-
Notifications
You must be signed in to change notification settings - Fork 46
/
mdm.xml
6619 lines (5982 loc) · 269 KB
/
mdm.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<?xml version="1.0"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
"/usr/share/sgml/docbook/dtd/xml/4.1.2/docbookx.dtd" [
<!ENTITY legal SYSTEM "legal.xml">
<!ENTITY version "2.20.4">
<!ENTITY date "03/10/2008">
<!ENTITY mdash "—">
<!ENTITY percnt "%">
]>
<article id="index" lang="en">
<articleinfo>
<title>MDM Display Manager Reference Manual</title>
<revhistory>
<revision>
<revnumber>0.0</revnumber>
<date>2007-01</date>
</revision>
</revhistory>
<abstract role="description">
<para>
MDM is the MDM Display Manager, a graphical login program.
</para>
</abstract>
<authorgroup>
<author>
<firstname>Martin</firstname><othername>K.</othername>
<surname>Petersen</surname>
<affiliation>
<address><email>mkp@mkp.net</email></address>
</affiliation>
</author>
<author>
<firstname>George</firstname><surname>Lebl</surname>
<affiliation>
<address><email>jirka@5z.com</email></address>
</affiliation>
</author>
<author role="maintainer">
<firstname>Brian</firstname><surname>Cameron</surname>
<affiliation>
<address><email>Brian.Cameron@Sun.COM</email></address>
</affiliation>
</author>
<author>
<firstname>Bill</firstname><surname>Haneman</surname>
<affiliation>
<address><email>Bill.Haneman@Sun.COM</email></address>
</affiliation>
</author>
</authorgroup>
<copyright>
<year>1998</year><year>1999</year><holder>Martin K. Petersen</holder>
</copyright>
<copyright>
<year>2001</year><year>2003</year><year>2004</year>
<holder>George Lebl</holder>
</copyright>
<copyright>
<year>2003</year> <holder>Red Hat, Inc.</holder>
</copyright>
<copyright>
<year>2003</year><year>2004</year><holder>Sun Microsystems, Inc.</holder>
</copyright>
&legal;
<releaseinfo>
This manual describes version &version; of the MDM Display Manager.
It was last updated on &date;.
</releaseinfo>
</articleinfo>
<sect1 id="preface">
<title>Terms and Conventions Used in This Manual</title>
<para>
This manual describes version &version; of the MDM Display Manager.
It was last updated on &date;.
</para>
<para>
Configurator - The configuration application
(<command>mdmsetup</command>).
</para>
<para>
MDM - MDM Display Manager. Used to describe the software package as a
whole. Sometimes also referred to as MDM2.
</para>
<para>
mdm - The MDM Display Manager daemon (<command>mdm</command>).
</para>
<para>
Greeter - The graphical login window (<command>mdmlogin</command> or
<command>mdmgreeter</command> or <command>mdmwebkit</command>).
</para>
<para>
GTK+ Greeter - The standard login window (<command>mdmlogin</command>).
</para>
<para>
PAM - Pluggable Authentication Mechanism
</para>
<para>
Themed Greeter - The themable login window (<command>mdmgreeter</command>).
</para>
<para>
Paths that start with a word in angle brackets are relative to the
installation prefix. I.e. <filename><share>/pixmaps/</filename>
refers to <filename><share>/pixmaps</filename> if MDM was configured
with <command>--prefix=/usr</command>. Normally also note that
MDM is installed with <command>--sysconfigdir=<etc>/X11</command>,
meaning any path to which we refer to as
<filename><etc>/mdm/PreSession</filename> usually means
<filename><etc/X11>/mdm/PreSession</filename>. Note that for
interoperability it is recommended that you use a --prefix of
<filename>/usr</filename> and a --sysconfdir of
<filename><etc>/X11</filename>.
</para>
</sect1>
<sect1 id="overview">
<title>Overview</title>
<sect2 id="introduction">
<title>
Introduction
</title>
<para>
The MDM Display Manager (MDM) is a display manager that
implements all significant features required for managing
attached and remote displays. MDM was written from scratch and
does not contain any XDM / X Consortium code.
</para>
<para>
Note that MDM is highly configurable, and many configuration
settings can affect security. Issues to be aware of are highlighted
in this document and in the MDM Configuration files.
</para>
</sect2>
<sect2 id="stability">
<title>
Interface Stability
</title>
<para>
The key/value pairs defined in the MDM configuration files and
the location of these files are considered "stable" interfaces
should only change in ways that are backwards compatible. Note that
this includes functionality like the MDM scripts (Init, PreSession,
PostSession, PostLogin, XKeepsCrashing, etc.); directory locations
(ServAuthDir, etc.), system applications (SoundProgram), etc.
Some configuration values depend on OS interfaces may need to be
modified to work on a given OS. Typical examples are HaltCommand,
RebootCommand, CustomCommands, SuspendCommand, StandardXServer, Xnest,
SoundProgram, and the "command" value for each
<filename>server-foo</filename>.
