Configuration
GDM has a number of configuration interfaces. These include scripting integration points, daemon configuration, greeter configuration, general session settings, integration with gnome-settings-daemon configuration, and session configuration. These types of integration are described in detail below.
- 5.1. Scripting Integration Points
- 5.2. Autostart Configuration
- 5.3. Xsession Script
- 5.4. Daemon Configuration
- 5.5. Simple Greeter Configuration
- 5.6. Accessibility Configuration
- 5.7. General Session Settings
- 5.8. GNOME Settings Daemon
- 5.9. GDM Session Configuration
- 5.10. GDM User Session and Language Configuration
5.1. Scripting Integration Points
The GDM script integration points can be found in the <etc>/gdm/ directory:
Xsession Init/ PostLogin/ PreSession/ PostSession/
The Init, PostLogin, PreSession, and PostSession scripts all work as described below.
For each type of script, the default one which will be executed is called "Default" and is stored in a directory associated with the script type. So the default Init script is <etc>/gdm/Init/Default. A per-display script can be provided, and if it exists it will be run instead of the default script. Such scripts are stored in the same directory as the default script and have the same name as the Xserver DISPLAY value for that display. For example, if the <Init>/:0 script exists, it will be run for DISPLAY ":0".
All of these scripts are run with root privilege and return 0 if run successfully, and a non-zero return code if there was any failure that should cause the login session to be aborted. Also note that GDM will block until the scripts finish, so if any of these scripts hang, this will cause the login process to also hang.
When the Xserver for the login GUI has been successfully started, but before the login GUI is actually displayed, GDM will run the Init script. This script is useful for starting programs that should be run while the login screen is showing, or for doing any special initialization if required.
After the user has been successfully authenticated GDM will run the PostLogin script. This is done before any session setup has been done, including before the pam_open_session call. This script is useful for doing any session initialization that needs to happen before the session starts. For example, you might setup the user's $HOME directory if needed.
After the user session has been initialized, GDM will run the PreSession script. This script is useful for doing any session initialization that needs to happen after the session has been initialized. It can be used for session management or accounting, for example.
When a user terminates their session, GDM will run the PostSession script. Note that the Xserver will have been stopped by the time this script is run, so it should not be accessed.
Note that the PostSession script will be run even when the display fails to respond due to an I/O error or similar. Thus, there is no guarantee that X applications will work during script execution.
All of the above scripts will set the $RUNNING_UNDER_GDM environment variable to yes. If the scripts are also shared with other display managers, this allows you to identify when GDM is calling these scripts, so you can run specific code when GDM is used.
5.2. Autostart Configuration
The <share>/gdm/autostart/LoginWindow directory contains files in the format specified by the "FreeDesktop.org Desktop Application Autostart Specification". Standard features in the specification may be used to specify programs that should auto-restart or only be launched if a GConf configuration value is set, etc.
Any .desktop files in this directory will cause the associated program to automatically start with the login GUI greeter. By default, GDM is shipped with files which will autostart the gdm-simple-greeter login GUI greeter itself, the gnome-power-manager application, the gnome-settings-daemon, and the metacity window manager. These programs are needed for the greeter program to work. In addition, desktop files are provided for starting various AT programs if the configuration values specified in the Accessibility Configuration section below are set.
5.3. Xsession Script
There is also an Xsession script located at <etc>/gdm/Xsession which is called between the PreSession and the PostSession scripts. This script does not support per-display like the other scripts. This script is used for actually starting the user session. This script is run as the user, and it will run whatever session was specified by the Desktop session file the user selected to start.
5.4. Daemon Configuration
The GDM daemon is configured using the <etc>/gdm/custom.conf file. Default values are stored in GConf in the gdm.schemas file. It is recommended that end-users modify the <etc>/gdm/custom.conf file because the schemas file may be overwritten when the user updates their system to have a newer version of GDM.
Note that older versions of GDM supported additional configuration options which are no longer supported in the latest versions of GDM.
The <etc>/gdm/custom.conf file is in the keyfile format. Keywords in brackets define group sections, strings before an equal sign (=) are keys and the data after equal sign represents their value. Empty lines or lines starting with the hash mark (#) are ignored.
