsis>Group=gdm</synopsis>
1334
The group name under which the greeter and other GUI programs
1335
are run. Refer to the <filename>User</filename>
1336
configuration key and to the "Security->GDM User And
1337
Group" section of this document for more information.
1344
<sect3 id="debugsection">
1345
<title>Debug Options</title>
1348
<title>[debug]</title>
1353
<synopsis>Enable=false</synopsis>
1355
To enable debugging, set the debug/Enable key to
1357
<filename><etc>/gdm/custom.conf</filename>
1358
file and restart GDM. Then debug output will be sent to the
1359
system log file (<filename><var>/log/messages</filename>
1360
or <filename><var>/adm/messages</filename> depending on
1361
your Operating System).
1368
<sect3 id="greetersection">
1369
<title>Greeter Options</title>
1372
<title>[greeter]</title>
1375
<term>IncludeAll</term>
1377
<synopsis>IncludeAll=true</synopsis>
1379
If true, then the face browser will show all users on the local
1380
machine. If false, the face browser will only show users who
1381
have recently logged in.
1385
When this key is true, GDM will call fgetpwent() to get a list
1386
of local users on the system. Any users with a user id less
1387
than 500 (or 100 if running on Solaris) are filtered out. The
1388
Face Browser also will display any users that have previously
1389
logged in on the system (for example NIS/LDAP users). It gets
1390
this list via calling the <command>ck-history</command>
1391
ConsoleKit interface. It will also filter out any users which
1392
do not have a valid shell (valid shells are any shell that
1393
getusershell() returns - /sbin/nologin or /bin/false are
1394
considered invalid shells even if getusershell() returns them).
1398
If false, then GDM more simply only displays users that have
1399
previously logged in on the system (local or NIS/LDAP users) by
1400
calling the <command>ck-history</command> ConsoleKit interface.
1406
<term>Include</term>
1408
<synopsis>Include=</synopsis>
1410
Set to a list of users to always include in the Face Browser.
1411
This value is set to a list of users separated by commas. By
1412
default, the value is empty.
1418
<term>Exclude</term>
1420
<synopsis>Exclude=bin,root,daemon,adm,lp,sync,shutdown,halt,mail,news,uucp,operator,nobody,nobody4,noaccess,postgres,pvm,rpm,nfsnobody,pcap</synopsis>
1422
Set to a list of users to always exclude in the Face Browser.
1423
This value is set to a list of users separated by commas. Note
1424
that the setting in the <filename>custom.conf</filename>
1425
overrides the default value, so if you wish to add additional
1426
users to the list, then you need to set the value to the
1427
default value with additional users appended to the list.
1434
<sect3 id="securitysection">
1435
<title>보안 옵션</title>
1438
<title>[security]</title>
1441
<term>DisallowTCP</term>
1443
<synopsis>DisallowTCP=true</synopsis>
1445
If true, then always append <filename>-nolisten tcp</filename>
1446
to the command line when starting attached Xservers, thus
1447
disallowing TCP connection. This is a more secure
1448
configuration if you are not using remote connections.
1455
<sect3 id="xdmcpsection">
1456
<title>XDCMP Support</title>
1459
<title>[xdmcp]</title>
1462
<term>DisplaysPerHost</term>
1464
<synopsis>DisplaysPerHost=1</synopsis>
1466
To prevent attackers from filling up the pending queue, GDM
1467
will only allow one connection for each remote computer. If
1468
you want to provide display services to computers with more
1469
than one screen, you should increase this value.
1473
Note that the number of attached DISPLAYS allowed is not
1474
limited. Only remote connections via XDMCP are limited by
1475
this configuration option.
1483
<synopsis>Enable=false</synopsis>
1485
Setting this to true enables XDMCP support allowing remote
1486
displays/X terminals to be managed by GDM.
1490
<filename>gdm</filename> listens for requests on UDP port 177.
1491
See the Port option for more information.
