10139N/A<!
DOCTYPE REFENTRY PUBLIC "-//Sun Microsystems//DTD DocBook V3.0-Based SolBook Subset V2.0//EN" [
10139N/A<!--ArborText, Inc., 1988-1999, v.4002-->
15941N/A<!--ARC : LSARC 2005/417 GDM2 as default Solaris Display Manager --> 17583N/A<!
ENTITY suncopy "Copyright (c) 2004,2006,2009 Sun Microsystems, Inc. All Rights Reserved.">
10139N/A<
refmeta><
refentrytitle>gdm</
refentrytitle><
manvolnum>1m</
manvolnum>
18002N/A<
refmiscinfo class="date">28 Dec 2009</
refmiscinfo>
17583N/A<
refmiscinfo class="sectdesc">&man1m;</
refmiscinfo>
10139N/A<
refmiscinfo class="software">&release;</
refmiscinfo>
10139N/A<
refmiscinfo class="arch">generic</
refmiscinfo>
10139N/A<
refmiscinfo class="copyright">&suncopy;</
refmiscinfo>
17583N/A<
indexterm><
primary>gdm</
primary></
indexterm>
10139N/A<
refsynopsisdiv id="gdm-1m-synp"><
title>&synp-tt;</
title>
17583N/A<
cmdsynopsis><
command>&cmd; | gdm-binary</
command>
17583N/A<
arg choice="opt"><
option>-fatal-warnings</
option></
arg>
17583N/A<
arg choice="opt"><
option>-help</
option></
arg>
17583N/A<
arg choice="opt"><
option>-timed-exit</
option></
arg>
17583N/A<
arg choice="opt"><
option>-version</
option></
arg>
10139N/A<
refsect1 id="gdm-1m-desc"><
title>&desc-tt;</
title>
17583N/AGDM is the GNOME Display Manager, a program used for login session management.
17583N/AGDM supports managing the console display, other attached displays, XDMCP
17583N/Adisplays, and flexible (or on-demand) displays. Flexible displays make use of
17583N/Athe Virtual Terminals (VT) interfaces to allow user switching, so that multiple
17583N/Ausers can run simultaneous sessions sharing the same console. GDM uses
17583N/AConsoleKit to manage what sessions are active on the system. GDM supports a
17583N/Anumber of configuration interfaces which are described in later sections of
17583N/AThe <
command>gdm-binary</
command> program is the actual program which manages
17583N/Athe displays on the system, while <
command>&cmd;</
command> is a wrapper script
17583N/Athat launches the <
command>gdm-binary</
command> program and passes along any
17583N/Aoptions. Before launching <
command>gdm-binary</
command>, the
17583N/A<
command>&cmd;</
command> wrapper script sources the system
17583N/A<
citerefentry><
refentrytitle>profile</
refentrytitle>
17583N/A<
manvolnum>4</
manvolnum></
citerefentry>
17583N/Afile to set standard system environment variables, and sets the LANG and
17583N/ALC_MESSAGES environment variables to support internationalization.
17583N/AFor each display that GDM is configured to manage, the
17583N/A<
command>gdm-binary</
command> program will launch a slave daemon which does the
17583N/Awork to actually manage the display. The slave daemon will start the login
17583N/Agreeter GUI program, the program that the user interacts with. Refer the the
17583N/A"Login Greeter GUI" section below for more information about how the
17583N/AIf Virtual Terminals are supported on your system, you can start a flexible
17583N/Adisplay via the "User Switcher" panel applet. You may need to add
17583N/Athis applet to your panel to make use of it. You can also use the
17583N/A<
citerefentry><
refentrytitle>gdmflexiserver</
refentrytitle>
17583N/A<
manvolnum>1</
manvolnum></
citerefentry>
17583N/Acommand to start flexible displays from the command line.
17583N/AIf you wish to stop the GDM service, you can either send a TERM signal to the
17583N/A<
citerefentry><
refentrytitle>gdm-stop</
refentrytitle>
17583N/A<
manvolnum>1m</
manvolnum></
citerefentry>
17598N/Acommand. On Solaris, the GDM service is managed by the
17598N/A<
citerefentry><
refentrytitle>smf</
refentrytitle>
17598N/A<
manvolnum>5</
manvolnum></
citerefentry>
17598N/Aservice management facility under the service identifier
17598N/AOn Solaris, it is recommended that you use the
17598N/A<
citerefentry><
refentrytitle>svcadm</
refentrytitle>
18002N/A<
manvolnum>1m</
manvolnum></
citerefentry> utility to enable and disable the
18002N/A"gdm" service instead of using the
17598N/A<
citerefentry><
refentrytitle>gdm-stop</
refentrytitle>
18002N/A<
manvolnum>1m</
manvolnum></
citerefentry> command.
17583N/AGDM supports libaudit and Solaris auditing. Refer to the
17583N/A<
citerefentry><
refentrytitle>bsmconv</
refentrytitle>
17583N/A<
manvolnum>1m</
manvolnum></
citerefentry> manpage for more information about
17583N/Ahow to enable Solaris auditing. On Solaris, GDM uses
17583N/A<
citerefentry><
refentrytitle>logindevperm</
refentrytitle>
17583N/A<
manvolnum>4</
manvolnum></
citerefentry>
17583N/Ato ensure that device permissions are set properly for the user on login.
17583N/AThe following options are supported by <
command>&cmd;</
command> and
17583N/A<
variablelist termlength="medium">
17583N/A<
term><
option>-fatal-warnings</
option></
term>
17583N/AMake all warnings fatal. Useful for debugging.
17583N/A</
para></
listitem></
varlistentry>
17671N/A<
term><
option>-help</
option></
term>
17671N/A</
para></
listitem></
varlistentry>
17583N/A<
term><
option>-timed-exit</
option></
term>
17583N/AExit after 30 seconds. Useful for debugging.
17583N/A</
para></
listitem></
varlistentry>
17583N/A<
term><
option>-version</
option></
term>
17583N/A</
para></
listitem></
varlistentry>
17584N/A<
refsect1 id="pkg-config-1-envr"><
title>&envr-tt;</
title>
17584N/A<
citerefentry><
refentrytitle>environ</
refentrytitle>
17584N/A<
manvolnum>5</
manvolnum></
citerefentry>
17584N/Afor descriptions of environment variables.