The file <etc>/gdm/custom.conf supports the "[daemon]", "[security]", and "[xdmcp]" group sections. Within each group, there are particular key/value pairs that can be specified to modify how GDM behaves. For example, to enable timed login and specify the timed login user to be a user named "you", you would modify the file so it contains the following lines:
[daemon] TimedLoginEnable=true TimedLogin=you
A full list of supported configuration keys follow:
- 5.4.1. [chooser]
- 5.4.2. [daemon]
- 5.4.3. Debug Options
- 5.4.4. Greeter Options
- 5.4.5. Security Options
- 5.4.6. XDCMP Support
5.4.1. [chooser]
- Multicast
-
Multicast=false
If true and IPv6 is enabled, the chooser will send a multicast query to the local network and collect responses from the hosts who have joined multicast group.
- MulticastAddr
-
MulticastAddr=ff02::1
This is the Link-local multicast address.
5.4.2. [daemon]
- TimedLoginEnable
-
TimedLoginEnable=false
If the user given in TimedLogin should be logged in after a number of seconds (set with TimedLoginDelay) of inactivity on the login screen. This is useful for public access terminals or perhaps even home use. If the user uses the keyboard or browses the menus, the timeout will be reset to TimedLoginDelay or 30 seconds, whichever is higher. If the user does not enter a username but just hits the ENTER key while the login program is requesting the username, then GDM will assume the user wants to login immediately as the timed user. Note that no password will be asked for this user so you should be careful, although if using PAM it can be configured to require password entry before allowing login. Refer to the "Security->PAM" section of the manual for more information, or for help if this feature does not seem to work.
- TimedLogin
-
TimedLogin=
This is the user that should be logged in after a specified number of seconds of inactivity.
If the value ends with a vertical bar | (the pipe symbol), then GDM will execute the program specified and use whatever value is returned on standard out from the program as the user. The program is run with the DISPLAY environment variable set so that it is possible to specify the user in a per-display fashion. For example if the value is "/usr/bin/getloginuser|", then the program "/usr/bin/getloginuser" will be run to get the user value.
- TimedLoginDelay
-
TimedLoginDelay=30
Delay in seconds before the TimedLogin user will be logged in.
- AutomaticLoginEnable
-
AutomaticLoginEnable=false
If true, the user given in AutomaticLogin should be logged in immediately. This feature is like timed login with a delay of 0 seconds.
- AutomaticLogin
-
AutomaticLogin=
This is the user that should be logged in immediately if AutomaticLoginEnable is true.
If the value ends with a vertical bar | (the pipe symbol), then GDM will execute the program specified and use whatever value is returned on standard out from the program as the user. The program is run with the DISPLAY environment variable set so that it is possible to specify the user in a per-display fashion. For example if the value is "/usr/bin/getloginuser|", then the program "/usr/bin/getloginuser" will be run to get the user value.
- User
-
User=gdm
The username under which the greeter and other GUI programs are run. Refer to the Group configuration key and to the "Security->GDM User And Group" section of this document for more information.
- Group
-
Group=gdm
The group name under which the greeter and other GUI programs are run. Refer to the User configuration key and to the "Security->GDM User And Group" section of this document for more information.
5.4.3. Debug Options
- Enable
-
Enable=false
To enable debugging, set the debug/Enable key to "true" in the <etc>/gdm/custom.conf file and restart GDM. Then debug output will be sent to the system log file (<var>/log/messages or <var>/adm/messages depending on your Operating System).
5.4.4. Greeter Options
- IncludeAll
-
IncludeAll=true
If true, then the face browser will show all users on the local machine. If false, the face browser will only show users who have recently logged in.
When this key is true, GDM will call fgetpwent() to get a list of local users on the system. Any users with a user id less than 500 (or 100 if running on Oracle Solaris) are filtered out. The Face Browser also will display any users that have previously logged in on the system (for example NIS/LDAP users). It gets this list via calling the ck-history ConsoleKit interface. It will also filter out any users which do not have a valid shell (valid shells are any shell that getusershell() returns - /sbin/nologin or /bin/false are considered invalid shells even if getusershell() returns them).
If false, then GDM more simply only displays users that have previously logged in on the system (local or NIS/LDAP users) by calling the ck-history ConsoleKit interface.
- Include
-
Include=
Set to a list of users to always include in the Face Browser. This value is set to a list of users separated by commas. By default, the value is empty.
- Exclude
-
Exclude=bin,root,daemon,adm,lp,sync,shutdown,halt,mail,news,uucp,operator,nobody,nobody4,noaccess,postgres,pvm,rpm,nfsnobody,pcap
Set to a list of users to always exclude in the Face Browser. This value is set to a list of users separated by commas. Note that the setting in the custom.conf overrides the default value, so if you wish to add additional users to the list, then you need to set the value to the default value with additional users appended to the list.