1495
If GDM is compiled to support it, access from remote displays
1496
can be controlled using the TCP Wrappers library. The service
1497
name is <filename>gdm</filename>
1505
to your <filename><etc>/hosts.allow</filename>, depending
1506
on your TCP Wrappers configuration. See the
1507
<ulink type="help" url="man:hosts.allow">hosts.allow</ulink>
1508
man page for details.
1512
Please note that XDMCP is not a particularly secure protocol
1513
and that it is a good idea to block UDP port 177 on your
1514
firewall unless you really need it.
1520
<term>HonorIndirect</term>
1522
<synopsis>HonorIndirect=true</synopsis>
1524
Enables XDMCP INDIRECT choosing (i.e. remote execution of
1525
<filename>gdmchooser</filename>) for X-terminals which do not
1526
supply their own display browser.
1532
<term>MaxPending</term>
1534
<synopsis>MaxPending=4</synopsis>
1536
To avoid denial of service attacks, GDM has fixed size queue
1537
of pending connections. Only MaxPending displays can start at
1542
Please note that this parameter does not limit the number of
1543
remote displays which can be managed. It only limits the number
1544
of displays initiating a connection simultaneously.
1550
<term>MaxSessions</term>
1552
<synopsis>MaxSessions=16</synopsis>
1554
Determines the maximum number of remote display connections
1555
which will be managed simultaneously. I.e. the total number of
1556
remote displays that can use your host.
1562
<term>MaxWait</term>
1564
<synopsis>MaxWait=30</synopsis>
1566
When GDM is ready to manage a display an ACCEPT packet is sent
1567
to it containing a unique session id which will be used in
1568
future XDMCP conversations.
1572
GDM will then place the session id in the pending queue
1573
waiting for the display to respond with a MANAGE request.
1577
If no response is received within MaxWait seconds, GDM will
1578
declare the display dead and erase it from the pending queue
1579
freeing up the slot for other displays.
1585
<term>MaxWaitIndirect</term>
1587
<synopsis>MaxWaitIndirect=30</synopsis>
1589
The MaxWaitIndirect parameter determines the maximum number of
1590
seconds between the time where a user chooses a host and the
1591
subsequent indirect query where the user is connected to the
1592
host. When the timeout is exceeded, the information about the
1593
chosen host is forgotten and the indirect slot freed up for
1594
other displays. The information may be forgotten earlier if
1595
there are more hosts trying to send indirect queries then
1596
<filename>MaxPendingIndirect</filename>.
1602
<term>PingIntervalSeconds</term>
1604
<synopsis>PingIntervalSeconds=15</synopsis>
1606
Interval in which to ping the Xserver in seconds. If the
1607
Xserver does not respond before the next time we ping it, the
1608
connection is stopped and the session ended. This is a
1609
combination of the XDM PingInterval and PingTimeout, but in
1614
Note that GDM in the past used to have a
1615
<filename>PingInterval</filename> configuration key which was
1616
also in minutes. For most purposes you'd want this setting
1617
to be lower than one minute. However since in most cases where
1618
XDMCP would be used (such as terminal labs), a lag of more
1619
than 15 or so seconds would really mean that the terminal was
1620
turned off or restarted and you would want to end the session.
1628
<synopsis>Port=177</synopsis>
1630
The UDP port number <filename>gdm</filename> should listen to
1631
for XDMCP requests. Do not change this unless you know what
1638
<term>Willing</term>
1640
<synopsis>Willing=<etc>/gdm/Xwilling</synopsis>
1642
When the machine sends a WILLING packet back after a QUERY it
1643
sends a string that gives the current status of this server.
