Darren:

>>> 2. Default using face browser
>>>
>>> What is the definition of a system account ?
>>
>> I appreciate your concern about how the Face Browser works, since it
>> never worked very well with the old GDM, especially in environments
>> where NIS/LDAP is used.
>>
>> However, the new face browser is much more intelligent. It uses the
>> following logic to filter out system users:
>>
>> - Filters out all accounts under 100.
>> - Filters out all accounts that do not have a valid shell
>
> What is the definition of a valid shell ?

GDM calls fgetpwent(), and checks the value of pwent->pw_shell. It then
calls getusershell() and if the pwent->pw_shell is in the list returned
by getusershell() it is considered a valid shell. However, if the shell
is "/sbin/nologin" or "/bin/false", then it is considered an invalid
shell, even if getusershell() returns these as valid shells.

>> - It only adds users that are in /etc/passwd and users that have logged
>> in previously. So, no users will be shown who are NIS/LDAP users
>> unless they have logged in previously.
>
> So it bypasses nsswitch to lookup users ?

Right, by using fgetpwent().

>> Note when the Face Browser is shown, you can click on the "Other"
>> (meaning "Other User") button and enter the username and password.
>> If you enter a username that is not a system user (UID<100), then
>> that user will show up in the face browser in subsequent logins.
>> The list of recent users is managed by ConsoleKit and stored in
>> the file /var/log/ConsoleKit/history, so there is a unique history
>> per-machine.
>
> That seems reasonable, and means that it could actually be useful on
> some Sun Ray deployments as well.

Yes. Actually, as the GDM maintainer, I have heard from a number of
thin-client/terminal-server sysadmins that they like to use this
feature. I have heard that people like to use it with up to several
hundred users.

> How many faces does it attempt to show ? Is there a limit in the history
> file at which it chooses to show none ?

No, it will show all the users. Note that if the user starts typing
while the Face Browser is expecting the user to click on a user, it will
automatically scroll the list to users that start with the entry typed.
So it is fairly easy to find a specific username even if the list is
long.

>>> The reason I ask is because the GNOME users and groups tool gets this
>>> wrong on Solaris. It correctly hides by default all those accounts with
>>> a uid < 100 but it doesn't hide the other reserved system accounts:
>>>
>>> nobody:x:60001:60001:NFS Anonymous Access User:/:
>>> noaccess:x:60002:60002:No Access User:/:
>>> nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:

The "nobody" user is filtered out by default, though the other users
would not be.

>> Since these users do not have valid shells specified, these would not
>> be shown.
>
> Yes they do, they have /bin/sh as their shell because that is what an
> empty field means for /etc/passwd.
>
> passwd(4):
>
>     login-shell is the user's initial shell program. If this
>     field is empty, the default shell is
>     /usr/bin/sh.
>
> Let's not discuss here if that makes sense for those accounts or not though.

If there are other mechanisms that GDM should use to filter out users,
please let me know and we can fix the code to do additional filtering.

>>> Does the face browser need to read anything in the users home dir ? If
>>> so it must be disabled by default since it can cause a downgrade attack
>>> if the users home directory is supposed to be mounted with Kerberos by
>>> default (but can fall back to sys). We have gone to great lengths over
>>> the years to ensure that no login program ever touches the users home
>>> directory until after pam_authenticate() and pam_setcred() have returned
>>> PAM_SUCCESS.
>>
>> Yes, the user's image file is loaded from the user's $HOME directory
>> before authentication.
>
> Is there an ability to place these elsewhere ?

Not currently, but that could be an enhancement.

>> As I explained before, we can disable the Face Browser if we want by
>> default. All other distros turn on the Face Browser by default, and
>> users disable it when needed. Note that if we choose to turn on the
>> Face Browser by default, that the Sun Ray install process would turn
>> it off. I think many of the cases where the Face Browser would not be
>> desired would be in Sun Ray environments (e.g. Trusted Solaris). So,
>> if we choose to turn on the Face Browser by default, many users who do
>> not want it (e.g. Sun Ray users) would have it turned off by default.
>>
>> But, if it is a requirement that Solaris by default does not touch the
>> user's $HOME directory before authentication, then the Face Browser
>> would need to be turned off by default. Do we want to be different
>> than other distros in this regard because of this Kerberos requirement?
>
> That is a good question.
> The security part of me says off.
> The on Sun network part of me says off
> (NFS kerberos home dir/privacy/Huge Sun Ray deployment)
> The "keeping up with the Joneses" part of me says turn it on
> The MacOS X user in me says turn it on.
>
> So that's a 50/50 split vote from me :-)

This is probably a good topic for the inception review. I'm sure we can
decide what the best system default is.

>> Obsolete interface, but I could add a mention in the onepager that
>> this has an impact on the SUNWgnome-themes package if you think
>> that is interesting.
>
> Not necessary given you've mentioned it in the email thread.

I went ahead and added the following text to section "4.5 Dependencies"
just so this is more clear in the onepager.

Note that the GDM themes previously delivered to /usr/share/gdm/themes
by the SUNWgnome-themes package will no longer be delivered once the new
GDM is integrated, since they will no longer be used.

Brian
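Added example, not GDM's code and not part of the thread: the filtering rules Brian describes, applied with fgetpwent() to a constructed passwd sample (UID < 100, shell must be in the user-shell list, /sbin/nologin and /bin/false rejected, "nobody" hidden), plus a switch showing how the empty login-shell field Darren raised changes the result when it is expanded to /usr/bin/sh as passwd(4) documents. The shell list is an assumed stand-in for what getusershell() would return.

```c
#define _GNU_SOURCE /* fgetpwent() is a glibc/BSD extension */
#include <stdio.h>
#include <string.h>
#include <pwd.h>

/* Constructed stand-in for the getusershell() list (the host's /etc/shells). */
static const char *user_shells[] =
    { "/bin/sh", "/usr/bin/sh", "/bin/bash", "/sbin/nologin", "/bin/false", NULL };

/* Constructed passwd sample; the last two entries have an empty shell field. */
static const char *sample_passwd =
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:1001:1001:Alice:/home/alice:/bin/bash\n"
    "bob:x:1002:1002:Bob:/home/bob:/bin/false\n"
    "nobody:x:60001:60001:NFS Anonymous Access User:/:\n"
    "noaccess:x:60002:60002:No Access User:/:\n";

/* Filter as described in the thread: UID < 100 is a system account, the shell
 * must be in the user-shell list, /sbin/nologin and /bin/false are rejected even
 * if listed, "nobody" is always hidden. expand_empty reads "" as /usr/bin/sh. */
int should_show_user(const struct passwd *pw, int expand_empty)
{
    const char *shell = pw->pw_shell;
    if (pw->pw_uid < 100 || strcmp(pw->pw_name, "nobody") == 0)
        return 0;
    if (shell == NULL || shell[0] == '\0')          /* empty field: passwd(4) */
        shell = expand_empty ? "/usr/bin/sh" : "";   /* "" matches no shell */
    if (strcmp(shell, "/sbin/nologin") == 0 || strcmp(shell, "/bin/false") == 0)
        return 0;
    for (const char **s = user_shells; *s != NULL; s++)
        if (strcmp(shell, *s) == 0)
            return 1;
    return 0;
}

/* Read passwd-format text with fgetpwent(), the way GDM reads /etc/passwd
 * directly (bypassing nsswitch), and count the entries that would be shown. */
int count_visible(const char *passwd_text, int expand_empty)
{
    FILE *f = tmpfile();
    int shown = 0;
    struct passwd *pw;
    if (f == NULL) return -1;
    fputs(passwd_text, f);
    rewind(f);
    while ((pw = fgetpwent(f)) != NULL)
        shown += should_show_user(pw, expand_empty);
    fclose(f);
    return shown;
}
```

With the empty field left as-is only alice is shown; once it is expanded to /usr/bin/sh, noaccess appears as well, which is exactly the case the GDM check as described would not catch.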