The Configuration File - gdm.conf

The daemon and the accompanying utilities share a common configuration file: etc/gdm/gdm.conf.

The configuration file is divided into sections each containing variables that define the behaviour for a specific part of the GDM suite.

gdm.conf follows the standard GNOME configuration file syntax. Keywords in brackets define sections, strings before an equal sign (=) are variables and the data after equal sign represents their value.

Daemon Configuration

[daemon]

AlwaysRestartServer
AlwaysRestartServer=false

If true, then gdm never tries to reuse existing X servers by reinitializing them. It will just kill the existing server and start over. Normally, just reinitializing is a nicer way to go but if the X server memory usage keeps growing this may be a safer option.

AutomaticLoginEnable
AutomaticLoginEnable=false

Whether the user given in AutomaticLogin should be logged in upon first bootup. No password will be asked. This is useful for single user workstations where local console security is not an issue. It could also be useful for public terminals, although for those see TimedLogin.

AutomaticLogin
AutomaticLogin=

This user should be automatically logged in on first bootup. AutomaticLoginEnable must be true and this must be a valid user for this to happen. However, "root" can never be automatically logged in; gdm will refuse to do it even if you set it up.

Chooser
Chooser=bin/gdmchooser --disable-sound --disable-crash-dialog

Full path and name of the chooser executable followed by optional arguments.

Configurator
Configurator=bin/gdmconfig --disable-sound --disable-crash-dialog

The pathname to the configurator binary. If the greeter ConfigAvailable option is set to true, this binary is run when somebody chooses Configuration from the system menu. GDM will first ask for the root password, and it will never allow this to happen from a remote display.

DefaultPath
DefaultPath=/bin:/usr/bin:/usr/bin/X11:/usr/local/bin

Specifies the path which will be set in the user's session.

DisplayInitDir
DisplayInitDir=etc/gdm/Init

Directory containing the display init scripts. See the ``Script Directories'' section for more info.

FailsafeXServer
FailsafeXServer=

An X command line to use in case the normal X server cannot be started. This should probably be some sort of a script that runs an appropriate low resolution server that will just work. This is tried before the XKeepsCrashing script is run.

FlexibleXServers
FlexibleXServers=5

The maximum number of allowed flexible servers. These are servers that can be run using the /tmp/.gdm_socket socket connection. This is used for both full servers and for Xnest servers.

GnomeDefaultSession
GnomeDefaultSession=share/gnome/default.session

The filename which GDM should read if there is no per user GNOME session file, and the user has requested the Gnome Chooser session.

Greeter
Greeter=bin/gdmlogin --disable-sound --disable-crash-dialog

Full path and name of the greeter executable followed by optional arguments.

Group
Group=gdm

The group id under which gdmlogin/gdmchooser are run.

HaltCommand
HaltCommand=/sbin/shutdown -h now

Full path and arguments to command to be executed when user selects Halt from the System menu.

KillInitClients
KillInitClients=true

Determines whether GDM should kill X clients started by the init scripts when the user logs in.

LogDir
LogDir=var/gdm

Directory containing the log files for the individual displays. By default this is the same as the ServAuthDir.

PidFile
PidFile=var/run/gdm.pid

Name of the file containing the gdm process id.

PostSessionScriptDir
PostSessionScriptDir=etc/gdm/PostSession

Directory containing the scripts run after the user logs out. See the ``Script Directories'' section for more info.

PreSessionScriptDir
PreSessionScriptDir=etc/gdm/PreSession

Directory containing the scripts run before the user logs in. See the ``Script Directories'' section for more info.

RebootCommand
RebootCommand=/sbin/shutdown -r now

Full path and optional arguments to the program to be executed when user selects Reboot from the System menu.

RootPath
RootPath=/sbin:/usr/sbin:/bin:/usr/bin:/usr/bin/X11:/usr/local/bin

Specifies the path which will be set in the root's session and the {Init,PreSession,PostSession} scripts executed by GDM.

ServAuthDir
ServAuthDir=/var/gdm

Directory containing the X authentication files for the individual displays. Should be owned by gdm.gdm with permissions 750. This directory is also used for other private files that the daemon needs to store. Other users should not have any way to get into this directory and read or change its contents.

SessionDir
SessionDir=etc/gdm/Sessions

Directory containing the scripts for all session types available on the system.

StandardXServer
StandardXServer=/usr/bin/X11/X

Full path and arguments to the standard X server command. This is used when gdm cannot find any other definition, and it's used as the default and failsafe fallback in a number of places. This should be able to run some sort of X server.

SuspendCommand
SuspendCommand=

Full path and arguments to command to be executed when user selects Suspend from the System menu. If empty there is no such menu item.

TimedLoginEnable
TimedLoginEnable=false

Whether the user given in TimedLogin should be logged in after a number of seconds (set with TimedLoginDelay) of inactivity on the login screen. This is useful for public access terminals or perhaps even home use. If the user uses the keyboard or browses the menus, the timeout will be reset to TimedLoginDelay or 30 seconds, whichever is higher. Note that no password will be asked for this user so you should be careful.

TimedLogin
TimedLogin=

This is the user that should be logged in after a specified number of seconds of inactivity. This can never be "root" and gdm will refuse to log in root this way.

TimedLoginDelay
TimedLoginDelay=30

This is the delay before the TimedLogin user will be logged in. It must be greater than or equal to 10.

User
User=gdm

The username under which gdmlogin / gdmchooser are run.

UserAuthDir
UserAuthDir=

The directory where the user's .Xauthority file should be saved. When nothing is specified the user's home directory is used.

UserAuthFBDir
UserAuthFBDir=/tmp

If GDM fails to update the user's .Xauthority file a fallback cookie is created in this directory.

UserAuthFile
UserAuthFile=.Xauthority

Name of the file used for storing user cookies.

XKeepsCrashing
XKeepsCrashing=etc/gdm/XKeepsCrashing

A script to run in case X keeps crashing. This is for running an X configuration. The first argument will be one of the programs specified in XKeepsCrashingConfigurators, the first one that exists. If none of those exist, this script will not be run. The second argument is a temporary filename that can be used for any purpose within the script. The rest of the arguments are translated messages. Please see the standard installed script for further details.

In case FailsafeXServer is set up, that will be tried first, and this script is only used as a backup if even that server keeps crashing.

XKeepsCrashingConfigurators
XKeepsCrashingConfigurators=/usr/bin/X11/XF86Setup /usr/bin/X11/Xconfigurator

A list of programs to try which will do X configuration for the user. These are run from the XKeepsCrashing script. The first one on this list that exists is used.

Xnest
Xnest=/usr/bin/X11/Xnest

The full path and arguments to the Xnest command. This is used for the flexible Xnest servers. This way the user can start new login screens in a nested window. Of course you must have the Xnest server from your X server packages installed for this to work.

Security Options

[security]

AllowRoot
AllowRoot=true

Allow root (privileged user) to log in through GDM. Set this to false if you want to disallow such logins.

On systems that support PAM, this parameter is not as useful as you can use PAM to do the same thing, and in fact do even more. However it is still followed, so you should probably leave it true for PAM systems.

AllowRemoteRoot
AllowRemoteRoot=true

Allow root (privileged user) to log in remotely through GDM. Set this to false if you want to disallow such logins. Remote logins are any logins that come in through XDMCP.

On systems that support PAM, this parameter is not as useful as you can use PAM to do the same thing, and in fact do even more. However it is still followed, so you should probably leave it true for PAM systems.

AllowRemoteAutoLogin
AllowRemoteAutoLogin=false

Allow the timed login to work remotely. That is, remote connections through XDMCP will be allowed to log into the "TimedLogin" user by letting the login window time out, just like the local user on the first console.

Note that this can make a system quite insecure, and thus is off by default.

RelaxPermissions
RelaxPermissions=0

By default GDM ignores files and directories writable to other users than the owner.

Changing the value of RelaxPermissions makes it possible to alter this behaviour:

0 - Paranoia option. Only accepts user owned files and directories.

1 - Allow group writable files and directories.

2 - Allow world writable files and directories.

RetryDelay
RetryDelay=3

The number of seconds GDM should wait before reactivating the entry field after a failed login.

SessionMaxFile
SessionMaxFile=524288

GDM will refuse to read session files bigger than this number (specified in bytes). This can be bigger than UserMaxFile, since these are never read into memory, and so it is harder to "attack" gdm in this way.

In addition to the size check both gdm and gdmlogin are extremely picky about accessing files in user directories. Neither will follow symlinks and they can optionally refuse to read files and directories writable by other than the owner. See the RelaxPermissions option for more info.

However, for the session files GDM is not as picky. If you set RelaxPermissions to 0, GDM will assume it to be 1 for the case of session files. This is unfortunately necessary because the session files would otherwise never be able to be read in.

UserMaxFile
UserMaxFile=65536

GDM will refuse to read/write files bigger than this number (specified in bytes).

In addition to the size check both gdm and gdmlogin are extremely picky about accessing files in user directories. Neither will follow symlinks and they can optionally refuse to read files and directories writable by other than the owner. See the RelaxPermissions option for more info.
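The file-access policy described for UserMaxFile and RelaxPermissions, sketched as an added example (this is not GDM's own code). The function name, the reason strings and the choice to check the containing directory with the same rule are assumptions made for illustration.

```python
import errno
import os
import stat

USER_MAX_FILE = 65536  # UserMaxFile value shown on this page


def _perm_problem(st, uid, relax):
    """Apply a RelaxPermissions level (0, 1 or 2) to one stat result."""
    if st.st_uid != uid:
        return "not owned by the user"
    if relax < 1 and st.st_mode & stat.S_IWGRP:
        return "group writable"
    if relax < 2 and st.st_mode & stat.S_IWOTH:
        return "world writable"
    return None


def read_user_file(path, uid, relax=0, max_size=USER_MAX_FILE):
    """Return (data, None) if the file passes every check, else (None, reason)."""
    # The containing directory is held to the same ownership/write rule.
    parent = os.lstat(os.path.dirname(os.path.abspath(path)))
    why = _perm_problem(parent, uid, relax)
    if why:
        return None, "directory " + why
    try:
        # O_NOFOLLOW refuses a symlink as the final path component;
        # O_NONBLOCK keeps a FIFO planted at this name from hanging the open.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError as e:
        return None, "symlink" if e.errno == errno.ELOOP else "cannot open"
    try:
        # fstat the descriptor rather than the name, so the checks apply to
        # the object that is actually read (no check-then-open race).
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            return None, "not a regular file"
        why = _perm_problem(st, uid, relax)
        if why:
            return None, why
        if st.st_size > max_size:
            return None, "larger than the size limit"
        # Cap the read as well, in case the file grows after the fstat.
        return os.read(fd, max_size), None
    finally:
        os.close(fd)
```
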

VerboseAuth
VerboseAuth=true

Specifies whether GDM should print authentication errors in the message field in the greeter. Unlike in the past having this option be true is no longer a security risk. It will not specify if username or password was wrong, as both result in the same error. However it will give a different error when for example root login is disallowed and root logs in, or if a user with a disabled login tries to log in (only after the user succeeds). No verbose information about the login is given until a user is verified.

XDMCP Support

[xdmcp]

DisplaysPerHost
DisplaysPerHost=1

To prevent attackers from filling up the pending queue, GDM will only allow one connection for each remote machine. If you want to provide display services to machines with more than one screen, you should increase the DisplaysPerHost value accordingly.

Note that the number of connections from the local machine is unlimited. Only remote connections are limited by this number.

Enable
Enable=false

Setting this to true enables XDMCP support allowing remote displays/X terminals to be managed by GDM.

gdm listens for requests on UDP port 177. See the Port option for more information.

If GDM is compiled to support it, access from remote displays can be controlled using the TCP Wrappers library. The service name is gdm.

You should add

		gdm:	.my.domain
	      

to your /etc/hosts.allow. See the hosts_access(5) man page for details.

Please note that XDMCP is not a particularly secure protocol and that it is a good idea to block UDP port 177 on your firewall unless you really need it.

HonorIndirect
HonorIndirect=true

Enables XDMCP INDIRECT choosing (i.e. remote execution of gdmchooser) for X-terminals which don't supply their own display browser.

MaxPending
MaxPending=4

To avoid denial of service attacks, GDM has a fixed-size queue of pending connections. Only MaxPending displays can start at the same time.

Please note that this parameter does *not* limit the number of remote displays which can be managed. It only limits the number of displays initiating a connection simultaneously.

MaxPendingIndirect
MaxPendingIndirect=4

GDM will only provide MaxPendingIndirect displays with host choosers simultaneously.

MaxSessions
MaxSessions=16

Determines the maximum number of remote display connections which will be managed simultaneously. I.e. the total number of remote displays that can use your host.

MaxWait
MaxWait=30

When GDM is ready to manage a display an ACCEPT packet is sent to it containing a unique session id which will be used in future XDMCP conversations.

GDM will then place the session id in the pending queue waiting for the display to respond with a MANAGE request.

If no response is received within MaxWait seconds, GDM will declare the display dead and erase it from the pending queue freeing up the slot for other displays.

MaxWaitIndirect
MaxWaitIndirect=30

The MaxWaitIndirect parameter determines the maximum number of seconds between the time where a user chooses a host and the subsequent indirect query where the user is connected to the host. When the timeout is exceeded, the information about the chosen host is removed and the indirect slot freed up for other displays.

Port
Port=177

The UDP port number gdm should listen to for XDMCP requests. Don't change this unless you know what you're doing.

PingInterval
PingInterval=5

Interval in which to ping the X server in minutes. If the X server doesn't return before the next time we ping it, the connection is stopped and the session ended. This is a combination of the xdm PingInterval and PingTimeout.

Willing
Willing=etc/gdm/Xwilling

When the server sends a WILLING packet back after a QUERY it sends a string that gives the current status of this server. The default message is the system ID, but it is possible to create a script that displays a customized message. If this script doesn't exist or this key is empty the default message is sent. If this script succeeds and produces some output, the first line of its output is sent (and only the first line). It runs at most once every 3 seconds to prevent possible denial of service by flooding the server with QUERY packets.
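A small audit of the [daemon], [security] and [xdmcp] options described above, as an added example that is not part of the GDM documentation or source. It reports keys whose effective value allows passwordless or remote logins, using the defaults shown on this page for absent keys. The sample file is constructed, and treating only the literal "true" as enabling a flag is an assumption.

```python
import configparser

# Defaults as shown on this page; an absent key still has an effect.
DEFAULTS = {
    ("daemon", "AutomaticLoginEnable"): "false",
    ("daemon", "AutomaticLogin"): "",
    ("daemon", "TimedLoginEnable"): "false",
    ("daemon", "TimedLogin"): "",
    ("security", "AllowRemoteRoot"): "true",
    ("security", "AllowRemoteAutoLogin"): "false",
    ("security", "RelaxPermissions"): "0",
    ("xdmcp", "Enable"): "false",
}

# Constructed sample input, not a real system's configuration.
SAMPLE = """\
[daemon]
AutomaticLoginEnable=true
AutomaticLogin=kiosk
[security]
AllowRemoteAutoLogin=true
RelaxPermissions=2
[xdmcp]
Enable=true
[greeter]
Welcome=Welcome to %n
"""


def load(text):
    # interpolation=None: "Welcome to %n" holds a bare '%' that the default
    # interpolation would reject. optionxform=str keeps key case as written.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit(cp):
    """Return sorted "section/Key" names whose effective value needs review."""
    def val(sec, key):
        return cp.get(sec, key, fallback=DEFAULTS[(sec, key)]).strip()

    def on(sec, key):
        # Assumption: only the literal "true" (any case) enables a flag.
        return val(sec, key).lower() == "true"

    found = []
    if on("daemon", "AutomaticLoginEnable") and val("daemon", "AutomaticLogin"):
        found.append("daemon/AutomaticLoginEnable")    # no password at boot
    if on("daemon", "TimedLoginEnable") and val("daemon", "TimedLogin"):
        found.append("daemon/TimedLoginEnable")        # no password after delay
    if on("security", "AllowRemoteAutoLogin"):
        found.append("security/AllowRemoteAutoLogin")  # timed login over XDMCP
    if val("security", "RelaxPermissions") != "0":
        found.append("security/RelaxPermissions")      # writable-by-others accepted
    if on("xdmcp", "Enable"):
        found.append("xdmcp/Enable")                   # UDP listener is active
        if on("security", "AllowRemoteRoot"):
            # Defaults to true, so it applies even when the key is absent.
            found.append("security/AllowRemoteRoot")
    return sorted(found)


if __name__ == "__main__":
    for name in audit(load(SAMPLE)):
        print("review:", name)
```
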

Common GUI Configuration Options

[gui]

Gtkrc
Gtkrc=

Path to a gtkrc containing the theme for use in gdmlogin / gdmchooser.

MaxIconWidth
MaxIconWidth=128

Specifies the maximum icon width (in pixels) that the face browser will display. Icons larger than this will be scaled.

MaxIconHeight
MaxIconHeight=128

Specifies the maximum icon height (in pixels) that the face browser will display. Icons larger than this will be scaled.

Greeter Configuration

[greeter]

Browser
Browser=true

Set to true to enable the face browser. See the ``Greeter'' section for more information on the face browser.

ConfigAvailable
ConfigAvailable=true

Allow the configurator to be run from the greeter. Note that the user will need to type in the root password before the configurator is run however. See the Configurator option in the daemon section.

DefaultFace
DefaultFace=share/pixmaps/nophoto.png

Default icon file for users without a personal picture in ~/gnome/photo. The image must be in an Imlib supported format and the file must be readable for the gdm user.

DefaultLocale
DefaultLocale=english

This language is used for the session if nothing is specified in ~user/.gnome/gdm and the user didn't select a language in the Locale menu in the greeter.

Exclude
Exclude=bin,daemon,adm,lp,sync,shutdown,halt,mail,...

Comma-separated list of usernames to exclude from the face browser. The excluded users will still be able to log in.

Font
Font=-adobe-helvetica-bold-r-normal-*-*-180-*-*-*-*-*-*

Font to use for the welcome message in the greeter.

GlobalFaceDir
GlobalFaceDir=share/faces/

Systemwide directory for face files. The sysadmin can place icons for users here without touching their homedirs. Faces are named after their users' logins.

I.e. <GlobalFaceDir>/johndoe would contain the face icon for the user ``johndoe''. No image format extension should be specified.

The face images must be stored in Imlib supported formats and they must be readable for the GDM user.

A user's own icon file will always take precedence over the sysadmin provided one.

Icon
Icon=share/pixmaps/gdm.xpm

Icon to use for gdmlogin when it's in the iconified state. The image must be in an Imlib supported format and it must be readable for the GDM user. If no file is specified the iconify feature is disabled.

LocaleFile
LocaleFile=etc/gdm/locale.alias

File in GNU locale format with entries for all supported languages on the system.

Logo
Logo=share/pixmaps/gnome-logo-large.png

Image file to display in the logo box. The file must be in an Imlib supported format and it must be readable by the GDM user. If no file is specified the logo feature is disabled.

Quiver
Quiver=true

Controls whether gdmlogin should shake the display when an incorrect username/password is entered.

SystemMenu
SystemMenu=false

Turns the Shutdown/Halt menu on/off.

TitleBar
TitleBar=true

Display the title bar in the greeter.

Use24Clock
Use24Clock=false

Force the use of 24 hour clock even if the locale would default to a 12 hour clock. In some locales that normally use 24 hour format (like cs_CZ) this setting has no effect.

Welcome
Welcome=Welcome to %n

Controls which text to display next to the logo image in the greeter. The following control chars are supported:

%% — the `%' character

%d — display's hostname

%h — Fully qualified hostname

%m — machine (processor type)

%n — Nodename (i.e. hostname without .domain)

%r — release (OS version)

%s — sysname (i.e. OS)

XineramaScreen
XineramaScreen=0

If the Xinerama extension is active the login window will be centered on this physical screen (use 0 for the first screen, 1 for the second, and so on).

BackgroundColor
BackgroundColor=#007777

If the BackgroundType is 2, use this color in the background of the greeter. Also use it as the back of transparent images set on the background and if the BackgroundRemoteOnlyColor is set and this is a remote display.

BackgroundImage
BackgroundImage=somefile.png

If the BackgroundType is 1, then display this file as the background in the greeter.

BackgroundProgram
BackgroundProgram=/usr/bin/xeyes

If set, this program will be run in the background while the login window is being displayed. Note that not all programs will run this way, since gdm does not usually have a home directory. You could set up a home directory for the gdm user if you wish to run applications which require it.

BackgroundRemoteOnlyColor
BackgroundRemoteOnlyColor=true

On remote displays only set the color background. This is to make network load lighter. The BackgroundProgram is also not run.

BackgroundScaleToFit
BackgroundScaleToFit=true

Scale background image to fit the screen.

BackgroundType
BackgroundType=2

The type of background to set. 0 is none, 1 is image and 2 is color.

SetPosition
SetPosition=true

If true the position of the login window is determined by PositionX/PositionY.

PositionX
PositionX=200

The horizontal position of the login window.

PositionY
PositionY=100

The vertical position of the login window.

ShowGnomeChooserSession
ShowGnomeChooserSession=true

Should the greeter show the Gnome Chooser session when a session named 'Gnome' is also present.

ShowGnomeFailsafeSession
ShowGnomeFailsafeSession=true

Should the greeter show the Gnome Failsafe session in the sessions list.

ShowXtermFailsafeSession
ShowXtermFailsafeSession=true

Should the greeter show the Xterm Failsafe session in the sessions list.

XDMCP Chooser Options

[chooser]

Broadcast
Broadcast=true

If true, the chooser will broadcast a query to the local network and collect responses. This way the chooser will always show all available managers on the network. If you need to add some hosts not local to this network, or if you don't want to use Broadcast, you can list them in the Hosts key.

DefaultHostImage
DefaultHostImage=share/pixmaps/nohost.png

File name for the default host icon. This image will be displayed if no icon is specified for a given host. The file must be in an Imlib supported format and it must be readable for the GDM user.

HostImageDir
HostImageDir=share/hosts

Repository for host icon files. The sysadmin can place icons for remote hosts here and they will appear in gdmchooser.

The file name must match the fully qualified name (FQDN) for the host. The icons must be stored in Imlib supported formats and they must be readable to the gdm user.

Hosts
Hosts=host1,host2

The hosts which should be listed in the chooser. The chooser will only list them if they respond. This is done in addition to broadcast (if Broadcast is set), so you need not list hosts on the local network. This is useful if your networking setup doesn't allow all hosts to be reachable by a broadcast packet.

ScanTime
ScanTime=3

Specifies how many seconds the chooser should wait for replies to its BROADCAST_QUERY.

X Server definitions

To set up X servers, you need to provide gdm with information about the installed X servers. You can have as many different definitions as you wish, each identified with a unique name. The name Standard is required. If you do not specify this server, gdm will assume default values for a 'Standard' server and the path given by daemon/StandardXServer. Standard is used as the default, in situations when no other server has been defined.

Servers are defined by sections named server- followed by the identifier of this server. This should be a simple ASCII string with no spaces. If you use the GUI configurator, it will use random words for these. These will not be user visible; they are just needed to uniquely identify the server.

[server-Standard]

name
name=Standard server

The name that will be displayed to the user.

command
command=/usr/bin/X11/X

The command to execute, with full path to the binary of the X server, and any extra arguments needed.

flexible
flexible=true

Indicates if this server is available as a choice when a user wishes to run a flexible server.

Local X Server Configuration

[servers]

0
0=Standard

Control section for local X servers. Each line indicates the local display number and the command that needs to be run to start the X server(s).

The command can either be a path to an X executable, or a name of one of the server definitions. This can be followed by some arguments that should be passed to the X server when executed.

The gdm daemon doesn't enforce the numbers to be in order or for them to be "packed". However, when you use the GUI configurator, the servers will always start from 0 and go up by 1, leaving no holes.

GDM will splice "-auth <ServAuthDir>/:n.Xauth :n", where n is the display number, into the command line before all other arguments before running the server.

On some systems it is necessary for gdm to know on which virtual consoles to run the X server. In this case, (if running XFree86) add "vt7" to the command line for example to run on virtual console 7.