1644
The default message is the system ID, but it is possible to
1645
create a script that displays customized message. If this
1646
script does not exist or this key is empty the default message
1647
is sent. If this script succeeds and produces some output,
1648
the first line of it's output is sent (and only the first
1649
line). It runs at most once every 3 seconds to prevent
1650
possible denial of service by flooding the machine with QUERY
1659
<sect2 id="greeterconfiguration">
1660
<title>Simple Greeter Configuration</title>
1663
The GDM default greeter is called the simple Greeter and is
1664
configured via GConf. Default values are stored in GConf in the
1665
<filename>gdm-simple-greeter.schemas</filename> file. These defaults
1666
can be overridden if the "gdm" user has a writable $HOME
1667
directory to store GConf settings. These values can be edited using
1668
the <command>gconftool-2</command> or <command>gconf-editor</command>
1669
programs. The following configuration options are supported:
1673
<title>Greeter Configuration Keys</title>
1676
<term>/apps/gdm/simple-greeter/banner_message_enable</term>
1678
<synopsis>false (boolean)</synopsis>
1680
Controls whether the banner message text is displayed.
1686
<term>/apps/gdm/simple-greeter/banner_message_text</term>
1688
<synopsis>NULL (string)</synopsis>
1690
Specifies the text banner message to show on the greeter
1697
<term>/apps/gdm/simple-greeter/disable_restart_buttons</term>
1699
<synopsis>false (boolean)</synopsis>
1701
Controls whether to show the restart buttons in the login
1708
<term>/apps/gdm/simple-greeter/disable_user_list</term>
1710
<synopsis>false (boolean)</synopsis>
1712
If true, then the face browser with known users is not shown
1713
in the login window.
1719
<term>/apps/gdm/simple-greeter/logo_icon_name</term>
1721
<synopsis>computer (string)</synopsis>
1723
Set to the themed icon name to use for the greeter logo.
1729
<term>/apps/gdm/simple-greeter/recent-languages</term>
1731
<synopsis>[] (string list)</synopsis>
1733
Set to a list of languages to be shown by default in the login
1734
window. Default value is "[]". With the default setting only
1735
the system default language is shown and the option "Other..."
1736
which pops-up a dialog box showing a full list of available
1737
languages which the user can select.
1741
Users are not intended to change this setting by hand. Instead
1742
GDM keeps track of any languages selected in this configuration
1743
key, and will show them in the language combo box along with
1744
the "Other..." choice. This way, commonly selected languages
1745
are easier to select.
1751
<term>/apps/gdm/simple-greeter/recent-layouts</term>
1753
<synopsis>[] (string list)</synopsis>
1755
Set to a list of keyboard layouts to be shown by default in the
1756
login panel. Default value is "[]". With the default setting
1757
only the system default keyboard layout is shown and the option
1758
"Other..." which pops-up a dialog box showing a full list of
1759
available keyboard layouts which the user can select.
1763
Users are not intended to change this setting by hand. Instead
1764
GDM keeps track of any keyboard layouts selected in this
1765
configuration key, and will show them in the keyboard layout
1766
combo box along with the "Other..." choice. This way, commonly
1767
selected keyboard layouts are easier to select.
1773
<term>/apps/gdm/simple-greeter/wm_use_compiz</term>
1775
<synopsis>false (boolean)</synopsis>
1777
Controls whether compiz is used as the window manager instead
1785
<sect2 id="accessibilityconfiguration">
1786
<title>Accessibility Configuration</title>
1789
This section describes the accessibility configuration options available
1793
<sect3 id="accessibilitydialog">
1794
<title>GDM Accessibility Dialog And GConf Keys</title>
1797
The GDM greeter panel at the login screen displays an accessibility
1798
icon. Clicking on that icon opens the GDM Accessibility Dialog. In
1799
the GDM Accessibility Dialog, there is a list of checkboxes, so the
1800
user can enable or disable the associated assistive tools.
1804
The checkboxes that correspond to the on-screen keyboard, screen
1805
magnifier and screen reader assistive tools act on the three GConf
1806
keys that are described in the next section of this document. By
1807
enabling or disabling these checkboxes, the associated GConf key is
1808
set to "true" or "false". When the GConf key is set to true, the
1809
assistive tools linked to this GConf key are launched. When the
1810
GConf key is set to "false", any running assistive tool linked to
1811
this GConf key are terminated. These GConf keys are not automatically
1812
reset to a default state after the user has logged in. Consequently,
1813
the assistive tools that were running during the last GDM login
1814
session will automatically be launched at the next GDM login session.