17584N/AWhen the following description refers to "scripts", these are
17584N/Areferring to the GDM <
filename>Init</
filename>, <
filename>PostLogin</
filename>,
17584N/A<
filename>PreSession</
filename>, and <
filename>PostSession</
filename> scripts.
17584N/A<
variablelist termlength="wholeline">
17584N/A<
term><
envar>DESKTOP_SESSION</
envar></
term>
17584N/AFor any user session started by GDM, this environment variable is set to the
17584N/Asession name the user has chosen in the login GUI, such as "gnome" to
17584N/Asession file was used to launch the session.
17584N/A</
para></
listitem></
varlistentry>
17584N/A<
variablelist termlength="wholeline">
17584N/A<
term><
envar>DISPLAY</
envar></
term>
17584N/AWhen running scripts and for any user session started by GDM, this environment
17584N/Avariable is set to the Xserver display value associated with the session.
17584N/A</
para></
listitem></
varlistentry>
17584N/A<
variablelist termlength="wholeline">
17584N/A<
variablelist termlength="wholeline">
17584N/A<
term><
envar>DESKTOP_SESSION</
envar></
term>
17584N/AFor any user session started by GDM, this environment variable is set to the
17584N/Akeyboard layout that the user has chosen in the login GUI.
17584N/A</
para></
listitem></
varlistentry>
17584N/A<
term><
envar>HOME</
envar></
term>
17584N/AWhen running scripts and for any user session started by GDM, this environment
17584N/Avariable is set to the home directory associated with the user.
17584N/A</
para></
listitem></
varlistentry>
17584N/A<
term><
envar>LANG</
envar></
term>
17584N/AFor any user session started by GDM, this environment variable is set to the
17584N/Alangauge choice selected when the user logged in.
17584N/A</
para></
listitem></
varlistentry>
17584N/A<
term><
envar>REMOTE_HOST</
envar></
term>
17584N/AWhen running scripts, this environment variable is set to the hostname if the
17584N/A</
para></
listitem></
varlistentry>
17584N/A<
term><
envar>RUNNING_UNDER_GDM</
envar></
term>
17584N/AWhen running scripts, this environment variable is set to "true", so
17584N/Athat they can identify when they are executed by the GDM process.
17584N/A</
para></
listitem></
varlistentry>
17584N/A<
term><
envar>SHELL</
envar></
term>
17584N/AWhen running scripts and for any user session started by GDM, this environment
17584N/Avariable is set to the shell associated with the session.
17584N/A</
para></
listitem></
varlistentry>
17584N/A<
term><
envar>USER</
envar></
term>
17584N/AWhen running scripts and for any user session started by GDM, this environment
17584N/Avariable is set to the username associated with the session.
17584N/A</
para></
listitem></
varlistentry>
17584N/A<
term><
envar>USERNAME</
envar></
term>
17584N/AWhen running scripts and for any user session started by GDM, this environment
17584N/Avariable is set to the username associated with the session.
17584N/A</
para></
listitem></
varlistentry>
17584N/A<
term><
envar>XAUTHORITY</
envar></
term>
17584N/AWhen running scripts and for any user session started by GDM, this environment
17584N/Avariable is set to the Xserver Xauthority file being used by the session.
17584N/A</
para></
listitem></
varlistentry>
17584N/A<
term><
envar>XDG_SESSION_COOKIE</
envar></
term>
17584N/AThis environment variable is provided by ConsoleKit, and this value is set
17584N/Afor any user session started by GDM so that ConsoleKit can properly identify
17584N/A</
para></
listitem></
varlistentry>
17583N/A<
refsect1 id="gdm-1m-exde"><
title>&exde-tt;</
title>
17597N/A<
refsect2 id="gdm-1m-exde-greeter">
17583N/A<
title>Login Greeter GUI</
title>
17583N/AThe login greeter GUI allows the user to specify how their user session should
17583N/Abe started and ensures that the user authenticates before gaining access to
17583N/Atheir user session. Authentication can be disabled if desired.
17583N/A<
citerefentry><
refentrytitle>pam</
refentrytitle>
17583N/A<
manvolnum>3PAM</
manvolnum></
citerefentry>
17583N/Ato manage how the user authenticates (for example, by entering a username and
17583N/Apassword, via a SmartCard, fingerprint reader, etc.). If authentication is
17583N/Anot desired, then GDM provides two configuration options which can be used
17583N/Ato bypass it: "Automatic Login" and "Timed Login". These
17583N/Aare not enabled by default, but can be turned on if desired.
17589N/AThe Automatic Login feature will cause GDM to bypass the login greeter GUI
17589N/Aentirely and immediately start a session for the user specified in the GDM
17583N/Aconfiguration. The Timed Login feature will display the login greeter GUI for
17583N/Aa number of seconds specified in the GDM configuration. If no user logs in
17583N/Abefore the timeout, then GDM will automatically start the user session for the
17583N/Auser specified in the GDM configuration. Timed Login is useful if you wish to
17583N/Ahave the opportunity to login as a different user on some occasions. Obviously
17583N/Aneither Automatic Login or Timed Login are secure, and they should only be used
17583N/Aon systems where the security provided by authentication is not needed.
17583N/AGDM normally uses a PAM stack named "gdm". When Automatic Login or
17583N/ATimed Login is enabled, then GDM instead uses a PAM stack named
17583N/A"gdm-autologin". Note that Automatic Login and Timed Login will not
17583N/Awork properly if the "gdm-autologin" PAM stack is not defined in your
17583N/AThe login greeter GUI provides two mechanisms for specifying which user is
17583N/Alogging into the system. Either the "Face Browser" can be used,
17583N/Aor GDM can prompt the user with the requests specified by the system PAM
17583N/Aconfiguration. By default, this means entering both the username and password
17583N/AThe Face Browser is designed to work when PAM is configured to allow users to
17583N/Aselect their username, so it is not useful with certain PAM configurations
17583N/A(such as when the username is identified via a SmartCard or fingerprint). The
17583N/AFace Browser obviously exposes usernames to anyone with access to the machine,
17583N/Aso users may wish to disable it if this is considered a security issue.
