Casper:

>>> nobody:x:60001:60001:NFS Anonymous Access User:/:
>>> noaccess:x:60002:60002:No Access User:/:
>>> nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
>>
>> Since these users do not have valid shells specified, these would not
>> be shown.
>
> These actually have a valid shell (the default shell, /bin/sh, is used when
> the password shell lists the empty string for the shell).

Looking more closely at the GDM code, I see that it has a hardcoded list
of users to not show in the face browser.  These include:

  "bin"
  "root"
  "daemon"
  "adm"
  "lp"
  "sync"
  "shutdown"
  "halt"
  "mail"
  "news"
  "uucp"
  "operator"
  "nobody"
  GDM_USERNAME (normally the "gdm" user)
  "postgres"
  "pvm"
  "rpm"
  "nfsnobody"
  "pcap"

> Can gdm determine which users are locked?

No.  GDM currently excludes users under MinimalUID (100), users without
valid shells, and users in the above list.

It should not be hard to add extra logic to avoid adding other users
if appropriate.  For example, is there a way to check which users are
locked?  I am sure code could be added to exclude other types of
appropriate users.

> Does gdm read /etc/passwd directly (to find out the "local" accounts?)
>
> Or does gdm use getent()?  (This lists all users in files, nis, nis+ and
> possibly LDAP)

It uses fgetpwent(), so it does not use nsswitch.conf.

>>> What about when NIS or LDAP is in use ? Do we really want GDM attempting
>>> to display 38,000+ accounts ?
>>
>> As I explain above, this should not be an issue.
>
> So no getent?
>
> How does gdm detect which users logged in before?

ConsoleKit (LSARC 2009/432) keeps track of users that are logged in
in the /var/log/ConsoleKit/history file which is owned by (root:root)
and has 644 permissions.  The ck-history program is used by GDM to
figure out which users to display.

Brian
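
Added example (not part of the message above and not GDM's code): a sketch of the three filters the message describes (MinimalUID, valid shell, hardcoded name list) applied to passwd-format text read with fgetpwent(). The shell list, the shortened name list, the function names and the sample accounts other than the three quoted entries are assumptions made for the illustration.

```c
#define _DEFAULT_SOURCE
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#define MINIMAL_UID 100 /* MinimalUID value quoted in the message */
/* Subset of the hardcoded names; "gdm" stands in for GDM_USERNAME. */
static const char *const excluded[] = {"bin", "root", "daemon", "adm", "lp",
                                       "nobody", "gdm", "nfsnobody", NULL};
/* Assumed shell list; a real check would consult /etc/shells. */
static const char *const shells[] = {"/bin/sh", "/bin/bash", "/bin/ksh", NULL};
/* Constructed sample; the last three entries are the ones quoted above. */
static const char sample[] =
    "root:x:0:0:Super-User:/root:/bin/bash\n"
    "svc:x:150:150:Constructed service account:/:/bin/false\n"
    "alice:x:1001:10:Constructed user:/home/alice:/bin/bash\n"
    "nobody:x:60001:60001:NFS Anonymous Access User:/:\n"
    "noaccess:x:60002:60002:No Access User:/:\n"
    "nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:\n";
static int in_list(const char *s, const char *const *list) {
    for (; *list; list++)
        if (strcmp(s, *list) == 0) return 1;
    return 0;
}

/* 1 if the entry passes all three filters; an empty shell counts as /bin/sh. */
static int show_user(const struct passwd *pw) {
    const char *sh = pw->pw_shell[0] ? pw->pw_shell : "/bin/sh";
    return pw->pw_uid >= MINIMAL_UID && in_list(sh, shells) &&
           !in_list(pw->pw_name, excluded);
}

/* Parse passwd text with fgetpwent(); write shown names to out, return count. */
int list_shown(const char *text, char *out, size_t outlen) {
    struct passwd *pw;
    int n = 0;
    FILE *fp = tmpfile();
    if (!fp) return -1;
    fputs(text, fp);
    rewind(fp);
    out[0] = '\0';
    while ((pw = fgetpwent(fp)) != NULL)
        if (show_user(pw) && strlen(out) + strlen(pw->pw_name) + 2 <= outlen)
            strcat(strcat(out, n++ ? " " : ""), pw->pw_name);
    fclose(fp);
    return n;
}
int main(void) {
    char buf[256];
    return printf("%d shown: %s\n", list_shown(sample, buf, sizeof buf), buf) < 0;
}
```

With the empty shell field treated as /bin/sh, noaccess and nobody4 pass all three filters, so only a name-list entry or a lock check would keep them out of the list.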

