README.install
QUICK NOTES ON INSTALLATION/USE:

General
=======

If you didn't compile Gnome yourself, make sure you have the appropriate
-devel packages installed.

If building from CVS, there is a script gdm-build.sh in the root of the
tree that you can use to build gdm and then install it with "make install".
The setup is like Red Hat.

WARNING: gdm is a *daemon* -- not a common user application. It requires
extensive knowledge about your system setup to install and configure. gdm
isn't - and never will be - Plug and Play (i.e. ./configure ; make install).

Security
========

For security reasons a dedicated user and group id are required for proper
operation! This userid is used to run the GDM GUI programs required for
login. All functionality that requires root authority is done by the GDM
daemon process. This design ensures that if the GUI programs are somehow
exploited, only the dedicated user privileges are available.

By default GDM assumes the user and the group are called `gdm'. These are
configured via the User and Group configuration options in the gdm.conf
file. The user and group should be created before running "make install".
Distributions and system administrators using GDM are expected to set up
the dedicated user properly. It is recommended that this userid be
configured to disallow login and to not have a default shell.
Distributions and system administrators should set up the filesystem to
ensure that the GDM user does not have read or write access to sensitive
files.

A dedicated gdm userid/group is necessary because the GDM user does require
certain special permissions. It must be able to read and write Xauth keys
to /var/lib/gdm. This directory should have root:gdm ownership and 1770
permissions. Running "make install" will set this directory to these
values. You will need to modify the configure/Makefile if you want to use
a different group than gdm. The GDM daemon process will reset this
directory to proper ownership/permissions if it is somehow not set
properly.
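As an added example (not part of GDM or this README), a small POSIX shell
audit of the two requirements above: the gdm account must have no login
shell, and /var/lib/gdm must be root:gdm with mode 1770. The live check
assumes getent(1) and GNU stat(1) with -c; the sample passwd entries are
constructed.

```shell
#!/bin/sh
# Added example, not GDM's own code: audit the dedicated gdm account and the
# Xauth directory against the requirements described above. The checks take
# their inputs as arguments so they can be exercised on constructed values
# as well as on live system data.

# check_gdm_account PASSWD_LINE
# Succeeds when the 7th passwd field (login shell) is a non-login shell.
# An empty field is NOT accepted: passwd(5) falls back to /bin/sh for it.
check_gdm_account() {
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case "$shell" in
        */nologin|*/false) return 0 ;;
        *)                 return 1 ;;
    esac
}

# check_gdm_dir OWNER GROUP MODE
# /var/lib/gdm must be root:gdm, mode 1770 (sticky bit, rwx for root and
# the gdm group, nothing for others).
check_gdm_dir() {
    [ "$1" = root ] && [ "$2" = gdm ] && [ "$3" = 1770 ] && return 0
    return 1
}

# Constructed sample passwd entries (not taken from any real system).
GDM_PASSWD_OK='gdm:x:42:42:GDM daemon:/var/lib/gdm:/sbin/nologin'
GDM_PASSWD_BAD='gdm:x:42:42:GDM daemon:/var/lib/gdm:/bin/sh'

# audit_gdm_host: run both checks against the running system.
# Assumes getent(1) and GNU stat(1) -c; adjust the stat call on BSD/Solaris.
audit_gdm_host() {
    rc=0
    if line=$(getent passwd gdm); then
        check_gdm_account "$line" || { echo "gdm user has a login shell"; rc=1; }
    else
        echo "no gdm user exists"; rc=1
    fi
    if [ -d /var/lib/gdm ]; then
        set -- $(stat -c '%U %G %a' /var/lib/gdm)
        check_gdm_dir "$1" "$2" "$3" || { echo "/var/lib/gdm is not root:gdm 1770"; rc=1; }
    else
        echo "/var/lib/gdm does not exist"; rc=1
    fi
    return $rc
}
# Usage on a host with GDM installed:  . ./gdm-audit.sh && audit_gdm_host
```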
The need to be able to write Xauth files is why user "nobody" is not
appropriate for gdm. If the gdm user is set up properly and gdm user access
is somehow exploited, the GDM user should only be able to maliciously
modify the Xauth keys, causing potential Denial-Of-Service attacks. If a
person gains the ability to run programs as the user gdm, it would be
possible to snoop on running GDM processes, including usernames and
passwords as they are being typed in. Therefore it is important to ensure
that the gdm user is disallowed login and has no default shell.

When reporting bugs you should first turn on debugging in gdm.conf. Your
syslog daemon might not log debug information by default, so you should
make sure daemon.debug events are logged to a file. Include the resulting
log in your bug report. It is known that debugging can sometimes cause
unrelated problems due to the interaction with the syslog daemon, so it is
not advisable that you run with the debug option all the time. (Not to
mention it generates a LOT of spew.)

XDMCP is disabled by default since XDMCP can be exploited to create
Denial-Of-Service attacks if a malicious user sends a flood of XDMCP
requests to your computer. It may be enabled by setting "enable=true" in
the "[xdmcp]" section of the gdm.conf file.

The face browser reveals usernames on your system and should not be used
unless the system is physically secure. In other words, it is a feature
most appropriate for home use and is not recommended on systems that are
for public use.

Read the GDM documentation for more information about security:

    http://www.gnome.org/projects/gdm/

Configure Options
=================

Configuration is done by editing the gdm.conf file (located in
<prefix>/etc/gdm/gdm.conf). If no config file exists, "make install" will
create one for you.

The default HaltCommand and RebootCommand gdm.conf options may not be
appropriate for your distribution.
Distribution vendors who ship GDM are advised to modify these to the
supported Halt/Reboot commands for their system. The correct HaltCommand
for FreeBSD is "/sbin/halt -p" so the disks are synced on shutdown, and on
other systems "/sbin/init 0" or "/sbin/init 5" may be most appropriate. The
correct RebootCommand for some systems may be "/sbin/init 6". Patches to
improve the GDM configure script and how it sets these values by default
would be accepted. On some systems "/sbin/init 0", "/sbin/init 5", or
"/sbin/halt -p" may be

If you want to add distribution-specific directories to the end of
DefaultPath and RootDefaultPath, then use the --with-post-path configure
option. The argument value should be a list of directories separated by ":"
characters (no spaces).

Make sure the --with-pam-prefix points to the prefix where the pam.conf
file is located (default is sysconfdir - /etc).

If you want accessibility to work and have AT programs like gok and
gnopernicus installed to a different directory than EXPANDED_BINDIR, then
use the --with-at-bindir configure option.

If you want IPv6 enabled, use the --enable-ipv6=yes option to configure.

To assign a default face to a user for the face browser, place a (jpg, gif,
png, xpm) image in the user's $HOME/.iface directory. The gdm.conf
DefaultFace configuration option allows the system administrator to set up
a default face image.

For best a11y support on Linux, it is recommended to use the --with-xevie
configure option so that the user's Xserver session is always started with
the Xserver XEVIE extension. GOK works best when XEVIE is enabled.
Read the GDM documentation for more information about configuring GDM:

    http://www.gnome.org/projects/gdm/

Distribution
============

Red Hat
-------

If you want to install OVER RedHat or Ximian packages, use the following
configure options:

    --prefix=/usr --sysconfdir=/etc/X11 --localstatedir=/var
    --enable-console-helper --with-pam-prefix=/etc

However, there is now a spec file so you can build an rpm by just doing

    rpm -ta gdm-<version>.tar.gz

This should work on RedHat 6.x, 7.x, 8.x, 9 and perhaps later, and if
you're very lucky then on your favorite other distribution, but no
promises. GDM is not a trivial package so it's more likely it won't work in
other places out of the box.

Solaris
-------

Configuring GDM with "--with-post-path=/usr/openwin/bin" on Solaris is
recommended.

GDM includes code to integrate with /etc/logindevperm and the Solaris audit
APIs. These interfaces are only supported on Solaris 10 and higher. GDM
should not be used on Solaris 9 and earlier if auditing is needed.

If using Solaris 9 or earlier, device permissions will not be set correctly
on login since GDM only processes /etc/logindevperm on Solaris 10 and
higher. The most annoying problem is that the user will likely not have
access to audio input/output. This can be worked around by adding
chown/chmod commands for each /dev device specified in /etc/logindevperm to
the GDM PreSession and PostSession scripts, to set the ownership and
read/write permissions to the user on login and back to root:root 0600 on
logout. If someone wants to provide a patch to GDM to make it support
processing /etc/logindevperm on Solaris 9 and lower to avoid the above
workaround, then that would be great.

Automatic Login On Solaris
--------------------------

Automatic Login, if enabled on Solaris, will still pop up a GUI asking the
user for a password.
To set up automatic login so it doesn't require a password, use the
following /etc/pam.conf settings:

    gdm-autologin auth     required   pam_unix_cred.so.1
    gdm-autologin auth     sufficient pam_allow.so.1
    gdm-autologin account  sufficient pam_allow.so.1
    gdm-autologin session  sufficient pam_allow.so.1
    gdm-autologin password sufficient pam_allow.so.1

The above setup will cause no lastlog entry to be generated. If a lastlog
entry is desired, then use the following for session:

    gdm-autologin session  required   pam_unix_session.so.1

If using Solaris 10 or lower, then you also need to compile the pam_allow.c
code and install it to /usr/lib/security (or anywhere, and provide the full
path in /etc/pam.conf) and ensure it is owned by uid 0 and not group or
world writable.
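As an added example (not GDM's own code) for the Solaris 9 workaround
described in the Solaris section above: a POSIX shell helper that reads
/etc/logindevperm entries on stdin and prints the chown/chmod commands a
PreSession script (login) or PostSession script (logout) would run. It
assumes the logindevperm(4) line format "console mode device[:device...]";
the sample file embedded below is constructed.

```shell
#!/bin/sh
# Added example, not GDM's own code. Generates the chown/chmod commands that
# the Solaris 9 workaround above adds to the GDM PreSession and PostSession
# scripts, from the entries in /etc/logindevperm.
#
# Assumed logindevperm(4) line format:  CONSOLE  MODE  DEVICE[:DEVICE...]
# Lines starting with '#' are comments. Device names may contain shell
# wildcards; they are passed through unexpanded so the shell that runs the
# generated commands expands them.

# logindevperm_cmds USER login|logout   (reads logindevperm entries on stdin)
# login:  give each device to USER with the mode from its entry
# logout: return each device to root:root 0600
logindevperm_cmds() {
    user=$1
    phase=$2
    set -f                       # keep '*' in device names literal
    while read -r console mode devices; do
        case "$console" in ""|"#"*) continue ;; esac
        [ -n "$devices" ] || continue
        old_ifs=$IFS
        IFS=:
        for dev in $devices; do
            case "$phase" in
                login)  printf 'chown %s %s\nchmod %s %s\n' "$user" "$dev" "$mode" "$dev" ;;
                logout) printf 'chown root:root %s\nchmod 0600 %s\n' "$dev" "$dev" ;;
            esac
        done
        IFS=$old_ifs
    done
    set +f
}

# Constructed sample /etc/logindevperm (not copied from a real system).
SAMPLE_LOGINDEVPERM='# console   mode   devices
/dev/console 0600 /dev/mouse:/dev/kbd
/dev/console 0600 /dev/audio:/dev/audioctl'

# Run the generator over the constructed sample: sample_cmds USER login|logout
sample_cmds() {
    printf '%s\n' "$SAMPLE_LOGINDEVPERM" | logindevperm_cmds "$1" "$2"
}

# In a real PreSession script, $USER is the user logging in:
#   logindevperm_cmds "$USER" login < /etc/logindevperm | sh
# and in PostSession:
#   logindevperm_cmds "$USER" logout < /etc/logindevperm | sh
```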