authorGeorge Lebl <jirka@5z.com>2003-08-07 00:45:24 +0000
committerGeorge Lebl <jirka@src.gnome.org>2003-08-07 00:45:24 +0000
commit5cacc8771c216740d520a68847df974a630ffe1a (patch)
tree9b8e25be37a58bf4ea6a0154e547450497b5efc6
parent6b29c76db5aa5ec73327c77ec73bd07d54c15767 (diff)
downloadgdm-5cacc8771c216740d520a68847df974a630ffe1a.tar.gz
don't use the paths but let pam find modules itself
Wed Aug 06 17:40:27 2003 George Lebl <jirka@5z.com> * gdmsetup-pam: don't use the paths but let pam find modules itself * gui/gdmlogin.c, gui/greeter/greeter_item_ulist.c: limit number of users at 100 (rather than 50) where it really becomes bad. We need to handle this in a nicer way. * daemon/xdmcp.c: make the globsessid default to rand() so that they really differ from run to run, rather than just time(NULL). Check tcp wrappers for managed_forward and got_managed_forward (just to be anal), also check tcp wrappers on forward query, the Alive packet now gets sent with real info rather than just whatever keepalive sent us (and thus follows the spec). Make sure the session id is never zero as that can happen now. Send at most one unwilling packet per second, and try to defer doing any actual work until after we checked with tcp wrappers. Also add some more potential debugging. * daemon/verify-pam.c: translate the lowercase "username:" and "password:", some modules seem to be using those. * daemon/xdmcp.c, gui/gdmchooser.c: if the condition is not new data to be read, don't try to run XdmcpFill * docs/C/gdm.xml: more notes on security of XDMCP and using MIT-MAGIC-COOKIE-1 added, plus a section on the TCP Wrappers, though it kind of sucks.
-rw-r--r--ChangeLog29
-rw-r--r--daemon/slave.c11
-rw-r--r--daemon/verify-pam.c6
-rw-r--r--daemon/xdmcp.c137
-rw-r--r--docs/C/gdm.xml65
-rw-r--r--gdmsetup-pam10
-rw-r--r--gui/gdmchooser.c3
-rw-r--r--gui/gdmlogin.c2
-rw-r--r--gui/greeter/greeter_item_ulist.c2
9 files changed, 216 insertions, 49 deletions
diff --git a/ChangeLog b/ChangeLog
index b26f77f2..7e1da9b0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,32 @@
+Wed Aug 06 17:40:27 2003 George Lebl <jirka@5z.com>
+
+ * gdmsetup-pam: don't use the paths but let pam find modules itself
+
+ * gui/gdmlogin.c, gui/greeter/greeter_item_ulist.c: limit number of
+ users at 100 (rather then 50) where it really becomes bad. We need
+ to handle this in a nicer way.
+
+ * daemon/xdmcp.c: make the globsessid default to rand() so that they
+ really differ from run to run, rather then just time(NULL). check
+ tcp wrappers for managed_forward and got_managed_forward (just to
+ be anal), also check tcp wrappers on forward query, the Alive packet
+ now gets sent with real info rather then just whatever keepalive
+ sent us (and thus follows the spec). Make sure the session id is
+ never zero as that can happen now. Send at most one unwilling packet
+ per second, and try to defer doing any actual work until after
+ we checked with tcp wrappers. Also add some more potential
+ debugging.
+
+ * daemon/verify-pam.c: translate the lowercase "username:" and
+ "password:", some modules seem to be using those.
+
+ * daemon/xdmcp.c, gui/gdmchooser.c: if the condition is not new
+ data to be read, don't try to run XdmcpFill
+
+ * docs/C/gdm.xml: more notes on security of XDMCP and using
+ MIT-MAGIC-COOKIE-1 added, plus a section on the TCP Wrappers,
+ though it kind of sucks.
+
Wed Aug 06 12:05:52 2003 George Lebl <jirka@5z.com>
* configure.in, docs/C/gdm.xml: update version number
diff --git a/daemon/slave.c b/daemon/slave.c
index 9209b604..cfd0f902 100644
--- a/daemon/slave.c
+++ b/daemon/slave.c
@@ -4307,7 +4307,7 @@ gdm_slave_should_complain (void)
static gchar *
gdm_parse_enriched_login (const gchar *s, GdmDisplay *display)
{
- gchar cmd, *buffer, in_buffer[20];
+ gchar cmd, in_buffer[20];
GString *str;
gint pipe1[2], in_buffer_len;
gchar **argv;
@@ -4382,7 +4382,11 @@ gdm_parse_enriched_login (const gchar *s, GdmDisplay *display)
else
ve_unsetenv ("XAUTHORITY");
ve_setenv ("DISPLAY", display->name, TRUE);
+ if (display->type == TYPE_XDMCP)
+ ve_setenv ("REMOTE_HOST", display->hostname, TRUE);
ve_setenv ("PATH", GdmRootPath, TRUE);
+ ve_setenv ("SHELL", "/bin/sh", TRUE);
+ ve_setenv ("RUNNING_UNDER_GDM", "true", TRUE);
ve_unsetenv ("MAIL");
argv = ve_split (str->str);
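Review bot: `display->hostname` is exported as REMOTE_HOST on the new line without a NULL check, and I cannot see from here whether ve_setenv tolerates a NULL value or whether hostname is always populated for a TYPE_XDMCP display; if either is uncertain, `if (display->type == TYPE_XDMCP && display->hostname != NULL)` is the safe guard. Whatever program this environment is handed to should also treat REMOTE_HOST as data that originated on the remote side (a resolved client name, presumably), and a comment on the new line saying so — `/* REMOTE_HOST is derived from the remote client; consumers must not trust it */` — would save the next reader a lookup. gdm_parse_enriched_login starts before and ends after this hunk.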
@@ -4422,10 +4426,7 @@ gdm_parse_enriched_login (const gchar *s, GdmDisplay *display)
}
}
- buffer = str->str;
- g_string_free (str, FALSE);
-
- return buffer;
+ return g_string_free (str, FALSE);
}
static void
diff --git a/daemon/verify-pam.c b/daemon/verify-pam.c
index c6e63c26..e040229a 100644
--- a/daemon/verify-pam.c
+++ b/daemon/verify-pam.c
@@ -84,12 +84,15 @@ perhaps_translate_message (const char *msg)
if (hash == NULL) {
/* Here we come with some fairly standard messages so that
we have as much as possible translated. Should really be
- translated in pam I suppose */
+ translated in pam I suppose. This way we can "change"
+ some of these messages to be more sane. */
hash = g_hash_table_new (g_str_hash, g_str_equal);
/* login: is whacked always translate to Username: */
g_hash_table_insert (hash, "login:", _("Username:"));
g_hash_table_insert (hash, "Username:", _("Username:"));
+ g_hash_table_insert (hash, "username:", _("Username:"));
g_hash_table_insert (hash, "Password:", _("Password:"));
+ g_hash_table_insert (hash, "password:", _("Password:"));
g_hash_table_insert (hash, "You are required to change your password immediately (password aged)", _("You are required to change your password immediately (password aged)"));
g_hash_table_insert (hash, "You are required to change your password immediately (root enforced)", _("You are required to change your password immediately (root enforced)"));
g_hash_table_insert (hash, "Your account has expired; please contact your system administrator", _("Your account has expired; please contact your system administrator"));
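Review bot: The table is keyed on the exact, case-sensitive string left after g_strstrip, so every spelling has to be added one entry at a time as the new `username:` and `password:` lines do, and `PASSWORD:` or `Password :` still fall through untranslated. If more variants keep turning up, lowering the case of the key once at lookup time (`g_ascii_strdown`) and keying the table in lowercase would give a single point of change; until then the comment the hunk edits should state that matching is exact and case-sensitive so nobody expects otherwise. perhaps_translate_message continues on both sides of this hunk.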
@@ -104,6 +107,7 @@ perhaps_translate_message (const char *msg)
g_hash_table_insert (hash, "Password has been already used. Choose another.", _("Password has been already used. Choose another."));
g_hash_table_insert (hash, "You must wait longer to change your password", _("You must wait longer to change your password"));
g_hash_table_insert (hash, "Sorry, passwords do not match", _("Sorry, passwords do not match"));
+ /* FIXME: what about messages which have some variables in them, perhaps try to do those as well */
}
s = g_strstrip (g_strdup (msg));
ret = g_hash_table_lookup (hash, s);
diff --git a/daemon/xdmcp.c b/daemon/xdmcp.c
index c735dceb..43db8fdb 100644
--- a/daemon/xdmcp.c
+++ b/daemon/xdmcp.c
@@ -161,7 +161,7 @@ static void gdm_xdmcp_send_accept (GdmHostent *he /* eaten and freed */,
static void gdm_xdmcp_send_decline (struct sockaddr_in *clnt_sa, const char *reason);
static void gdm_xdmcp_send_refuse (struct sockaddr_in *clnt_sa, CARD32 sessid);
static void gdm_xdmcp_send_failed (struct sockaddr_in *clnt_sa, CARD32 sessid);
-static void gdm_xdmcp_send_alive (struct sockaddr_in *clnt_sa, CARD32 sessid);
+static void gdm_xdmcp_send_alive (struct sockaddr_in *clnt_sa, CARD16 dspnum, CARD32 sessid);
static void gdm_xdmcp_send_managed_forward (struct sockaddr_in *clnt_sa,
struct sockaddr_in *origin);
static void gdm_xdmcp_send_got_managed_forward (struct sockaddr_in *clnt_sa,
@@ -171,6 +171,8 @@ static GdmDisplay *gdm_xdmcp_display_alloc (struct in_addr *addr,
GdmHostent *he /* eaten and freed */,
int displaynum);
static GdmDisplay *gdm_xdmcp_display_lookup (CARD32 sessid);
+static GdmDisplay *gdm_xdmcp_display_lookup_by_host (struct in_addr *addr,
+ int dspnum);
static void gdm_xdmcp_display_dispose_check (const gchar *name);
static void gdm_xdmcp_displays_check (void);
static int gdm_xdmcp_displays_from_host (struct in_addr *addr);
@@ -231,6 +233,23 @@ gdm_xdmcp_displays_from_host (struct in_addr *addr)
return count;
}
+static GdmDisplay *
+gdm_xdmcp_display_lookup_by_host (struct in_addr *addr, int dspnum)
+{
+ GSList *li;
+
+ for (li = displays; li != NULL; li = li->next) {
+ GdmDisplay *disp = li->data;
+ if (disp->type == TYPE_XDMCP &&
+ memcmp (&disp->addr, addr, sizeof (struct in_addr)) == 0 &&
+ disp->dispnum == dspnum) {
+ return disp;
+ }
+ }
+
+ return NULL;
+}
+
gboolean
gdm_xdmcp_init (void)
@@ -241,8 +260,12 @@ gdm_xdmcp_init (void)
if ( ! GdmXdmcp)
return TRUE;
-
- globsessid = time (NULL);
+
+ /* do we care that this is not the most random number?
+ no. All we care about that it is likely far enough
+ away from any previous run */
+ srand (getpid () * time (NULL));
+ globsessid = rand ();
/* Fetch and store local hostname in XDMCP friendly format */
hostbuf[1023] = '\0';
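Review bot: `getpid () * time (NULL)` multiplies two signed integers, and on a platform with a 32-bit time_t the product overflows for practically every pid, which is undefined behaviour rather than a harmless wrap; `srand ((unsigned int) getpid () ^ (unsigned int) time (NULL));` mixes the same two inputs without it. srand also reseeds the single process-wide rand() stream, so if anything else in the daemon draws on rand() — I cannot see that from here — it now starts from a seed guessable from the process start time and pid; anything security-sensitive, cookie generation for instance, should be confirmed to use its own entropy source. The comment's point that randomness does not matter is right for session ids, and adding that rand() must therefore not be relied on elsewhere in the daemon would pin that down.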
@@ -335,7 +358,13 @@ gdm_xdmcp_decode_packet (GIOChannel *source, GIOCondition cond, gpointer data)
static const char * const gdm_opcode_names[] = {
"MANAGED_FORWARD", "GOT_MANAGED_FORWARD"
};
-
+
+ if (cond != G_IO_IN)
+ gdm_debug ("gdm_xdmcp_decode_packet: GIOCondition %d", (int)cond);
+
+ if ( ! (cond & G_IO_IN))
+ return TRUE;
+
if (!XdmcpFill (gdm_xdmcpfd, &buf, (XdmcpNetaddr)&clnt_sa, &sa_len)) {
gdm_error (_("%s: Could not create XDMCP buffer!"),
"gdm_xdmcp_decode_packet");
@@ -356,11 +385,11 @@ gdm_xdmcp_decode_packet (GIOChannel *source, GIOCondition cond, gpointer data)
}
if (header.opcode <= ALIVE)
- gdm_debug ("gdm_xdmcp_decode: Received opcode %s from client %s",
+ gdm_debug ("gdm_xdmcp_decode_packet: Received opcode %s from client %s",
opcode_names[header.opcode], inet_ntoa (clnt_sa.sin_addr));
if (header.opcode >= GDM_XDMCP_FIRST_OPCODE &&
header.opcode < GDM_XDMCP_LAST_OPCODE)
- gdm_debug ("gdm_xdmcp_decode: Received opcode %s from client %s",
+ gdm_debug ("gdm_xdmcp_decode_packet: Received opcode %s from client %s",
gdm_opcode_names[header.opcode - GDM_XDMCP_FIRST_OPCODE],
inet_ntoa (clnt_sa.sin_addr));
@@ -383,7 +412,6 @@ gdm_xdmcp_decode_packet (GIOChannel *source, GIOCondition cond, gpointer data)
break;
case REQUEST:
- gdm_xdmcp_displays_check(); /* Purge pending displays */
gdm_xdmcp_handle_request (&clnt_sa, header.length);
break;
@@ -432,9 +460,8 @@ gdm_xdmcp_handle_query (struct sockaddr_in *clnt_sa, gint len, gint type)
/* Crude checksumming */
for (i = 0 ; i < clnt_authlist.length ; i++) {
if (GdmDebug) {
- char *s = g_new0 (char, clnt_authlist.length+1);
- memcpy (s, clnt_authlist.data[i].data, clnt_authlist.length);
- gdm_debug ("gdm_xdmcp_handle_query: authlist: %s", s);
+ char *s = g_strndup (clnt_authlist.data[i].data, clnt_authlist.length);
+ gdm_debug ("gdm_xdmcp_handle_query: authlist: %s", ve_sure_string (s));
g_free (s);
}
explen += 2+clnt_authlist.data[i].length;
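Review bot: The g_strndup on the new line still copies `clnt_authlist.length` bytes — the number of entries in the ARRAYofARRAY8 — from `clnt_authlist.data[i].data`, whereas the `explen` line just below uses `clnt_authlist.data[i].length`, the length of that entry; the removed lines had the same mistake and the rewrite carries it over. Because the entry data is not NUL-terminated, g_strndup reads past the entry whenever the entry is shorter than the entry count and truncates it otherwise, on bytes that arrived in an unauthenticated UDP packet (only while GdmDebug is set). The line should read `char *s = g_strndup (clnt_authlist.data[i].data, clnt_authlist.data[i].length);`; the identical copy in gdm_xdmcp_handle_forward_query further down needs the same fix. gdm_xdmcp_handle_query continues on both sides of this hunk.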
@@ -683,6 +710,14 @@ gdm_xdmcp_handle_forward_query (struct sockaddr_in *clnt_sa, gint len)
ARRAYofARRAY8 clnt_authlist;
gint i = 0, explen = 1;
struct sockaddr_in disp_sa = {0};
+
+ /* Check with tcp_wrappers if client is allowed to access */
+ if (! gdm_xdmcp_host_allow (clnt_sa)) {
+ gdm_error ("%s: Got FORWARD_QUERY from banned host %s",
+ "gdm_xdmcp_handle_forward query",
+ inet_ntoa (clnt_sa->sin_addr));
+ return;
+ }
/* Read display address */
if (! XdmcpReadARRAY8 (&buf, &clnt_addr)) {
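Review bot: The function-name argument in the new error message is `"gdm_xdmcp_handle_forward query"` (space, not underscore), so the log line misattributes itself, and unlike the KEEPALIVE counterpart the format is not wrapped in `_()`; it should be `"gdm_xdmcp_handle_forward_query",`. The MANAGED_FORWARD and GOT_MANAGED_FORWARD checks added further down both pass `"gdm_xdmcp_handle_request"` as the function name, a copy-paste of the wrong handler, which matters because an admin triaging these lines is trying to tell the packet types apart. These messages are also emitted once per packet from a banned host, so a flood of denied packets becomes a flood of log lines; the per-second throttle this commit gives gdm_xdmcp_send_unwilling would suit them as well. gdm_xdmcp_handle_forward_query continues after this hunk.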
@@ -715,9 +750,8 @@ gdm_xdmcp_handle_forward_query (struct sockaddr_in *clnt_sa, gint len)
for (i = 0 ; i < clnt_authlist.length ; i++) {
if (GdmDebug) {
- char *s = g_new0 (char, clnt_authlist.length+1);
- memcpy (s, clnt_authlist.data[i].data, clnt_authlist.length);
- gdm_debug ("gdm_xdmcp_handle_forward_query: authlist: %s", s);
+ char *s = g_strndup (clnt_authlist.data[i].data, clnt_authlist.length);
+ gdm_debug ("gdm_xdmcp_handle_forward_query: authlist: %s", ve_sure_string (s));
g_free (s);
}
explen += 2+clnt_authlist.data[i].length;
@@ -837,6 +871,12 @@ gdm_xdmcp_send_unwilling (struct sockaddr_in *clnt_sa, gint type)
{
ARRAY8 status;
XdmcpHeader header;
+ static time_t last_time = 0;
+
+ /* only send at most one packet per second,
+ no harm done if we don't send it at all */
+ if (last_time + 1 >= time (NULL))
+ return;
gdm_debug ("gdm_xdmcp_send_unwilling: Sending UNWILLING to %s", inet_ntoa (clnt_sa->sin_addr));
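Review bot: The guard `if (last_time + 1 >= time (NULL)) return;` keeps returning through the whole second after the last send as well, so the effective rate is one packet per two seconds rather than the one per second the comment promises; `if (last_time >= time (NULL)) return;` matches the comment. time() is also called here and again at the end of the function where last_time is assigned; reading it once into a local and storing that keeps the two consistent. The throttle is global across all clients, which is acceptable for an optional reply but worth stating in the comment, as is the fact that a clock step backwards leaves last_time in the future and mutes UNWILLING until the clock catches up. gdm_xdmcp_send_unwilling continues after this hunk.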
@@ -856,6 +896,8 @@ gdm_xdmcp_send_unwilling (struct sockaddr_in *clnt_sa, gint type)
XdmcpWriteARRAY8 (&buf, &status);
XdmcpFlush (gdm_xdmcpfd, &buf, (XdmcpNetaddr)clnt_sa,
(int)sizeof (struct sockaddr_in));
+
+ last_time = time (NULL);
}
static void
@@ -972,6 +1014,8 @@ gdm_xdmcp_handle_request (struct sockaddr_in *clnt_sa, gint len)
inet_ntoa (clnt_sa->sin_addr));
return;
}
+
+ gdm_xdmcp_displays_check(); /* Purge pending displays */
/* Remote display number */
if (! XdmcpReadCARD16 (&buf, &clnt_dspnum)) {
@@ -1068,10 +1112,13 @@ gdm_xdmcp_handle_request (struct sockaddr_in *clnt_sa, gint len)
XdmcpDisposeARRAY16 (&clnt_conntyp);
return;
}
-
- gdm_debug ("gdm_xdmcp_handle_request: xdmcp_pending=%d, MaxPending=%d, xdmcp_sessions=%d, MaxSessions=%d",
- xdmcp_pending, GdmMaxPending, xdmcp_sessions, GdmMaxSessions);
+ if (GdmDebug) {
+ char *s = g_strndup (clnt_manufacturer.data, clnt_manufacturer.length);
+ gdm_debug ("gdm_xdmcp_handle_request: xdmcp_pending=%d, MaxPending=%d, xdmcp_sessions=%d, MaxSessions=%d, ManufacturerID=%s",
+ xdmcp_pending, GdmMaxPending, xdmcp_sessions, GdmMaxSessions, ve_sure_string (s));
+ g_free (s);
+ }
/* Check if ok to manage display */
if (mitauth &&
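Review bot: `clnt_manufacturer.data` is bytes taken straight from the client's REQUEST packet, and the new lines write them into the log unescaped; a manufacturer string can carry newlines or terminal control sequences, which lets a remote sender forge or mangle log lines (only while GdmDebug is on, which is exactly when someone is reading the log). Escaping is one extra line on top of the strndup, `char *esc = g_strescape (s, NULL);`, logging `ve_sure_string (esc)` and freeing both. The Display Class logged in gdm_xdmcp_handle_manage further down has the same origin and deserves the same treatment. gdm_xdmcp_handle_request continues on both sides of this hunk.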
@@ -1251,15 +1298,20 @@ gdm_xdmcp_handle_manage (struct sockaddr_in *clnt_sa, gint len)
return;
}
- gdm_debug ("gdm_xdmcp_handle_manage: Got Display=%d, SessionID=%ld from %s",
- (int)clnt_dspnum, (long)clnt_sessid, inet_ntoa (clnt_sa->sin_addr));
-
/* Display Class */
if (! XdmcpReadARRAY8 (&buf, &clnt_dspclass)) {
gdm_error (_("%s: Could not read Display Class"),
"gdm_xdmcp_handle_manage");
return;
}
+
+ if (GdmDebug) {
+ char *s = g_strndup (clnt_dspclass.data, clnt_dspclass.length);
+ gdm_debug ("gdm_xdmcp_handle_manage: Got Display=%d, SessionID=%ld Class=%s from %s",
+ (int)clnt_dspnum, (long)clnt_sessid, ve_sure_string (s), inet_ntoa (clnt_sa->sin_addr));
+ g_free (s);
+ }
+
d = gdm_xdmcp_display_lookup (clnt_sessid);
if (d != NULL &&
@@ -1330,6 +1382,14 @@ gdm_xdmcp_handle_managed_forward (struct sockaddr_in *clnt_sa, gint len)
"Got MANAGED_FORWARD from %s",
inet_ntoa (clnt_sa->sin_addr));
+ /* Check with tcp_wrappers if client is allowed to access */
+ if (! gdm_xdmcp_host_allow (clnt_sa)) {
+ gdm_error ("%s: Got MANAGED_FORWARD from banned host %s",
+ "gdm_xdmcp_handle_request",
+ inet_ntoa (clnt_sa->sin_addr));
+ return;
+ }
+
/* Hostname */
if ( ! XdmcpReadARRAY8 (&buf, &clnt_address)) {
gdm_error (_("%s: Could not read address"),
@@ -1386,6 +1446,14 @@ gdm_xdmcp_handle_got_managed_forward (struct sockaddr_in *clnt_sa, gint len)
"Got GOT_MANAGED_FORWARD from %s",
inet_ntoa (clnt_sa->sin_addr));
+ /* Check with tcp_wrappers if client is allowed to access */
+ if (! gdm_xdmcp_host_allow (clnt_sa)) {
+ gdm_error ("%s: Got GOT_MANAGED_FORWARD from banned host %s",
+ "gdm_xdmcp_handle_request",
+ inet_ntoa (clnt_sa->sin_addr));
+ return;
+ }
+
/* Hostname */
if ( ! XdmcpReadARRAY8 (&buf, &clnt_address)) {
gdm_error (_("%s: Could not read address"),
@@ -1467,7 +1535,7 @@ gdm_xdmcp_handle_keepalive (struct sockaddr_in *clnt_sa, gint len)
gdm_debug ("gdm_xdmcp_handle_keepalive: Got KEEPALIVE from %s",
inet_ntoa (clnt_sa->sin_addr));
-
+
/* Check with tcp_wrappers if client is allowed to access */
if (! gdm_xdmcp_host_allow (clnt_sa)) {
gdm_error (_("%s: Got KEEPALIVE from banned host %s"),
@@ -1490,24 +1558,38 @@ gdm_xdmcp_handle_keepalive (struct sockaddr_in *clnt_sa, gint len)
return;
}
- gdm_xdmcp_send_alive (clnt_sa, clnt_sessid);
+ gdm_xdmcp_send_alive (clnt_sa, clnt_dspnum, clnt_sessid);
}
static void
-gdm_xdmcp_send_alive (struct sockaddr_in *clnt_sa, CARD32 sessid)
+gdm_xdmcp_send_alive (struct sockaddr_in *clnt_sa, CARD16 dspnum, CARD32 sessid)
{
XdmcpHeader header;
+ GdmDisplay *d;
+ int send_running = 0;
+ CARD32 send_sessid = 0;
- gdm_debug ("Sending ALIVE to %ld", (long)sessid);
+ d = gdm_xdmcp_display_lookup (sessid);
+ if (d == NULL)
+ d = gdm_xdmcp_display_lookup_by_host (&(clnt_sa->sin_addr), dspnum);
+
+ if (d != NULL) {
+ send_sessid = d->sessionid;
+ if (d->dispstat == XDMCP_MANAGED)
+ send_running = 1;
+ }
+
+ gdm_debug ("Sending ALIVE to %ld (running %d, sessid %ld)",
+ (long)sessid, send_running, (long)send_sessid);
header.version = XDM_PROTOCOL_VERSION;
header.opcode = (CARD16) ALIVE;
header.length = 5;
XdmcpWriteHeader (&buf, &header);
- XdmcpWriteCARD8 (&buf, 1);
- XdmcpWriteCARD32 (&buf, sessid);
+ XdmcpWriteCARD8 (&buf, send_running);
+ XdmcpWriteCARD32 (&buf, send_sessid);
XdmcpFlush (gdm_xdmcpfd, &buf, (XdmcpNetaddr)clnt_sa,
(int)sizeof (struct sockaddr_in));
}
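Review bot: The fallback to gdm_xdmcp_display_lookup_by_host is undocumented: a reader cannot tell whether matching on the packet's source address and display number is meant for a client still holding a session id from a previous gdm run or for some other case, and since the source address of a UDP packet is not authenticated, the ALIVE reply returns whatever session id that display currently has to whoever sent the KEEPALIVE. A comment above the second lookup such as `/* unknown session id (stale from a previous run, presumably); fall back to matching the display by client address and display number */`, with the assumption confirmed, would make the intent reviewable. `send_running` is an int that is written with XdmcpWriteCARD8; declaring it `CARD8 send_running = 0;` matches the wire type. gdm_xdmcp_handle_keepalive starts before this hunk.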
@@ -1568,6 +1650,8 @@ gdm_xdmcp_display_alloc (struct in_addr *addr,
d->console = FALSE;
d->dispstat = XDMCP_PENDING;
d->sessionid = globsessid++;
+ if (d->sessionid == 0)
+ d->sessionid = globsessid++;
d->acctime = time (NULL);
d->dispnum = displaynum;
@@ -1678,6 +1762,7 @@ static void
gdm_xdmcp_displays_check (void)
{
GSList *dlist;
+ time_t curtime = time (NULL);
dlist = displays;
while (dlist != NULL) {
@@ -1686,7 +1771,7 @@ gdm_xdmcp_displays_check (void)
if (d != NULL &&
d->type == TYPE_XDMCP &&
d->dispstat == XDMCP_PENDING &&
- time (NULL) > d->acctime + GdmMaxManageWait) {
+ curtime > d->acctime + GdmMaxManageWait) {
gdm_debug ("gdm_xdmcp_displays_check: Disposing session id %ld",
(long)d->sessionid);
gdm_display_dispose (d);
diff --git a/docs/C/gdm.xml b/docs/C/gdm.xml
index 21af5fb1..61648b6b 100644
--- a/docs/C/gdm.xml
+++ b/docs/C/gdm.xml
@@ -277,8 +277,15 @@
<para>
GDM only supports the MIT-MAGIC-COOKIE-1 authentication
- system. Little is gained from the other schemes, and no
- effort has been made to implement them so far.
+ system. Normally little is gained from the other schemes,
+ and no effort has been made to implement them so far.
+ Because of this the cookies go over the wire as
+ clear text, and thus you should be careful about what
+ network you use this on. If snooping is possible
+ and undesirable, then you had better use ssh for tunneling
+ an X connection anyway rather then using GDM's XDMCP.
+ It is a planned feature to support ssh instead of XDMCP
+ inside GDM.
</para>
<para>
@@ -299,13 +306,54 @@
</para>
<para>
+ In addition to UDP port 177, you should also block all the
+ X server ports (TCP ports 6000 + display number) on the firewall
+ as well. Do note that various places in GDM will use display
+ numbers 20 and higher (for example the on demand server stuff).
+ X is not a very safe protocol for leaving on the net, and XDMCP
+ is even less safe.
+ </para>
+
+ <para>
Even though your display is protected by cookies the XEvents
and thus the keystrokes typed when entering passwords will
still go over the wire in clear text. It is trivial to capture
these. You should also be aware that cookies, if placed on an
NFS mounted directory, are prone to eavesdropping too.
</para>
+ </sect2>
+ <sect2 id="xdmcpaccess">
+ <title>
+ XDMCP Access Control
+ </title>
+
+ <para>
+ XDMCP access control is done using TCP wrappers. It is possible
+ to compile GDM without TCP wrappers however, so you should test
+ your configuration to see if they work.
+ </para>
+
+ <para>
+ You should use the daemon name <filename>gdm</filename> in the
+ <filename>/etc/hosts.allow</filename> and
+ <filename>/etc/hosts.deny</filename> files. For example to
+ deny computers from <filename>.evil.domain</filename> from logging in, then
+ add
+ <screen>
+ gdm: .evil.domain
+ </screen>
+ to <filename>/etc/hosts.deny</filename>. See the
+ <filename>hosts_access(5)</filename> man page for details.
+ </para>
+
+ <para>
+ Even though GDM now tries
+ very hard to ignore things coming from banned hosts you should
+ not rely on the TCP Wrappers for complete protection. It is really
+ best to block UDP port 177 (and all the X ports which are TCP ports
+ 6000 + the display number of course) on your firewall.
+ </para>
</sect2>
<sect2 id="stdgreeter">
@@ -1552,14 +1600,11 @@
<para>
You should add
- </para>
-
- <screen>
- gdm: .my.domain
- </screen>
-
- <para>
- to your <filename>/etc/hosts.allow</filename>. See the
+ <screen>
+ gdm: .my.domain
+ </screen>
+ to your <filename>/etc/hosts.allow</filename>, depending on your
+ TCP Wrappers configuration. See the
<filename>hosts_access(5)</filename> man page for details.
</para>
diff --git a/gdmsetup-pam b/gdmsetup-pam
index 44b01cfc..ecb84946 100644
--- a/gdmsetup-pam
+++ b/gdmsetup-pam
@@ -1,6 +1,6 @@
#%PAM-1.0
-auth sufficient /lib/security/pam_rootok.so
-auth required /lib/security/pam_stack.so service=system-auth
-session required /lib/security/pam_permit.so
-session optional /lib/security/pam_xauth.so
-account required /lib/security/pam_permit.so
+auth sufficient pam_rootok.so
+auth required pam_stack.so service=system-auth
+session required pam_permit.so
+session optional pam_xauth.so
+account required pam_permit.so
diff --git a/gui/gdmchooser.c b/gui/gdmchooser.c
index b075d2ff..08f76e00 100644
--- a/gui/gdmchooser.c
+++ b/gui/gdmchooser.c
@@ -384,6 +384,9 @@ gdm_chooser_decode_packet (GIOChannel *source,
GdmChooserHost *gh;
int pipe_buf;
+ if ( ! (condition & G_IO_IN))
+ return TRUE;
+
if (! XdmcpFill (sockfd, &buf, (XdmcpNetaddr) &clnt_sa, &sa_len))
return TRUE;
diff --git a/gui/gdmlogin.c b/gui/gdmlogin.c
index e32b88fa..435077c4 100644
--- a/gui/gdmlogin.c
+++ b/gui/gdmlogin.c
@@ -3224,7 +3224,7 @@ gdm_login_users_init (void)
while (pwent != NULL) {
/* FIXME: fix properly, see bug #111830 */
- if (number_of_users > 50) {
+ if (number_of_users > 100) {
user = gdm_login_user_alloc ("",
9999 /*fake uid*/,
"/",
diff --git a/gui/greeter/greeter_item_ulist.c b/gui/greeter/greeter_item_ulist.c
index 20526ae1..1d6ef2e1 100644
--- a/gui/greeter/greeter_item_ulist.c
+++ b/gui/greeter/greeter_item_ulist.c
@@ -270,7 +270,7 @@ gdm_greeter_users_init (void)
while (pwent != NULL) {
/* FIXME: fix properly, see bug #111830 */
- if (number_of_users > 50) {
+ if (number_of_users > 100) {
user = gdm_greeter_user_alloc ("",
9999 /*fake uid*/,
"/",