5.4.5. Security Options
- DisallowTCP
-
DisallowTCP=true
If true, then always append -nolisten tcp to the command line when starting attached Xservers, thus disallowing TCP connection. This is a more secure configuration if you are not using remote connections.
5.4.6. XDCMP Support
- DisplaysPerHost
-
DisplaysPerHost=1
To prevent attackers from filling up the pending queue, GDM will only allow one connection for each remote computer. If you want to provide display services to computers with more than one screen, you should increase this value.
Note that the number of attached DISPLAYS allowed is not limited. Only remote connections via XDMCP are limited by this configuration option.
- Enable
-
Enable=false
Setting this to true enables XDMCP support allowing remote displays/X terminals to be managed by GDM.
gdm listens for requests on UDP port 177. See the Port option for more information.
If GDM is compiled to support it, access from remote displays can be controlled using the TCP Wrappers library. The service name is gdm
You should add
to your <etc>/hosts.allow, depending on your TCP Wrappers configuration. See the hosts.allow man page for details.gdm:.my.domain
Please note that XDMCP is not a particularly secure protocol and that it is a good idea to block UDP port 177 on your firewall unless you really need it.
- HonorIndirect
-
HonorIndirect=true
Enables XDMCP INDIRECT choosing (i.e. remote execution of gdmchooser) for X-terminals which do not supply their own display browser.
- MaxPending
-
MaxPending=4
To avoid denial of service attacks, GDM has fixed size queue of pending connections. Only MaxPending displays can start at the same time.
Please note that this parameter does not limit the number of remote displays which can be managed. It only limits the number of displays initiating a connection simultaneously.
- MaxSessions
-
MaxSessions=16
Determines the maximum number of remote display connections which will be managed simultaneously. I.e. the total number of remote displays that can use your host.
- MaxWait
-
MaxWait=30
When GDM is ready to manage a display an ACCEPT packet is sent to it containing a unique session id which will be used in future XDMCP conversations.
GDM will then place the session id in the pending queue waiting for the display to respond with a MANAGE request.
If no response is received within MaxWait seconds, GDM will declare the display dead and erase it from the pending queue freeing up the slot for other displays.
- MaxWaitIndirect
-
MaxWaitIndirect=30
The MaxWaitIndirect parameter determines the maximum number of seconds between the time where a user chooses a host and the subsequent indirect query where the user is connected to the host. When the timeout is exceeded, the information about the chosen host is forgotten and the indirect slot freed up for other displays. The information may be forgotten earlier if there are more hosts trying to send indirect queries then MaxPendingIndirect.
- PingIntervalSeconds
-
PingIntervalSeconds=60
If the Xserver does not respond in the specified number of seconds, then the connection is stopped and the session ended. When this happens the daemon dies with an ALARM signal. Note that GDM 2.20 and earlier multiplied this setting by 2, so it may be necessary to increase the timeout if upgrading from GDM 2.20 and earlier to a newer version.
Note that GDM in the past used to have a PingInterval configuration key which was also in minutes. For most purposes you'd want this setting to be lower than one minute. However since in most cases where XDMCP would be used (such as terminal labs), a lag of more than 15 or so seconds would really mean that the terminal was turned off or restarted and you would want to end the session.
- Port
-
Port=177
The UDP port number gdm should listen to for XDMCP requests. Do not change this unless you know what you are doing.
- Willing
-
Willing=<etc>/gdm/Xwilling
When the machine sends a WILLING packet back after a QUERY it sends a string that gives the current status of this server. The default message is the system ID, but it is possible to create a script that displays customized message. If this script does not exist or this key is empty the default message is sent. If this script succeeds and produces some output, the first line of it's output is sent (and only the first line). It runs at most once every 3 seconds to prevent possible denial of service by flooding the machine with QUERY packets.
5.5. Simple Greeter Configuration
The GDM default greeter is called the simple Greeter and is configured via GConf. Default values are stored in GConf in the gdm-simple-greeter.schemas file. These defaults can be overridden if the "gdm" user has a writable $HOME directory to store GConf settings. These values can be edited using the gconftool-2 or gconf-editor programs. The following configuration options are supported:
- /apps/gdm/simple-greeter/banner_message_enable
-
false (boolean)
Controls whether the banner message text is displayed.
- /apps/gdm/simple-greeter/banner_message_text
-
NULL (string)
Specifies the text banner message to show on the greeter window.
- /apps/gdm/simple-greeter/disable_restart_buttons
-
false (boolean)
Controls whether to show the restart buttons in the login window.
