path: root/README.install
author Brian Cameron <Brian.Cameron@Sun.Com> 2005-03-17 22:06:39 +0000
committer Brian Cameron <bcameron@src.gnome.org> 2005-03-17 22:06:39 +0000
commit 1eb8e52ee503813856b97a19dda775a1839a82b3 (patch)
tree e7886f966940d9e7f6277c32d793397c05458903 /README.install
parent 0ff3df09fa0eb23811a38eb518302e8f81159737 (diff)
download gdm-1eb8e52ee503813856b97a19dda775a1839a82b3.tar.gz
Made comment nicer. Fix for bug 132629, now only display each language
Thu Mar 17 2:30:00 2005 Brian Cameron <Brian.Cameron@Sun.Com>

* config/extract-shell.sh: Made comment nicer.
* gui/gdmlanguages.c: Fix for bug 132629, now only display each language once. Adding Hong Kong to table. Also added Hong Kong to table.
* gui/modules/keymouselistener.c: Fix message as per bug 167649.
* README.install: Added more security information and information about installing on Solaris.
Diffstat (limited to 'README.install')
-rw-r--r-- README.install 165
1 files changed, 123 insertions, 42 deletions
diff --git a/README.install b/README.install
index 2581e371..7db0ca12 100644
--- a/README.install
+++ b/README.install
@@ -1,58 +1,59 @@
QUICK NOTES ON INSTALLATION/USE:
+General
+=======
+
If you didn't compile Gnome yourself, make sure you have the appropriate
-devel packages installed.
-============
-If you want to install OVER RedHat or Ximian packages use,
-following configure options:
---prefix=/usr --sysconfdir=/etc/X11 --localstatedir=/var
---enable-console-helper --with-pam-prefix=/etc
-However, there is now a spec file so you can build an rpm by just doing
-
-rpm -ta gdm-<version>.tar.gz
-
-This should work on RedHat 6.x, 7.x, 8.x, 9 and perhaps later, and if you're
-very lucky then on your favorite other distribution, but no promises. GDM is
-not a trivial package so it's more likely it won't work in other places out of
-the box.
-
If building from CVS, there is a script gdm-build.sh in the root of the
tree that you can use to build gdm and then install it with "make install".
-The setup is a a redhat like one.
+The setup is like Red Hat.
-Definitely make sure the --with-pam-prefix points to the prefix where
-
-Also if you want IPv6, use --enable-ipv6=yes option to configure!
-
--George
-============
-
-WARNING: gdm is a *daemon* -- not a common user application. It
+WARNING: gdm is a *daemon* -- not a common user application. It
requires extensive knowledge about your system setup to install and
configure. gdm isn't - and never will be - Plug and Play
(i.e. ./configure ; make install).
-For security reasons a dedicated user and group id are required for
-proper operation! gdm assumes that both the user and the group are
-called `gdm'. Create these before running make install. You can
-change the name in gdm.conf, but it is advised that these are dedicated
-to the gdm daemon. This user will have access to some gdm files and
-can cause gdm DoS attacks, so it is not be OK to just use the
-user `nobody'. Also it should not be a user with other privilages
-as it is assumed that someone who may break the gtk frontend apps
-can gain `gdm' access.
-
-You should run ``make install'' as root to get the permissions right
-on the authentication directory. ``make install'' assumes the user
-is named `gdm'
-
-Configuration is done by editing the gdm.conf file (located in
-<prefix>/etc/gdm/gdm.conf). If no config file exists, make install
-will create one for you.
+Security
+========
-Put (copy) your (jpg, gif, png, xpm) picture to ~/.face to make it
-appear in the face browser.
+For security reasons a dedicated user and group id are required for
+proper operation! This userid is used to run the GDM GUI programs
+required for login. All functionality that requires root authority
+is done by the GDM daemon process. This design ensures that if the
+GUI programs are somehow exploited, only the dedicated user
+privilidges are available. By default GDM assumes the user and the
+group are called `gdm'. These are configured via the User and
+Group configuration options in the gdm.conf file. The user and
+group should be created before running "make install".
+
+Distributions and system admistrators using GDM are expected to
+setup the dedicated user properly. It is recommended that this
+userid be configured to disallow login and to not have a default
+shell. Distributions and system administrators should set up
+the filesystem to ensure that the GDM user does not have read or
+write access to sensitive files.
+
+The necessity for a gdm userid/group is because the GDM user does
+require certain special permissions. It must be able to read and
+write Xauth keys to /var/lib/gdm. This directory should have
+root:gdm ownership and 1770 permissions. Running "make install"
+will set this directory to these values. You will need to
+modify the configure/Makefile if you want to use a different
+group than gdm. The GDM daemon process will reset this
+directory to proper ownership/permissions if it is somehow not
+set properly. The need to be able to write Xauth files is why
+user "nobody" is not appropriate for gdm.
+
+If the gdm user is set up properly and gdm user access is somehow
+exploited, this means that the GDM user should only be able to
+malicoiusly modify the Xauth keys causing potential
+Denial-Of-Service attacks. If a person gains the ability to run
+programs as the user gdm, it would be possible to snoop on running
+GDM processes, including usernames and passwords as they are
+being typed in. Therefore it is important to ensure that
+the gdm user is disallowed login and has no default shell.
When reporting bugs you should first turn on debugging in
gdm.conf. Your syslog daemon might not log debug information per
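Review bot: the new Security section ends at "+the gdm user is disallowed login and has no default shell." and runs straight into the unchanged "When reporting bugs you should first turn on debugging in" context line with no blank line between them, so in the rendered README the last security sentence and the bug-reporting paragraph merge into one paragraph; add a "+" blank line before that context line (the old text had one). The same section also has three spelling errors: "privilidges" (privileges), "admistrators" (administrators) and "malicoiusly" (maliciously). On substance, the paragraph first says a compromised gdm user "should only be able to maliciously modify the Xauth keys causing potential Denial-Of-Service attacks" and then, two sentences later, that someone who can run programs as gdm could "snoop on running GDM processes, including usernames and passwords as they are being typed in"; those two statements contradict each other, and the first should be narrowed to what it actually means, e.g. "the GDM user's filesystem privileges are limited to the Xauth keys in /var/lib/gdm", so the password-snooping risk is not understated.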
@@ -63,4 +64,84 @@ interaction with the syslog daemon, so it is not advisable that
you run with the debug option all the time. (Not to mention
it generates a LOT of spew)
+XDMCP is disabled by default since XDMCP can be exploited to
+create Denial-Of-Service attacks if a malicous user sends a
+flood of XDMCP requests to your computer. It may be enabled
+by setting "enable=true" in the "[xdmcp]" section of the
+gdm.conf file.
+
+The face browser reveals usernames on your system and should
+not be used unless the system is physically secure. In other
+words, it is a feature most appropriate for home use and
+is not recommended on systems that are for public use.
+
+Read the GDM documentation for more information about security:
+http://yippi.hypermall.com/gdm/
+
+Configure Options
+=================
+
+Configuration is done by editing the gdm.conf file (located in
+<prefix>/etc/gdm/gdm.conf). If no config file exists, make install
+will create one for you.
+
+If you want to add distribution-specific directories to the end of
+DefaultPath and RootDefaultPath, then use the --with-post-path
+configure option. Argument value should be a list of directories
+separated by ":" characters (no spaces).
+
+Make sure the --with-pam-prefix points to the prefix where the pam.conf
+file is located (default is sysconfdir - /etc).
+
+If you want accessibility to work and have AT programs like gok and
+gnopernicus installed to a different directory than EXPANDED_BINDIR,
+then use the --with-at-bindir configure optin.
+
+If you want IPv6 enabled, use --enable-ipv6=yes option to configure.
+
+To assign a default face to a user for the face browser, place a
+(jpg, gif, png, xpm) image to the user's $HOME/.iface directory.
+The gdm.conf DefaultFace configuration option allows the system
+administrator to set up a default face image.
+
+Read the GDM documentation for more information about configuring
+GDM: http://yippi.hypermall.com/gdm/
+
+Distribution
+============
+
+Red Hat
+-------
+
+If you want to install OVER RedHat or Ximian packages use,
+following configure options:
+--prefix=/usr --sysconfdir=/etc/X11 --localstatedir=/var
+--enable-console-helper --with-pam-prefix=/etc
+However, there is now a spec file so you can build an rpm by just doing
+
+rpm -ta gdm-<version>.tar.gz
+
+This should work on RedHat 6.x, 7.x, 8.x, 9 and perhaps later, and if you're
+very lucky then on your favorite other distribution, but no promises. GDM is
+not a trivial package so it's more likely it won't work in other places out of
+the box.
+
+Solaris
+-------
+
+GDM includes code to integrate with /etc/logindevperm and Solaris audit API's.
+These interfaces are only supported on Solaris 10 and higher. GDM should not
+be used on Solaris 9 and earlier if auditing is needed.
+
+If using Solaris 9 or earlier, device permissions will not be set correctly
+on login since GDM only processes /etc/logindevperm on Solaris 10 and higher.
+The most annoying problem is that the user will likely not have access to
+audio input/output. This can be worked around by adding chown/chmod commands
+to each /dev device specified in /etc/logindevperm to the GDM PreSession and
+PostSession script to set the ownership and read/write permissions to the
+user on user login and back to root:root 0600 on logout.
+
+If someone wants to provide a patch to GDM to make it support processing
+/etc/logindevperm on Solaris 9 and lower to avoid the above workaround, then
+that would be great.
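Review bot: the face-browser paragraph under "Configure Options" tells the user to place an image "to the user's $HOME/.iface directory", which contradicts the line this patch removes from the first hunk ("Put (copy) your (jpg, gif, png, xpm) picture to ~/.face") in both the name (.iface vs .face) and the kind of object (a directory vs a file); unless the lookup really changed, it should read "copy the image to the file $HOME/.face". Spelling in this hunk: "malicous" (malicious) in the XDMCP paragraph, "optin" (option) in the --with-at-bindir sentence, and "API's" should be "APIs" in the Solaris section. Minor: the URL http://yippi.hypermall.com/gdm/ is given twice within a few paragraphs; the second "Read the GDM documentation" pointer could simply refer back to the first.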