<!DOCTYPE REFENTRY PUBLIC "-//Sun Microsystems//DTD DocBook V3.0-Based SolBook Subset V2.0//EN" [
<!--ArborText, Inc., 1988-1999, v.4002-->
<!--ARC : LSARC 2005/417 GDM2 as default Solaris Display Manager -->
<!ENTITY suncopy "Copyright (c) 2004,2006 Sun Microsystems, Inc. All Rights Reserved.">
<?Pub EntList brvbar bull cross dash diam diams frac12 frac13 frac14 hellip
laquo lArr loz mdash nabla ndash para pound rArr raquo sect yen gt lt>
<refmeta><refentrytitle>gdm</refentrytitle><manvolnum>1m</manvolnum>
<refmiscinfo class="date">2 Sep 2004</refmiscinfo>
<refmiscinfo class="sectdesc">&man1;</refmiscinfo>
<refmiscinfo class="software">&release;</refmiscinfo>
<refmiscinfo class="arch">generic</refmiscinfo>
<refmiscinfo class="copyright">&suncopy;</refmiscinfo>
<indexterm><primary>gdm</primary></indexterm><indexterm><primary>GNOME Display
<refnamediv id="gdm-1m-name"><refname>gdm</refname><refname>gdm-binary</refname>
<refname>gdmchooser</refname><refname>gdmgreeter</refname><refname>gdmlogin
</refname><refpurpose>GNOME Display Manager</refpurpose></refnamediv>
<refsynopsisdiv id="gdm-1m-synp"><title>&synp-tt;</title>
<cmdsynopsis><command>&cmd; | gdm-binary</command>
<arg choice="opt"><option>-config=<replaceable>file</replaceable></option></arg>
<arg choice="opt"><option>-monte-carlo-sqrt2</option></arg>
<arg choice="opt"><option>-no-console</option></arg>
<arg choice="opt"><option>nodaemon</option></arg>
<arg choice="opt"><option>-preserve-ld-vars</option></arg>
<arg choice="opt"><option>-version</option></arg>
<arg choice="opt"><option>-wait-for-go</option></arg>
<cmdsynopsis><command>gdmlogin | gdmgreeter</command>
<arg choice="opt"><option role="nodash"><replaceable>gnome-std-options</replaceable></option></arg>
<cmdsynopsis><command>gdmchooser</command>
<arg choice="opt"><option>clientaddress=<replaceable>address</replaceable></option></arg>
<arg choice="opt"><option>connectionType=<replaceable>type</replaceable></option></arg>
<arg choice="opt"><option>xdmaddress=<replaceable>socket</replaceable></option></arg>
<arg choice="opt"><option role="nodash"><replaceable> gnome-std-options</replaceable></option></arg>
<refsect1 id="gdm-1m-desc"><title>&desc-tt;</title>
<para>GDM is the GNOME Display Manager, a program used for login session management.
When no user is logged in on the console, GDM displays a graphical user interface
that enables the user to enter their username and password. GDM supports
XDMCP and supports flexible or on-demand servers via the
<citerefentry><refentrytitle>gdmflexiserver</refentrytitle><manvolnum>1</manvolnum></citerefentry>
<para><command>&cmd;</command> is a wrapper script that launches
<command>gdm-binary</command> and passes along any options. Before launching
<command>gdm-binary</command> the <command>&cmd;</command> wrapper script sources the
<citerefentry><refentrytitle>profile</refentrytitle><manvolnum>4</manvolnum></citerefentry>
file to set the standard system environment variables. To support internationalization,
<command>&cmd;</command> also sets the LC_MESSAGES environment variable to LANG if
neither LC_MESSAGES nor LC_ALL is set.</para>
<para>On startup, the GDM daemon parses its config file
any user settings defined there override the default settings. Per-display
configuration settings can be set in
where <replaceable>display</replaceable> is the display number, such as ":0".
[greeter] sections of the configuration file may be specified in the
per-display configuration file, any others are ignored. When GDM displays
a GUI on the display, these per-display values override the values in the other
For each local display, <command>gdm-binary</command> forks an Xserver and a slave
process. The main <command>gdm-binary</command> process then listens to XDMCP
requests from remote displays, if so configured, and monitors the local display
sessions. The main daemon process also allows new local Xservers to start on demand
<citerefentry><refentrytitle>gdmflexiserver</refentrytitle><manvolnum>1</manvolnum></citerefentry>
<para>The GDM slave process opens the display and starts either the Themed
parameter for XDMCP logins. The parameter should be set to "gdmgreeter" to
use the Themed Greeter or "gdmlogin" to use the Plain Greeter. The
Plain Greeter is lower-bandwidth, which tends to be more appropriate for
remote logins. The GDM daemon communicates asynchronously with the slave process
<para>From either the Themed Greeter or the Plain Greeter, it is possible
to launch the Chooser program <command>gdmchooser</command> to start remote
<para>Although disabled by default, it is also possible to launch the Setup
<citerefentry><refentrytitle>gdmsetup</refentrytitle><manvolnum>1m</manvolnum></citerefentry>
to edit the configuration choices in the
entered to launch the Setup program. The ability to launch the Setup program
<citerefentry><refentrytitle>gdmsetup</refentrytitle><manvolnum>1m</manvolnum></citerefentry>
runs with root permissions and changing GDM configuration can affect security.</para>
<citerefentry><refentrytitle>PAM</refentrytitle><manvolnum>3PAM</manvolnum></citerefentry>
(Pluggable Authentication Modules) for password authentication,
but supports regular crypt() and shadow passwords on legacy systems. On Solaris,
<citerefentry><refentrytitle>logindevperm</refentrytitle><manvolnum>4</manvolnum></citerefentry>
to set proper device permissions for the user on login.</para>
<para>All operations on user files are done with the effective user id of
the user. If the sanity check fails on the user's <filename>.Xauthority</filename>
file, a fallback cookie is created in <filename>/tmp</filename>.</para>
<refsect1 id="gdm-1m-opts"><title>&opts-tt;</title>
<para>The following options are supported by <command>&cmd;</command> and
<command>gdm-binary</command>:</para>
<variablelist termlength="medium">
<varlistentry><term><option>-config=<replaceable>file</replaceable></option></term>
<listitem><para>Specify alternate default configuration file.</para>
<varlistentry><term><option>-monte-carlo-sqrt2</option></term><listitem></listitem>
<varlistentry><term><option>-no-console</option></term><listitem><para>Tell
the daemon that it should not run anything on the console. This means that
none of the local servers from the [servers] section of the GDM configuration
are run, and the console is not used to communicate errors to the user.
An empty [servers] section automatically implies this option.</para>
<varlistentry><term><option>nodaemon</option></term><listitem><para>If this
option is specified, GDM does not fork into the background when run. You can
use a single dash with this option to preserve compatibility with XDM.</para>
<varlistentry><term><option>-preserve-ld-vars</option></term><listitem><para>
When clearing the environment internally, preserve all variables starting
with LD_. This is mostly for debugging purposes.</para>
<varlistentry><term><option>-version</option></term><listitem><para>Print
the version of the GDM daemon.</para>
<varlistentry><term><option>-wait-for-go</option></term><listitem>
If started with this option, GDM initiates, but only starts the first local display
and then waits for a GO message in the fifo protocol. No greeter is shown
until the GO message is sent. Also, flexiserver requests are denied and XDMCP
is not started until GO is given. This is useful for initialization scripts
that wish to start X early, but where you do not yet want the user to start
logging in: the script sends the GO to the fifo when ready and GDM then continues.
<para>The following options are supported by <command>gdmlogin</command> and
<command>gdmgreeter</command>:</para>
<variablelist termlength="medium">
<varlistentry><term><option role="nodash"><replaceable>gnome-std-options</replaceable></option></term>
<listitem><para>Standard options available for use with most GNOME applications.
See <citerefentry><refentrytitle>gnome-std-options</refentrytitle><manvolnum>
5</manvolnum></citerefentry> for more information.</para>
</variablelist><para>The following options are supported by <command>gdmchooser</command>:</para>
<variablelist termlength="medium">
<varlistentry><term><option>clientaddress=<replaceable>address</replaceable></option></term>
<listitem><para>Client address to return in response to xdm. This option is
for running <command>gdmchooser</command> with xdm, and is not used within
<varlistentry><term><option>connectionType=<replaceable>type</replaceable></option></term>
<listitem><para>Connection type to return in response to xdm. This option
is for running <command>gdmchooser</command> with xdm, and is not used within
<varlistentry><term><option>xdmaddress=<replaceable>socket</replaceable></option></term>
<listitem><para>Socket for XDM communication.</para>
<varlistentry><term><option role="nodash"><replaceable>gnome-std-options</replaceable></option></term>
<listitem><para>Standard options available for use with most GNOME applications.
See <citerefentry><refentrytitle>gnome-std-options</refentrytitle><manvolnum>
5</manvolnum></citerefentry> for more information.</para>
<refsect1 id="gdm-1m-exde"><title>&exde-tt;</title>
<refsect2 id="gdm-1m-exde-standard">
<para>The Plain Greeter is the default graphical user interface that is
presented to the user. The greeter contains a menu at the top, an optional
face browser, an optional logo, and a text entry field. The Plain Greeter
corresponds to the executable <command>gdmlogin</command>.</para>
<para>The text entry field is used to enter logins, passwords, passphrases,
and so on. The field is controlled by the underlying daemon and is basically
stateless. The daemon controls the greeter through a simple protocol where
the daemon can ask the greeter for a text string with echo turned on or off.
Similarly, the daemon can change the label above the text entry field to correspond
to the value that the authentication system wants the user to enter.</para>
<para>The menu bar at the top of the greeter enables the user to select the
requested session type or desktop environment, change the GTK+ theme (if enabled),
select an appropriate locale or language, and optionally shut down, reboot,
or suspend the machine, configure GDM (if the user knows the root password),
or start an XDMCP chooser.</para>
<para>Optionally, the greeter can provide a face browser that contains icons
for all of the users on a system. The icons can be installed globally by the
system administrator, or in the user home directories. If installed globally,
the icons should be in the <filename><replaceable>share</replaceable>/faces
</filename> directory (though this can be configured with the GlobalFaceDir
configuration option) and the filename should be the name of the user, optionally
with “.png” appended.</para>
<para>Users can place their icons in a file called <filename>~/.face</filename>,
<citerefentry><refentrytitle>gdmphotosetup</refentrytitle><manvolnum>1</manvolnum></citerefentry>
Face icons placed in the global face directory must be readable to the GDM
user. However, the daemon proxies user pictures to the greeter. Therefore,
those do not have to be readable by the GDM user, but must be readable by
<para>Note that loading and scaling face icons located in user home directories
can be a very time-consuming task, especially on large systems or systems
running NIS. The browser feature is only intended for systems with relatively
few users. Also, if home directories are on an on-demand mounted file system
such as AFS, GDM might mount all of the home directories just to check for
pictures if the face browser is on. However, GDM will try to give up after
5 seconds of activity, and only display the users whose pictures have been
in the GDM configuration can be set with a list of usernames separated
by commas. The greeter automatically ignores the usernames listed, and excludes
<para>When the browser is turned on, valid usernames on the machine are exposed
to a potential intruder. This might be a bad idea if you do not know who has
access to a login screen. This is especially true if you run XDMCP. Note that
you should never run XDMCP on an open network. </para>
<para>The greeter can optionally display a logo in the login window. The image
must be in a format readable to the <filename>gdk-pixbuf</filename> library
(GIF, JPG, PNG, TIFF, XPM), and must be readable by the GDM user.</para>
<refsect2 id="gdm-1m-exde-graphical">
<para>The Themed Greeter is a greeter interface that is displayed on the
whole screen and is themable. The Themed Greeter corresponds to the executable
<para>Themes can be selected and new themes can be installed by running
<citerefentry><refentrytitle>gdmsetup</refentrytitle><manvolnum>1m</manvolnum></citerefentry>,
<para>The look and feel of this greeter is controlled by the theme, so the
user interface elements that are present might differ. The only item that
must always be present is the text entry field, as described in the Plain
Greeter section above. You can display a menu of available actions by pressing
the F10 key. This can be useful if the theme does not provide certain buttons
when you wish to perform a particular action. </para>
<refsect2 id="gdm-1m-exde-chooser">
<para>The Chooser displays a list of local machines that accept XDMCP connections.
The user can also specify a machine by entering its name directly. Once a
machine is selected, a remote XDMCP session can be started. The Chooser can
be launched on the console directly from the Plain or Themed Greeter.
The chooser corresponds to the executable <command>gdmchooser</command>.
<refsect2 id="gdm-1m-exde-xdmcp">
<para>GDM can be configured to enable XDMCP so that users can log in remotely
and launch a graphical chooser that allows a remote login session to be started.
See the [xdmcp] section of the default GDM configuration file.</para>
<para>GDM grants access to the hosts specified in the GDM service section
of your TCP Wrappers configuration file. GDM does not support remote display
access control on systems without TCP Wrappers.</para>
<para>GDM includes several measures that make GDM more resistant to denial-of-service
attacks on the XDMCP service. Several protocol parameters, handshaking timeouts,
and so on can be fine-tuned. The default values should work for most systems,
however. Do not change these values unless you know what you are doing.</para>
<para>By default, GDM listens to UDP port 177, although this can be configured.
GDM responds to QUERY and BROADCAST_QUERY requests by sending a WILLING packet
<para>GDM can also be configured to honor INDIRECT queries and present a host
chooser to the remote display. GDM remembers the user's choice and forwards
subsequent requests to the chosen manager. GDM also supports an extension
to the protocol which makes GDM forget the redirection once the user's connection
succeeds. This extension is only supported if both daemons are GDM. This extension
is transparent and is ignored by XDM or other daemons that implement XDMCP.
<para>GDM only supports the MIT-MAGIC-COOKIE-1 authentication system. Because
of this, the cookies are transmitted as clear text. Therefore, you should
be careful about the network where you use this. That is, be careful about
where your XDMCP connection is going. Note that if snooping is possible, an
attacker could snoop your password as you log in, so a better XDMCP authentication
would not help you much anyway. If snooping is possible and undesirable, you
<citerefentry><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>
for tunneling an X connection, rather than using GDM's XDMCP. Think of XDMCP as a sort of graphical telnet, with the same security issues.</para>
<refsect2 id="gdm-1m-exde-control">
<para>You can control GDM behavior during runtime in several different ways.
You can run certain commands, or you can talk to GDM using either a UNIX socket
protocol, or a FIFO protocol.</para>
<para>You can control GDM behavior as follows:</para>
<listitem><para>To stop GDM, you can either send the TERM signal to the main
<citerefentry><refentrytitle>gdm-stop</refentrytitle><manvolnum>1m</manvolnum></citerefentry>
<listitem><para>To restart GDM, you can either send the HUP signal to the
<citerefentry><refentrytitle>gdm-restart</refentrytitle><manvolnum>1m</manvolnum></citerefentry>
<listitem><para>To restart GDM but only after all users have logged out, you
can either send the USR1 signal to the main daemon, or run the
<citerefentry><refentrytitle>gdm-safe-restart</refentrytitle><manvolnum>1m</manvolnum></citerefentry>
<citerefentry><refentrytitle>gdm-stop</refentrytitle><manvolnum>1m</manvolnum></citerefentry>,
<citerefentry><refentrytitle>gdm-restart</refentrytitle><manvolnum>1m</manvolnum></citerefentry>, and
<citerefentry><refentrytitle>gdm-safe-restart</refentrytitle><manvolnum>1m</manvolnum></citerefentry>
commands are in the <filename>/sbin</filename> directory.</para>
<citerefentry><refentrytitle>gdmflexiserver</refentrytitle><manvolnum>1</manvolnum></citerefentry>
command can be used to communicate with the GDM daemon and to start new flexible
<refsect2 id="gdm-1m-exde-config">
<para>The GDM configuration files contain comments that explain each
<refsect2 id="gdm-1m-exde-security">
<para>GDM is best used with a dedicated user id and group id that GDM uses
for graphical interfaces such as <command>gdmgreeter</command>, <command>
gdmlogin</command>, and <command>gdmchooser</command>. You can specify the
name of this user and group in the [daemon] section of the GDM configuration
<para>The GDM user and group, which are normally just "gdm", should not be a
user or group of any particular privilege. The reason for using the GDM user
and group is to have the user interface run as a user without privileges,
so that in the unlikely case that someone finds a weakness in the GUI, they
cannot access root on the machine.</para>
<para>Note that the GDM user and group have some privileges that make them
somewhat dangerous. This user and group have access to the server authorization directory
file) which contains all of the X server authorization files and other private information.
This means that someone who gains the GDM user/group privileges can then connect
of random internal data, in addition to the X server authorization files,
and the naming is really a relic of history. The GDM daemon forces this directory
to be owned by root:gdm with permissions of 1770. This means that only the
root user and the GDM group have write access to this directory, but the GDM
group cannot remove the root-owned files from this directory, such as the
X server authorization files.</para>
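The ownership and mode described above can be checked from a shell. This is an added example, not GDM code and not part of the original page; the function name audit_authdir is hypothetical, and the directory is passed as an argument because its location depends on the GDM configuration.

```shell
#!/bin/sh
# Added example (not GDM code): audit a server authorization directory
# against the root:gdm / 1770 policy described above.
# audit_authdir is a hypothetical name; DIR is site-specific.

# audit_authdir DIR [OWNER] [GROUP]
# Prints one line per finding. Returns 0 when mode and ownership match,
# 1 otherwise. Symbolic links inside DIR are reported as warnings only.
audit_authdir() {
    dir=$1
    want_owner=${2:-root}
    want_group=${3:-gdm}
    rc=0

    if [ -h "$dir" ]; then
        echo "FAIL: $dir is a symbolic link"
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 1
    fi

    # ls -ld is parsed because stat(1) options differ between systems.
    # substr() drops a trailing ACL or label marker such as '+' or '.'.
    info=$(ls -ld "$dir" | awk '{print substr($1, 1, 10), $3, $4; exit}')
    perms=${info%% *}
    rest=${info#* }
    owner=${rest%% *}
    group=${rest#* }

    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "FAIL: owned by $owner:$group, expected $want_owner:$want_group"
        rc=1
    fi

    case $perms in
        drwxrwx--T) ;;      # exactly 1770
        *) echo "FAIL: mode is $perms, expected drwxrwx--T (1770)"; rc=1 ;;
    esac
    case $perms in
        *[Tt]) ;;
        *) echo "FAIL: sticky bit not set, so the group can remove root-owned files"; rc=1 ;;
    esac
    case $perms in
        d??????---|d??????--T) ;;
        *) echo "FAIL: users outside the owner and group have access"; rc=1 ;;
    esac

    links=$(find "$dir" -type l 2>/dev/null | wc -l | tr -d ' ')
    if [ "$links" -gt 0 ]; then
        echo "WARN: $links symbolic link(s) found under $dir"
    fi
    return $rc
}

# Constructed demo: a scratch directory stands in for the real one, and the
# expected owner and group are read back from the scratch directory itself.
scratch=$(mktemp -d)
me=$(ls -ld "$scratch" | awk '{print $3; exit}')
grp=$(ls -ld "$scratch" | awk '{print $4; exit}')
chmod 1770 "$scratch"; audit_authdir "$scratch" "$me" "$grp" && echo "1770: clean"
chmod 0770 "$scratch"; audit_authdir "$scratch" "$me" "$grp" || echo "0770: findings above"
rm -rf "$scratch"
```

On a real system, call audit_authdir with the configured authorization directory and leave the owner and group arguments at their root and gdm defaults.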
<para>By default, GDM does not trust the server authorization directory and
treats it in the same way as a temporary directory with respect to creating
files. This means that someone breaking the GDM user cannot mount attacks
by creating links in this directory. Similarly, the X server log directory
is treated safely, but that directory should really be owned and writable
<refsect2 id="gdm-1m-exde-accessibility">
<para>GDM supports "Accessible Login" to allow users to log in to their desktop
session even if they cannot easily use the screen, mouse, or keyboard in the
usual way. This feature enables the user to launch assistive technologies
at login time by means of special "gestures" from the standard keyboard and
from a keyboard, pointing device, or switch device attached to the USB or
PS/2 mouse port. This also enables the user to change the visual appearance
of the login UI before logging in, for example to use a higher-contrast color
scheme for better visibility. GDM only supports accessibility with the Plain
be set to the Plain Greeter "gdmlogin".</para>
<para>To enable Accessible Login, the system administrator must modify the
default login configuration by manually modifying the standard GDM configuration
files, and the <filename>AccessKeyMouseEvents</filename>, and
<filename>AccessDwellMouseEvents</filename> module configuration files.
<para>To allow users to change the color and contrast scheme of the login
<para>To restrict user changes of the visual appearance to a subset of available
can be set to a list of acceptable themes separated by commas. For example: <screen><userinput>
GtkThemesToAllow=blueprint,HighContrast,HighContrastInverse</userinput></screen></para>
<para>To enable the use of assistive technologies such as the On-screen Keyboard,
<para>System administrators might wish to load only the minimum subset of
these modules that is required to support their user base. Depending on the
end-user needs, it might not be necessary to load all of the GtkModules:</para>
<listitem><para>If a user needs the integrated Screen Reader and Magnifier,
you must include "gail" and "atk-bridge".</para></listitem>
<listitem><para>If a user needs a pointing device without buttons or switches,
include "dwellmouselistener".</para></listitem>
<listitem><para>If a user needs a pointing device with switches, alternative
<para>Including all four modules is suitable for most system configurations.
The Onscreen Keyboard can operate without gail and atk-bridge, but with a
reduced feature set. For optimum accessibility, we recommend including gail
<para>When "keymouselistener" or "dwellmouselistener" have been added to the
GtkModules loaded by GDM, you can assign user actions to the launching of
specific assistive technologies. These gesture associations are contained
in the files AccessKeyMouseEvents and AccessDwellMouseEvents, respectively.
The gesture format is described in the two files.</para>
<para>The AccessKeyMouseEvents file controls the keymouselistener Gesture
Listener and is used to define key-press, mouse button, or XInput device sequences
that can be used to launch programs needed for accessibility. To reduce the
likelihood of unintentional launch, these 'gestures' may be associated with
<para>The DwellKeyMouseEvents file controls the dwellmouselistener and supports
gestures that involve only motion of a pointing device such as the system
mouse. Motion of an alternative pointing device such as a head pointer or
trackball can also be defined. All gestures are specified by the same syntax,
there is no distinction between a 'core mouse' gesture and motion from an
<para>Motion gestures are defined as "crossing events" into and out of the
login dialog window. If the 'dwellmouselistener' GtkModule is loaded, alternative
pointing devices are temporarily "latched" to the core pointer, such that
motion from alternative devices results in movement of the onscreen pointer.
<para>To use text-to-speech services at login time (for instance, when using
the Screen Reader in speech mode) on some operating systems, the gdm user
must be a member of the "audio" group.</para>
<refsect2 id="gdm-1m-exde-logging">
<para>GDM uses syslog to log errors or status. GDM can also log debugging
information, if enabled in the GDM configuration.</para>
<para>Output from the various X servers is stored in the GDM log directory,
which is configurable but is usually <filename><replaceable>var</replaceable>/log/gdm
</filename>. The output from the session can be found in a file called <filename><replaceable>
display</replaceable>.log</filename>. Four older versions of this file are
also stored, by appending 1 through 4 to the filename. These files are rotated,
as new sessions on that display are started. You can use these logs to view
what the X server said when it started up.</para>
<para>The output from the user session is redirected to <filename>~/.xsession-errors
</filename> before even the PreSession script is started, so it is not necessary
to redirect this again in the session setup script. If the user session lasted
less than 10 seconds, GDM assumes that the session crashed and allows the
user to view this file in a dialog before returning to the login screen. This
enables the user to view the session errors from the last session and correct
<para>You can suppress the 10–second warning by returning code 66 from
the Xsession script or from your session binary (the default Xsession script
propagates those codes back). This is useful if you have special logins for
which it is not an error to return less than 10 seconds later, or if you already
set up the session to display an error message and the GDM message would be
<para>The session output is piped through the GDM daemon, so the <filename>
~/.xsession-errors</filename> file is capped by GDM at about 200 kilobytes,
to prevent a possible denial-of-service attack on the session. An application
could, on reading some wrong data, print out warnings or errors on stderr
or stdout. This could fill up the user's home directory, and the user would then
have to log out and log back in to clear this. This could be especially nasty
if quotas are set. GDM also correctly traps the XFSZ signal and stops writing
the file, which would lead to killed sessions if the file was redirected in
the old-fashioned way from the script.</para>
<para>Note that some distributors seem to override the <filename>~/.xsession-errors
</filename> redirection and redirect in their own Xsession script (set by
the BaseXsession configuration key), which means that GDM cannot trap the
output and cap this file. You also lose output from the PreSession script
which can make debugging more difficult, as perhaps useful output of what
is wrong is not printed out. See the description of the BaseXsession configuration
key for more information, especially on how to handle multiple display managers
<para>Note that if the session is a failsafe session, or if GDM cannot open
this file for some reason, a fallback file is created named <filename>/tmp/xses-<replaceable>
user</replaceable>.XXXXXX</filename>, where XXXXXX are random characters.
<para>If you run a system with quotas set, use the PostSession script to delete
the <filename>~/.xsession-errors</filename> file, so that this log file is
not stored unnecessarily.</para>
<refsect1 id="gdm-1m-exit"><title>&exit-tt;</title>
<para>The following exit values are returned:</para>
<variablelist termlength="xtranarrow">
<varlistentry><term><returnvalue>0</returnvalue></term><listitem><para>Application
<varlistentry><term><returnvalue>>0</returnvalue></term><listitem><para>Application
<refsect1 id="gdm-1m-file"><title>&file-tt;</title>
<para>The following files are used by this application:</para>
<variablelist termlength="medium">
<varlistentry><term><filename>/usr/sbin/&cmd;</filename></term><listitem><para>
Wrapper script that launches GNOME Display Manager</para>
<para>Executable for GNOME Display Manager</para>
<para>Executable for GDM Chooser</para>
<para>Executable for GDM Themed Greeter</para>
<para>Executable for GDM Plain Greeter</para>
</variablelist><para>The system administrator can specify, in the GDM
configuration file, the maximum file size that GDM should accept. If
the face browser is enabled, a tunable maximum icon size is also enforced.
On large systems, the face browser should be turned off for performance reasons.
Looking up icons in home directories, scaling, and rendering face icons can
<para>In general, GDM is very reluctant to read or write user files. For instance,
GDM refuses to touch anything but regular files. Links, sockets, and devices
GDM configuration determines whether GDM accepts files that are writable
by the user's group or others. These are ignored by default.</para>
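The checks described above (regular files only, no group or other write access, a size cap) can be approximated from a shell to see which per-user files would be ignored. This is an added example, not GDM code and not part of the original page; user_file_ok and audit_home are hypothetical names, and the size cap is a parameter because the configured value is site-specific.

```shell
#!/bin/sh
# Added example (not GDM code): approximate, from the outside, the checks
# described above for files in a user's home directory.
# user_file_ok and audit_home are hypothetical names.

# user_file_ok FILE MAX_BYTES
# Returns 0 if FILE is a readable regular file, is not writable by group or
# others, and is no larger than MAX_BYTES. Otherwise prints the reason and
# returns 1.
user_file_ok() {
    f=$1
    max=$2
    if [ -h "$f" ]; then
        echo "$f: symbolic link"; return 1
    fi
    if [ ! -f "$f" ]; then
        echo "$f: not a regular file"; return 1
    fi
    if [ ! -r "$f" ]; then
        echo "$f: not readable by the current user"; return 1
    fi
    # Permission string layout: type, then rwx for user, group and others.
    perms=$(ls -ld "$f" | awk '{print substr($1, 1, 10); exit}')
    case $perms in
        ?????w????|????????w?)
            echo "$f: writable by group or others ($perms)"; return 1 ;;
    esac
    size=$(wc -c <"$f" | tr -d ' ')
    if [ "$size" -gt "$max" ]; then
        echo "$f: $size bytes exceeds the $max byte limit"; return 1
    fi
    return 0
}

# audit_home HOME MAX_BYTES
# Checks the per-user files named on this page that exist under HOME and
# returns the number that failed.
audit_home() {
    home=$1
    cap=$2
    bad=0
    for name in .dmrc .face .Xauthority; do
        path=$home/$name
        # Absent files are not findings; -h also catches dangling links.
        if [ -e "$path" ] || [ -h "$path" ]; then
            user_file_ok "$path" "$cap" || bad=$((bad + 1))
        fi
    done
    return $bad
}

# Constructed demo home: one acceptable file, one group-writable file and
# one symbolic link. The 65536 byte cap is a constructed value.
demo=$(mktemp -d)
printf '[Desktop]\nSession=gnome\n' >"$demo/.dmrc"; chmod 0600 "$demo/.dmrc"
printf 'placeholder, not an image\n' >"$demo/.face"; chmod 0664 "$demo/.face"
ln -s "$demo/.dmrc" "$demo/.Xauthority"
audit_home "$demo" 65536 || echo "$? file(s) would be ignored"
rm -rf "$demo"
```

Run it as the user who owns the home directory, or as root, so that the readability test reflects what the file owner can actually open.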
10139N/A<
para>Note that normally it is assumed that the home directory is only readable
10139N/Aby the user. However, NFS traffic can be snooped. For setups with NFS directories,
10139N/Ato a local directory such as <
filename>/tmp</
filename>. GDM tries to open
10139N/Athe normal authorization file for reading as root. If this fails, GDM concludes
10139N/A/tmp</
filename>), as defined in the GDM configuration. This
10139N/A<
refsect2 id="gdm-1m-file-login">
10139N/A<
title>GDM Login Scripts and Session Files</
title>
10139N/A<
para>The following GDM login scripts are discussed below:</
para>
10139N/A<
listitem><
para><
filename>/
etc/
X11/
gdm/
Init/<
replaceable>hostname</
replaceable></
filename></
para>
10139N/A<
para>The following session files are discussed below:</
para>
10139N/A<
listitem><
para><
filename>~/.dmrc</
filename> (default user session)</
para>
<para>When the X server has been successfully started, GDM tries to run the
Init/<replaceable>displayname</replaceable> script. For example, <filename>
Init/:0</filename> for the first local display. If this file is not found,
GDM attempts to run Init/<replaceable>hostname</replaceable>. For example, <filename>
for all on-demand flexible servers. If none of the above are found, GDM runs <filename>
until the script terminates. Use the <filename>Init/*</filename> script for
programs that are supposed to run alongside the GDM login window, for example <filename>
xconsole</filename>. Commands to set the background and so on should go in
<para>The system administrator decides whether clients started by the <filename>
Init</filename> script should be killed before starting the user session.
<para>When the user has been successfully authenticated, GDM tries the scripts
in the <filename>PostLogin</filename> directory in the same manner as for
the <filename>Init</filename> directory. This is done before any session setup
is done, so this is the script where you might set up the home directory if
you need to (though you should use the pam_mount module for this, if you can).
You have the USER and DISPLAY environment variables set for this script, and
again it is run with root privileges. The script should return 0 on success
as otherwise the user is not logged in. This is not true for failsafe session
<para>After the user session has been set up from the GDM perspective, GDM
runs the scripts in the <filename>PreSession</filename> directory, again in
the same manner as the <filename>Init</filename> directory. Use this script
for local session management or accounting. The USER environment variable
contains the login of the authenticated user and DISPLAY is set to the current
display. The script should return 0 on success. Any other value causes GDM
to terminate the current login process. This is not true for failsafe sessions
however. Also, the X_SERVERS environment variable is set and this points to
a fake generated X servers file for use with the
<citerefentry><refentrytitle>sessreg</refentrytitle><manvolnum>1</manvolnum></citerefentry>
<para>After this, the user's session is started. The available session executables
are taken from the Exec= line in the <filename>.desktop</filename> files in
the path specified by SessionDesktopDir. The user chooses from these sessions
at login time and GDM reads the file <filename>~/.dmrc</filename> for the
user's default. The default GNOME session uses the Xsession script. The script
is run as the user, and this is the user session. This script should load
the user's profile and generally do all that is needed to launch a session.
As many systems reset the language selections done by GDM, GDM also sets the
GDM_LANG variable to the selected language. You can use this to reset the
language environment variables after you run the user's profile. If the user
elected to use the system language, then GDM_LANG is not set.</para>
<para>When the user terminates the session, the <filename>PostSession</filename>
scripts are run, similar to <filename>Init</filename>, <filename>PostLogin
</filename>, and <filename>PreSession</filename>. Again, the script is run
with root privileges, the slave daemon blocks, the USER environment variable
contains the name of the user who just logged out, and DISPLAY is set to the
display the user used. Note, however, that the X server for this display might
already be dead so you should not try to access it. Also, the X_SERVERS environment
variable is set and points to a fake generated X servers file for use with the
<citerefentry><refentrytitle>sessreg</refentrytitle><manvolnum>1</manvolnum></citerefentry>
<para>Note that the <filename>PostSession</filename> script runs even when
the display fails to respond due to an I/O error or similar. Thus, there is
no guarantee that X applications will work during script execution.</para>
<para>Except for the <filename>Xsession</filename> script, all of these scripts
also have the environment variable RUNNING_UNDER_GDM set to yes, so that you
can use similar scripts for different display managers. The <filename>Xsession
</filename> always has GDMSESSION set to the basename of the session that
the user chose to run, without the <filename>.desktop</filename> extension.
In addition, DESKTOP_SESSION is also set to the same value.</para>
<para>None of the <filename>Init</filename>, <filename>PostLogin</filename>, <filename>
PreSession</filename>, or <filename>PostSession</filename> scripts are necessary
and they can be omitted. However, the <filename>Xsession</filename> script
is required, as is at least one session <filename>.desktop</filename> file.
<refsect2 id="gdm-1m-file-config">
<title>Configuration Files</title>
<variablelist termlength="wholeline">
<para>Contains GDM default configuration and documentation.</para>
<para>Contains user-specific GDM configuration and documentation.</para>
<para>Contains per-display GDM configuration and documentation.</para>
<refsect2 id="gdm-1m-file-themes">
<variablelist termlength="wholeline">
<refsect2 id="gdm-1m-file-face">
<variablelist termlength="wholeline">
directory for face images.</para>
<varlistentry><term><filename>~/.face</filename></term><listitem><para>User-defined
icon to be used by GDM face browser.</para>
<refsect2 id="gdm-1m-file-gesture">
<title>Gesture Listener Configuration Files</title>
<variablelist termlength="wholeline">
</filename></term><listitem><para>Configuration for the dwellmouselistener.
<listitem><para>Configuration for the keymouselistener.</para>
<refsect2 id="gdm-1m-system-files">
<variablelist termlength="wholeline">
<varlistentry><term><filename>/etc/profile</filename></term><listitem><para>System environment</para>
<refsect2 id="gdm-1m-file-logging">
<variablelist termlength="wholeline">
<varlistentry><term><filename>/var/log/gdm/<replaceable>display</replaceable>.log
</filename></term><listitem><para>Output from Xserver for each session. This
<varlistentry><term><filename>~/.xsession-errors</filename></term><listitem>
<para>Output from user's session.</para>
<varlistentry><term><filename>/tmp/xsess-<replaceable>user</replaceable>.XXXXXX
</filename></term><listitem><para>Output from session in failsafe mode or
if <filename>~/.xsession-errors</filename> cannot be written.</para>
<refsect2 id="gdm-1m-file-sockets">
<variablelist termlength="wholeline">
<para>Temporary file used for GDM socket communications.</para>
<variablelist termlength="wholeline">
<para>Stores the ProcessID for the running GDM daemon. This can be configured
<refsect2 id="gdm-1m-file-xserver">
<title>Xserver Authentication Directory</title>
<variablelist termlength="wholeline">
Stores Xserver authentication files. This can be configured using the
<refsect1 id="gdm-1m-attr"><title>&attr-tt;</title>
<para>See <olink targetdocent="REFMAN5" localinfo="attributes-5"><citerefentry>
<refentrytitle>attributes</refentrytitle><manvolnum>5</manvolnum></citerefentry></olink>
for descriptions of the following attributes:</para>
<tgroup cols="2" colsep="1" rowsep="1"><colspec colname="COLSPEC0" colwidth="1*">
<colspec colname="COLSPEC1" colwidth="1*">
<row><entry align="center" valign="middle">ATTRIBUTE TYPE</entry><entry align="center"
valign="middle">ATTRIBUTE VALUE</entry></row>
<row><entry><para>Availability</para></entry><entry><para>SUNWgnome-display-mgr
<row><entry colname="COLSPEC0"><para>Interface stability</para></entry><entry
colname="COLSPEC1"><para>Volatile</para></entry></row>
colname="COLSPEC1"><para>Volatile</para></entry></row>
colname="COLSPEC1"><para>Volatile</para></entry></row>
<refsect1 id="gdm-1m-also"><title>&also-tt;</title>
<!--Reference to another man page-->
<!--Reference to a Help manual-->
<para>Latest version of the <citetitle>GNOME Desktop User Guide</citetitle>
<citerefentry><refentrytitle>gdmXnestchooser</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>gdmdynamic</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>gdmflexiserver</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>gdmphotosetup</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>gdmthemetester</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>Xserver</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>gdm-restart</refentrytitle><manvolnum>1m</manvolnum></citerefentry>,
<citerefentry><refentrytitle>gdmsetup</refentrytitle><manvolnum>1m</manvolnum></citerefentry>,
<citerefentry><refentrytitle>profile</refentrytitle><manvolnum>4</manvolnum></citerefentry>,
<citerefentry><refentrytitle>gnome-std-options</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>pam</refentrytitle><manvolnum>3pam</manvolnum></citerefentry>,
<citerefentry><refentrytitle>logindevperm</refentrytitle><manvolnum>4</manvolnum></citerefentry>,
<citerefentry><refentrytitle>attributes</refentrytitle><manvolnum>5</manvolnum></citerefentry>
<refsect1 id="gdm-1-note"><title>&note-tt;</title>
<para>Original man page written by Martin K. Petersen &lt;mkp@mkp.net&gt;, George
Lebl &lt;jirka@5z.com&gt;. Copyright (c) 1998, 1999 by Martin K. Petersen. Copyright
(c) 2001, 2003, 2004 by George Lebl. Copyright (c) 2003 by Red Hat, Inc.</para>
<para>Updated by Brian Cameron, Sun Microsystems Inc., 2004, 2006.</para>