- /apps/gdm/simple-greeter/disable_user_list
-
false (boolean)
If true, then the face browser with known users is not shown in the login window.
- /apps/gdm/simple-greeter/logo_icon_name
-
computer (string)
Set to the themed icon name to use for the greeter logo.
- /apps/gdm/simple-greeter/recent-languages
-
[] (string list)
Set to a list of languages to be shown by default in the login window. Default value is "[]". With the default setting only the system default language is shown and the option "Other..." which pops-up a dialog box showing a full list of available languages which the user can select.
Users are not intended to change this setting by hand. Instead GDM keeps track of any languages selected in this configuration key, and will show them in the language combo box along with the "Other..." choice. This way, commonly selected languages are easier to select.
- /apps/gdm/simple-greeter/recent-layouts
-
[] (string list)
Set to a list of keyboard layouts to be shown by default in the login panel. Default value is "[]". With the default setting only the system default keyboard layout is shown and the option "Other..." which pops-up a dialog box showing a full list of available keyboard layouts which the user can select.
Users are not intended to change this setting by hand. Instead GDM keeps track of any keyboard layouts selected in this configuration key, and will show them in the keyboard layout combo box along with the "Other..." choice. This way, commonly selected keyboard layouts are easier to select.
- /apps/gdm/simple-greeter/wm_use_compiz
-
false (boolean)
Controls whether compiz is used as the window manager instead of metacity.
5.6. Accessibility Configuration
This section describes the accessibility configuration options available in GDM.
5.6.1. GDM Accessibility Dialog And GConf Keys
The GDM greeter panel at the login screen displays an accessibility icon. Clicking on that icon opens the GDM Accessibility Dialog. In the GDM Accessibility Dialog, there is a list of checkboxes, so the user can enable or disable the associated assistive tools.
The checkboxes that correspond to the on-screen keyboard, screen magnifier and screen reader assistive tools act on the three GConf keys that are described in the next section of this document. By enabling or disabling these checkboxes, the associated GConf key is set to "true" or "false". When the GConf key is set to true, the assistive tools linked to this GConf key are launched. When the GConf key is set to "false", any running assistive tool linked to this GConf key are terminated. These GConf keys are not automatically reset to a default state after the user has logged in. Consequently, the assistive tools that were running during the last GDM login session will automatically be launched at the next GDM login session.
The other checkboxes in the GDM Accessibility Dialog do not have corresponding GConf keys because no additional program is launched to provide the accessibility features that they offer. These other options correspond to accessibility features that are provided by the Xserver, which is always running during the GDM session.
5.6.2. Accessibility GConf Keys
GDM offers the following GConf keys to control its accessibility features:
- /desktop/gnome/interface/accessibility
-
false (boolean)
Controls whether the Accessibility infrastructure will be started with the GDM GUI. This is needed for many accessibility technology programs to work.
- /desktop/gnome/applications/at/screen_magnifier_enabled
-
false (boolean)
If set, then the assistive tools linked to this GConf key will be started with the GDM GUI program. By default this is a screen magnifier application.
- /desktop/gnome/applications/at/screen_keyboard_enabled
-
false (boolean)
If set, then the assistive tools linked to this GConf key will be started with the GDM GUI program. By default this is an on-screen keyboard application.
- /desktop/gnome/applications/at/screen_reader_enabled
-
false (boolean)
If set, then the assistive tools linked to this GConf key will be started with the GDM GUI program. By default this is a screen reader application.
5.6.3. Linking GConf Keys to Accessibility Tools
For the screen_magnifier_enabled, the screen_keyboard_enabled, and the screen_reader_enabled GConf keys, the assistive tool which gets launched depends on the desktop files located in the GDM autostart directory as described in the "Autostart Configuration" section of this manual. Any desktop file in the GDM autostart directory can be linked to these GConf key via specifying that GConf key in the AutostartCondition value in the desktop file. So the exact AutostartCondition line in the desktop file could be one of the following:
AutostartCondition=GNOME /desktop/gnome/applications/at/screen_keyboard_enabled AutostartCondition=GNOME /desktop/gnome/applications/at/screen_magnifier_enabled AutostartCondition=GNOME /desktop/gnome/applications/at/screen_reader_enabled
When an accessibility key is true, then any program which is linked to that key in a GDM autostart desktop file will be launched (unless the Hidden key is set to true in that desktop file). A single GConf key can even start multiple assistive tools if there are multiple desktop files with this AutostartCondition in the GDM autostart directory.