1818
The other checkboxes in the GDM Accessibility Dialog do not have
1819
corresponding GConf keys because no additional program is launched to
1820
provide the accessibility features that they offer. These other
1821
options correspond to accessibility features that are provided by the
1822
Xserver, which is always running during the GDM session.
1826
<sect3 id="accessibilitygconfconfiguration">
1827
<title>Accessibility GConf Keys</title>
1830
GDM offers the following GConf keys to control its accessibility
1835
<title>GDM Configuration Keys</title>
1838
<term>/desktop/gnome/interface/accessibility</term>
1840
<synopsis>false (boolean)</synopsis>
1842
Controls whether the Accessibility infrastructure will be
1843
started with the GDM GUI. This is needed for many
1844
accessibility technology programs to work.
1849
<term>/desktop/gnome/applications/at/screen_magnifier_enabled</term>
1851
<synopsis>false (boolean)</synopsis>
1853
If set, then the assistive tools linked to this GConf key will
1854
be started with the GDM GUI program. By default this is a
1855
screen magnifier application.
1860
<term>/desktop/gnome/applications/at/screen_keyboard_enabled</term>
1862
<synopsis>false (boolean)</synopsis>
1864
If set, then the assistive tools linked to this GConf key will
1865
be started with the GDM GUI program. By default this is an
1866
on-screen keyboard application.
1871
<term>/desktop/gnome/applications/at/screen_reader_enabled</term>
1873
<synopsis>false (boolean)</synopsis>
1875
If set, then the assistive tools linked to this GConf key will
1876
be started with the GDM GUI program. By default this is a
1877
screen reader application.
1884
<sect3 id="accessibilitytoolsconfiguration">
1885
<title>Linking GConf Keys to Accessbility Tools</title>
1888
For the screen_magnifier_enabled, the screen_keyboard_enabled, and the
1889
screen_reader_enabled GConf keys, the assistive tool which gets
1890
launched depends on the desktop files located in the GDM autostart
1891
directory as described in the "Autostart Configuration" section of
1892
this manual. Any desktop file in the GDM autostart directory can be
1893
linked to these GConf key via specifying that GConf key in the
1894
AutostartCondition value in the desktop file. So the exact
1895
AutostartCondition line in the desktop file could be one of the
1900
AutostartCondition=GNOME /desktop/gnome/applications/at/screen_keyboard_enabled
1901
AutostartCondition=GNOME /desktop/gnome/applications/at/screen_magnifier_enabled
1902
AutostartCondition=GNOME /desktop/gnome/applications/at/screen_reader_enabled
1906
When an accessibility key is true, then any program which is linked to
1907
that key in a GDM autostart desktop file will be launched (unless the
1908
Hidden key is set to true in that desktop file). A single GConf key
1909
can even start multiple assistive tools if there are multiple desktop
1910
files with this AutostartCondition in the GDM autostart directory.
1914
<sect3 id="accessibilitytoolexample">
1915
<title>Example Of Modifying Accessibility Tool Configuration</title>
1918
For example, if GNOME is distributed with GOK as the default on-screen
1919
keyboard, then this could be replaced with a different program if
1920
desired. To replace GOK with the on-screen keyboard application
1921
"onboard" and additionally activate the assistive tool "mousetweaks"
1922
for dwelling support, then the following configuration is needed.