17583N/AWhen the Face Browser is enabled, a list of users will appear in the login
17583N/Agreeter GUI. An icon for each user is shown, and users can specify what icon
17583N/Ais associated with their user. If the user has an image file named
17583N/A<
filename>~/.face</
filename>, then GDM will associate this image with the user.
17583N/AIf the user does not have such an image file, a default icon is displayed.
17583N/AImage files must be no larger than 64K in size, or they are ignored by GDM.
17583N/AThe login greeter GUI can be configured to provide "Shutdown",
18002N/A"Restart", and "Suspend" buttons which allow the user to
18002N/Ashutdown, restart, or suspend the system if desired. On Solaris, the buttons
18002N/Aspecified for the "gdm" user in the
18002N/Amake these buttons available from the GDM login GUI screen.
17583N/AWhile the login greeter GUI is displayed, a panel is provided at the bottom
17583N/Aof the screen which provides useful information, interfaces that allow the
17583N/Auser to specify how their session should be started, and interfaces to help
17583N/Athe user navigate the login screen. These include:
17583N/AA clock, showing the date and time.
17583N/AAn alternative keyboard layout (if supported).
17583N/AThe ability to launch assistive technology programs if desired.
17583N/AThe ability to monitor the system battery (if using a system with a battery).
17583N/AThe login greeter GUI also allows the user to take a screenshot. If the
17583N/Auser presses the keybindng associated with printing the screen, then the
17583N/A<
command>gdm-screenshot</
command> is run to take the screenshot.
17583N/A<
refsect2 id="gdm-1m-exde-accessibility">
17583N/AGDM supports accessibility. Users can click on the accessibility icon on
17583N/Athe panel to specify which assistive programs should be launched with the
17583N/Alogin GUI programs. It is also possible to configure a system so that
17583N/Aneeded assistive programs should always be launched.
17583N/A<
refsect2 id="gdm-1m-exde-security">
17583N/AThe GDM login GUI programs are run with a dedicated user id and group id.
17583N/ABy default "gdm" is used for both the user id and group id, but these
17583N/Avalues are configurable. The reason for using this special user and group is
17583N/Ato make sure that the GDM user interfaces run as a user without unnecessary
17583N/Aprivileges, so that in the unlikely case that someone finds a weakness in the
17583N/AGUI, they will not gain access to a privileged account on the machine.
17583N/ANote that the GDM user and group do have some privileges beyond what a normal
17583N/Auser has. This user and group has access to the Xserver authorization
17583N/Adirectory which contains all of the Xserver authorization files and other
17583N/Aprivileges can then connect to any running Xserver session. Do not, under any
17583N/Aaccess to, such as the user "<
literal>nobody</
literal>".
17583N/AFile permissions are set on the authorization files so that only the user
17583N/Ahas read and write access to ensure that users are unable to access the
17583N/Aauthorization files belonging to other users.
17583N/A<
refsect2 id="gdm-1m-exde-xdmcp">
17589N/AXDMCP (X Display Manager Control Protocol) displays the login screen and
17589N/Aresulting session on a remote machine over the network interface. By default,
17589N/AXDMCP is disabled in GDM. However, GDM can be configured to enable XDMCP so
17589N/Athat users can log into the system from remote hosts. By default, GDM listens
17589N/Ato UDP port 177, although this can be configured. GDM responds to QUERY and
17589N/ABROADCAST_QUERY requests by sending a WILLING packet to the originator.
17583N/AGDM provides configuration options that make GDM more resistant to
17583N/Adenial-of-service attacks on the XDMCP service. The default values should work
17583N/Afor most systems, but several protocol parameters, handshaking timeouts, and so
17583N/Aon can be fine-tuned to make it more secure. It is not recommended that you
17583N/Amodify the XDMCP configuration unless you know what you are doing.
17583N/AGDM grants access to the hosts specified in the GDM service section of your TCP
17583N/AWrappers configuration file. Refer to the
17583N/A<
citerefentry><
refentrytitle>libwrap</
refentrytitle>
17583N/A<
manvolnum>3</
manvolnum></
citerefentry>
17583N/Amanpage for more information. GDM does not support remote display access
17583N/Acontrol on systems without TCP Wrapper support.
17583N/AGDM can also be configured to honor INDIRECT queries and present a host
17583N/Achooser to the remote display. GDM remembers the user's choice and forwards
17583N/Asubsequent requests to the chosen manager. GDM also supports an extension
17583N/Ato the protocol which makes GDM forget the redirection once the user's
17583N/Aconnection succeeds. This extension is only supported if both daemons are GDM.
17583N/AThis extension is transparent and is ignored by XDM or other daemons that
17583N/AGDM only supports the MIT-MAGIC-COOKIE-1 authentication system. Because of
17583N/Athis, the cookies are transmitted as clear text. Therefore, you should be
17583N/Acareful about the network where you use this. That is, be careful about where
17583N/Ayour XDMCP connection is going. Note that if snooping is possible, an attacker
17583N/Acould snoop your password as you log in, so a better XDMCP authentication would
17583N/Anot help you much anyway. If snooping is possible and undesirable, you should
17583N/A<
citerefentry><
refentrytitle>ssh</
refentrytitle>
17583N/A<
manvolnum>1</
manvolnum></
citerefentry>
17583N/Afor tunneling an X connection, rather then using GDM's XDMCP. Think of XDMCP as a sort of graphical telnet, with the same security issues.
