Brian Cameron wrote: > > Frank: > > On 12/27/09 11:26, Frank Batschulat wrote: >>> It makes more sense when the "face" mode is enabled >>> so you either click on a face/login name or click the button to type >>> one in: >>> http://defect.opensolaris.org/bz/show_bug.cgi?id=13568 >> >> What ? "face mode" - this is a non-starter. >> >> do we still remember that we have had a project called "Secure by >> Default" ? >> http://hub.opensolaris.org/bin/view/Community+Group+on/2006060101 >> >> "face mode" enables listing of all accounts available for login on a >> given system. >> No - I do not want that and I'm pretty sure, if OSOL/Solaris.Next >> ever ends up in production use, >> the people supposed to run it won't want to have that either. even >> the gdm(1M) man page >> mentions that. > > Since GDM is a GNOME application, it should not be a surprise that it > does provide options geared towards the typical GNOME desktop user, as > opposed to the typical OpenSolaris server user. > > That said, the Face Browser is disabled by default on OpenSolaris for > exactly the "Secure By Default" reasons you mention. Users who want to > use the Face Browser can enable it if they choose. > >> apparently you can restrict that sort of as gdm(1M) further mentions: >> >> <snip> >> greeter/IncludeAll=false (boolean) >> >> If true, then the face browser will show all users on >> the local machine. If false, the face browser will only >> show users who have recently logged in. >> <snip end> >> >> even that is too much. > > IncludeAll is set to false by default, but its setting is only used > if the user first enables the Face Browser. > >> besides, I suppose that there are a lot of users out there, that do >> not want or >> need things like "face mode", playing sound or movies on Login or >> similar >> gadgets. Heaven, this is Unix, this is Solaris, this runs on Servers.... > > There has been some discussion that perhaps it would make sense for > the OpenSolaris installer to ask users if they want the Face Browser > enabled or not. As you say, most people who use OpenSolaris as a server > probably do not want it on. However, many desktop users prefer the > Face Browser which is why most other Linux distros enable it by default. > > If the installer asked, then users could easily turn it on and get a > user experience more similar to what they find when using GNOME on > other distros. While OpenSolaris does tend to cater the configuration > more towards server users, but it is also good to support desktop users > reasonably. Such a change to the installer would be a good step > forward, I think. The focus of the installer is to ask the minimal set of questions needed to get a user up and running. Asking a user new to OpenSolaris if they want "face browser" enabled isn't reasonable because they don't know what it is. If they do enable it they might later decide they would like it disabled. They shouldn't have to go to the command line to do that.
It also has an impact on security that they are likely unaware of. It is reasonable to provide a system preferences GUI to cover face browser and other GDM settings. Frank (Ludolph)