1926
Create a desktop file for onboard and a second one for mousetweaks;
1927
for example, onboard.desktop and mousetweaks.desktop. These files
1928
must be placed in the GDM autostart directory and be in the format
1929
as explained in the "Autostart Configuration" section of this
1934
The following is an example <filename>onboard.desktop</filename> file:
1940
Name=Onboard Onscreen Keyboard
1941
Comment=Use an on-screen keyboard
1943
Exec=onboard --size 500x180 -x 20 -y 10
1947
Categories=GNOME;GTK;Accessibility;
1948
AutostartCondition=GNOME /desktop/gnome/applications/at/screen_keyboard_enabled
1952
The following is an example <filename>mousetweaks.desktop</filename>
1959
Name=Software Mouse-Clicks
1960
Comment=Perform clicks by dwelling with the pointer
1962
Exec=mousetweaks --enable-dwell -m window -c -x 20 -y 240
1966
Categories=GNOME;GTK;Accessibility;
1967
AutostartCondition=GNOME /desktop/gnome/applications/at/screen_keyboard_enabled
1971
Note the line with the AutostartCondition that links both desktop
1972
files to the GConf key for the on-screen keyboard.
1976
To disable GOK from starting, the desktop file for the GOK on-screen
1977
keyboard must be removed or deactivated. Otherwise onboard and GOK
1978
would simultaneously be started. This can be done by removing the
1979
gok.desktop file from the GDM autostart directory, or by adding the
1980
"Hidden=true" key setting to the gok.desktop file.
1984
After making these changes, GOK will no longer be started when the
1985
user activates the on-screen keyboard in the GDM session; but onboard
1986
and mousetweaks will instead be launched.
1991
<sect2 id="generalsessionconfig">
1992
<title>General Session Settings</title>
1995
TODO - I think this section should be expanded upon. What specific
1996
keys are of interest, or would some users be likely to want
1997
to configure? Also, would be good to be more specific about
1998
how lock down management is handled.
2002
The GDM Greeter uses some of the same framework that your desktop
2003
session will use. And so, it is influenced by a number of the same
2004
GConf settings. For each of these settings the Greeter will use the
2005
default value unless it is specifically overridden by a) GDM's
2006
installed mandatory policy b) system mandatory policy. GDM installs
2007
its own mandatory policy to lock down some settings for security.
2011
<sect2 id="gnomesettingsdaemon">
2012
<title>GNOME Settings Daemon</title>
2015
TODO - I think this section should be expanded upon. What specific
2016
keys are of interest, or would some users be likely to want
2017
to configure? Also, would be good to give a more complete
2018
list of plugins that users might want to consider disabling.
2019
Also, shouldn't we list the sound/active key in the Greeter
2020
configuration setting? Oddly I do not find this key used
2021
in anything but the chooser in SVN.
2026
GDM enables the following gnome-settings-daemon plugins:
2027
a11y-keyboard, background, sound, xsettings.
2031
These are responsible for things like the background image, font and
2032
theme settings, sound events, etc.
2036
Plugins can also be disabled using GConf. For example, if you want to
2037
disable the sound plugin then unset the following key:
2038
<filename>/apps/gdm/simple-greeter/settings-manager-plugins/sound/active</filename>.
2042
<sect2 id="sessionconfig">
2043
<title>GDM Session Configuration</title>
2046
GDM sessions are specified using the FreeDesktop.org Desktop Entry
2047
Specification, which can be referenced at the following URL:
2048
<ulink url="http://www.freedesktop.org/wiki/Specifications/desktop-entry-spec">
2049
http://www.freedesktop.org/wiki/Specifications/desktop-entry-spec</ulink>.
2053
By default, GDM will install desktop files in the
2054
<filename><share>/xsessions</filename> directory. GDM will
2055
search the following directories in this order to find desktop files:
2056
<filename><etc>/X11/sessions/</filename>,
2057
<filename><dmconfdir>/Sessions</filename>,
2058
<filename><share>/xsessions</filename>, and
2059
<filename><share>/gdm/BuiltInSessions</filename>. By default the
2060
<filename><dmconfdir></filename> is set to
2061
<filename><etc>/dm/</filename> unless GDM is configured to use
2062
a different directory via the "--with-dmconfdir" option.
2066
A session can be disabled by editing the desktop file and adding a line
2067
as follows: <filename>Hidden=true</filename>.