17583N/A<
refsect2 id="gdm-1m-configuration">
17583N/A<
title>GDM Configuration</
title>
17583N/AConsoleKit interfaces are used to configure how GDM should manage displays
17583N/Ain a multiseat environment, so to configure multiseat please refer to the
17583N/A<
citerefentry><
refentrytitle>console-kit-daemon</
refentrytitle>
17583N/A<
manvolnum>1m</
manvolnum></
citerefentry>
17583N/AGDM also provides a number of configuration interfaces which allow the user to
17583N/Aspecify how GDM should operate. The configuration available for the GDM
17583N/Adaemon and the GDM login greeter GUI are described below. GDM also provides
17583N/Ascripting interfaces and other interfaces to configure how sessions are started
17583N/Awhich are described in the "GDM Login Scripts and Session Files"
17583N/AThe default system configuration for the GDM daemon is stored in the file
17583N/AUsers are not recommended to modify this file since it may be overwritten on
17583N/Aupgrade. Instead users should override these settings by specifying values in
17637N/A<
replaceable>type</
replaceable>" format. The type can be
17637N/A<
replaceable>string</
replaceable>, <
replaceable>integer</
replaceable>,
17637N/Aor <
replaceable>boolean</
replaceable>. To override the
17583N/AThe following keys are supported for configuring the GDM daemon:
17583N/A<
variablelist termlength="wholeline">
17731N/AIf true and IPv6 is enabled, the chooser will send a multicast query to the
17731N/Alocal network and collect responses from the hosts who have joined multicast
17731N/A</
para></
listitem></
varlistentry>
17731N/AThis is the Link-local Multicast address.
17731N/A</
para></
listitem></
varlistentry>
17583N/AIf the user given in TimedLogin should be logged in after a number of seconds
17583N/A(set with TimedLoginDelay) of inactivity on the login screen. This is useful
17583N/Afor public access terminals or perhaps even home use. If the user uses the
17583N/Akeyboard or browses the menus, the timeout will be reset to TimedLoginDelay or
17583N/A30 seconds, whichever is higher. If the user does not enter a username but just
17583N/Ahits the ENTER key while the login program is requesting the username, then GDM
17583N/Awill assume the user wants to login immediately as the timed user. Note that no
17583N/Apassword will be asked for this user so you should be careful, although if
17583N/Ausing PAM it can be configured to require password entry before allowing login.
17583N/AThis is the user that should be logged in after a specified number of seconds
17583N/Aof inactivity. If the value ends with a vertical bar | (the pipe symbol), then
17583N/AGDM will execute the program specified and use whatever value is returned on
17583N/Astandard out from the program as the user. The program is run with the DISPLAY
17583N/Aenvironment variable set so that it is possible to specify the user in a
17583N/Aper-display fashion. For example if the value is
17583N/A</
para></
listitem></
varlistentry>
17583N/ADelay in seconds before the TimedLogin user will be logged in.
17583N/A</
para></
listitem></
varlistentry>
17583N/AIf true, the user given in AutomaticLogin should be logged in immediately.
17583N/AThis feature is like timed login with a delay of 0 seconds.
17583N/A</
para></
listitem></
varlistentry>
17583N/AThis is the user that should be logged in immediately if AutomaticLoginEnable
17583N/Ais true. If the value ends with a vertical bar | (the pipe symbol), then GDM
17583N/Awill execute the program specified and use whatever value is returned on
17583N/Astandard out from the program as the user. The program is run with the DISPLAY
17583N/Aenvironment variable set so that it is possible to specify the user in a
17583N/Aper-display fashion. For example if the value is
17583N/A</
para></
listitem></
varlistentry>
17583N/AThe username under which the greeter and other GUI programs are run.
17583N/A</
para></
listitem></
varlistentry>
17637N/AThe group id used to run the login GUI programs
17637N/A</
para></
listitem></
varlistentry>
17731N/AIf true, then GDM will provide debug output in the system log, which is
17637N/A</
para></
listitem></
varlistentry>
17637N/AIf true, then the face browser will show all users on the local machine. If
17637N/Afalse, the face browser will only show users who have recently logged in.
17637N/AWhen this key is true, GDM will call fgetpwent() to get a list of local users
17637N/Aon the system. Anyusers with a user id less than 500 (or 100 if running on
17637N/ASolaris) are filtered out. The Face Browser also will display any users that
17637N/Ahave previously logged in on the system (for example
NIS/
LDAP users). It gets
17637N/A<
citerefentry><
refentrytitle>ck-history</
refentrytitle>
17637N/A<
manvolnum>1</
manvolnum></
citerefentry>
17637N/AConsoleKit interface. It will also filter out any users which do not have a
17715N/Avalid shell (valid shells are any shell that getusershell() returns -
17637N/Aconsidered invalid shells even if getusershell() returns them).
17637N/AIf false, then GDM more simply only displays users that have previously logged
17637N/A<
citerefentry><
refentrytitle>ck-history</
refentrytitle>
17637N/A<
manvolnum>1</
manvolnum></
citerefentry>
17637N/A</
para></
listitem></
varlistentry>
17637N/ASet to a list of users to always include in the Face Browser. This value
17637N/Ais set to a list of users separated by commas. By default, the value is
17637N/A</
para></
listitem></
varlistentry>
17637N/A<
term>
greeter/
Exclude=bin,root,daemon,adm,lp,sync,shutdown,halt,mail,news,uucp,operator,nobody,nobody4,noaccess,postgres,pvm,rpm,nfsnobody,pcap (string)</
term>
17715N/ASet to a list of users to always exclude in the Face Browser. This value
17670N/Ais set to a list of users separated by commas. Note that the setting in the
17670N/Ato add additional users to the list, then you need to set the value to the
17670N/Adefault value with additional users appended to the list.
17637N/A</
para></
listitem></
varlistentry>
17665N/AIf true, then the session, language and layout dialogs in the login greeter GUI
17665N/Awill show the option "Last" by default. The users default settings
17665N/Ain their <
filename>~/.dmrc</
filename> file will be used. If no settings exist
17665N/Ain this file, then the system defaults will be used. Note that GDM normally
17665N/Acaches the user's <
filename>~/.dmrc</
filename> in the
17665N/AGDM to avoid using the cache, and instead accesses the user's configuration
17665N/Asettings from their <
filename>~/.dmrc</
filename> file after
17665N/A<
citerefentry><
refentrytitle>pam_setcred</
refentrytitle>
17665N/A<
manvolnum>3PAM</
manvolnum></
citerefentry></
olink> is called.
