1. Introduction

1.1. Project/Component Working Name:
     GNOME Display Manager (GDM) Rewrite

1.2. Name of Document Author/Supplier:
     Brian Cameron

1.3. Date of This Document:
     08/11/2009

1.4. Name of Major Document Customer(s)/Consumer(s):
     1.4.1. The PAC or CPT you expect to review your project:
            Solaris PAC
     1.4.2. The ARC(s) you expect to review your project:
            LSARC
     1.4.3. The Director/VP who is "Sponsoring" this project:
            Robert O'Dea
     1.4.4. The name of your business unit:
            Software - OPG

1.5. Email Aliases:
     1.5.1. Responsible Manager:  leo.binchy@sun.com
     1.5.2. Responsible Engineer: brian.cameron@sun.com
     1.5.3. Marketing Manager:    dan.robert@sun.com
     1.5.4. Interest List:        desktop-discuss@opensolaris.org

2. Project Summary

2.1. Project Description:

Starting with GDM version 2.21, the code has been rewritten to make better use of GObject object-oriented techniques and of D-Bus for IPC (inter-process communication). It also uses ConsoleKit to keep track of information about each managed session, and ConsoleKit provides better support for switching between graphical VT sessions. ConsoleKit will be integrated into Solaris with the new GDM rewrite. The Desktop team intends to integrate GDM 2.28 into Solaris.

Today, Solaris does not support graphical VT sessions. The virtual console team is currently targeting build 122 to add VT support to the Xserver. It is unclear when the "vtdaemon" service will be enabled by default on Solaris, but after build 122 systems can easily be configured to enable the "vtdaemon" SMF service if graphical VT sessions are wanted. Refer to PSARC 2006/591 Virtual Console and PSARC 2008/515 Virtual Console Update. VT support is not needed to use GDM, but GDM will support it as soon as it is available.

4. Technical Description:

4.1. Details:

The GDM rewrite provides a login experience similar to the gdmlogin GUI provided by the older GDM. The usability has been much improved with a more usable Face Browser and a panel which displays a number of new options. GDM uses the GTK+ widget set and supports accessibility.

The GDM greeter GUI runs as a special user which can be configured. By default the "gdm" user and "gdm" group are used. This user has no special permissions except the ability to read the Xauth keys associated with displays that GDM sets up. This ensures that if a user were somehow to compromise the GDM GUI programs, they would not gain higher privilege such as root permissions. The following text refers to the "gdm" user and "gdm" group, but note that these can be configured to be a different user and/or group if desired.

The GDM login program now has a GUI panel. This provides widgets which show the user the battery status and provides a new interface for manually starting and stopping accessibility programs on demand. The panel can also provide an interface for selecting the keyboard layout to use; however, this keyboard layout switching feature is not available on Solaris since it depends on libxklavier, which is not available on Solaris. If configured, GDM will display "Shutdown" and "Restart" buttons for shutting down and restarting the machine. Refer to section 4.1.9 for more information.

The user can select the username from the Face Browser list and enter the password. The most frequent users are displayed first; the list of frequent users is obtained using the ConsoleKit /usr/bin/ck-history interface. If the user starts typing, the list automatically scrolls down to the users that match that search prefix. The Face Browser also includes an "Other" choice which allows the user to bypass the Face Browser and answer the PAM prompts directly (e.g. username and password) if they wish. This "Other" choice is needed, for example, to log in as a system user (since system users are not displayed in the Face Browser), or to log in as a NIS/LDAP user.

The Face Browser feature can be disabled via configuration so that users simply enter responses to PAM prompts. For example, many Sun Ray users would likely want to disable the Face Browser. If GDM is configured not to display the Face Browser, then the user must click a "Log In" button on the GUI to start the PAM conversation and enter the username and password.

Once the user has entered their username, or selected it via the Face Browser, the panel shows interfaces for selecting the session to log into and the language to use. If there is only one session type installed on the system, the session selection interface is not displayed and GDM logs the user into that one available session. The user's default choices for session and language are automatically selected, so the user only needs to select them on first-time login or if they wish to use a non-default value. If a non-default value is selected, GDM automatically makes it the new default value for that user in subsequent logins.

The new GDM also makes use of the GNOME infrastructure by using gnome-session, gnome-settings-daemon, and the metacity window manager to run the graphical login program. The old GDM did not use these; for example, it used its own light window manager instead. There are some regressions when using the new GDM. Refer to section 4.1.15 for more information.

Note that GDM now provides two types of slaves:

- The gdm-simple-slave, which works similarly to the old GDM in that it manages a single active session at a time.

- The gdm-factory-slave and gdm-product-slave, which run a login screen all the time on a VT. When a user authenticates, the session is started on a different VT. This model supports better user switching.

The gdm-factory-slave/gdm-product-slave are experimental and disabled by default. It is necessary to recompile the code to enable them. Therefore these binaries are not shipped with the Solaris packages.
Only the gdm-simple-slave greeter binary is shipped with Solaris.

4.1.1 Detail About GDM Program Interfaces

- /usr/sbin/gdm-binary [--debug] [--fatal-warnings] [--timed-exit] [--version]

  The main GDM process. It supports arguments for debugging and for printing the version number. One difference from the previous version of GDM is that the main process no longer runs as a daemon. The gdm-binary program spawns slave processes as needed for each display that needs to be managed.

- /usr/bin/gdmdynamic [--add=DISPLAY | --delete=DISPLAY | --list]

  This program calls ck-seat-tool to start or stop a session on a given display, and calls ck-list-sessions to return a listing of displays previously started via ck-seat-tool. This interface will be used by Sun Ray for starting and stopping sessions on Sun Ray devices, but could also be used for dynamically managing other kinds of displays. To use gdmdynamic, it must be run as the same user which is running the main GDM and ConsoleKit daemons, which is normally root. Otherwise the request is ignored. Currently this program is added by a Solaris-specific patch for backwards compatibility. When the Sun Ray product fully integrates with ConsoleKit, this will be removed. New users should use the new ck-seat-tool program.

- /usr/bin/gdmflexiserver [--version] [--debug]

  This program is provided for backwards compatibility. It can be used with no arguments to start a flexible display on a new VT. Aside from the --version and --debug arguments, it no longer supports other arguments that were previously supported by GDM, such as the --command argument. D-Bus interfaces replace the functionality that was previously provided by --command.

- /usr/sbin/gdm-stop

  Script for stopping GDM.

- /usr/bin/gdm-screenshot [--debug]

  A utility for taking a picture of the GDM login GUI screen.

- /usr/lib/gdm-crash-logger
- /usr/share/gdm/gdb-cmd

  If any GDM process receives one of the following signals, then the gdm-crash-logger program is run: SIGSEGV, SIGBUS, SIGILL, SIGABRT, SIGTRAP, SIGFPE, or SIGPIPE. gdm-crash-logger runs the following command to get a stack trace, then prints the stack trace to the syslog:

      gdb --batch --quiet --command=/usr/share/gdm/gdb-cmd --pid=PID

  The /usr/share/gdm/gdb-cmd command script runs the following:

      bt
      thread apply all bt full
      q

  If the call to gdm-crash-logger fails to return with a valid return code, then GDM uses fallback code that calls backtrace(3C) and prints the output to the syslog.

- /usr/lib/gdm-simple-slave

  A slave daemon that runs the gdm-simple-greeter directly.

- /usr/lib/gdm-session-worker

  A separate process which handles PAM/audit interactions. The gdm-simple-slave interacts with it via the gdm-session D-Bus interface. The gdm-simple-slave interacts directly with gdm-session-worker, while gdm-factory-slave uses a relay connection. The gdm-session-worker process also launches the /etc/gdm/Xsession script after successful login, which starts the user session (e.g. gnome-session for a GNOME user session).

- /usr/lib/gdm-simple-greeter

  The default login GUI program. Used by both gdm-factory-slave and gdm-simple-slave.

- /usr/lib/gdm-host-chooser
- /usr/lib/gdm-simple-chooser

  The XDMCP chooser GUI programs. gdm-simple-chooser is intended to be launched from the login GUI, while gdm-host-chooser is an application which can be launched when the user runs the Xserver with the -indirect flag.

- /usr/lib/gdm-user-switch-applet

  The Fast-User-Switch-Applet. When VT is enabled, this applet allows users to quickly switch to a login screen on a separate VT. The username value will be pre-filled if the user has selected a user in the applet, so the user only needs to enter the password. Therefore, this feature may not be useful with some PAM stacks. For example, it would not be useful with a fingerprint reader PAM stack, which would not need username entry. This and other files associated with this applet will only be delivered after VT fully integrates into Solaris. Such other files include:

  - /usr/share/gnome-2.0/ui/GNOME_FastUserSwitchApplet.xml
  - /usr/lib/bonobo/servers/GNOME_FastUserSwitchApplet.server

  Session migration works as follows. When you switch to another VT while you have an existing user session running, the screenlock program is automatically launched so that the VT you just switched away from will be locked. If the user switches back to it, they need to re-authenticate with the lockscreen program to get back into their session. If the user switches to a VT where there is no existing user session running, the user is presented with the GDM login program. If the user tries to log in as a user who already has a session running, migration is done: GDM makes a chvt() call on the Xserver running the existing session, which switches the current active VT to where the user's session is running. In this case it also unlocks the screensaver, since the user does not need to re-authenticate after logging in via the GDM greeter.

- /usr/lib/gdm-xdmcp-chooser-slave

  The slave used when a user is running the XDMCP chooser.

4.1.2 GDM autostart mechanism

The /usr/share/gdm/autostart/LoginWindow directory contains desktop files which follow the FreeDesktop Desktop File Specification. Any program which has a desktop file installed there is automatically run in the login session. So if additional programs should start with the login GUI, a desktop file can be added to this directory. This directory contains the following desktop files, so these programs are always launched in the GDM greeter GUI session:

- gdm-simple-greeter.desktop

  This starts the GDM greeter itself.
- gnome-power-manager.desktop

  gnome-power-manager is launched with GDM so that GDM can report on the battery state.

- gnome-settings-daemon.desktop

  gnome-settings-daemon is always started with GDM.

- metacity.desktop

  The metacity window manager is always started with the GDM greeter.

The autostart directory also contains the following accessibility-related desktop files, so that these programs are autolaunched if the appropriate GConf keys have been set for the "gdm" user.

- at-spi-registryd-wrapper.desktop

  If the /desktop/gnome/interface/accessibility GConf key is set for the "gdm" user, then this ensures the at-spi-registryd process is started.

- gnome-mag.desktop

  If the /desktop/gnome/applications/at/screen_magnifier_enabled GConf key is set for the "gdm" user, then gnome-mag is autolaunched.

- gok.desktop

  If the /desktop/gnome/applications/at/screen_keyboard_enabled GConf key is set for the "gdm" user, then GOK is autolaunched.

- orca-screen-reader.desktop

  If the /desktop/gnome/applications/at/screen_reader_enabled GConf key is set for the "gdm" user, then orca is autolaunched.

Note that many of these desktop files use the FreeDesktop Autostart Specification and the FreeDesktop Startup Notification Specification to ensure that they autorestart if necessary.

Also note that GDM has a bug whereby all GDM login GUIs share the same GConf settings, so that changing a setting (such as enabling an a11y feature) affects logins on all systems. Until this bug is fixed, it is best to disable GDM a11y in multi-user environments.

4.1.3 Detail About GDM Server Configuration

The GDM rewrite uses different configuration mechanisms than the old GDM. The GDM daemon stores default values via GConf in the gdm.schemas GConf file. If these values need to be configured for a given machine, the system administrator is expected to modify the /etc/gdm/custom.conf file. This file is in the same format as the old GDM's, though it supports fewer configuration options. The following options are supported:

chooser/Multicast - Set to "true" or "false". If true, then the chooser sends a multicast query to the local network and collects responses from the hosts that have joined the multicast group. The value is "true" by default.

chooser/MulticastAddr - The link-local multicast address. The value is "ff02::1" by default.

daemon/User - The user who runs GDM GUI applications.

daemon/Group - The group who runs GDM GUI applications.

daemon/AutomaticLoginEnable - Set to "true" or "false". If true, then automatic login is enabled. The value is "false" by default.

daemon/AutomaticLogin - Set to the automatic login user. This can be set to a script with the syntax "|scriptname". If the script returns a valid user, this is used as the user; otherwise AutomaticLogin is considered off for this display. The script is passed $DISPLAY so that the username can be specified differently on a per-display basis.

daemon/TimedLoginEnable - Set to "true" or "false". If true, then timed login is enabled. The value is "false" by default.

daemon/TimedLogin - Set to the timed login user.

daemon/TimedLoginDelay - Timed login delay in seconds. The value is 30 seconds by default.

security/DisallowTCP - Set to "true" or "false". If true, then "-nolisten tcp" is always appended to the Xserver command line. The value is "true" by default in the upstream community. However, on Solaris we set the value to "false" so that the Xserver "options/tcp_listen" SMF property controls whether "-nolisten tcp" is added to the command line or not.

xdmcp/DisplaysPerHost - Maximum number of remote connections from a single host. The value is 1 by default.

xdmcp/Enable - Set to "true" or "false". If true, then XDMCP is enabled. The value is "false" by default.

xdmcp/HonorIndirect - Set to "true" or "false". If true, then XDMCP INDIRECT choosing is enabled. The value is "true" by default.

xdmcp/MaxPending - This integer value controls how many displays can start at the same time. The value is 4 by default.

xdmcp/MaxSessions - The maximum number of remote display connections which will be managed simultaneously. The value is 16 by default.

xdmcp/MaxWait - When GDM is ready to manage a display, an ACCEPT packet is sent to it containing a unique session id. GDM then places the session id in the pending queue, waiting for the display to respond with a MANAGE request. If no response is received within xdmcp/MaxWait seconds, GDM aborts the connection. The value is 30 seconds by default.

xdmcp/MaxWaitIndirect - Determines the maximum number of seconds between the time when a user chooses a host and the subsequent indirect query where the user is connected to the host. If exceeded, the connection is aborted. The value is 30 seconds by default.

xdmcp/PingIntervalSeconds - Interval in seconds at which to ping the Xserver. If the Xserver does not respond before the next ping, the connection is stopped. The value is 15 seconds by default.

xdmcp/Port - XDMCP port to use. The value is 177 by default.

xdmcp/Willing - When the machine sends a WILLING packet back after a QUERY, it sends a string that gives the current status of this server. The default message is the system ID, but it is possible to create a script that displays customized messages. If this script does not exist or if the value is empty, then the default message is sent. If the script succeeds and produces some output, the first line of its output is sent. It runs at most once every 3 seconds to prevent possible denial of service by flooding the machine with QUERY packets. The value is "/etc/gdm/Xwilling" by default.

In addition, GDM integrates with libwrap so the sysadmin can control which hosts may connect via XDMCP.

4.1.4 Detail About GDM Greeter Configuration

The GDM greeter supports configuration via GConf settings stored in the gdm user's $HOME directory. Default values are stored in the gdm-simple-greeter.schemas GConf file.
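Before going into the individual greeter keys, here is an added example that is not part of this case or of GDM itself: a POSIX shell script that reads the daemon-side settings of section 4.1.3 from an /etc/gdm/custom.conf-style file and reports the ones that change how exposed the login path is (TCP listening, XDMCP, automatic and timed login, and the user the GUI runs as). The function names and the sample custom.conf contents are this example's own; the defaults it falls back to are the ones given above.

```shell
#!/bin/sh
# Added example (not GDM project code): audit the daemon-side settings of an
# /etc/gdm/custom.conf-style file. Function names are this example's own;
# defaults mirror the values given in section 4.1.3.

# Flatten an INI-style file into "section/key=value" lines. Comment lines
# (# or ;) and blank lines are skipped; whitespace around keys and values
# is trimmed.
gdm_conf_flatten() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[.*\][ \t]*$/ {
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\][ \t]*$/, "", s)
            section = s; next
        }
        index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print section "/" k "=" v
        }' "$1"
}

# gdm_conf_get FILE SECTION/KEY DEFAULT: print the configured value, or
# DEFAULT when the key is absent. The last occurrence wins.
gdm_conf_get() {
    val=$(gdm_conf_flatten "$1" | awk -v key="$2" '
        index($0, key "=") == 1 { print substr($0, length(key) + 2) }' | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Summarise the settings that widen the login screen's exposure, one
# "name=value" per line, so the output can be diffed across hosts.
gdm_conf_exposure() {
    f=$1
    # Upstream defaults DisallowTCP to true; Solaris ships false so that the
    # Xserver's options/tcp_listen SMF property decides (section 4.1.3).
    printf 'disallow_tcp=%s\n' "$(gdm_conf_get "$f" security/DisallowTCP false)"
    printf 'xdmcp_enable=%s\n' "$(gdm_conf_get "$f" xdmcp/Enable false)"
    printf 'xdmcp_port=%s\n'   "$(gdm_conf_get "$f" xdmcp/Port 177)"
    printf 'auto_login=%s\n'   "$(gdm_conf_get "$f" daemon/AutomaticLoginEnable false)"
    printf 'timed_login=%s\n'  "$(gdm_conf_get "$f" daemon/TimedLoginEnable false)"
    printf 'timed_delay=%s\n'  "$(gdm_conf_get "$f" daemon/TimedLoginDelay 30)"
    printf 'gui_user=%s\n'     "$(gdm_conf_get "$f" daemon/User gdm)"
}

# Write a constructed sample custom.conf to the given path (demo input only).
gdm_conf_write_sample() {
    cat > "$1" <<'EOF'
# GDM configuration storage (constructed sample)
[daemon]
User = gdm
TimedLoginEnable=true
TimedLogin=guest
TimedLoginDelay=10

[security]
DisallowTCP=false

[xdmcp]
Enable=true
EOF
}

# Stand-alone demonstration: write the sample, report it, clean up.
sample=${TMPDIR:-/tmp}/custom.conf.sample.$$
gdm_conf_write_sample "$sample"
gdm_conf_exposure "$sample"
rm -f "$sample"
```

Run against the real /etc/gdm/custom.conf on each host, the exposure summary makes it easy to spot a machine where XDMCP or timed login was switched on, or where the GUI user was changed away from the unprivileged "gdm" account.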
The sysadmin is expected to change the GConf settings in the gdm user's $HOME directory. This can be done via the /usr/bin/gconftool-2 or /usr/bin/gconf-editor tools.

- /apps/gdm/simple-greeter/banner_message_enable

  Boolean value. Controls whether the banner message text is displayed. Default value is false.

- /apps/gdm/simple-greeter/banner_message_text

  String value. Specifies the text banner message to show on the greeter window. Default value is NULL.

- /apps/gdm/simple-greeter/debug

  Boolean value. If true, then debugging mode is enabled for the greeter.

- /apps/gdm/simple-greeter/disable_restart_buttons

  Boolean value. Controls whether to show the restart and shutdown buttons in the login window. Regardless of this setting, GDM also checks whether the "gdm" user (or the user specified in the daemon/User configuration option) has authorization for the solaris.system.shutdown key (the system default is that the "gdm" user does not have such authorization). If not, the buttons are not displayed. Default value is false.

- /apps/gdm/simple-greeter/disable_user_list

  Boolean value. If true, then the Face Browser with known users is not shown. In this case, normal PAM prompting is used.

- /apps/gdm/simple-greeter/logo_icon_name

  String value. Specifies the themed icon name to use for the greeter logo.

- /apps/gdm/simple-greeter/recent-languages

  String value. This is set to a list of languages to be shown by default in the login window. Default value is "[]". With the default setting only the system default language is shown, plus the option "Other...", which pops up a dialog box showing a full list of available languages from which the user can select. Users are not intended to change this setting by hand. Instead GDM keeps track of any languages selected in this configuration key, and shows them in the language combo box along with the "Other..." choice. This way, commonly selected languages are easier to select.

- /apps/gdm/simple-greeter/recent-layouts

  String value. This is set to a list of keyboard layouts to be shown by default in the login panel. Default value is "[]". With the default setting only the system default keyboard layout is shown, plus the option "Other...", which pops up a dialog box showing a full list of available keyboard layouts from which the user can select. Users are not intended to change this setting by hand. Instead GDM keeps track of any keyboard layouts selected in this configuration key, and shows them in the keyboard layout combo box along with the "Other..." choice. This way, commonly selected keyboard layouts are easier to select. Note that this feature is only available if libxklavier is available on the system. On Solaris it is not, so the layout widget is never shown.

- /apps/gdm/simple-greeter/wm_use_compiz

  Boolean value. If true, compiz is used as the window manager instead of metacity. Default is false.

- /apps/gdm/simple-greeter/show_last

  Boolean value. If true, then the language and session choices default to "Last Selected", and GDM uses whatever choices are defined in the user's $HOME/.dmrc file, which is accessed after pam_setcred has completed. Refer to the description of how /var/cache/gdm works in section 4.1.6 for more information. Default is false.

- /apps/gdm/simple-greeter/include_all

  Boolean value. If true, then GDM uses heuristics to determine which users to display in the Face Browser. In this case, it calls fgetpwent(3C) to get the list of local users (and so avoids looking up users via nsswitch.conf). The Face Browser also displays any users that have previously logged in on the system (for example NIS/LDAP users); it gets this list by calling the ck-history ConsoleKit interface. It also filters out any users which do not have a valid shell (valid shells are any shells that getusershell() returns; /sbin/nologin and /bin/false are considered invalid shells even if getusershell() returns them). If false, then GDM more simply displays only users that have previously logged in on the system (local or NIS/LDAP users), by calling the ck-history ConsoleKit interface. In both cases, GDM filters out users with a UID less than 100 and users in the following list: bin, root, daemon, adm, lp, sync, shutdown, halt, mail, news, uucp, operator, nobody, nobody4, noaccess, GDM_USERNAME (normally the "gdm" user), postgres, pvm, rpm, nfsnobody, pcap.

- /apps/gdm/simple-greeter/include

  String value. This can be set to a list of usernames separated by commas. Any valid username listed is automatically added to the Face Browser, regardless of the above include_all setting.

- /apps/gdm/simple-greeter/exclude

  String value. This can be set to a list of usernames separated by commas. Any valid username listed is automatically filtered out of the Face Browser, regardless of the include_all or include settings.

4.1.5 Detail About GDM Script Interfaces

GDM supports the following script interfaces:

- /etc/gdm/Init
- /etc/gdm/PostLogin
- /etc/gdm/PreSession
- /etc/gdm/PostSession

The Init script is run when a display is managed and after the Xserver has started, but before the greeter program is shown. The PostLogin script is run after a user has successfully authenticated, but before any session setup has been done, including before the pam_open_session call. The PreSession script is run after the user session has been initialized, but before starting the user session. The PostSession script is run after the user session exits, when the user terminates their session.

The above four interfaces are directories which contain a Default script. This Default script is run by default. The directories can also contain a per-display script named after the DISPLAY, such as ":0". If such a per-display script exists, it is run instead of the Default script.
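Returning to the Face Browser filtering rules of section 4.1.4 (include_all, include and exclude), the following added example, which is not code from this case or from GDM, reproduces those rules in POSIX shell and awk over constructed inputs, so an administrator can see which accounts the login screen would enumerate before enabling the Face Browser. The passwd-format file stands in for fgetpwent(3C) and, for this example, for the name service; the shells file stands in for getusershell(); the history file stands in for the users ck-history reports. Function names, sample accounts and the treatment of the include list (taken here to bypass the UID and system-name filter) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not GDM project code): reproduce the Face Browser candidate
# filter described in section 4.1.4 over constructed inputs. Function names
# are this example's own.

# Names GDM always drops, plus GDM_USERNAME (the "gdm" user).
GDM_SYSTEM_USERS="bin root daemon adm lp sync shutdown halt mail news uucp operator nobody nobody4 noaccess gdm postgres pvm rpm nfsnobody pcap"

# facebrowser_users PASSWD SHELLS HISTORY INCLUDE_ALL INCLUDE EXCLUDE
#   PASSWD      passwd-format file (stands in for fgetpwent(3C))
#   SHELLS      valid login shells, one per line (stands in for getusershell())
#   HISTORY     users ck-history has seen log in, one per line
#   INCLUDE_ALL "true" or "false" (the include_all GConf key)
#   INCLUDE     comma-separated usernames always shown
#   EXCLUDE     comma-separated usernames never shown
# Prints the usernames that would appear, sorted.
facebrowser_users() {
    awk -v include_all="$4" -v inc="$5" -v exc="$6" -v sys="$GDM_SYSTEM_USERS" '
        BEGIN {
            FS = ":"
            n = split(sys, a, " "); for (i = 1; i <= n; i++) system_user[a[i]] = 1
            n = split(inc, a, ","); for (i = 1; i <= n; i++) if (a[i] != "") include[a[i]] = 1
            n = split(exc, a, ","); for (i = 1; i <= n; i++) if (a[i] != "") exclude[a[i]] = 1
        }
        FILENAME == ARGV[1] { uid[$1] = $3 + 0; shell[$1] = $7; next }
        FILENAME == ARGV[2] {
            # /sbin/nologin and /bin/false never count as valid shells
            if ($0 != "/sbin/nologin" && $0 != "/bin/false") valid_shell[$0] = 1
            next
        }
        FILENAME == ARGV[3] { seen[$0] = 1; next }
        END {
            for (u in uid) {
                if (u in exclude) continue            # exclude wins over everything
                # Assumption of this example: an explicit include bypasses the
                # heuristics below as well as the UID/system-name filter.
                if (u in include) { print u; continue }
                if (u in system_user || uid[u] < 100) continue
                if (include_all == "true") {
                    if ((shell[u]) in valid_shell || u in seen) print u
                } else if (u in seen) {
                    print u
                }
            }
        }' "$1" "$2" "$3" | sort
}

# Write constructed sample inputs into DIR: passwd, shells, history.
facebrowser_write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:Super-User:/:/usr/bin/bash
daemon:x:1:1::/:
gdm:x:50:50:GDM Reserved UID:/var/lib/gdm:/bin/sh
svcbuild:x:99:99:build account:/export/svcbuild:/usr/bin/bash
alice:x:1001:10::/export/home/alice:/usr/bin/bash
bob:x:1002:10::/export/home/bob:/sbin/nologin
carol:x:1003:10::/export/home/carol:/bin/false
dave:x:1004:10::/export/home/dave:/usr/bin/ksh
EOF
    printf '%s\n' /usr/bin/bash /bin/sh /usr/bin/ksh /sbin/nologin /bin/false > "$1/shells"
    printf '%s\n' alice dave > "$1/history"
}

# Stand-alone demonstration.
dir=${TMPDIR:-/tmp}/facebrowser.$$
mkdir -p "$dir" && facebrowser_write_samples "$dir"
echo "include_all=true:          $(facebrowser_users "$dir/passwd" "$dir/shells" "$dir/history" true "" "" | tr '\n' ' ')"
echo "include_all=false:         $(facebrowser_users "$dir/passwd" "$dir/shells" "$dir/history" false "" "" | tr '\n' ' ')"
echo "include=bob, exclude=dave: $(facebrowser_users "$dir/passwd" "$dir/shells" "$dir/history" false bob dave | tr '\n' ' ')"
rm -rf "$dir"
```

With the sample data, both include_all settings list alice and dave: bob and carol are dropped for their shells, svcbuild for its UID, and root, daemon and gdm by name. An explicit include of bob overrides the shell rule, and an exclude of dave overrides everything else, which is the behaviour to rely on when a shared account should never be offered on the login screen.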
- /etc/gdm/Xwilling

  Refer to the "xdmcp/Willing" configuration setting in section 4.1.3. By default, no such script is installed, but the script will work as described in section 4.1.3 if present.

4.1.6 Detail About Other GDM Interfaces

- /usr/share/xsessions

  All display managers which follow the FreeDesktop Desktop File Specification use this directory and expect every available session to have installed a desktop file in it. These desktop files are in the format specified by the FreeDesktop Desktop Specification. The /usr/share/xsessions location is not a part of the specification, but is a de facto standard supported by all popular FreeDesktop display managers such as GDM and KDM. For example, the gnome-session module installs a gnome.desktop file. Such desktop files specify what program to run to start the session. When using GDM, the specified program for the session is run by the /etc/gdm/Xsession script. If only one desktop file is installed in this directory, then GDM does not show the user a dialog to select the session and starts the only available session. GDM delivers a /usr/share/xsessions/xterm.desktop to allow users to log into an xterm window, much like the Failsafe option in the older GDM.

- /var/cache/gdm
- $HOME/.dmrc
- $HOME/.face

  The $HOME/.dmrc file contains the user's default language and session choices. Unless the user picks a different language or session in the greeter dialog, the choices from this file are used. If the file does not exist, it is created on first-time login with the choices selected. This file is in standard INI format. For example, a file could contain these lines:

      [Desktop]
      Session=gnome
      Language=cs_CZ.UTF-8

  The $HOME/.face file contains the user's default image to be used in the Face Browser.

  So that GDM does not access the user's $HOME directory before pam_setcred, the above $HOME/.dmrc and $HOME/.face files are accessed via a cache in /var/cache/gdm. It is necessary for GDM not to access the $HOME directory before pam_setcred because doing so causes problems for certain configurations, such as Kerberos. The cache works as follows:

  - The SUNWgnome-display-mgr-root package would install a directory /var/cache/gdm. This directory will be owned by root:gdm with 640 permissions.

  - At run-time GDM would create a directory /var/cache/gdm/user-$uid when a user logs in, if the directory does not already exist. Two files are placed in this directory: dmrc and face.

  - If the /var/cache/gdm/user-$uid/dmrc file does not exist, then GDM logs the user into the default session/language or whichever ones they selected in the GUI. Then it saves the dmrc file to the cache with the default settings. On next login, the defaults are read from the cache.

  - On first login the /var/cache/gdm/user-$uid/face file will not exist, so the user will see a generic user icon for their face. After authentication, GDM checks whether the user has a defined face and copies it to the cached file. Also, on logout, GDM checks again whether the user has a defined face and copies it to the cached file. Updating the cache on logout ensures the face image will be available on next login if the user defined it during their session. The face image is only copied to the cache if one is not already in the cache or if the cached file is older.

  - The show_last configuration option is also available to make GDM behave much like the old GDM, where the default language/session choice is "Last Selected". When this configuration option is set to true, GDM copies the user's $HOME/.dmrc file into the cache after pam_setcred and simply logs into whatever session the user has defined there. This will be useful in Sun Ray environments where there is a cluster of servers, the caches on different machines could otherwise get out of sync, and you really want to use whatever defaults the user has defined in their $HOME directory.

- /var/lib/gdm
- /var/lib/gdm/.gconf.path
- /var/lib/gdm/.gconf.mandatory/%gconf-tree.xml

  /var/lib/gdm is the default $HOME directory for the GDM user. This directory contains standard GConf files where the user can store modified configuration options, though users would likely use the /usr/bin/gconftool-2 or /usr/bin/gconf-editor programs to modify the settings instead of editing the files directly. The /var/lib/gdm/.gconf.path file is a standard interface that is loaded by the /etc/gconf/2/path file after loading the system GConf mandatory settings. This file simply specifies that /var/lib/gdm/.gconf.mandatory overrides any normal system settings. The /var/lib/gdm/.gconf.mandatory/%gconf-tree.xml file specifies configuration settings that are specific to GDM. For example, these settings are used to lock down the session used while the GDM GUI is showing: keybindings are disabled so the user cannot use normal keybindings to launch applications. GDM uses the GCONF_DEFAULT_SOURCE_PATH environment variable to ensure that each display uses its own GConf configuration. This way changes in GConf only affect the greeter in a per-seat manner.

- /var/run/gdm

  This directory is used for storing Xauth keys for all active sessions. It has the following permissions:

      drwxrwxr-t 4 root gdm 273 Jan 30 18:39 gdm

  This directory contains a subdirectory for each Xauth key. For user "foo", the directory would be auth-for-foo-XXXXX, where mkdtemp(3C) is used to build a unique name, replacing the "XXXXX" string with a unique string. The Xauth key is stored in a file in this directory called "database", which has read-write permissions only for the user.
  Note that GDM packages do not install any files to /var/run. Files in this directory are created when GDM starts.

4.1.7 Detail About Other GDM Environment Variable Usage

When GDM runs various internal processes, the GDM_CHOOSER_DBUS_ADDRESS and GDM_GREETER_DBUS_ADDRESS environment variables are set so that the D-Bus address of the chooser and greeter can be accessed.

GDM GUI programs read the GNOME_ACCESSIBILITY environment variable. If it is set, they start the accessibility registry so that accessibility programs work. This environment variable is set by gnome-session if the "gdm" user has configured accessibility to be enabled.

GDM GUI programs read DESKTOP_AUTOSTART_ID. If it is set, the program registers itself with the session manager. This way the greeter auto-restarts if it crashes. This environment variable is normally set by the session manager because the gdm-simple-greeter.desktop file (discussed in section 4.1.2) specifies X-GNOME-Autostart-Notify=true.

Also, common environment variables such as G_DEBUG and GTK_MODULES affect GDM in the expected manner.

When starting a user session, the following environment variables are set:

  DESKTOP_SESSION     - Set to the session name the user has chosen, such as "gnome" when logging into the GNOME desktop.
  GDMSESSION          - Set to the same value as DESKTOP_SESSION.
  LANG                - Set to the language choice selected when the user logged in.
  GDM_LANG            - Set to the same value as LANG.
  GDM_KEYBOARD_LAYOUT - Set to the keyboard layout choice selected when the user logged in.
  DISPLAY             - Set to the DISPLAY value.
  HOME                - Set to the user's $HOME directory.
  LOGNAME             - Set to the username logging in.
  PATH                - Set to "/usr/bin". However, if the /etc/default/login file specifies a value for PATH it is always used; except for the root user, which uses the SUPATH value.
  SHELL               - Set to the user's shell.
  USER                - Set to the username logging in.
  USERNAME            - Set to the username logging in.
  XAUTHORITY          - Set to the location of the Xauth file.
  XDG_SESSION_COOKIE  - Provided by ConsoleKit and passed along to the user session.

When running scripts (Init, PostLogin, PreSession, PostSession), the following are set so that the scripts can access user information. Note that in the case of the Init script, no username is set, so getpwnam will not return valid values.

  HOME              - If getpwnam returns a valid $HOME directory, it is set to that value, otherwise set to "/".
  PWD               - If getpwnam returns a valid $HOME directory, it is set to that value, otherwise set to "/".
  SHELL             - If getpwnam returns a valid shell, it is set to that value, otherwise set to "/bin/sh".
  DISPLAY           - Set to the DISPLAY value.
  LOGNAME           - Set to the username of the user logging in.
  REMOTE_HOST       - Set to the hostname if non-local (e.g. XDMCP).
  RUNNING_UNDER_GDM - Set to "true".
  USER              - Set to the username of the user logging in.
  USERNAME          - Set to the username of the user logging in.
  XAUTHORITY        - Set to the location of the Xauth file.

When starting the Xserver, the following environment variables are set:

  DISPLAY    - Set to the DISPLAY value.
  HOME       - If getpwnam returns a valid $HOME directory, it is set to that value, otherwise set to "/".
  SHELL      - If getpwnam returns a valid shell, it is set to that value, otherwise set to "/bin/sh".
  XAUTHORITY - Set to the location of the Xauth file.

4.1.8 Detail About Xserver interfaces

GDM starts the Xserver via the /usr/X11/bin/Xserver script. It then waits until it receives the USR1 signal, which the Xserver sends when it is initialized and ready to use. On Solaris, the Solaris-private SDTLOGIN interface (/var/dt/sdtlogin) is used to drop the Xserver to user permissions after authentication for added security. GDM supports all Xserver a11y features (sticky keys, slow keys, etc.). The GDM Accessibility dialog also allows users to turn on these features via a checkbutton, but the normal keybindings for launching these a11y features also work.
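Looking back at the /var/run/gdm layout of section 4.1.6 and the XAUTHORITY variable of section 4.1.7: the security property worth checking is that each session's Xauth "database" file is readable only by its owner, because anyone who can read it can connect to that display. The following added example, which is not code from this case or from GDM, builds the described layout in a scratch directory (mktemp -d standing in for mkdtemp(3C)) and audits it with an ls(1)-based check that works on any POSIX system. The base directory, usernames and function names are this example's own.

```shell
#!/bin/sh
# Added example (not GDM project code): build and audit the per-session Xauth
# layout described for /var/run/gdm in section 4.1.6. Base directory and
# usernames are constructed; function names are this example's own.

# gdm_auth_base_init DIR: create the base with the mode the case lists
# (drwxrwxr-t, i.e. 1775). Ownership root:gdm is left to the installer,
# since this example need not run as root.
gdm_auth_base_init() {
    mkdir -p "$1" && chmod 1775 "$1"
}

# gdm_auth_dir_create BASE USER: make a unique auth-for-USER-XXXXXX directory
# (mktemp -d plays the role of mkdtemp(3C)) holding an empty "database" file
# that only the creating user can read or write (0600 via umask 077).
# Prints the directory path.
gdm_auth_dir_create() {
    d=$(mktemp -d "$1/auth-for-$2-XXXXXX") || return 1
    (umask 077 && : > "$d/database") || return 1
    printf '%s\n' "$d"
}

# gdm_auth_audit BASE: print "<perms> <path>" for every database file whose
# group or other bits are set, i.e. a key that more than its owner could read.
# Prints nothing when the layout is clean. Uses ls -l because find -perm with
# a "/mode" argument is not POSIX.
gdm_auth_audit() {
    for db in "$1"/auth-for-*/database; do
        [ -f "$db" ] || continue
        perms=$(ls -l "$db" | cut -c5-10)
        [ "$perms" = "------" ] || printf '%s %s\n' "$perms" "$db"
    done
    return 0
}

# Stand-alone demonstration with a constructed base directory.
base=$(mktemp -d "${TMPDIR:-/tmp}/gdm-run.XXXXXX")
gdm_auth_base_init "$base"
d1=$(gdm_auth_dir_create "$base" foo)
d2=$(gdm_auth_dir_create "$base" bar)
chmod 644 "$d2/database"      # simulate a key left group/world readable
ls -ld "$base"
gdm_auth_audit "$base"        # reports only bar's database
rm -rf "$base"
```

Pointing gdm_auth_audit at the real /var/run/gdm (as a user that can traverse it) gives a quick post-boot check that no session key has been loosened; an empty result is the expected state.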
4.1.9 ConsoleKit Integration

GDM uses ConsoleKit to keep track of information about each running session. This information is also useful to other programs, such as the Fast User Switch applet, so ConsoleKit provides a standard interface for getting this information via D-Bus.

GDM provides Shutdown and Reboot buttons for shutting down and restarting the system. These buttons are only available if enabled in the configuration and if the "gdm" user has authorization for the solaris.system.shutdown RBAC key (the system default is that the "gdm" user does not have such authorization). GDM does not perform the actual shutdown/restart operation itself, but sends a message to ConsoleKit, which does the work. Note that ConsoleKit will also only allow these operations if the requesting user (the "gdm" user when the button is pressed on the GDM login GUI) has RBAC permissions for the solaris.system.shutdown key.

GDM calls /usr/lib/ck-get-x11-display-device after starting the Xserver to find out the TTY associated with the Xserver on a given display. GDM calls /usr/bin/ck-history when using the Face Browser to show the most frequently logged in users first, making it easier for such users to log in quickly. The gdmdynamic program calls ck-seat-tool to actually start a dynamic display.

4.1.10 logindevperm Integration

On Solaris, the logindevperm(4) interfaces are called after the user authenticates to ensure that the user has appropriate device permissions after login. This is only done for users who are logging into the console. GDM checks whether the associated device is "/dev/console" or a VT device (/dev/vt/*) and only calls logindevperm if one of these devices is being used.

4.1.11 SMF Integration

GDM includes SMF integration files to start and stop GDM as a service, much like the previous version of GDM. It also makes use of ctrun(1) to ensure that processes that crash in the user session do not cause the GDM service to restart.
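As an added example (not GDM's own code), the following C combines the console/VT device test from section 4.1.10 with the /etc/default/login rules described in section 4.1.12 below: it parses a constructed /etc/default/login sample, decides whether root may log in on a given device, which PATH a session receives, and which PAM flag PASSREQ implies. Assumptions not stated on the page: the CONSOLE comparison is an exact match on the device path, root falls back to "/usr/bin" when SUPATH is unset, and PAM_DISALLOW_NULL_AUTHTOK is defined locally so the file builds without PAM headers.

```c
#include <stdio.h>
#include <string.h>

/* From <security/pam_appl.h>; redefined here so this builds without PAM
 * headers installed (the value is 0x2 on both Solaris and Linux-PAM). */
#ifndef PAM_DISALLOW_NULL_AUTHTOK
#define PAM_DISALLOW_NULL_AUTHTOK 0x2
#endif

struct login_defaults { char console[64], path[256], supath[256]; int passreq; };

/* 4.1.10: logindevperm is applied only for the console or a VT device. */
int is_console_device(const char *dev)
{
    return dev && (!strcmp(dev, "/dev/console") || !strncmp(dev, "/dev/vt/", 8));
}

/* Parse the KEY=VALUE lines of /etc/default/login text already in memory;
 * '#' comment lines and keys GDM does not honour are skipped. */
void parse_login_defaults(const char *text, struct login_defaults *d)
{
    char line[512];
    memset(d, 0, sizeof *d);
    while (*text) {
        const char *eol = text + strcspn(text, "\n");
        size_t n = (size_t)(eol - text);
        if (n >= sizeof line) n = sizeof line - 1;       /* clip long lines */
        memcpy(line, text, n);
        line[n] = '\0';
        text = *eol ? eol + 1 : eol;
        char *eq = strchr(line, '=');
        if (line[0] == '#' || !eq) continue;
        *eq = '\0';                                      /* split KEY=VALUE */
        if (!strcmp(line, "CONSOLE")) snprintf(d->console, sizeof d->console, "%s", eq + 1);
        else if (!strcmp(line, "PATH")) snprintf(d->path, sizeof d->path, "%s", eq + 1);
        else if (!strcmp(line, "SUPATH")) snprintf(d->supath, sizeof d->supath, "%s", eq + 1);
        else if (!strcmp(line, "PASSREQ")) d->passreq = !strcmp(eq + 1, "YES");
    }
}

/* 4.1.12: with CONSOLE set, root may log in only on that device (assumption:
 * the comparison is an exact match on the device path). */
int root_login_allowed(const struct login_defaults *d, const char *dev)
{
    return d->console[0] == '\0' || (dev && !strcmp(d->console, dev));
}

/* 4.1.7: PATH is "/usr/bin" unless /etc/default/login sets PATH (normal
 * users) or SUPATH (root); assumption: root gets no PATH fallback. */
const char *session_path(const struct login_defaults *d, int is_root)
{
    const char *p = is_root ? d->supath : d->path;
    return p[0] ? p : "/usr/bin";
}

/* 4.1.12: PASSREQ=YES adds PAM_DISALLOW_NULL_AUTHTOK for pam_authenticate()
 * and pam_acct_mgmt(), so accounts with empty passwords are rejected. */
int pam_auth_flags(const struct login_defaults *d)
{
    return d->passreq ? PAM_DISALLOW_NULL_AUTHTOK : 0;
}

/* Constructed sample input; not read from a real system. */
static const char SAMPLE_LOGIN_DEFAULTS[] =
    "# constructed /etc/default/login\nCONSOLE=/dev/console\nPASSREQ=YES\n"
    "PATH=/usr/bin:/usr/sfw/bin\nSUPATH=/usr/sbin:/usr/bin\n";
```

With the sample above, root is refused on /dev/vt/2 (CONSOLE restricts root to /dev/console) even though /dev/vt/2 still qualifies for logindevperm handling.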
4.1.12 /etc/default/login Integration

GDM supports the CONSOLE, PASSREQ, PATH, and SUPATH configuration options. When CONSOLE is set to "/dev/console", root is only allowed to log in via the console. The settings for PATH and SUPATH are used as the default PATH for normal users (PATH) or the root user (SUPATH). When PASSREQ is "YES", the PAM_DISALLOW_NULL_AUTHTOK flag is used when calling pam_authenticate and pam_acct_mgmt.

4.1.13 GDM Xsession Script

The GDM Xsession script starts the user session. The user session is started by the process that does the PAM and audit work, after pam_open_session(3PAM) is called and before pam_close_session(3PAM) is called.

The GDM Xsession script sources /etc/profile, /etc/xprofile, and $HOME/.profile before starting the user session. Any of these files that does not exist on the system is skipped. Any scripts in /etc/X11/xinit/xinitrc.d are sourced before starting the user session. This allows for distro-specific startup configuration.

The GDM Xsession script also calls xrdb to merge resources. On Solaris it calls "xrdb -merge $HOME/.Xresources" if such a file exists. The Xsession script uses /usr/bin/zenity to display any error dialogs to the user.

4.1.14 Handling Of Dueling Login Applications

ASARC 1994/437 discussed the issue of multiple login applications competing for the console. Dtlogin currently provides a poor "solution" whereby the user is asked to ignore the text-based login prompt that was just displayed and to wait a few seconds for the dtlogin screen to appear. ASARC 1995/390 provided advisory information to the effect that the next version of this project would not be approved if it had not eliminated this problem. GDM plans to resolve this problem by making use of VT when it is available. This will provide users with a reasonable mechanism to "drop to console" on demand.

4.1.15 Regressions

The new GDM does not support the degree of configurability that was supported by the older GDM.
Many features were removed since they were seen as unnecessary. Regressions worthy of note include the following:

- GDM configuration interfaces have changed. Therefore users may need to reconfigure GDM if they want the GUI to behave in a non-default manner.

- GDM no longer supports managing Xnest/Xephyr login windows, so this feature and the "Login in a window" menu option are no longer available.

- GDM no longer supports gdmgreeter style themes. The new GDM has more limited branding options, such as changing the background image that is used.

- GDM no longer provides the ability to start the chooser program from the login greeter GUI program.

- GDM no longer provides the "gdmsetup" program, so there is no longer a GUI interface for configuring GDM. In some ways this is a good thing, since the old gdmsetup could only be run with root privileges. The gdmsetup program has long needed to be rewritten to be more sensible about requiring privilege to run, such as using RBAC on Solaris or PolicyKit on Linux to allow any authorized user to configure the login screen. Note that Canonical is currently in the process of writing a new "gdmsetup" program and it should be available in the near future. It currently uses PolicyKit, so some work will be needed to make it work with RBAC on Solaris instead. However, it is expected that this feature will be reintroduced in the following GNOME release cycle.

- GDM no longer provides gesture listeners, so accessibility programs cannot be launched on demand. Instead, such programs can be configured to be always on or always off. GDM does also provide a dialog where users can turn accessibility programs on or off. However, this is obviously only useful to users who can navigate the GUI.

- While GDM does provide a /usr/share/xsessions/xterm.desktop file so that users can log into a terminal window, this is not a true "Failsafe Session".
  This xterm.desktop file starts a user session that still runs the /etc/gdm/Xsession script and sources the user's $HOME/.profile, so it cannot be used to correct configuration errors in the user's $HOME/.profile. Users will need to use an alternative mechanism, such as VT switching, to do this sort of thing.

4.2. Interfaces:

Exported Interfaces                                         Stability          Comments
----------------------------------------------------------- ------------------ ----------------------------------------
SUNWgnome-display-mgr                                       Uncommitted        Package name.
SUNWgnome-display-mgr-root                                  Uncommitted        Package name.
svc:/application/graphical-login/gdm:default                Uncommitted        GDM FMRI.
/var/svc/manifest/application/graphical-login/gdm.xml       Project Private    SMF manifest integration.
/lib/svc/method/svc-gdm                                     Volatile           SMF integration start, stop, and restart script.
/usr/bin/gdm-screenshot                                     Volatile           See 4.1.1.
/usr/bin/gdmdynamic                                         Obsolete Volatile  See 4.1.1.
/usr/bin/gdmflexiserver                                     Volatile           See 4.1.1.
/usr/sbin/gdm-binary                                        Volatile           See 4.1.1.
/usr/sbin/gdm-stop                                          Volatile           See 4.1.1.
/usr/lib/gdm-crash-logger                                   Volatile           See 4.1.1.
/usr/lib/gdm-host-chooser                                   Volatile           See 4.1.1.
/usr/lib/gdm-session-worker                                 Volatile           See 4.1.1.
/usr/lib/gdm-simple-chooser                                 Volatile           See 4.1.1.
/usr/lib/gdm-simple-greeter                                 Volatile           See 4.1.1.
/usr/lib/gdm-simple-slave                                   Volatile           See 4.1.1.
/usr/lib/gdm-user-switch-applet                             Volatile           See 4.1.1. Only delivered after VT integrates.
/usr/lib/gdm-xdmcp-chooser-slave                            Volatile           See 4.1.1.
/usr/share/gdm/gdb-cmd                                                         See 4.1.1.
/usr/share/gdm/autostart/LoginWindow                        Uncommitted        See 4.1.2.
/etc/gdm/custom.conf                                        Uncommitted        See 4.1.3.
/etc/gdm/gdm.schemas                                        Uncommitted        GConf configuration for server. See 4.1.3.
/etc/gconf/schemas/gdm-simple-greeter.schemas               Uncommitted        GConf configuration for greeter. See 4.1.4.
/etc/gdm/Init/Default                                       Uncommitted        See 4.1.5.
/etc/gdm/PostLogin/Default                                  Uncommitted        See 4.1.5.
/etc/gdm/PreSession/Default                                 Uncommitted        See 4.1.5.
/etc/gdm/PostSession/Default                                Uncommitted        See 4.1.5.
/etc/gdm/Xwilling                                           Uncommitted        See 4.1.5. No file is shipped by default.
/etc/gdm/Xsession                                           Uncommitted        See 4.1.13.
/etc/X11/xinit/xinitrc.d                                    Uncommitted        See 4.1.13.
/usr/share/xsessions                                        Uncommitted        See 4.1.6.
/usr/share/xsessions/xterm.desktop                          Uncommitted        See 4.1.6.
/var/cache/gdm                                              Volatile           Cached face images and dmrc files. See 4.1.6.
/var/lib/gdm                                                Uncommitted        $HOME directory for "gdm" user. See 4.1.6.
/var/lib/gdm/.gconf.mandatory/%gconf-tree.xml               Uncommitted        See 4.1.6.
/var/lib/gdm/.gconf.path                                    Uncommitted        See 4.1.6.
$HOME/.dmrc                                                 Volatile           See 4.1.6.
$HOME/.face                                                 Volatile           See 4.1.6.
/usr/share/gdm/gdm-greeter-login-window.glade               Volatile           Glade file.
/usr/share/gnome-2.0/ui/GNOME_FastUserSwitchApplet.xml      Volatile           UI XML file. Only delivered after VT integrates.
/usr/share/gnome/help/gdm                                   Volatile           Help files.
/usr/share/icons/hicolor/                                   Volatile           Icons for GDM.
/usr/share/pixmaps/faces/                                   Volatile           Face images for face browser.
/usr/lib/bonobo/servers/GNOME_FastUserSwitchApplet.server   Volatile           Bonobo applet integration. Only delivered after VT integrates.
/etc/dbus-1/system.d/gdm.conf                               Volatile           D-Bus integration.
/var/log/gdm                                                Volatile           Contains log files for all running Xservers.
/var/run/gdm                                                Volatile           Contains Xauth cookies for all running sessions. See 4.1.6.
DESKTOP_SESSION                                             Uncommitted        See 4.1.7.
GDMSESSION                                                  Uncommitted        See 4.1.7.
GDM_LANG                                                    Uncommitted        See 4.1.7.
GDM_KEYBOARD_LAYOUT                                         Uncommitted        See 4.1.7.

Note section 4.1.15, which discusses regressions associated with the following obsolete interfaces. Also note that GDM interfaces were defined as Volatile in "LSARC 2008/207 GNOME 2.22".

Removed Interfaces                                          Stability          Comments
----------------------------------------------------------- ------------------ ----------------------------------------
/usr/bin/gdmXnest                                           Obsolete Volatile  GDM no longer supports managing Xnest style logins.
/usr/bin/gdmXnestchooser                                    Obsolete Volatile  Ditto.
/usr/bin/gdmphotosetup                                      Obsolete Volatile  User photos are now selected via the "About Me" capplet.
/usr/bin/gdmthemetester                                     Obsolete Volatile  gdmgreeter style themes no longer supported.
/usr/sbin/gdmsetup                                          Obsolete Volatile  GDM no longer supports a configuration GUI.
/usr/lib/gdmchooser                                         Obsolete Volatile  Replaced with new chooser.
/usr/lib/gdmgreeter                                         Obsolete Volatile  Replaced with new greeter.
/usr/lib/gdmlogin                                           Obsolete Volatile  Replaced with new greeter.
/usr/lib/gtk-2.0/modules/libdwellmouselistener.so           Obsolete Volatile  No longer supports a11y gestures.
/usr/lib/gtk-2.0/modules/libkeymouselistener.so             Obsolete Volatile  No longer supports a11y gestures.
/usr/share/gdm/BuiltInSessions/default.desktop              Obsolete Volatile  This provided a session option for users to log in via an .Xinitrc script. A user who wanted this could easily define their own to do the same thing. Removed from upstream because few people use it.
/usr/share/gdm/applications/gdmflexiserver-xnest.desktop    Obsolete Volatile  See gdmXnest above.
/usr/share/gdm/applications/gdmphotosetup.desktop           Obsolete Volatile  See gdmphotosetup above.
/usr/share/gdm/applications/gdmsetup.desktop                Obsolete Volatile  See gdmsetup above.
/usr/share/gdm/defaults.conf                                Obsolete Volatile  Defaults now stored in GConf.
/usr/share/gdm/factory-defaults.conf                        Obsolete Volatile  Ditto.
/usr/share/gdm/gdmchooser.glade                             Obsolete Volatile  No longer needed.
/usr/share/gdm/gdmphotosetup.glade                          Obsolete Volatile  No longer needed.
/usr/share/gdm/gdmsetup.glade                               Obsolete Volatile  No longer needed.
/usr/share/gdm/themes                                       Obsolete Volatile  No longer supports gdmgreeter style themes.
/usr/share/gdm/gdmprefetchlist                              Obsolete Volatile  No longer supported.
/usr/share/gdm/locale.alias                                 Obsolete Volatile  No longer needed.
/etc/X11/gdm/modules/AccessDwellMouseEvents                 Obsolete Volatile  No longer supports a11y gestures.
/etc/X11/gdm/modules/AccessKeyMouseEvents                   Obsolete Volatile  Ditto.
/etc/X11/gdm/modules/factory-AccessDwellMouseEvents         Obsolete Volatile  Ditto.
/etc/X11/gdm/modules/factory-AccessKeyMouseEvents           Obsolete Volatile  Ditto.
GDM Configuration options                                   Obsolete Volatile  Refer to [1].

Imported Interfaces                                         Stability          Comments
----------------------------------------------------------- ------------------ ----------------------------------------
/var/dt/sdtlogin/$DISPLAY                                   Contracted         ASARC 1995/390
chkauthattr                                                 Stable             PSARC 1997/332
X11                                                         Standard           PSARC 1998/299
XDMCP                                                       Standard           X.org X Display Manager Control Protocol
/usr/X11/bin/Xserver                                        Standard           PSARC 1998/299
/usr/lib/gnome-settings-daemon                              External           LSARC 2001/352
/usr/bin/metacity                                           External           LSARC 2001/420
/usr/lib/at-spi-registryd                                   Evolving           LSARC 2001/650
/usr/bin/gok                                                External           LSARC 2002/292
/usr/bin/magnifier (GNOME-mag)                              External           PSARC 2002/525
/usr/bin/zenity                                             Volatile           LSARC 2004/456
/var/svc/profile/upgrade                                    Contracted         PSARC 2002/547
Solaris Auditing                                            Contracted         PSARC 2003/397
/etc/logindevperm                                           Contracted         PSARC 2003/612
Tamarack (HAL)                                              Volatile           PSARC 2005/399
/usr/bin/orca                                               Committed          LSARC 2005/504
GNOME Base Libraries                                        Committed          LSARC 2006/202
D-Bus & dbus-glib                                           Volatile           LSARC 2006/368
Virtual Console                                             Committed          PSARC 2006/591, PSARC 2008/515
GNOME Power Manager                                         Volatile           LSARC 2007/702
libwrap                                                     Committed          PSARC 2000/488, PSARC 2008/164
GDM System user homedir                                     Uncommitted        PSARC 2008/662
ConsoleKit                                                  Volatile           LSARC 2009/432
/usr/lib/ck-get-x11-display-device                          Volatile           LSARC 2009/432. See 4.1.13.
XDG_SESSION_COOKIE                                          Volatile           LSARC 2009/432
solaris.system.shutdown key                                 ?                  ????? ????/???
User environment variables                                  Standard           e.g. HOME, SHELL, etc. See 4.1.7.
/etc/default/login                                          ?                  See 4.1.12.
/etc/profile                                                ?                  See 4.1.13.
/etc/xprofile                                               ?                  See 4.1.13.
$HOME/.profile                                              ?                  See 4.1.13.

4.3. Doc Impact:

Man pages are needed.

4.4. Packaging & Delivery:

SUNWgnome-display-mgr, SUNWgnome-display-mgr-root - packages for GDM.

4.5. Dependencies:

LSARC 2003/261 GDM2 - GNOME Display Manager
LSARC 2005/417 GDM2 as default Solaris Display Manager
PSARC 2006/591 Virtual Console
PSARC 2008/033 Removal of Xsun
PSARC 2008/515 Virtual Console Update
PSARC 2008/662 GDM System user home directory
LSARC 2009/432 ConsoleKit

Since VT support requires driver support, user switching features will not work on systems where the graphics driver does not support VT.

Note that the GDM themes previously delivered to /usr/share/gdm/themes by the SUNWgnome-themes package will no longer be delivered once the new GDM is integrated, since they will no longer be used.

4.6. L10N Impact:

The Desktop team and the G11N team are working together to evaluate and provide I18N/L10N support.

4.7. Security Impact:

GDM makes use of PAM to ensure that username and password information is handled in a secure manner.

GDM GUI programs are run as the "gdm" user to ensure that if they are exploited in any way, the attacker does not gain privilege. The "gdm" user is configured with the minimal privileges necessary for the login GUI programs to run. The "gdm" user does have the authority to read Xauth keys for all running Xservers, so if this user were compromised there would be some risk, since it would then be possible to snoop on or affect programs running on any Xserver on the system. Xserver Xauth keys are only accessible by the user who owns them, the root user, and the gdm user, to ensure that they are kept as secure as possible.

The /var/lib/gdm and /var/log/gdm directories are owned by root:gdm and do not have world read/execute/write permissions, so that normal users cannot access or tamper with files in these directories. GDM scripts and configuration files in the /etc and /usr/share directories can only be modified by a user with root privilege.

GDM D-Bus IPC communication is only allowed for processes started by the GDM daemon, so normal users cannot interact with GDM via D-Bus.
GDM makes use of logindevperm to manage device permissions for users logging into the console or via Virtual Terminals.

GDM sets its default XDMCP configuration in a manner that helps to avoid denial-of-service type attacks.

The security/DisallowTCP configuration is set to "false" by default in the GDM configuration. The Xserver "options/tcp_listen" SMF property controls whether "-nolisten tcp" is added to the Xserver command line or not.

When starting the Xserver, GDM uses the /var/dt/sdtlogin/$DISPLAY interface to drop the Xserver to user permissions, for added security.

GDM makes use of RBAC so that the Shut Down and Reboot options are only available if the "gdm" user has authorization for the solaris.system.shutdown RBAC key. The system default is that the "gdm" user does not have such authorization. The following cases relate to how the Shut Down and Reboot functions work with the Desktop stack:

LSARC 2007/702 GNOME Power Manager
PSARC 2008/021 HAL Power Management Support
PSARC 2008/034 Defining Workstation Owner Infrastructure
LSARC 2008/262 GNOME shutdown dialog

5. Reference Documents:

[1] ./unsupported-defaults.conf - File showing configuration options no longer supported.

GDM Website: http://projects.gnome.org/gdm/
Current GDM 2.27.4 Documentation: http://library.gnome.org/admin/gdm/2.27/gdm.html
GDM Wiki: http://live.gnome.org/GDM
GDM Redesign Information: http://live.gnome.org/GDM/NewDesign
FreeDesktop Desktop Base Directory Specification: http://www.freedesktop.org/wiki/Specifications/basedir-spec
FreeDesktop Desktop Entry Specification: http://www.freedesktop.org/wiki/Specifications/desktop-entry-spec
FreeDesktop Startup Notification Specification: http://www.freedesktop.org/wiki/Specifications/startup-notification-spec
FreeDesktop Autostart Specification: http://www.freedesktop.org/wiki/Specifications/autostart-spec