2071
GDM desktop files support a GDM-specific extension, a key named
2072
"X-GDM-BypassXsession". If the key is not specified in a
2073
desktop file, the value defaults to "false". If this key is
2074
specified to be "true" in a desktop file, then GDM will
2075
launch the program specified by the desktop file "Exec" key
2076
directly when starting the user session. It will not run the program
2077
via the <filename><etc>/gdm/Xsession</filename> script, which is
2078
the normal behavior. Since bypassing the
2079
<filename><etc>/gdm/Xsession</filename> script avoids setting up
2080
the user session with the normal system and user settings, sessions
2081
started this way can be useful for debugging problems in the system or
2082
user scripts that might be preventing a user from being able to start
2088
<sect2 id="userconfig">
2089
<title>GDM User Session and Language Configuration</title>
2091
The user's default session and language choices are stored in the
2092
<filename>~/.dmrc</filename> file. When a user logs in for the first
2093
time, this file is created with the user's initial choices. The user
2094
can change these default values by simply changing to a different value
2095
when logging in. GDM will remember this change for subsequent logins.
2099
The <filename>~/.dmrc</filename> file is in the standard
2100
<filename>INI</filename> format. It has one section called
2101
<filename>[Desktop]</filename> which has two keys:
2102
<filename>Session</filename> and <filename>Language</filename>.
2106
The <filename>Session</filename> key specifies the basename of the
2107
session <filename>.desktop</filename> file that the user wishes to
2108
normally use without the <filename>.desktop</filename> extension.
2109
The <filename>Language</filename> key specifies the language that the
2110
user wishes to use by default. If either of these keys is missing, the
2111
system default is used. The file would normally look as follows:
2117
Language=cs_CZ.UTF-8
2123
<!-- ============= GDM Commands ============================= -->
2125
<sect1 id="binaries">
2126
<title>GDM 명령어</title>
2128
<sect2 id="sbindir_binaries">
2129
<title>GDM Root User Commands</title>
2132
The GDM package provides the following commands in
2133
<filename>sbindir</filename> intended to be run by the root user:
2136
<sect3 id="gdmcommandline">
2137
<title><command>gdm</command> and <command>gdm-binary</command>
2138
Command Line Options</title>
2141
The <command>gdm</command> command is really just a script which
2142
runs the <command>gdm-binary</command>, passing along any options.
2143
Before launching <command>gdm-binary</command>, the gdm wrapper
2144
script will source the <filename><etc>/profile</filename> file
2145
to set the standard system environment variables. In order to better
2146
support internationalization, it will also set the LC_MESSAGES
2147
environment variable to LANG if neither LC_MESSAGES or LC_ALL are
2148
set. The <command>gdm-binary</command> is the actual GDM daemon.
2152
<title><command>gdm</command> and <command>gdm-binary</command>
2153
Command Line Options</title>
2156
<term>-?, --help</term>
2159
Gives a brief overview of the command line options.
2165
<term>--fatal-warnings</term>
2168
Make all warnings cause GDM to exit.
2174
<term>--timed-exit</term>
2177
Exit after 30 seconds. Useful for debugging.
2183
<term>--version</term>
2186
Print the version of the GDM daemon.
2193
<sect3 id="gdmrestartcommandline">
2194
<title><command>gdm-restart</command> Command Line Options</title>
2197
<command>gdm-restart</command> stops and restarts GDM by sending
2198
the GDM daemon a HUP signal. This command will immediately terminate
2199
all sessions and log out users currently logged in with GDM.
2203
<sect3 id="gdmsaferestartcommandline">
2204
<title><command>gdm-safe-restart</command> Command Line Options</title>
2207
<command>gdm-safe-restart</command> stops and restarts GDM by
2208
sending the GDM daemon a USR1 signal. GDM will be restarted as soon
2209
as all users log out.