5.6.4. Example Of Modifying Accessibility Tool Configuration
For example, if GNOME is distributed with GOK as the default on-screen keyboard, then this could be replaced with a different program if desired. To replace GOK with the on-screen keyboard application "onboard" and additionally activate the assistive tool "mousetweaks" for dwelling support, then the following configuration is needed.
Create a desktop file for onboard and a second one for mousetweaks; for example, onboard.desktop and mousetweaks.desktop. These files must be placed in the GDM autostart directory and be in the format as explained in the "Autostart Configuration" section of this document.
The following is an example onboard.desktop file:
[Desktop Entry] Encoding=UTF-8 Name=Onboard Onscreen Keyboard Comment=Use an on-screen keyboard TryExec=onboard Exec=onboard --size 500x180 -x 20 -y 10 Terminal=false Type=Application StartupNotify=true Categories=GNOME;GTK;Accessibility; AutostartCondition=GNOME /desktop/gnome/applications/at/screen_keyboard_enabled
The following is an example mousetweaks.desktop file:
[Desktop Entry] Encoding=UTF-8 Name=Software Mouse-Clicks Comment=Perform clicks by dwelling with the pointer TryExec=mousetweaks Exec=mousetweaks --enable-dwell -m window -c -x 20 -y 240 Terminal=false Type=Application StartupNotify=true Categories=GNOME;GTK;Accessibility; AutostartCondition=GNOME /desktop/gnome/applications/at/screen_keyboard_enabled
Note the line with the AutostartCondition that links both desktop files to the GConf key for the on-screen keyboard.
To disable GOK from starting, the desktop file for the GOK on-screen keyboard must be removed or deactivated. Otherwise onboard and GOK would simultaneously be started. This can be done by removing the gok.desktop file from the GDM autostart directory, or by adding the "Hidden=true" key setting to the gok.desktop file.
After making these changes, GOK will no longer be started when the user activates the on-screen keyboard in the GDM session; but onboard and mousetweaks will instead be launched.
5.7. General Session Settings
The GDM Greeter uses some of the same framework that your desktop session will use. And so, it is influenced by a number of the same GConf settings. For each of these settings the Greeter will use the default value unless it is specifically overridden by a) GDM's installed mandatory policy b) system mandatory policy. GDM installs its own mandatory policy to lock down some settings for security.
5.8. GNOME Settings Daemon
GDM enables the following gnome-settings-daemon plugins: a11y-keyboard, background, sound, xsettings.
These are responsible for things like the background image, font and theme settings, sound events, etc.
Plugins can also be disabled using GConf. For example, if you want to disable the sound plugin then unset the following key: /apps/gdm/simple-greeter/settings-manager-plugins/sound/active.
5.9. GDM Session Configuration
GDM sessions are specified using the FreeDesktop.org Desktop Entry Specification, which can be referenced at the following URL: http://www.freedesktop.org/wiki/Specifications/desktop-entry-spec.
By default, GDM will install desktop files in the <share>/xsessions directory. GDM will search the following directories in this order to find desktop files: <etc>/X11/sessions/, <dmconfdir>/Sessions, <share>/xsessions, and <share>/gdm/BuiltInSessions. By default the <dmconfdir> is set to <etc>/dm/ unless GDM is configured to use a different directory via the "--with-dmconfdir" option.
A session can be disabled by editing the desktop file and adding a line as follows: Hidden=true.
GDM desktop files support a GDM-specific extension, a key named "X-GDM-BypassXsession". If the key is not specified in a desktop file, the value defaults to "false". If this key is specified to be "true" in a desktop file, then GDM will launch the program specified by the desktop file "Exec" key directly when starting the user session. It will not run the program via the <etc>/gdm/Xsession script, which is the normal behavior. Since bypassing the <etc>/gdm/Xsession script avoids setting up the user session with the normal system and user settings, sessions started this way can be useful for debugging problems in the system or user scripts that might be preventing a user from being able to start a session.
5.10. GDM User Session and Language Configuration
The user's default session and language choices are stored in the ~/.dmrc file. When a user logs in for the first time, this file is created with the user's initial choices. The user can change these default values by simply changing to a different value when logging in. GDM will remember this change for subsequent logins.
The ~/.dmrc file is in the standard INI format. It has one section called [Desktop] which has two keys: Session and Language.
The Session key specifies the basename of the session .desktop file that the user wishes to normally use without the .desktop extension. The Language key specifies the language that the user wishes to use by default. If either of these keys is missing, the system default is used. The file would normally look as follows:
[Desktop] Session=gnome Language=cs_CZ.UTF-8