17665N/AThis feature is useful in situations where users might log into multiple
17665N/Aservers and the system administrator wants to avoid situations where the
17665N/Auser's cached settings might become inconsistant across different servers.
17665N/A</
para></
listitem></
varlistentry>
17622N/AIf true, then always append "<
option>nolisten</
option> tcp" to the
17622N/AXserver command line when starting attached Xservers, thus disallowing TCP
17622N/Aconnection. This is a more secure configuration if you are not using remote
17622N/Aconnections. Note that on Solaris, the
17622N/A<
literal>x11-server</
literal> service also controls whether this option is
17622N/Aappended to the Xserver command line. The GDM configuration value is set to
17622N/A"false" by default on Solaris to defer control of this feature to
17622N/Athis <
literal>x11-server</
literal> property. Refer to the
17622N/A<
citerefentry><
refentrytitle>Xserver</
refentrytitle>
17622N/A<
manvolnum>1</
manvolnum></
citerefentry>
17583N/A</
para></
listitem></
varlistentry>
17583N/ATo prevent attackers from filling up the pending queue, GDM will only allow one
17583N/Aconnection for each remote computer. If you want to provide display services to
17583N/Acomputers with more than one screen, you should increase this value. Note that
17583N/Athe number of attached DISPLAYS allowed is not limited. Only remote connections
17583N/Avia XDMCP are limited by this configuration option.
17583N/A</
para></
listitem></
varlistentry>
17583N/ASetting this to true enables XDMCP support allowing remote displays/X terminals
17583N/Ato be managed by GDM. If GDM is compiled to support it, access from remote
17583N/Adisplays can be controlled using the TCP Wrappers library.
17583N/A</
para></
listitem></
varlistentry>
17637N/AEnables XDMCP INDIRECT choosing for X-terminals which do not supply their own
17583N/A</
para></
listitem></
varlistentry>
17583N/ATo avoid denial of service attacks, GDM has fixed size queue of pending
17583N/Aconnections. Only MaxPending displays can start at the same time. Please note
17583N/Athat this parameter does not limit the number of remote displays which can be
17583N/Amanaged. It only limits the number of displays initiating a connection
17583N/A</
para></
listitem></
varlistentry>
17583N/ADetermines the maximum number of remote display connections which will be
17583N/Amanaged simultaneously.
I.e. the total number of remote displays that can use
17583N/A</
para></
listitem></
varlistentry>
17583N/AWhen GDM is ready to manage a display an ACCEPT packet is sent to it containing
17583N/Aa unique session id which will be used in future XDMCP conversations. GDM will
17583N/Athen place the session id in the pending queue waiting for the display to
17583N/Arespond with a MANAGE request. If no response is received within MaxWait
17583N/Aseconds, GDM will declare the display dead and erase it from the pending queue
17583N/Afreeing up the slot for other displays.
17583N/A</
para></
listitem></
varlistentry>
17583N/AThe MaxWaitIndirect parameter determines the maximum number of seconds between
17583N/Athe time where a user chooses a host and the subsequent indirect query where
17583N/Athe user is connected to the host. When the timeout is exceeded, the
17583N/Ainformation about the chosen host is forgotten and the indirect slot freed up
17583N/Afor other displays. The information may be forgotten earlier if there are more
17583N/Ahosts trying to send indirect queries then MaxPendingIndirect.
17583N/A</
para></
listitem></
varlistentry>
17583N/AInterval in which to ping the Xserver in seconds. If the Xserver does not
17583N/Arespond before the next time we ping it, the connection is stopped and the
17583N/Asession ended. This is a combination of the XDM PingInterval and PingTimeout,
17583N/A</
para></
listitem></
varlistentry>
17583N/AThe UDP port number gdm should listen to for XDMCP requests.
17583N/A</
para></
listitem></
varlistentry>
17583N/AWhen the machine sends a WILLING packet back after a QUERY it sends a string
17583N/Athat gives the current status of this server. The default message is the system
17583N/AID, but it is possible to create a script that displays customized message. If
17583N/Athis script does not exist or this key is empty the default message is sent.
17583N/AIf this script succeeds and produces some output, the first line of it's output
17583N/Ais sent (and only the first line). It runs at most once every 3 seconds to
17583N/Aprevent possible denial of service by flooding the machine with QUERY packets.
17583N/A</
para></
listitem></
varlistentry>
17583N/AThe default system configuration for the GDM login greeter GUI is stored in
17583N/Athe system GConf schemas directory in the file
17583N/AGConf. Users are not recommended to modify this file file since it may be
17583N/Aoverwritten on upgrade. Instead users should override these settings by
17583N/Amodifying the GConf configuration for the GDM user (the user specified in the
17583N/A<
citerefentry><
refentrytitle>gconftool-2</
refentrytitle>
17583N/A<
manvolnum>1</
manvolnum></
citerefentry>
17583N/A<
citerefentry><
refentrytitle>gconf-editor</
refentrytitle>
17583N/A<
manvolnum>1</
manvolnum></
citerefentry>
18002N/Aprograms to set these values, if desired. Refer to the EXAMPLES section of
18002N/Athis manpage for more information about how to use these tools to change
17948N/AGDM will use the GCONF_DEFAULT_SOURCE_PATH environment variable to ensure that each display uses it's own GConf configuration. This way changes in GConf will only affect the greeter in a per-seat manner.
17583N/AThe following keys are supported for configuring the GDM login greeter GUI and
17583N/A"GConf key=<
replaceable>default_value</
replaceable>
17583N/A(<
replaceable>gconf_data_type</
replaceable>)"
17583N/A<
variablelist termlength="wholeline">
17583N/AControls whether the banner message text is displayed.
17583N/A</
para></
listitem></
varlistentry>
17583N/ASpecifies the text banner message to show on the greeter window.
17583N/A</
para></
listitem></
varlistentry>
17583N/AControls whether to show the restart buttons in the login window.
