John:

> The list seems overly static. Why not have a configuration file for
> GDM that has an allow/deny type of syntax?

The old GDM had such configuration keys for specifying that users
be allowed or denied inclusion on the Face Browser.  However, the
new GDM does not yet support this sort of configuration.  If we think
it is needed, we could work with the upstream community to add this
feature back.

Brian


> Brian Cameron wrote:
>>
>> Casper:
>>
>>>>> nobody:x:60001:60001:NFS Anonymous Access User:/:
>>>>> noaccess:x:60002:60002:No Access User:/:
>>>>> nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
>>>>
>>>> Since these users do not have valid shells specified, these would not
>>>> be shown.
>>>
>>> These actually have a valid shell (the default shell, /bin/sh, is used when
>>> the password shell lists the empty string for the shell).
>>
>> Looking more closely at the GDM code, I see that it has a hardcoded list
>> of users to not show in the face browser. These include:
>>
>> "bin"
>> "root"
>> "daemon"
>> "adm"
>> "lp"
>> "sync"
>> "shutdown"
>> "halt"
>> "mail"
>> "news"
>> "uucp"
>> "operator"
>> "nobody"
>> GDM_USERNAME (normally the "gdm" user)
>> "postgres"
>> "pvm"
>> "rpm"
>> "nfsnobody"
>> "pcap"
>>
>>> Can gdm determine which users are locked?
>>
>> No. GDM currently excludes users under MinimalUID (100), users without
>> valid shells, and users in the above list.
>>
>> It should not be hard to add extra logic to avoid adding other users
>> if appropriate. For example, is there a way to check which users are
>> locked? I am sure code could be added to exclude other types of
>> appropriate users.
>>
>>> Does gdm read /etc/passwd directly (to find out the "local" accounts?)
>>>
>>> Or does gdm use getent()? (This lists all users in files, nis, nis+ and
>>> possibly LDAP)
>>
>> It uses fgetpwent(), so it does not use nsswitch.conf.
>>
>>>>> What about when NIS or LDAP is in use? Do we really want GDM attempting
>>>>> to display 38,000+ accounts?
>>>>
>>>> As I explain above, this should not be an issue.
>>>
>>> So no getent?
>>>
>>> How does gdm detect which users logged in before?
>>
>> ConsoleKit (LSARC 2009/432) keeps track of users that are logged in
>> in the /var/log/ConsoleKit/history file which is owned by (root:root)
>> and has 644 permissions. The ck-history program is used by GDM to
>> figure out which users to display.
>>
>> Brian
>>
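
The three filters discussed in this thread (MinimalUID, valid shell, hardcoded name list), applied to passwd entries read with fgetpwent(). This is an added example, not GDM's code and not part of the original messages. The function names, the valid-shell list, the constructed sample entries and the reading of an empty shell field as /bin/sh are assumptions.

```c
#define _DEFAULT_SOURCE            /* exposes fgetpwent() and fmemopen() on glibc */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#define MINIMAL_UID 100u           /* MinimalUID value quoted in the thread */
/* Exclusion list quoted in the thread; "gdm" stands in for GDM_USERNAME. */
static const char *const excluded[] = {
    "bin", "root", "daemon", "adm", "lp", "sync", "shutdown", "halt", "mail",
    "news", "uucp", "operator", "nobody", "gdm", "postgres", "pvm", "rpm",
    "nfsnobody", "pcap", NULL };
/* Assumption: stand-in for the system's list of valid login shells. */
static const char *const valid_shells[] = { "/bin/sh", "/bin/bash", "/bin/ksh", NULL };
/* Constructed passwd data; the last three lines are the entries from the thread. */
static char sample[] =
    "root:x:0:0:Super-User:/root:/bin/sh\n"
    "alice:x:1001:10:Constructed user:/home/alice:/bin/bash\n"
    "svc:x:1002:10:Constructed service:/:/bin/false\n"
    "nobody:x:60001:60001:NFS Anonymous Access User:/:\n"
    "noaccess:x:60002:60002:No Access User:/:\n"
    "nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:\n";
static int in_list(const char *const *list, const char *s) {
    while (*list) if (strcmp(*list++, s) == 0) return 1;
    return 0;
}
/* Returns 1 if the entry passes the three filters described in the thread. */
int would_show(const struct passwd *pw) {
    /* Assumption (Casper's point): an empty shell field means /bin/sh. */
    const char *shell = (pw->pw_shell && *pw->pw_shell) ? pw->pw_shell : "/bin/sh";
    if (pw->pw_uid < MINIMAL_UID || !in_list(valid_shells, shell)) return 0;
    return !in_list(excluded, pw->pw_name);
}
/* Parses the sample with fgetpwent(); writes the shown names to out, returns count. */
int shown_users(char *out, size_t outlen) {
    FILE *f = fmemopen(sample, sizeof sample - 1, "r");
    struct passwd *pw;
    int n = 0;
    out[0] = '\0';
    if (!f) return -1;
    while ((pw = fgetpwent(f)) != NULL) {
        if (!would_show(pw)) continue;
        size_t used = strlen(out);
        snprintf(out + used, outlen - used, "%s%s", n++ ? "," : "", pw->pw_name);
    }
    fclose(f);
    return n;
}
int main(void) {
    char buf[128];
    return printf("%d shown: %s\n", shown_users(buf, sizeof buf), buf) < 0;
}
```

Under these assumptions noaccess and nobody4 pass all three filters, while nobody is dropped only because its name is on the hardcoded list.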