2213
<sect3 id="gdmstopcommandline">
2214
<title><command>gdm-stop</command> Command Line Options</title>
2217
<command>gdm-stop</command> stops GDM by sending the GDM daemon
2224
<!-- ============= Troubleshooting =========================== -->
2226
<sect1 id="troubleshooting">
2227
<title>문제 해결</title>
2230
TODO - any other tips we should add? Might be useful to highlight any
2231
common D-Bus configuration issues?
2236
This section discusses helpful tips for getting GDM working. In general,
2237
if you have a problem using GDM, you can submit a bug or send an email
2238
to the gdm-list mailing list. Information about how to do this is in
2239
the Introduction section of the document.
2243
If GDM is failing to work properly, it is always a good idea to include
2244
debug information. To enable debugging, set the debug/Enable key to
2245
"true" in the <filename><etc>/gdm/custom.conf</filename>
2246
file and restart GDM. Then use GDM to the point where it fails, and
2247
debug output will be sent to the system log file
2248
(<filename><var>/log/messages</filename> or
2249
<filename><var>/adm/messages</filename> depending on your Operating
2250
System). If you share this output with the GDM community via a bug
2251
report or email, please only include the GDM related debug information
2252
and not the entire file since it can be large. If you do not see any
2253
GDM syslog output, you may need to configure syslog (refer to the
2254
<ulink type="help" url="man:syslog">syslog</ulink> man page).
2257
<sect2 id="wontstart">
2258
<title>GDM Will Not Start</title>
2261
There are a many problems that can cause GDM to fail to start, but
2262
this section will discuss a few common problems and how to approach
2263
tracking down a problem with GDM starting. Some problems will
2264
cause GDM to respond with an error message or dialog when it tries
2265
to start, but it can be difficult to track down problems when GDM
2270
First make sure that the Xserver is configured properly. The
2271
GDM configuration file contains a command in the [server-Standard]
2272
section that is used for starting the Xserver. Verify that this
2273
command works on your system. Running this command from the
2274
console should start the Xserver. If it fails, then the problem
2275
is likely with your Xserver configuration. Refer to your Xserver
2276
error log for an idea of what the problem may be. The problem may
2277
also be that your Xserver requires different command-line options.
2278
If so, then modify the Xserver command in the GDM configuration file
2279
so that it is correct for your system.
2283
Also make sure that the <filename>/tmp</filename> directory has
2284
reasonable ownership and permissions, and that the machine's file
2285
system is not full. These problems will cause GDM to fail to start.
2290
<!-- ============= Application License ============================= -->
2292
<sect1 id="license">
2293
<title>License</title>
2295
This program is free software; you can redistribute it and/or
2296
modify it under the terms of the <ulink type="help" url="gnome-help:gpl">
2297
<citetitle>GNU General Public License</citetitle></ulink> as
2298
published by the Free Software Foundation;
2299
either version 2 of the License, or (at your option) any later
2303
This program is distributed in the hope that it will be useful, but
2304
WITHOUT ANY WARRANTY; without even the implied warranty of
2305
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
2306
<citetitle>GNU General Public License</citetitle> for more details.
2309
A copy of the <citetitle>GNU General Public License</citetitle> is
2310
included as an appendix to the <citetitle>GNOME Users
2311
Guide</citetitle>. You may also obtain a copy of the
2312
<citetitle>GNU General Public License</citetitle> from the Free
2313
Software Foundation by visiting
2314
<ulink type="http" url="http://www.fsf.org">their Web site</ulink> or by
2317
Free Software Foundation, Inc.
2318
<street>51 Franklin Street, Fifth Floor</street>
2319
<city>Boston</city>, <state>MA</state> <postcode>02110-1301</postcode>
2320
<country>USA</country>
2325
<!-- Keep this comment at the end of the file
2330
sgml-minimize-attributes:nil
2331
sgml-always-quote-attributes:t
2334
sgml-parent-document:nil
2335
sgml-exposed-tags:nil
2336
sgml-local-catalogs:nil
2337
sgml-local-ecat-files:nil