17583N/A</
para></
listitem></
varlistentry>
17583N/AIf true, then the face browser with known users is not shown in the login
17583N/A</
para></
listitem></
varlistentry>
17583N/ASet to the themed icon name to use for the greeter logo.
17583N/A</
para></
listitem></
varlistentry>
17583N/AControls whether compiz is used as the window manager instead of metacity.
17583N/A</
para></
listitem></
varlistentry>
17583N/AControls whether the Accessibility infrastructure will be started with the GDM
17583N/AGUI. This is needed for many accessibility technology programs to work.
17583N/A</
para></
listitem></
varlistentry>
17583N/AIf set, then the assistive tools linked to this GConf key will be started with
17583N/Athe GDM GUI program. By default this is a screen magnifier application.
17583N/A</
para></
listitem></
varlistentry>
17583N/AIf set, then the assistive tools linked to this GConf key will be started with
17583N/Athe GDM GUI program. By default this is an on-screen keyboard application.
17583N/A</
para></
listitem></
varlistentry>
17583N/AIf set, then the assistive tools linked to this GConf key will be started with
17583N/Athe GDM GUI program. By default this is a screen reader application.
17583N/A</
para></
listitem></
varlistentry>
17583N/AOn Solaris, GDM also supports the CONSOLE, PASSREQ, PATH, and SUPATH
17583N/A<
citerefentry><
refentrytitle>login</
refentrytitle>
17583N/A<
manvolnum>1</
manvolnum></
citerefentry> manpage for details.
17583N/A<
refsect2 id="gdm-1m-exde-logging">
17583N/AGDM logs error and debug information to the system syslog file.
17583N/AOutput from the Xservers started by GDM is stored in the GDM log directory,
17583N/Asaved in a file <
filename><
replaceable>display</
replaceable>.log</
filename>,
17583N/Awhere <
replaceable>display</
replaceable> is the DISPLAY value for the
17583N/AOutput from the GDM login greeter GUI is saved in a file
17583N/Aoutput from the GDM slave daemon is saved in a file
17583N/Athe <
replaceable>display</
replaceable> is the DISPLAY value for the
17583N/AFour older versions of each file are also stored, by appending 1 through 4 to
17583N/Athe filename. These files are rotated, as new sessions on that display are
17583N/AThe output from the user session is saved in a file
17583N/A<
filename>~/.xsession-errors</
filename>. The user session output is
17583N/Aredirected before the <
filename>PreSession</
filename> script is started.
17583N/ANote that if the session is a failsafe session, or if GDM cannot open this file
17583N/Afor some reason, a fallback file is created named
17583N/A<
filename>/
tmp/
xses-<
replaceable>user</
replaceable>.XXXXXX</
filename>,
17583N/Awhere XXXXXX are random characters.
17583N/AIf you run a system with quotas set, consider using the PostSession script to
17583N/Adelete the <
filename>~/.xsession-errors</
filename> file, so that this log file
17948N/A<
refsect1 id="gdm-1m-exam"><
title>&exam-tt;</
title>
18002N/ANote that the user should change user to the "gdm" user before
18002N/A<
citerefentry><
refentrytitle>gconftool-2</
refentrytitle><
manvolnum>1</
manvolnum></
citerefentry> commands. For example, the
18002N/A <
citerefentry><
refentrytitle>su</
refentrytitle><
manvolnum>1m</
manvolnum></
citerefentry>
18002N/Acommand could be used. Configuration changes will only take effect if they
18002N/Aapply to the "gdm" user.
17948N/A<
title>To Enable Face Browser for all GDM login greeter GUI</
title>
18002N/A<
title>To Change the Background Image to <
filename>
stream.jpg</
filename> for the GDM login greeter GUI</
title>
17948N/A<
title>To Disable Face Browser for StaticSeat1 GDM login greeter GUI</
title>
17583N/A<
refsect1 id="gdm-1m-exit"><
title>&exit-tt;</
title>
17583N/AThe following exit values are returned:
17583N/A<
variablelist termlength="xtranarrow">
17583N/A<
term><
returnvalue>0</
returnvalue></
term>
17583N/A</
para></
listitem></
varlistentry>
17583N/A<
term><
returnvalue>>0</
returnvalue></
term>
17583N/A<
refsect1 id="gdm-1m-file"><
title>&file-tt;</
title>
17583N/AThe following files are used by this application:
17597N/A<
variablelist termlength="wholeline">
17583N/AWrapper script that launches GNOME Display Manager
17583N/A</
para></
listitem></
varlistentry>
17593N/AExecutable for GNOME Display Manager.
17597N/A</
para></
listitem></
varlistentry>
10139N/A<
refsect2 id="gdm-1m-file-login">
10139N/A<
title>GDM Login Scripts and Session Files</
title>
17583N/AThe following GDM login integration interfaces are discussed below:
17583N/A<
listitem><
filename>/
etc/
gdm/
Init/<
replaceable>display</
replaceable></
filename></
listitem>
17583N/A<
listitem><
filename>~/profile</
filename></
listitem>
17583N/AThe following session files are also discussed below:
15996N/A<
listitem><
filename>~/.dmrc</
filename> (default user session)</
listitem>
17583N/AThe <
filename>Init</
filename>, <
filename>PostLogin</
filename>,
17583N/A<
filename>PreSession</
filename>, and <
filename>PostSession</
filename> scripts
17583N/AFor each type of script, the default one which will be executed is called
17583N/A"Default" and is stored in a directory associated with the script
17583N/Atype. So the default <
filename>Init</
filename> script is
17583N/Aprovided, and if it exists it will be run instead of the default script. Such
17583N/Ascripts are stored in the same directory as the default script and have the
17583N/Asame name as the Xserver DISPLAY value for that display. For example, if the
17583N/AAll of these scripts are run with root privilege and return 0 if run
17583N/Asuccessfully, and a non-zero return code if there was any failure that should
17583N/Acause the login session to be aborted. Also note that GDM will block until the
17583N/Ascripts finish, so if any of these scripts hang, this will cause the login
17583N/AWhen the Xserver for the login GUI has been successfully started, but before
17583N/Athe login GUI is actually displayed, GDM will run the <
filename>Init</
filename>
17583N/Ascript. This script is useful for starting programs that should be run while
17583N/Athe login screen is showing, or for doing any special initialization if
17583N/AAfter the user has been successfully authenticated GDM will run the
17583N/A<
filename>PostLogin</
filename> script. This is done before any session setup
17583N/Ahas been done, including before the
17583N/A<
citerefentry><
refentrytitle>pam_open_session</
refentrytitle>
17583N/A<
manvolnum>3PAM</
manvolnum></
citerefentry>
17583N/Acall. This script is useful for doing any session initialization that needs to
17583N/Ahappen before the session starts. For example, you might setup the user's
17583N/AAfter the user session has been initialized, GDM will run the
17583N/A<
filename>PreSession</
filename> script. This script is useful for doing any
17583N/Asession initialization that needs to happen after the session has been
17583N/Ainitialized. It can be used for session management or accounting, for example.