</para>
<para>
Command-line interfaces for MDM programs installed to
<filename><bin></filename> and <filename><sbin></filename>
are considered stable. Refer to your distribution documentation to see
if there are any distribution-specific changes to these MDM interfaces
and what support exists for them.
</para>
</sect2>
<sect2 id="daemonov">
<title>The MDM Daemon</title>
<para>
The MDM daemon is responsible for managing displays on the system.
This includes authenticating users, starting the user session, and
terminating the user session. MDM is configurable and the ways it can
be configured are described in the "Configuring MDM" section
of this document. The <filename>Init</filename>,
<filename>PostLogin</filename>, <filename>PreSession</filename>,
and <filename>PostSession</filename> scripts discussed below are
discussed in this "Configuring MDM section".
</para>
<para>
The MDM daemon supports a UNIX domain socket protocol which can be used
to control aspects of its behavior and to query information. This
protocol is described in the "Controlling MDM" section of
this document.
</para>
<para>
MDM can be asked to manage a display a number of ways. Attached
displays are always managed when MDM starts and will be restarted when
a user's session is finished. Remote displays can be requested via
XDMCP, flexible displays via the <command>mdmflexiserver</command>
command, and dynamic displays via the <command>mdmdynamic</command>
command. Displays that are started on request are not restarted on
session exit.
</para>
<para>
When the MDM daemon is asked to manage a display, it will fork an
X server process, then run the <filename>Init</filename> script as the
root user, and start the login GUI dialog as a slave process on the
display. MDM can be configured to use either
<command>mdmgreeter</command> (the default) or
<command>mdmlogin</command> as the GUI dialog program. The
<command>mdmlogin</command> program supports accessibility while the
<command>mdmgreeter</command> program supports greater themeability.
The GUI dialog is run as the unpriviledged "mdm" user/group
which is described in the "Security" section below. The GUI
dialog communicates with the daemon via a sockets protocol and via
standard input/output. The slave, for example passes the username and
password information to the MDM daemon via standard input/output so
the daemon can handle the actual authentication.
</para>
<para>
The login GUI dialog screen allows the user to select which session
they wish to start and which language they wish to use. Sessions are
defined by files that end in the .desktop extension and more
information about these files can be found in the
"Configuration" section. The user enters their name and
password and if these successfully authenticate, MDM will start the
requested session for the user. It is possible to configure MDM to
avoid the authentication process by turning on the Automatic or Timed
Login features in the MDM configuration. The login GUI can also be
configured to provide additional features to the user, such as the
Face Browser; the ability to halt, restart, or suspend the system;
and/or edit the login configuration (after entering the root password).
</para>
<para>
MDM uses Pluggable Authentication Modules (PAM) for
authentication. After authenticating a user, the daemon runs the
<filename>PostLogin</filename> script as root, and forks a slave
process to start the requested session. This slave process runs the
<filename>PreSession</filename> script as root, sets up the user's
environment, and starts the requested session. MDM keeps track of the
user's default session and language in the user's
<filename>~/.dmrc</filename> and will use these defaults if the user
did not pick a session or language in the login GUI. When the user's session exits, the MDM
daemon will run the <filename>PostSession</filename> script as root.
</para>
<para>
Note that, by default, MDM uses the "mdm" service name for
normal login and the "mdm-autologin" service name for
automatic login. The <filename>PamStack</filename> configuration
option can be used to specify a different service name. For example,
if "foo" is specified, then MDM will use the "foo"
service name for normal login and "foo-autologin" for
automatic login.
</para>
<para>
For those looking at the code, the mdm_verify_user function in
<filename>daemon/verify-pam.c</filename> is used for normal login
and the mdm_verify_setup_user function is used for automatic login.
</para>
</sect2>
<sect2 id="displaytypes">
<title>Different Display Types</title>
<para>
MDM supports three different display types: attached displays,
flexible displays, and XDMCP remote displays. The
"X Server Definitions" subsection of the
"Configuration" section explains how the X server is
configured for different displays.
</para>
<para>
Attached (also known as local or static) displays are always started by
the daemon, and when they die or are killed, they are restarted. MDM
can run as many of these as needed. MDM can also manage displays on
which it does not manage a GUI login, thus MDM can be used for
supporting X terminals. The "Attached DISPLAY Configuration"
subsection of the "Configuration" section describes how
attached displays are defined.
</para>
<para>
Flexible (also known as on-demand) displays are only available to users
logged on the console. Starting a flexible display will lock the
current user session and will show a new login screen over the current
running session. If at least one flexible display is already running,
and the user requests another, then a dialog will display showing
existing flexible displays. The user can choose to switch back to a
previous display or start a new flexible display. If the user switches
back to a previous display, they will need to enter the password in the
lock screen program to return to their session. The MDM configuration
file specifies the maximum number of flexible displays allowed on the
system.
