path: root/README.install
blob: b5527a5f2a920c46e7db7792075a8602aef18e25 (plain)
QUICK NOTES ON INSTALLATION/USE:

General
=======

If you didn't compile Gnome yourself, make sure you have the appropriate
-devel packages installed.

If building from CVS, there is a script gdm-build.sh in the root of the
tree that you can use to build gdm and then install it with "make install".
The setup is like Red Hat.

WARNING: gdm is a *daemon* -- not a common user application.  It
requires extensive knowledge about your system setup to install and
configure. gdm isn't - and never will be - Plug and Play
(i.e. ./configure ; make install). 

Security
========

For security reasons a dedicated user and group id are required for
proper operation!  This userid is used to run the GDM GUI programs
required for login.  All functionality that requires root authority
is done by the GDM daemon process.  This design ensures that if the
GUI programs are somehow exploited, only the dedicated user 
privileges are available.  By default GDM assumes the user and the
group are called `gdm'.  These are configured via the User and
Group configuration options in the gdm.conf file.  The user and
group should be created before running "make install".

Distributions and system administrators using GDM are expected to
setup the dedicated user properly.  It is recommended that this
userid be configured to disallow login and to not have a default
shell.  Distributions and system administrators should set up
the filesystem to ensure that the GDM user does not have read or
write access to sensitive files.

A dedicated gdm userid/group is necessary because the GDM user does
require certain special permissions.  It must be able to read and
write Xauth keys in /var/lib/gdm.  This directory should have
root:gdm ownership and 1770 permissions.  Running "make install"
will set this directory to these values.  You will need to
modify the configure/Makefile if you want to use a different
group than gdm.  The GDM daemon process will reset this
directory to the proper ownership/permissions if it is somehow not
set properly.  This need to write Xauth files is why the
user "nobody" is not appropriate for gdm.

If the gdm user is set up properly and access to the gdm user is
somehow exploited, the attacker should only be able to
maliciously modify the Xauth keys, which is a potential
Denial-Of-Service attack.  However, if a person gains the ability
to run programs as the user gdm, it would be possible to snoop on
running GDM processes, including usernames and passwords as they
are being typed in.  Therefore it is important to ensure that
the gdm user is disallowed login and has no default shell.
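The checks implied by the two paragraphs above, as an added example that is not part of GDM's own sources: a small POSIX shell script that verifies the dedicated account has no login shell and that the Xauth directory carries the expected ownership and mode. The account name "gdm", /etc/passwd, /var/lib/gdm, root:gdm and 1770 come from this README; the use of GNU stat(1) with "-c" is an assumption, as is the choice of /sbin/nologin, /usr/sbin/nologin and /bin/false as the recognised non-login shells.

```shell
#!/bin/sh
# Added example, not part of GDM: check the dedicated gdm account and the
# Xauth directory against the rules in README.install. Assumes GNU stat(1)
# ("stat -c"); the account name, /etc/passwd and /var/lib/gdm are from the
# README.

# Exit 0 if USER in PASSWD_FILE has a non-login shell, 1 if it has a usable
# shell (an empty field also counts, since login then falls back to /bin/sh),
# 2 if the account does not exist. PASSWD_FILE is a parameter so the check
# can be exercised against a constructed copy instead of /etc/passwd.
gdm_user_has_nologin_shell() {
    passwd_file=$1
    user=$2
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd_file")
    [ -n "$entry" ] || return 2
    shell=$(printf '%s\n' "$entry" | awk -F: '{ print $7 }')
    case "$shell" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/usr/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 if DIR has mode 1770: sticky bit, rwx for owner and group, no
# access for others, which is what "make install" sets on /var/lib/gdm.
dir_mode_is_1770() {
    [ "$(stat -c '%a' "$1")" = 1770 ]
}

# Exit 0 if DIR is owned by root and by GROUP (default gdm).
dir_owner_is_root_group() {
    [ "$(stat -c '%U:%G' "$1")" = "root:${2:-gdm}" ]
}

# Audit the live system; one line per finding, exit 1 if anything is off.
audit_gdm_setup() {
    user=${1:-gdm}
    group=${2:-gdm}
    dir=${3:-/var/lib/gdm}
    rc=0
    gdm_user_has_nologin_shell /etc/passwd "$user" \
        || { echo "account $user is missing or has a login shell"; rc=1; }
    dir_mode_is_1770 "$dir" \
        || { echo "$dir mode is not 1770"; rc=1; }
    dir_owner_is_root_group "$dir" "$group" \
        || { echo "$dir is not owned by root:$group"; rc=1; }
    return $rc
}

# Usage: sh check_gdm_setup.sh --audit [user [group [dir]]]
case "${1:-}" in
    --audit) shift; audit_gdm_setup "$@" ;;
esac
```

Run it with "--audit" after "make install" (or after a distribution package is installed) and before enabling the daemon; a non-zero exit means the account or directory does not match what this README expects.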

When reporting bugs you should first turn on debugging in
gdm.conf.  Your syslog daemon might not log debug information by
default, so you should make sure daemon.debug events are logged to a
file.  Include the resulting log in your bug report.  It is known
that debugging can sometimes cause unrelated problems due to the
interaction with the syslog daemon, so it is not advisable that
you run with the debug option all the time.  (Not to mention
it generates a LOT of spew.)

XDMCP is disabled by default since XDMCP can be exploited to
create Denial-Of-Service attacks if a malicious user sends a
flood of XDMCP requests to your computer.  It may be enabled
by setting "enable=true" in the "[xdmcp]" section of the
gdm.conf file.

The face browser reveals usernames on your system and should
not be used unless the system is physically secure.  In other
words, it is a feature most appropriate for home use and 
is not recommended on systems that are for public use.
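The three settings discussed above (debug logging, XDMCP, the face browser) are the ones an administrator would want to confirm are off on a public machine. The following added example, not part of GDM, reads a gdm.conf-style file and reports any of them that is switched on. The "[xdmcp]" section and its "enable" key are from this README; the names "[greeter] Browser" for the face browser and "[debug] Enable" for debug logging are assumptions and should be adjusted to whatever your gdm.conf actually uses.

```shell
#!/bin/sh
# Added example, not part of GDM: read a gdm.conf-style file and report the
# settings README.install flags as risky. "[xdmcp]" / "enable" are from the
# README; "[greeter] Browser" and "[debug] Enable" are assumed key names.

# Print the value of KEY in [SECTION] of FILE (case-insensitive match,
# comments and blank lines skipped, empty output if absent).
gdm_conf_get() {
    awk -v sect="$2" -v key="$3" '
        /^[[:space:]]*\[/ {
            s = $0
            sub(/^[[:space:]]*\[/, "", s); sub(/\].*/, "", s)
            insect = (tolower(s) == tolower(sect))
            next
        }
        insect && !/^[[:space:]]*[#;]/ && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/[[:space:]]/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v
                exit
            }
        }' "$1"
}

# Exit 0 if VALUE spells "on" in the usual boolean forms.
gdm_conf_is_true() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        true|yes|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per risky setting found in FILE; exit 1 if any, else 0.
gdm_conf_risky_settings() {
    conf=$1
    findings=0
    if gdm_conf_is_true "$(gdm_conf_get "$conf" xdmcp enable)"; then
        echo "[xdmcp] enable=true: XDMCP listens on the network (DoS exposure)"
        findings=$((findings + 1))
    fi
    if gdm_conf_is_true "$(gdm_conf_get "$conf" greeter Browser)"; then
        echo "[greeter] Browser=true: face browser reveals usernames"
        findings=$((findings + 1))
    fi
    if gdm_conf_is_true "$(gdm_conf_get "$conf" debug Enable)"; then
        echo "[debug] Enable=true: debug logging left on"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Usage: sh gdm_conf_check.sh <prefix>/etc/gdm/gdm.conf
if [ $# -eq 1 ]; then
    gdm_conf_risky_settings "$1"
fi
```

The parser stops at the first matching key in the requested section, so a key repeated later in the same section is ignored; if your gdm.conf relies on the last occurrence winning, drop the "exit" and keep the final value instead.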

Read the GDM documentation for more information about security:
http://www.gnome.org/projects/gdm/

Configure Options
=================

Configuration is done by editing the gdm.conf file (located in
<prefix>/etc/gdm/gdm.conf). If no config file exists, make install
will create one for you.

The default HaltCommand and RebootCommand gdm.conf options may
not be appropriate for your distribution.  Distribution vendors
who ship GDM are advised to modify these to the supported
Halt/Reboot commands for their system.  The correct HaltCommand
for FreeBSD is "/sbin/halt -p" so the disks are synced on shutdown,
and on other systems "/sbin/init 0" or "/sbin/init 5" may be most
appropriate.  The correct RebootCommand for some systems may
be "/sbin/init 6".  Patches to improve the GDM configure script
and how it sets these values by default would be accepted.

On some systems "/sbin/init 0", "/sbin/init 5",
or "/sbin/halt -p" may be 

If you want to add distribution-specific directories to the end of
DefaultPath and RootDefaultPath, then use the --with-post-path
configure option.  Argument value should be a list of directories
separated by ":" characters (no spaces).

Make sure the --with-pam-prefix points to the prefix where the pam.conf
file is located (default is sysconfdir - /etc).

If you want accessibility to work and have AT programs like gok and
gnopernicus installed to a different directory than EXPANDED_BINDIR,
then use the --with-at-bindir configure option.

If you want IPv6 enabled, use --enable-ipv6=yes option to configure.

To assign a default face to a user for the face browser, place a
(jpg, gif, png, xpm) image in the user's $HOME/.iface directory.
The gdm.conf DefaultFace configuration option allows the system
administrator to set up a default face image.

For best a11y support on Linux, it is recommended to use the
--with-xevie configuration option so that the user's Xserver
session is always started with the Xserver XEVIE extension.
GOK works best when XEVIE is enabled.

Read the GDM documentation for more information about configuring
GDM: http://www.gnome.org/projects/gdm/

Distribution
============

Red Hat
-------

If you want to install OVER RedHat or Ximian packages, use the
following configure options:
--prefix=/usr --sysconfdir=/etc/X11 --localstatedir=/var
--enable-console-helper --with-pam-prefix=/etc
However, there is now a spec file so you can build an rpm by just doing

rpm -ta gdm-<version>.tar.gz

This should work on RedHat 6.x, 7.x, 8.x, 9 and perhaps later, and if you're
very lucky then on your favorite other distribution, but no promises.  GDM is
not a trivial package so it's more likely it won't work in other places out of
the box.

Solaris
-------

Configuring GDM with the "--with-post-path=/usr/openwin/bin" on Solaris
is recommended.

GDM includes code to integrate with /etc/logindevperm and the Solaris audit APIs.
These interfaces are only supported on Solaris 10 and higher.  GDM should not
be used on Solaris 9 and earlier if auditing is needed.

If using Solaris 9 or earlier, device permissions will not be set correctly
on login since GDM only processes /etc/logindevperm on Solaris 10 and higher.
The most annoying problem is that the user will likely not have access to
audio input/output.  This can be worked around by adding chown/chmod commands
for each /dev device specified in /etc/logindevperm to the GDM PreSession and
PostSession scripts, setting the ownership and read/write permissions to the
user on login and back to root:root 0600 on logout.

If someone wants to provide a patch to GDM to make it support processing
/etc/logindevperm on Solaris 9 and lower to avoid the above workaround, then
that would be great.  

Automatic Login On Solaris
--------------------------

Automatic Login, if enabled on Solaris, will still pop up a GUI asking the user
for a password.  To set up automatic login so it doesn't require a password,
use the following /etc/pam.conf settings:

       gdm-autologin auth  required    pam_unix_cred.so.1
       gdm-autologin auth  sufficient  pam_allow.so.1
       gdm-autologin account  sufficient  pam_allow.so.1
       gdm-autologin session  sufficient  pam_allow.so.1
       gdm-autologin password  sufficient  pam_allow.so.1 

The above setup will cause no lastlog entry to be generated.  If a lastlog
entry is desired, then use the following for session:

       gdm-autologin session required pam_unix_session.so.1 

If using Solaris 10 or lower, then you also need to compile the pam_allow.c
code and install it to /usr/lib/security (or anywhere and provide the full
path in /etc/pam.conf) and ensure it is owned by uid 0 and not group or
world writable.