17583N/AWhen a user terminates their session, GDM will run the
17583N/A<
filename>PostSession</
filename> script. Note that the Xserver will have been
17583N/Astopped by the time this script is run, so it should not be accessed.
17583N/ANote that the <
filename>PostSession</
filename> script will be run even when the
17583N/Adisplay fails to respond due to an I/O error or similar. Thus, there is no
17583N/Aguarantee that X applications will work during script execution.
17583N/AAll of the above scripts will set the RUNNING_UNDER_GDM environment variable
17583N/Ato "yes". If the scripts are also shared with other display managers,
17583N/Athis allows you to identify when GDM is calling these scripts, so you can run
17583N/Acontains <
filename>.desktop</
filename> files. Any
17583N/A<
filename>.desktop</
filename> files in this directory will cause the
17583N/Aassociated program to automatically start with the login GUI greeter. By
17583N/Adefault, GDM is shipped with files which will autostart the gdm-simple-greeter
17583N/Alogin GUI greeter itself, the <
command>gnome-power-manager</
command>
17583N/Aapplication, the <
command>gnome-settings-daemon</
command>, and the
17583N/A<
command>metacity</
command> window manager. These programs are needed for the
17583N/Agreeter program to work. In addition, desktop files are provided for starting
17583N/Avarious AT programs if the associated accessibility configuration GConf keys
17952N/A<
para>The administrator can customize .desktop files. For example, an <
filename>
xterm.desktop</
filename> file can be useful when debugging the GDM login greeter. A .desktop file to launch <
citerefentry><
refentrytitle>xterm</
refentrytitle><
manvolnum>1</
manvolnum></
citerefentry> would look as follows:
17948N/AX-GNOME-Autostart-Phase=Applications
17583N/AThe user's default session and language choices are stored in the
17583N/A<
filename>~/.dmrc</
filename> file. When a user logs in for the first time, this
17583N/Afile is created with the user's initial choices. The user can change these
17583N/Adefault values by simply changing to a different value when logging in. GDM
17583N/Awill remember this change for subsequent logins.
17583N/AThe session types which are available in the GDM login greeter GUI are
17583N/Aspecified by <
filename>.desktop</
filename> files. These desktop files are in
17583N/Astandard INI format and the executable that will be run to start the session
17583N/Ais specified by the "Exec" key in the file. Desktop files are
17583N/AHowever, GDM will search for desktop files in the following directories in this
17583N/A<
filename>PreSession</
filename> and the <
filename>PostSession</
filename>
17583N/Ascripts. This script does not support per-display like the other scripts. This
17583N/Ascript is used for actually starting the user session. This script is run as
17583N/Athe user, and it will run whatever session was specified by the Desktop session
17583N/A<
filename>~/.profile</
filename>, and all scripts in the
17583N/A<
citerefentry><
refentrytitle>profile</
refentrytitle>
17583N/A<
manvolnum>4</
manvolnum></
citerefentry>
10139N/A<
refsect2 id="gdm-1m-file-config">
10139N/A<
title>Configuration Files</
title>
10139N/A<
variablelist termlength="wholeline">
17583N/AGDM default daemon configuration.
17583N/A</
para></
listitem></
varlistentry>
17583N/AGDM daemon configuration customization.
17583N/A</
para></
listitem></
varlistentry>
17583N/AGDM default login greeter GUI configuration.
17583N/AOn Solaris, GDM supports the CONSOLE, PASSREQ, PATH, and SUPATH configuration
17583N/A<
citerefentry><
refentrytitle>login</
refentrytitle>
17583N/A<
manvolnum>1</
manvolnum></
citerefentry>
17583N/AThe GDM user's mandatory GConf settings.
17948N/A<
term><
filename>~gdm/<
replaceable>seat</
replaceable>/.gconf</
filename></
term>
17948N/AThe per-seat GDM user's GConf settings.
17583N/AThis file specifies the GDM user's mandatory GConf settings directory.
10139N/A<
refsect2 id="gdm-1m-file-logging">
10139N/A<
variablelist termlength="wholeline">
17583N/A<
term><
filename>/
var/
log/
gdm/<
replaceable>display</
replaceable>.log</
filename></
term>
17583N/AXserver output for each <
replaceable>display</
replaceable>.
17583N/AGDM login greeter GUI output for each <
replaceable>display</
replaceable>.
17583N/AGDM slave daemon output for each <
replaceable>display</
replaceable>.
17583N/A<
term><
filename>~/.xsession-errors</
filename></
term>
17583N/A</
para></
listitem></
varlistentry>
17583N/A<
refsect2 id="gdm-1m-file-xauth">
17584N/A<
title>GDM Xauthority files</
title>
17583N/A<
variablelist termlength="wholeline">
17583N/AStores the Xserver authentication files for each managed session.
17583N/A<
refsect2 id="gdm-1m-file-face">
17583N/A<
variablelist termlength="wholeline">
17583N/AGlobal directory for face images.
17583N/A</
para></
listitem></
varlistentry>
17583N/A<
term><
filename>~/.face</
filename></
term>
17583N/AUser-defined icon to be used by GDM face browser.
