<!DOCTYPE REFENTRY PUBLIC "-//Sun Microsystems//DTD DocBook V3.0-Based SolBook Subset V2.0//EN" [
<!--ArborText, Inc., 1988-1999, v.4002-->
<!--ARC : LSARC 2005/417 GDM2 as default Solaris Display Manager-->
<!ENTITY cmd "gdm">
<!ENTITY % commonents SYSTEM "smancommon.ent">
%commonents;
<!ENTITY % booktitles SYSTEM "booktitles.ent">
%booktitles;
<!ENTITY suncopy "Copyright (c) 2004,2006 Sun Microsystems, Inc. All Rights Reserved.">
]>
<?Pub UDT _bookmark _target>
<?Pub EntList brvbar bull cross dash diam diams frac12 frac13 frac14 hellip
laquo lArr loz mdash nabla ndash para pound rArr raquo sect yen gt lt>
<?Pub Inc>
<refentry id="gdm-1m">
<!-- %Z%%M% %I% %E% SMI; -->
<refmeta><refentrytitle>gdm</refentrytitle><manvolnum>1m</manvolnum>
<refmiscinfo class="date">2 Sep 2004</refmiscinfo>
<refmiscinfo class="sectdesc">&man1;</refmiscinfo>
<refmiscinfo class="software">&release;</refmiscinfo>
<refmiscinfo class="arch">generic</refmiscinfo>
<refmiscinfo class="copyright">&suncopy;</refmiscinfo>
</refmeta>
<indexterm><primary>gdm</primary></indexterm><indexterm><primary>GNOME Display
Manager</primary></indexterm>
<refnamediv id="gdm-1m-name"><refname>gdm</refname><refname>gdm-binary</refname>
<refname>gdmchooser</refname><refname>gdmgreeter</refname><refname>gdmlogin
</refname><refpurpose>GNOME Display Manager</refpurpose></refnamediv>

<refsynopsisdiv id="gdm-1m-synp"><title>&synp-tt;</title>
<cmdsynopsis><command>&cmd; | gdm-binary</command><arg choice="opt"><option>-config=<replaceable>file</replaceable></option></arg><arg choice="opt"><option>-monte-carlo-sqrt2</option></arg><arg choice="opt"><option>-no-console</option></arg><arg choice="opt"><option>nodaemon</option></arg><arg choice="opt"><option>-preserve-ld-vars</option></arg><arg choice="opt"><option>-version</option></arg><arg choice="opt"><option>-wait-for-go</option></arg>
</cmdsynopsis>

<cmdsynopsis><command>gdmlogin | gdmgreeter</command><arg choice="opt"><option role="nodash"><replaceable>gnome-std-options</replaceable></option></arg>
</cmdsynopsis>

<cmdsynopsis><command>gdmchooser</command><arg choice="opt"><option>clientaddress=<replaceable>address</replaceable></option></arg><arg choice="opt"><option>connectionType=<replaceable>type</replaceable></option></arg><arg choice="opt"><option>xdmaddress=<replaceable>socket</replaceable></option></arg><arg choice="opt"><option role="nodash"><replaceable>gnome-std-options</replaceable></option></arg>
</cmdsynopsis></refsynopsisdiv>

<refsect1 id="gdm-1m-desc"><title>&desc-tt;</title>
<para>GDM is the GNOME Display Manager, a program used for login session management.
When no user is logged in on the console, GDM displays a graphical user interface
that enables the user to enter their username and password. GDM supports
XDMCP and supports flexible or on-demand servers via the
<citerefentry><refentrytitle>gdmflexiserver</refentrytitle><manvolnum>1</manvolnum></citerefentry>
command.</para>
<para><command>&cmd;</command> is a wrapper script that launches
<command>gdm-binary</command> and passes along any options. Before launching
<command>gdm-binary</command> the <command>&cmd;</command> wrapper script sources the
<citerefentry><refentrytitle>profile</refentrytitle><manvolnum>4</manvolnum></citerefentry>
file to set the standard system environment variables. To support internationalization,
<command>&cmd;</command> also sets the LC_MESSAGES environment variable to LANG if
neither LC_MESSAGES nor LC_ALL is set.</para>
<para>On startup, the GDM daemon parses its config file
<filename>/usr/share/gdm/defaults.conf</filename> where system defaults are
stored. It also reads <filename>/etc/X11/gdm/custom.conf</filename> and
any user settings defined there override the default settings.
Per-display configuration settings can be set in
<filename>/etc/X11/gdm/custom.conf<replaceable>display</replaceable></filename>
where <replaceable>display</replaceable> is the display number, such as ":0".
Only the "security/PamStack" setting and the settings in the [gui] and
[greeter] sections of the configuration file may be specified in the
per-display configuration file; any others are ignored. When GDM displays
a GUI on the display, these per-display values override the values in the other
configuration files.</para>
<para>
For each local display, <command>gdm-binary</command> forks an Xserver and a slave
process. The main <command>gdm-binary</command> process then listens to XDMCP
requests from remote displays, if so configured, and monitors the local display
sessions. The main daemon process also allows new local Xservers to start on demand
using the
<citerefentry><refentrytitle>gdmflexiserver</refentrytitle><manvolnum>1</manvolnum></citerefentry>
command.</para>
<para>The GDM slave process opens the display and starts either the Themed
Greeter or the Plain Greeter. This choice is set by the "daemon/Greeter" parameter
in the configuration file for console login and the "daemon/RemoteGreeter"
parameter for XDMCP logins. The parameter should be set to "gdmgreeter" to
use the Themed Greeter or "gdmlogin" to use the Plain Greeter. The
Plain Greeter is lower-bandwidth, which tends to be more appropriate for
remote logins.
The GDM daemon communicates asynchronously with the slave process
through a pipe.</para>
<para>From either the Themed Greeter or the Plain Greeter, it is possible
to launch the Chooser program <command>gdmchooser</command> to start remote
XDMCP login sessions.</para>
<para>Although disabled by default, it is also possible to launch the Setup
program
<citerefentry><refentrytitle>gdmsetup</refentrytitle><manvolnum>1m</manvolnum></citerefentry>
to edit the configuration choices in the
<filename>/etc/X11/gdm/custom.conf</filename> file. The root password must be
entered to launch the Setup program. The ability to launch the Setup program
is disabled by default as
<citerefentry><refentrytitle>gdmsetup</refentrytitle><manvolnum>1m</manvolnum></citerefentry>
runs with root permissions and changing GDM configuration can affect security.</para>
<para>GDM relies on
<citerefentry><refentrytitle>PAM</refentrytitle><manvolnum>3PAM</manvolnum></citerefentry>
(Pluggable Authentication Modules) for password authentication,
but supports regular crypt() and shadow passwords on legacy systems. On Solaris,
GDM uses
<citerefentry><refentrytitle>logindevperm</refentrytitle><manvolnum>4</manvolnum></citerefentry>
to set proper device permissions for the user on login.</para>
<para>All operations on user files are done with the effective user id of
the user.
If the sanity check fails on the user's <filename>.Xauthority</filename>
file, a fallback cookie is created in <filename>/tmp</filename>.</para>
</refsect1>
<refsect1 id="gdm-1m-opts"><title>&opts-tt;</title>
<para>The following options are supported by <command>&cmd;</command> and
<command>gdm-binary</command>:</para>
<variablelist termlength="medium">
<varlistentry><term><option>-config=<replaceable>file</replaceable></option></term>
<listitem><para>Specify alternate default configuration file.</para>
</listitem></varlistentry>
<varlistentry><term><option>-monte-carlo-sqrt2</option></term><listitem></listitem>
</varlistentry>
<varlistentry><term><option>-no-console</option></term><listitem><para>Tell
the daemon that it should not run anything on the console. This means that
none of the local servers from the [servers] section of the GDM configuration
are run, and the console is not used to communicate errors to the user.
An empty [servers] section automatically implies this option.</para>
</listitem></varlistentry>
<varlistentry><term><option>nodaemon</option></term><listitem><para>If this
option is specified, GDM does not fork into the background when run. You can
use a single dash with this option to preserve compatibility with XDM.</para>
</listitem></varlistentry>
<varlistentry><term><option>-preserve-ld-vars</option></term><listitem><para>
When clearing the environment internally, preserve all variables starting
with LD_.
This is mostly for debugging purposes.</para>
</listitem></varlistentry>
<varlistentry><term><option>-version</option></term><listitem><para>Print
the version of the GDM daemon.</para>
</listitem></varlistentry>
<varlistentry><term><option>-wait-for-go</option></term><listitem>
<para>
If started with this option, GDM initiates, but only starts the first local display
and then waits for a GO message in the fifo protocol. No greeter is shown
until the GO message is sent. Also, flexiserver requests are denied and XDMCP
is not started until GO is given. This is useful for initialization scripts
that wish to start X early, but where you do not yet want the user to start
logging in: the script sends the GO to the fifo when ready and GDM then continues.
</para>
</listitem></varlistentry>
</variablelist>
<para>The following options are supported by <command>gdmlogin</command> and
<command>gdmgreeter</command>:</para>
<variablelist termlength="medium">
<varlistentry><term><option role="nodash"><replaceable>gnome-std-options</replaceable></option></term>
<listitem><para>Standard options available for use with most GNOME applications.
See <citerefentry><refentrytitle>gnome-std-options</refentrytitle><manvolnum>5</manvolnum></citerefentry> for more information.</para>
</listitem></varlistentry>
</variablelist><para>The following options are supported by <command>gdmchooser</command>:</para>
<variablelist termlength="medium">
<varlistentry><term><option>clientaddress=<replaceable>address</replaceable></option></term>
<listitem><para>Client address to return in response to xdm.
This option is for running <command>gdmchooser</command> with xdm, and is not used within
GDM.</para>
</listitem></varlistentry>
<varlistentry><term><option>connectionType=<replaceable>type</replaceable></option></term>
<listitem><para>Connection type to return in response to xdm. This option
is for running <command>gdmchooser</command> with xdm, and is not used within
GDM.</para>
</listitem></varlistentry>
<varlistentry><term><option>xdmaddress=<replaceable>socket</replaceable></option></term>
<listitem><para>Socket for XDM communication.</para>
</listitem></varlistentry>
<varlistentry><term><option role="nodash"><replaceable>gnome-std-options</replaceable></option></term>
<listitem><para>Standard options available for use with most GNOME applications.
See <citerefentry><refentrytitle>gnome-std-options</refentrytitle><manvolnum>5</manvolnum></citerefentry> for more information.</para>
</listitem></varlistentry>
</variablelist></refsect1>
<refsect1 id="gdm-1m-exde"><title>&exde-tt;</title>
<refsect2 id="gdm-1m-exde-standard">
<title>Plain Greeter</title>
<para>The Plain Greeter is the default graphical user interface that is
presented to the user. The greeter contains a menu at the top, an optional
face browser, an optional logo, and a text entry field. The Plain Greeter
corresponds to the executable <command>gdmlogin</command>.</para>
<para>The text entry field is used to enter logins, passwords, passphrases,
and so on. The field is controlled by the underlying daemon and is basically
stateless. The daemon controls the greeter through a simple protocol where
the daemon can ask the greeter for a text string with echo turned on or off.
Similarly, the daemon can change the label above the text entry field to correspond
to the value that the authentication system wants the user to enter.</para>
<para>The menu bar at the top of the greeter enables the user to select the
requested session type or desktop environment, change the GTK+ theme (if enabled),
select an appropriate locale or language, and optionally shut down, reboot,
or suspend the machine, configure GDM (if the user knows the root password),
or start an XDMCP chooser.</para>
<para>Optionally, the greeter can provide a face browser that contains icons
for all of the users on a system. The icons can be installed globally by the
system administrator, or in the user home directories. If installed globally,
the icons should be in the <filename><replaceable>share</replaceable>/faces</filename>
directory (though this can be configured with the GlobalFaceDir
configuration option) and the filename should be the name of the user, optionally
with “.png” appended.</para>
<para>Users can place their icons in a file called <filename>~/.face</filename>,
and can use
<citerefentry><refentrytitle>gdmphotosetup</refentrytitle><manvolnum>1</manvolnum></citerefentry>
to graphically configure this.
Face icons placed in the global face directory must be readable to the GDM
user. However, the daemon proxies user pictures to the greeter. Therefore,
those do not have to be readable by the GDM user, but must be readable by
the root user.</para>
<para>Note that loading and scaling face icons located in user home directories
can be a very time-consuming task, especially on large systems or systems
running NIS. The browser feature is only intended for systems with relatively
few users. Also, if home directories are on an on-demand mounted file system
such as AFS, GDM might mount all of the home directories just to check for
pictures if the face browser is on.
However, GDM will try to give up after
5 seconds of activity, and only display the users whose pictures have been
received so far.</para>
<para>To filter out unwanted user names in the browser, the "greeter/Exclude" parameter
in the GDM configuration can be set with a list of usernames separated
by commas. The greeter automatically ignores the usernames listed, and excludes
users whose UIDs are lower than the "greeter/MinimalUID" parameter, which is 100 by
default.</para>
<para>When the browser is turned on, valid usernames on the machine are exposed
to a potential intruder. This might be a bad idea if you do not know who has
access to a login screen. This is especially true if you run XDMCP. Note that
you should never run XDMCP on an open network.</para>
<para>The greeter can optionally display a logo in the login window. The image
must be in a format readable to the <filename>gdk-pixbuf</filename> library
(GIF, JPG, PNG, TIFF, XPM), and must be readable by the GDM user.</para>
</refsect2>
<refsect2 id="gdm-1m-exde-graphical">
<title>Themed Greeter</title>
<para>The Themed Greeter is a greeter interface that is displayed on the
whole screen and is themable. The Themed Greeter corresponds to the executable
<command>gdmgreeter</command>.</para>
<para>Themes can be selected and new themes can be installed by running
<citerefentry><refentrytitle>gdmsetup</refentrytitle><manvolnum>1m</manvolnum></citerefentry>,
or by setting the "greeter/GraphicalTheme" parameter in the GDM configuration.
The location of themes is specified by the "greeter/GraphicalThemeDir" parameter.</para>
<para>The look and feel of this greeter is controlled by the theme, so the
user interface elements that are present might differ. The only item that
must always be present is the text entry field, as described in the Plain
Greeter section above.
You can display a menu of available actions by pressing
the F10 key. This can be useful if the theme does not provide certain buttons
when you wish to perform a particular action.</para>
</refsect2>
<refsect2 id="gdm-1m-exde-chooser">
<title>Chooser</title>
<para>The Chooser displays a list of local machines that accept XDMCP connections.
The user can also specify a machine by entering its name directly. Once a
machine is selected, a remote XDMCP session can be started. The Chooser can
be launched on the console directly from the Plain or Themed Greeter.
The chooser corresponds to the executable <command>gdmchooser</command>.
</para>
</refsect2>
<refsect2 id="gdm-1m-exde-xdmcp">
<title>XDMCP</title>
<para>GDM can be configured to enable XDMCP so that users can log in remotely
and launch a graphical chooser that allows a remote login session to be started.
See the [xdmcp] section of the default GDM configuration file.</para>
<para>GDM grants access to the hosts specified in the GDM service section
of your TCP Wrappers configuration file. GDM does not support remote display
access control on systems without TCP Wrappers.</para>
<para>GDM includes several measures that make GDM more resistant to denial-of-service
attacks on the XDMCP service. Several protocol parameters, handshaking timeouts,
and so on can be fine-tuned. The default values should work for most systems,
however. Do not change these values unless you know what you are doing.</para>
<para>By default, GDM listens to UDP port 177, although this can be configured.
GDM responds to QUERY and BROADCAST_QUERY requests by sending a WILLING packet
to the originator.</para>
<para>GDM can also be configured to honor INDIRECT queries and present a host
chooser to the remote display. GDM remembers the user's choice and forwards
subsequent requests to the chosen manager.
GDM also supports an extension
to the protocol which makes GDM forget the redirection once the user's connection
succeeds. This extension is only supported if both daemons are GDM. This extension
is transparent and is ignored by XDM or other daemons that implement XDMCP.
</para>
<para>GDM only supports the MIT-MAGIC-COOKIE-1 authentication system. Because
of this, the cookies are transmitted as clear text. Therefore, you should
be careful about the network where you use this. That is, be careful about
where your XDMCP connection is going. Note that if snooping is possible, an
attacker could snoop your password as you log in, so a better XDMCP authentication
would not help you much anyway. If snooping is possible and undesirable, you
should use <filename>ssh</filename> for tunneling an X connection, rather
than using GDM's XDMCP. Think of XDMCP as a sort of graphical telnet, with
the same security issues.</para>
</refsect2>
<refsect2 id="gdm-1m-exde-control">
<title>Controlling GDM</title>
<para>You can control GDM behavior during runtime in several different ways.
You can run certain commands, or you can talk to GDM using either a UNIX socket
protocol, or a FIFO protocol.</para>
<para>You can control GDM behavior as follows:</para>
<itemizedlist>
<listitem><para>To stop GDM, you can either send the TERM signal to the main
daemon, or run the
<citerefentry><refentrytitle>gdm-stop</refentrytitle><manvolnum>1m</manvolnum></citerefentry>
command.</para></listitem>
<listitem><para>To restart GDM, you can either send the HUP signal to the
main daemon, or run the
<citerefentry><refentrytitle>gdm-restart</refentrytitle><manvolnum>1m</manvolnum></citerefentry>
command.</para></listitem>
<listitem><para>To restart GDM but only after all users have logged out, you
can either send the USR1 signal to the main daemon, or run the
<citerefentry><refentrytitle>gdm-safe-restart</refentrytitle><manvolnum>1m</manvolnum></citerefentry>
command.</para></listitem>
</itemizedlist>
<para>The
<citerefentry><refentrytitle>gdm-stop</refentrytitle><manvolnum>1m</manvolnum></citerefentry>,
<citerefentry><refentrytitle>gdm-restart</refentrytitle><manvolnum>1m</manvolnum></citerefentry>, and
<citerefentry><refentrytitle>gdm-safe-restart</refentrytitle><manvolnum>1m</manvolnum></citerefentry>
commands are in the <filename>/sbin</filename> directory.</para>
<para>The
<citerefentry><refentrytitle>gdmflexiserver</refentrytitle><manvolnum>1</manvolnum></citerefentry>
command can be used to communicate with the GDM daemon and to start new flexible
(on demand) servers.</para>
</refsect2>
<refsect2 id="gdm-1m-exde-config">
<title>Configuration</title>
<para>The GDM configuration files contain comments that explain each
configuration parameter.</para>
</refsect2>
<refsect2 id="gdm-1m-exde-security">
<title>Security</title>
<para>GDM is best used with a dedicated user id and group id that GDM uses
for graphical interfaces
such as <command>gdmgreeter</command>, <command>gdmlogin</command>,
and <command>gdmchooser</command>. You can specify the
name of this user and group in the [daemon] section of the GDM configuration
file.</para>
<para>The GDM user and group, which are normally just "gdm", should not be a
user or group of any particular privilege. The reason for using the GDM user
and group is to have the user interface run as a user without privileges,
so that in the unlikely case that someone finds a weakness in the GUI, they
cannot access root on the machine.</para>
<para>Note that the GDM user and group have some privileges that make them
somewhat dangerous. This user and group have access to the server authorization directory
(specified by the "daemon/ServAuthDir" parameter in the GDM configuration
file) which contains all of the X server authorization files and other private information.
This means that someone who gains the GDM user/group privileges can then connect
to any session. Do not, under any circumstances, make the GDM user/group a
user/group that might be easy to get access to, such as the user
<literal>"nobody"</literal>.</para>
<para>The server authorization directory (daemon/ServAuthDir) is used for a host
of random internal data, in addition to the X server authorization files,
and the naming is really a relic of history. The GDM daemon forces this directory
to be owned by root:gdm with permissions of 1770. This means that only the
root user and the GDM group have write access to this directory, but the GDM
group cannot remove the root-owned files from this directory, such as the
X server authorization files.</para>
<para>By default, GDM does not trust the server authorization directory and
treats it in the same way as a temporary directory with respect to creating
files.
This means that someone breaking the GDM user cannot mount attacks
by creating links in this directory. Similarly, the X server log directory
is treated safely, but that directory should really be owned and writable
only by the root user.</para>
</refsect2>
<refsect2 id="gdm-1m-exde-accessibility">
<title>Accessibility</title>
<para>GDM supports "Accessible Login" to allow users to log in to their desktop
session even if they cannot easily use the screen, mouse, or keyboard in the
usual way. This feature enables the user to launch assistive technologies
at login time by means of special "gestures" from the standard keyboard and
from a keyboard, pointing device, or switch device attached to the USB or
PS/2 mouse port. This also enables the user to change the visual appearance
of the login UI before logging in, for example to use a higher-contrast color
scheme for better visibility. GDM only supports accessibility with the Plain
Greeter, so the "daemon/Greeter" parameter in the GDM configuration must
be set to the Plain Greeter "gdmlogin".</para>
<para>To enable Accessible Login, the system administrator must modify the
default login configuration by manually modifying the standard GDM configuration
files and the <filename>AccessKeyMouseEvents</filename> and
<filename>AccessDwellMouseEvents</filename> module configuration files.
</para>
<para>To allow users to change the color and contrast scheme of the login
dialog, set the "gui/AllowGtkThemeChange" parameter in the GDM configuration
to "true".</para>
<para>To restrict user changes of the visual appearance to a subset of available
themes, the "gui/GtkThemesToAllow" parameter in the GDM configuration
can be set to a list of acceptable themes separated by commas.
For example: <screen><userinput>
GtkThemesToAllow=blueprint,HighContrast,HighContrastInverse</userinput></screen></para>
<para>To enable the use of assistive technologies such as the On-screen Keyboard,
Screen Reader, or Magnifier, the "daemon/AddGtkModules" parameter in the
GDM configuration must be uncommented and set to "true". Also, the "daemon/GtkModulesList"
parameter must be uncommented and set to "gail:atk-bridge:/usr/lib/gtk-2.0/modules/libdwellmouselistener:/usr/lib/gtk-2.0/modules/libkeymouselistener".
</para>
<para>System administrators might wish to load only the minimum subset of
these modules that is required to support their user base. Depending on the
end-user needs, it might not be necessary to load all of the GtkModules:</para>
<itemizedlist>
<listitem><para>If a user needs the integrated Screen Reader and Magnifier,
you must include "gail" and "atk-bridge".</para></listitem>
<listitem><para>If a user needs a pointing device without buttons or switches,
include "dwellmouselistener".</para></listitem>
<listitem><para>If a user needs a pointing device with switches, alternative
physical keyboard, or switch/button device, include "keymouselistener".</para>
</listitem>
</itemizedlist>
<para>Including all four modules is suitable for most system configurations.
The Onscreen Keyboard can operate without gail and atk-bridge, but with a
reduced feature set. For optimum accessibility, we recommend including gail
and atk-bridge.</para>
<para>When "keymouselistener" or "dwellmouselistener" have been added to the
GtkModules loaded by GDM, you can assign user actions to the launching of
specific assistive technologies. These gesture associations are contained
in the files AccessKeyMouseEvents and AccessDwellMouseEvents, respectively.
The gesture format is described in the two files.</para>
<para>The AccessKeyMouseEvents file controls the keymouselistener Gesture
Listener and is used to define key-press, mouse button, or XInput device sequences
that can be used to launch programs needed for accessibility. To reduce the
likelihood of unintentional launch, these 'gestures' may be associated with
multiple switch presses and/or minimum durations.</para>
<para>The AccessDwellMouseEvents file controls the dwellmouselistener and supports
gestures that involve only motion of a pointing device such as the system
mouse. Motion of an alternative pointing device such as a head pointer or
trackball can also be defined. All gestures are specified by the same syntax;
there is no distinction between a 'core mouse' gesture and motion from an
alternate input device.</para>
<para>Motion gestures are defined as "crossing events" into and out of the
login dialog window. If the 'dwellmouselistener' GtkModule is loaded, alternative
pointing devices are temporarily "latched" to the core pointer, such that
motion from alternative devices results in movement of the onscreen pointer.
</para>
<para>To use text-to-speech services at login time (for instance, when using
the Screen Reader in speech mode) on some operating systems, the gdm user
must be a member of the "audio" group.</para>
</refsect2>
<refsect2 id="gdm-1m-exde-logging">
<title>Logging</title>
<para>GDM uses syslog to log errors or status. GDM can also log debugging
information, if enabled in the GDM configuration.</para>
<para>Output from the various X servers is stored in the GDM log directory,
which is configurable but is usually <filename><replaceable>var</replaceable>/log/gdm</filename>.
The output from the session can be found in a file called
<filename><replaceable>display</replaceable>.log</filename>.
Four older versions of this file are
also stored, by appending 1 through 4 to the filename. These files are rotated,
as new sessions on that display are started. You can use these logs to view
what the X server said when it started up.</para>
<para>The output from the user session is redirected to <filename>~/.xsession-errors</filename>
before even the PreSession script is started, so it is not necessary
to redirect this again in the session setup script. If the user session lasted
less than 10 seconds, GDM assumes that the session crashed and allows the
user to view this file in a dialog before returning to the login screen. This
enables the user to view the session errors from the last session and correct
the problem.</para>
<para>You can suppress the 10-second warning by returning code 66 from
the Xsession script or from your session binary (the default Xsession script
propagates those codes back). This is useful if you have special logins for
which it is not an error to return less than 10 seconds later, or if you already
set up the session to display an error message and the GDM message would be
confusing and redundant.</para>
<para>The session output is piped through the GDM daemon, so the
<filename>~/.xsession-errors</filename> file is capped by GDM at about 200 kilobytes,
to prevent a possible denial-of-service attack on the session. An application
could, on reading some wrong data, print out warnings or errors on stderr
or stdout. This could fill up the user's home directory, and the user would then
have to log out and log back in to clear this. This could be especially nasty
if quotas are set.
GDM also correctly traps the XFSZ signal and stops writing
the file, which would lead to killed sessions if the file was redirected in
the old-fashioned way from the script.</para>
<para>Note that some distributors seem to override the <filename>~/.xsession-errors</filename>
redirection and redirect in their own Xsession script (set by
the BaseXsession configuration key), which means that GDM cannot trap the
output and cap this file. You also lose output from the PreSession script
which can make debugging more difficult, as perhaps useful output of what
is wrong is not printed out. See the description of the BaseXsession configuration
key for more information, especially on how to handle multiple display managers
using the same script.</para>
<para>Note that if the session is a failsafe session, or if GDM cannot open
this file for some reason, a fallback file is created named
<filename>/tmp/xses-<replaceable>user</replaceable>.XXXXXX</filename>, where XXXXXX are random characters.
</para>
<para>If you run a system with quotas set, use the PostSession script to delete
the <filename>~/.xsession-errors</filename> file, so that this log file is
not stored unnecessarily.</para>
</refsect2>
</refsect1>
<refsect1 id="gdm-1m-exit"><title>&exit-tt;</title>
<para>The following exit values are returned:</para>
<variablelist termlength="xtranarrow">
<varlistentry><term><returnvalue>0</returnvalue></term><listitem><para>Application
exited successfully</para>
</listitem></varlistentry>
<varlistentry><term><returnvalue>>0</returnvalue></term><listitem><para>Application
exited with failure</para>
</listitem></varlistentry>
</variablelist></refsect1>
<refsect1 id="gdm-1m-file"><title>&file-tt;</title>
<para>The following files are used by this application:</para>
<variablelist termlength="medium">
<varlistentry><term><filename>/usr/sbin/&cmd;</filename></term><listitem><para>
Wrapper script that launches GNOME Display Manager</para>
</listitem></varlistentry>
<varlistentry><term><filename>/usr/sbin/gdm-binary</filename></term><listitem>
<para>Executable for GNOME Display Manager</para>
</listitem></varlistentry>
<varlistentry><term><filename>/usr/lib/gdmchooser</filename></term><listitem>
<para>Executable for GDM Chooser</para>
</listitem></varlistentry>
<varlistentry><term><filename>/usr/lib/gdmgreeter</filename></term><listitem>
<para>Executable for GDM Themed Greeter</para>
</listitem></varlistentry>
<varlistentry><term><filename>/usr/lib/gdmlogin</filename></term><listitem>
<para>Executable for GDM Plain Greeter</para>
</listitem></varlistentry>
</variablelist><para>The system administrator can specify, in the GDM
configuration file, the maximum file size that GDM should accept. If
the face browser is enabled, a tunable maximum icon size is also enforced.
On large systems, the face browser should be turned off for performance reasons.
Looking up icons in home directories, scaling, and rendering face icons can
take quite a long time.</para>
<para>In general, GDM is very reluctant to read or write user files. For instance,
GDM refuses to touch anything but regular files. Links, sockets, and devices
are ignored. The value of the "security/RelaxPermissions" parameter in the
GDM configuration determines whether GDM accepts files that are writable
by the user's group or others. Such files are ignored by default.</para>
<para>Note that normally it is assumed that the home directory is only readable
by the user. However, NFS traffic can be snooped. For setups with NFS directories,
set the "daemon/UserAuthDir" parameter in the GDM configuration
to a local directory such as <filename>/tmp</filename>. GDM tries to open
the normal authorization file for reading as root. If this fails, GDM concludes
that it is on an NFS mount and automatically uses "daemon/UserAuthFBDir" (usually <filename>
/tmp</filename>), as defined in the GDM configuration. This
can be changed by setting the "security/NeverPlaceCookiesOnNFS" parameter
to "false".
</para>
<refsect2 id="gdm-1m-file-login">
<title>GDM Login Scripts and Session Files</title>
<para>The following GDM login scripts are discussed below:</para>
<itemizedlist>
<listitem><para><filename>/etc/X11/gdm/Init/<replaceable>hostname</replaceable></filename></para>
</listitem>
<listitem><para><filename>/etc/X11/gdm/Init/XDMCP</filename></para></listitem>
<listitem><para><filename>/etc/X11/gdm/Init/Default</filename></para></listitem>
<listitem><para><filename>/etc/X11/gdm/PostLogin/<replaceable>hostname</replaceable></filename></para>
</listitem>
<listitem><para><filename>/etc/X11/gdm/PostLogin/XDMCP</filename></para></listitem>
<listitem><para><filename>/etc/X11/gdm/PostLogin/Default</filename></para>
</listitem>
<listitem><para><filename>/etc/X11/gdm/PreSession/<replaceable>hostname</replaceable></filename></para>
</listitem>
<listitem><para><filename>/etc/X11/gdm/PreSession/XDMCP</filename></para>
</listitem>
<listitem><para><filename>/etc/X11/gdm/PreSession/Default</filename></para>
</listitem>
<listitem><para><filename>/etc/X11/gdm/Xsession</filename></para></listitem>
<listitem><para><filename>/etc/X11/gdm/PostSession/<replaceable>hostname</replaceable></filename></para>
</listitem>
<listitem><para><filename>/etc/X11/gdm/PostSession/XDMCP</filename></para>
</listitem>
<listitem><para><filename>/etc/X11/gdm/PostSession/Default</filename></para>
</listitem>
</itemizedlist>
<para>The following session files are discussed below:</para>
<itemizedlist>
<listitem><para><filename>/usr/share/xsessions/*.desktop</filename></para>
</listitem>
<listitem><para><filename>~/.dmrc</filename> (default user session)</para>
</listitem>
</itemizedlist>
<para>When the X server has been successfully started, GDM tries to run the
Init/<replaceable>displayname</replaceable> script.
For example, <filename>
Init/:0</filename> for the first local display. If this file is not found,
GDM attempts to run Init/<replaceable>hostname</replaceable>. For example, <filename>
Init/somehost</filename>. If this file is also not found, GDM tries <filename>
Init/XDMCP</filename> for all XDMCP logins or <filename>Init/Flexi</filename>
for all on-demand flexible servers. If none of the above are found, GDM runs <filename>
Init/Default</filename>. The script runs with root privileges and GDM blocks
until the script terminates. Use the <filename>Init/*</filename> script for
programs that are supposed to run alongside the GDM login window, for example <filename>
xconsole</filename>. Commands to set the background and so on should go in
this file too.</para>
<para>The system administrator decides whether clients started by the <filename>
Init</filename> script should be killed before starting the user session.
This is controlled by the "daemon/KillInitClients" parameter in the GDM
configuration.</para>
<para>When the user has been successfully authenticated, GDM tries the scripts
in the <filename>PostLogin</filename> directory in the same manner as for
the <filename>Init</filename> directory. This is done before any session setup
is done, so this is the script where you might set up the home directory if
you need to (though you should use the pam_mount module for this, if you can).
You have the USER and DISPLAY environment variables set for this script, and
again it is run with root privileges. The script should return 0 on success;
otherwise the user is not logged in. This is not true for failsafe sessions,
however.</para>
<para>After the user session has been set up from the GDM perspective, GDM
runs the scripts in the <filename>PreSession</filename> directory, again in
the same manner as the <filename>Init</filename> directory.
Use this script
for local session management or accounting. The USER environment variable
contains the login of the authenticated user and DISPLAY is set to the current
display. The script should return 0 on success. Any other value causes GDM
to terminate the current login process. This is not true for failsafe sessions,
however. Also, the X_SERVERS environment variable is set and this points to
a fake generated X servers file for use with the
<citerefentry><refentrytitle>sessreg</refentrytitle><manvolnum>1</manvolnum></citerefentry>
accounting program.</para>
<para>After this, the user's session is started. The available session executables
are taken from the Exec= line in the <filename>.desktop</filename> files in
the path specified by SessionDesktopDir. The user chooses from these sessions
at login time and GDM reads the file <filename>~/.dmrc</filename> for the
user's default. The default GNOME session uses the Xsession script. The script
is run as the user, and this is the user session. This script should load
the user's profile and generally do all that is needed to launch a session.
As many systems reset the language selections done by GDM, GDM also sets the
GDM_LANG variable to the selected language. You can use this to reset the
language environment variables after you run the user's profile. If the user
elected to use the system language, then GDM_LANG is not set.</para>
<para>When the user terminates the session, the <filename>PostSession</filename>
scripts are run, similar to <filename>Init</filename>, <filename>PostLogin
</filename>, and <filename>PreSession</filename>. Again, the script is run
with root privileges, the slave daemon blocks, the USER environment variable
contains the name of the user who just logged out, and DISPLAY is set to the
display the user used.
Note, however, that the X server for this display might
already be dead so you should not try to access it. Also, the X_SERVERS environment
variable is set and points to a fake generated X servers file for use with the
<citerefentry><refentrytitle>sessreg</refentrytitle><manvolnum>1</manvolnum></citerefentry>
accounting program.</para>
<para>Note that the <filename>PostSession</filename> script runs even when
the display fails to respond due to an I/O error or similar. Thus, there is
no guarantee that X applications will work during script execution.</para>
<para>Except for the <filename>Xsession</filename> script, all of these scripts
also have the environment variable RUNNING_UNDER_GDM set to yes, so that you
can use similar scripts for different display managers. The <filename>Xsession
</filename> always has GDMSESSION set to the basename of the session that
the user chose to run, without the <filename>.desktop</filename> extension.
In addition, DESKTOP_SESSION is also set to the same value.</para>
<para>None of the <filename>Init</filename>, <filename>PostLogin</filename>, <filename>
PreSession</filename>, or <filename>PostSession</filename> scripts are necessary
and they can be omitted. However, the <filename>Xsession</filename> script
is required, as is at least one session <filename>.desktop</filename> file.
</para>
</refsect2>
<refsect2 id="gdm-1m-file-config">
<title>Configuration Files</title>
<variablelist termlength="wholeline">
<varlistentry><term><filename>/usr/share/gdm/defaults.conf</filename></term><listitem>
<para>Contains GDM default configuration and documentation.</para>
</listitem></varlistentry>
<varlistentry><term><filename>/etc/X11/gdm/custom.conf</filename></term><listitem>
<para>Contains user-specific GDM configuration and documentation.</para>
</listitem></varlistentry>
<varlistentry><term><filename>/etc/X11/gdm/custom.conf<replaceable>display</replaceable></filename></term><listitem>
<para>Contains per-display GDM configuration and documentation.</para>
</listitem></varlistentry>
</variablelist></refsect2>
<refsect2 id="gdm-1m-file-themes">
<title>Themes</title>
<variablelist termlength="wholeline">
<varlistentry><term><filename>/usr/share/gdm/themes</filename></term><listitem>
<para>Can be configured using the "greeter/GraphicalThemeDir" configuration parameter.</para>
</listitem></varlistentry>
</variablelist></refsect2>
<refsect2 id="gdm-1m-file-face">
<title>Face Browser</title>
<variablelist termlength="wholeline">
<varlistentry><term><filename>/usr/share/pixmaps/faces</filename></term><listitem><para>Global
directory for face images.</para>
</listitem></varlistentry>
<varlistentry><term><filename>~/.face</filename></term><listitem><para>User-defined
icon to be used by GDM face browser.</para>
</listitem></varlistentry>
</variablelist></refsect2>
<refsect2 id="gdm-1m-file-gesture">
<title>Gesture Listener Configuration Files</title>
<variablelist termlength="wholeline">
<varlistentry><term><filename>/etc/X11/gdm/modules/AccessDwellMouseEvents
</filename></term><listitem><para>Configuration for the dwellmouselistener.
</para>
</listitem></varlistentry>
<varlistentry><term><filename>/etc/X11/gdm/modules/AccessKeyMouseEvents</filename></term>
<listitem><para>Configuration for the keymouselistener.</para>
</listitem></varlistentry>
</variablelist></refsect2>

<refsect2 id="gdm-1m-system-files">
<title>System files</title>
<variablelist termlength="wholeline">
<varlistentry><term><filename>/etc/profile</filename></term><listitem><para>System environment</para>
</listitem></varlistentry>
</variablelist></refsect2>

<refsect2 id="gdm-1m-file-logging">
<title>Logging</title>
<variablelist termlength="wholeline">
<varlistentry><term><filename>/var/log/gdm/<replaceable>display</replaceable>.log
</filename></term><listitem><para>Output from Xserver for each session. This
can be configured using the "daemon/LogDir" parameter in the GDM configuration.
</para>
</listitem></varlistentry>
<varlistentry><term><filename>~/.xsession-errors</filename></term><listitem>
<para>Output from user's session.</para>
</listitem></varlistentry>
<varlistentry><term><filename>/tmp/xsess-<replaceable>user</replaceable>.XXXXXX
</filename></term><listitem><para>Output from session in failsafe mode or
if <filename>~/.xsession-errors</filename> cannot be written.</para>
</listitem></varlistentry>
</variablelist></refsect2>
<refsect2 id="gdm-1m-file-sockets">
<title>Sockets</title>
<variablelist termlength="wholeline">
<varlistentry><term><filename>/tmp/.gdm_socket</filename></term><listitem>
<para>Temporary file used for GDM socket communications.</para>
</listitem></varlistentry>
</variablelist></refsect2>
<refsect2 id="gdm-1m-file-pid">
<title>Process Id</title>
<variablelist termlength="wholeline">
<varlistentry><term><filename>/var/run/gdm.pid</filename></term><listitem>
<para>Stores the ProcessID for the running GDM daemon.
This can be configured
using the "daemon/PidFile" parameter in the GDM configuration.</para>
</listitem></varlistentry>
</variablelist></refsect2>
<refsect2 id="gdm-1m-file-xserver">
<title>Xserver Authentication Directory</title>
<variablelist termlength="wholeline">
<varlistentry><term><filename>/var/lib/gdm</filename></term><listitem><para>
Stores Xserver authentication files. This can be configured using the
"daemon/ServAuthDir" parameter in the GDM configuration.</para>
</listitem></varlistentry>
</variablelist></refsect2>
</refsect1>
<refsect1 id="gdm-1m-attr"><title>&attr-tt;</title>
<para>See <olink targetdocent="REFMAN5" localinfo="attributes-5"><citerefentry>
<refentrytitle>attributes</refentrytitle><manvolnum>5</manvolnum></citerefentry></olink>
for descriptions of the following attributes:</para>
<informaltable frame="all">
<tgroup cols="2" colsep="1" rowsep="1"><colspec colname="COLSPEC0" colwidth="1*">
<colspec colname="COLSPEC1" colwidth="1*">
<thead>
<row><entry align="center" valign="middle">ATTRIBUTE TYPE</entry><entry align="center"
valign="middle">ATTRIBUTE VALUE</entry></row>
</thead>
<tbody>
<row><entry><para>Availability</para></entry><entry><para>SUNWgnome-display-mgr
</para></entry></row>
<row><entry colname="COLSPEC0"><para>Interface stability</para></entry><entry
colname="COLSPEC1"><para>Volatile</para></entry></row>
<row><entry colname="COLSPEC0"><para>/usr/share/gdm/defaults.conf</para></entry><entry
colname="COLSPEC1"><para>Volatile</para></entry></row>
<row><entry colname="COLSPEC0"><para>/etc/X11/gdm/custom.conf</para></entry><entry
colname="COLSPEC1"><para>Volatile</para></entry></row>
</tbody>
</tgroup>
</informaltable>
</refsect1>
<refsect1 id="gdm-1m-also"><title>&also-tt;</title>
<!--Reference to another man page-->
<!--Reference to a Help manual-->
<!--Reference to a
book.-->
<para>Latest version of the <citetitle>GNOME Desktop User Guide</citetitle>
for your platform.</para>
<para>
<citerefentry><refentrytitle>gdmXnestchooser</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>gdmdynamic</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>gdmflexiserver</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>gdmphotosetup</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>gdmthemetester</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>Xserver</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>gdm-restart</refentrytitle><manvolnum>1m</manvolnum></citerefentry>,
<citerefentry><refentrytitle>gdmsetup</refentrytitle><manvolnum>1m</manvolnum></citerefentry>,
<citerefentry><refentrytitle>profile</refentrytitle><manvolnum>4</manvolnum></citerefentry>,
<citerefentry><refentrytitle>gnome-std-options</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>pam</refentrytitle><manvolnum>3pam</manvolnum></citerefentry>,
<citerefentry><refentrytitle>logindevperm</refentrytitle><manvolnum>4</manvolnum></citerefentry>,
<citerefentry><refentrytitle>attributes</refentrytitle><manvolnum>5</manvolnum></citerefentry>
</para>
</refsect1>
<refsect1 id="gdm-1-note"><title>&note-tt;</title>
<para>Original man page written by Martin K. Petersen &lt;mkp (a] mkp.net&gt;, George
Lebl &lt;jirka (a] 5z.com&gt;. Copyright (c) 1998, 1999 by Martin K. Petersen. Copyright
(c) 2001, 2003, 2004 by George Lebl. Copyright (c) 2003 by Red Hat, Inc.</para>
<para>Updated by Brian Cameron, Sun Microsystems Inc., 2004, 2006.</para>
</refsect1>
</refentry>
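The script selection order described under "GDM Login Scripts and Session Files" (display name, then hostname, then XDMCP or Flexi, then Default), as an added example that is not part of GDM or of this man page. The function names, the GDM_CONF_DIR variable and the treatment of "found" as "a regular file exists" are assumptions; because the Init, PostLogin, PreSession and PostSession scripts run with root privileges, it also checks that each selected script is a real file owned by root and not writable by group or others.

```shell
#!/bin/sh
# Added example, not GDM code. GDM_CONF_DIR and all function names are
# assumptions; directory and script names are the ones this page lists.
GDM_CONF_DIR=${GDM_CONF_DIR:-/etc/X11/gdm}

# Print the script GDM would select in phase directory $1 (Init, PostLogin,
# PreSession, PostSession) for display $2 on host $3. $4 is "xdmcp", "flexi"
# or "local". Order per the page: display, hostname, XDMCP|Flexi, Default.
gdm_pick_script() {
    phase=$1 display=$2 host=$3 kind=$4
    set -- "$display" "$host"
    case $kind in
        xdmcp) set -- "$@" XDMCP ;;
        flexi) set -- "$@" Flexi ;;
    esac
    for name in "$@" Default; do
        if [ -f "$GDM_CONF_DIR/$phase/$name" ]; then
            printf '%s\n' "$GDM_CONF_DIR/$phase/$name"
            return 0
        fi
    done
    return 1    # nothing found; the page says these scripts are optional
}

# Succeed only if $1 is a regular file (find does not follow the symlink),
# owned by uid $2 (default 0) and not writable by group or others.
gdm_script_is_safe() {
    [ -n "$(find "$1" -prune -type f -user "${2:-0}" \
            ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

# For one login, report the script chosen in each root-run phase and whether
# it passes the check. Returns non-zero if any chosen script is unsafe.
gdm_audit_login() {
    display=$1 host=$2 kind=$3 owner=${4:-0} rc=0
    for phase in Init PostLogin PreSession PostSession; do
        if script=$(gdm_pick_script "$phase" "$display" "$host" "$kind"); then
            if gdm_script_is_safe "$script" "$owner"; then
                echo "ok     $script"
            else
                echo "UNSAFE $script"
                rc=1
            fi
        else
            echo "none   $phase"
        fi
    done
    return $rc
}

# Example invocation: sh audit.sh :0 "$(uname -n)" local
if [ $# -ge 3 ]; then gdm_audit_login "$@"; fi
```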