17583N/A<
refsect2 id="gdm-1m-file-cache">
10139N/A<
variablelist termlength="wholeline">
17583N/AGDM copies the user's <
filename>~/.dmrc</
filenam> and
17583N/A<
filename>~/.face</
filename> files to
17583N/Athat they can be accessed on subsequent logins without accessing the user's
17583N/A<
citerefentry><
refentrytitle>pam_setcred</
refentrytitle>
17583N/A<
manvolnum>3PAM</
manvolnum></
citerefentry></
olink> is called.
10139N/A<
refsect1 id="gdm-1m-attr"><
title>&attr-tt;</
title>
17583N/ASee <
olink targetdocent="REFMAN5" localinfo="attributes-5">
17583N/A<
citerefentry><
refentrytitle>attributes</
refentrytitle>
17583N/A<
manvolnum>5</
manvolnum></
citerefentry></
olink>
17583N/Afor descriptions of the following attributes:
17593N/A<
tgroup cols="2" colsep="1" rowsep="1">
17593N/A<
colspec colname="COLSPEC0" colwidth="1*">
10139N/A<
colspec colname="COLSPEC1" colwidth="1*">
17583N/A<
entry align="center" valign="middle">ATTRIBUTE TYPE</
entry>
17583N/A<
entry align="center" valign="middle">ATTRIBUTE VALUE</
entry>
17583N/A<
entry><
para>Availability</
para></
entry>
17583N/A<
entry><
para>SUNWgnome-display-mgr</
para></
entry>
17583N/A<
entry colname="COLSPEC0"><
para>Interface stability</
para></
entry>
17583N/A<
entry colname="COLSPEC1"><
para>Volatile</
para></
entry>
17583N/A<
entry colname="COLSPEC1"><
para>Volatile</
para></
entry>
17583N/A<
entry colname="COLSPEC1"><
para>Volatile</
para></
entry>
17583N/A<
entry colname="COLSPEC1"><
para>Volatile</
para></
entry>
10139N/A<
refsect1 id="gdm-1m-also"><
title>&also-tt;</
title>
10139N/A<!--Reference to another man page--> 10139N/A<!--Reference to a Help manual--> 17598N/AMore information can be found at:
17598N/ALatest version of the <
citetitle>GNOME Desktop User Guide</
citetitle> for your
10139N/A<
citerefentry><
refentrytitle>gdmdynamic</
refentrytitle><
manvolnum>1</
manvolnum></
citerefentry>,
10139N/A<
citerefentry><
refentrytitle>gdmflexiserver</
refentrytitle><
manvolnum>1</
manvolnum></
citerefentry>,
17583N/A<
citerefentry><
refentrytitle>gdm-screenshot</
refentrytitle><
manvolnum>1</
manvolnum></
citerefentry>,
17583N/A<
citerefentry><
refentrytitle>gconftool-2</
refentrytitle><
manvolnum>1</
manvolnum></
citerefentry>,
17583N/A<
citerefentry><
refentrytitle>gconf-editor</
refentrytitle><
manvolnum>1</
manvolnum></
citerefentry>,
16354N/A<
citerefentry><
refentrytitle>login</
refentrytitle><
manvolnum>1</
manvolnum></
citerefentry>,
15995N/A<
citerefentry><
refentrytitle>ssh</
refentrytitle><
manvolnum>1</
manvolnum></
citerefentry>,
17622N/A<
citerefentry><
refentrytitle>Xorg</
refentrytitle><
manvolnum>1</
manvolnum></
citerefentry>,
10139N/A<
citerefentry><
refentrytitle>Xserver</
refentrytitle><
manvolnum>1</
manvolnum></
citerefentry>,
17583N/A<
citerefentry><
refentrytitle>console-kit-daemon</
refentrytitle><
manvolnum>1m</
manvolnum></
citerefentry>,
17583N/A<
citerefentry><
refentrytitle>bsmconv</
refentrytitle><
manvolnum>1m</
manvolnum></
citerefentry>,
17583N/A<
citerefentry><
refentrytitle>gdm-stop</
refentrytitle><
manvolnum>1m</
manvolnum></
citerefentry>,
17598N/A<
citerefentry><
refentrytitle>svcadm</
refentrytitle><
manvolnum>1m</
manvolnum></
citerefentry>,
17583N/A<
citerefentry><
refentrytitle>libwrap</
refentrytitle><
manvolnum>3</
manvolnum></
citerefentry>,
16354N/A<
citerefentry><
refentrytitle>pam</
refentrytitle><
manvolnum>3PAM</
manvolnum></
citerefentry>,
17583N/A<
citerefentry><
refentrytitle>logindevperm</
refentrytitle><
manvolnum>4</
manvolnum></
citerefentry>,
16354N/A<
citerefentry><
refentrytitle>
pam.conf</
refentrytitle><
manvolnum>4</
manvolnum></
citerefentry>,
10139N/A<
citerefentry><
refentrytitle>profile</
refentrytitle><
manvolnum>4</
manvolnum></
citerefentry>,
18002N/A<
citerefentry><
refentrytitle>user_attr</
refentrytitle><
manvolnum>4</
manvolnum></
citerefentry>,
17584N/A<
citerefentry><
refentrytitle>attributes</
refentrytitle><
manvolnum>5</
manvolnum></
citerefentry>,
17598N/A<
citerefentry><
refentrytitle>environ</
refentrytitle><
manvolnum>5</
manvolnum></
citerefentry>,
17598N/A<
citerefentry><
refentrytitle>smf</
refentrytitle><
manvolnum>5</
manvolnum></
citerefentry>
10139N/A<
refsect1 id="gdm-1-note"><
title>¬e-tt;</
title>
17583N/AThis man page written by Martin K. Petersen <mkp@mkp.net>, George Lebl
17583N/A<jirka@5z.com>, and Brian Cameron <brian.cameron@sun.com>.
17583N/ACopyright (c) 1998, 1999 by Martin K. Petersen.
17583N/ACopyright (c) 2001, 2003, 2004 by George Lebl.
17583N/ACopyright (c) 2003 by Red Hat, Inc.
17583N/ACopyright (c) 2006, 2009 by Sun Microsystems, Inc.