</para>
<para>
Flexible displays may be started by running the
<command>mdmflexiserver</command> command, or via calling the MDM
socket protocol directly. Some lock screen programs provide a button
to start a new flexible session. This allows a user to start a new
session even if the screen was left locked. Flexible displays are not
restarted when the user session ends. Flexible displays require virtual
terminal (VT) support in the kernel.
</para>
<para>
The <filename>FlexibleXServers</filename>,
<filename>FirstVT=7</filename>, <filename>VTAllocation</filename>,
and <filename>FlexiReapDelayMinutes</filename> configuration settings
are used to configure how flexible displays operate.
</para>
<para>
Nested displays are available to users even if not logged in on the
console. Nested displays launch a login screen in a window in the
user's current session. This can be useful if the user has more
than one account on a machine and wishes to login to the other
account without disrupting their current session. Nested displays
may be started by running the <command>mdmflexiserver -n</command>
command or via calling the MDM socket protocol directly. Nested
displays require that the X server supports a nested X server command
like Xnest or Xephyr. The <filename>Xnest</filename> configuration
option is used to configure how nested displays are started.
</para>
<para>
The <command>mdmdynamic</command> is similar to
<command>mdmflexiserver</command> in the sense that it allows the
user to manage displays dynamically. However displays started with
<command>mdmdynamic</command> are treated as attached displays, so
they are restarted automatically when the session exits. This
command is intended to be used in multi-user server environments
(many displays connected to a single server). In other words,
this command allows the displays to be managed without hardcoding
the display information in the "Attached DISPLAY
Configuration" section of the configuration file. This
is useful to support the ability of adding new displays to the
server without needing to restart MDM, for example.
</para>
<para>
The last display type is the XDMCP remote displays which are described
in the next section. Remote hosts can connect to MDM and present the
login screen if this is enabled. Some things are different for
remote sessions. For example, the Actions menu which allows you to
shut down, restart, suspend, or configure MDM are not shown.
</para>
</sect2>
<sect2 id="xdmcp">
<title>
XDMCP
</title>
<para>
The MDM daemon can be configured to listen for and manage X Display
Manage Protocol (XDMCP) requests from remote displays. By default
XDMCP support is turned off, but can be enabled if desired. If MDM is
built with TCP Wrapper support, then the daemon will only grant access
to hosts specified in the MDM service section in the TCP Wrappers
configuration file.
</para>
<para>
MDM includes several measures making it more resistant to denial of
service attacks on the XDMCP service. A lot of the protocol
parameters, handshaking timeouts etc. can be fine tuned. The defaults
should work for most systems, however. Do not change them unless you
know what you are doing.
</para>
<para>
MDM listens to UDP port 177 and will respond to QUERY and
BROADCAST_QUERY requests by sending a WILLING packet to the originator.
</para>
<para>
MDM can also be configured to honor INDIRECT queries and present a
host chooser to the remote display. MDM will remember the user's
choice and forward subsequent requests to the chosen manager. MDM
also supports an extension to the protocol which will make it forget
the redirection once the user's connection succeeds. This extension
is only supported if both daemons are MDM. It is transparent and
will be ignored by XDM or other daemons that implement XDMCP.
</para>
<para>
If XDMCP seems to not be working, make sure that all machines are
specified in <filename>/etc/hosts</filename>.
</para>
<para>
Refer to the "Security" section for information about
security concerns when using XDMCP.
</para>
</sect2>
<sect2 id="secureremote">
<title>
Securing Remote Connection Through SSH
</title>
<para>
As explained in the "Security" section, XDMCP does not use
any kind of encryption and as such is inherently insecure. As XDMCP
uses UDP as a network transport layer, it is not possible to simply
secure it through an SSH tunnel.
</para>
<para>
To remedy this problem, MDM can be configured at compilation-time with
the option --enable-secureremote, in which case MDM proposes as a
built-in session a session called "Secure Remote Connection".
Starting such a session allows the user to enter the name or the
address of the host on which to connect; provided the said host runs an
SSH server, the user then gets connected to the server on which the
default X session is started and displayed on the local host.
</para>
<para>
Using this session allows a much more secure network connection and
only necessitates to have an SSH server running on the remote host.
</para>
</sect2>
<sect2 id="gtkgreeter">
<title>The GTK+ Greeter</title>
<para>
The GTK+ Greeter is the default graphical user interface that is
presented to the user. The greeter contains a menu at the top, an
optional face browser, an optional logo and a text entry widget.
This greeter has full accessibility support, and should be used
by users with accessibility needs.
</para>
<para>
The text entry field is used for entering logins, passwords,
passphrases etc. <command>mdmlogin</command> is controlled by the
underlying daemon and is basically stateless. The daemon controls the
greeter through a simple protocol where it can ask the greeter for a
text string with echo turned on or off. Similarly, the daemon can
change the label above the text entry widget to correspond to the
value the authentication system wants the user to enter.
</para>
<para>
The menu bar in the top of the greeter enables the user to select the
requested session type/desktop environment, select an appropriate
locale/language, halt/restart/suspend the computer, configure MDM
(given the user knows the root password), change the GTK+ theme, or
start an XDMCP chooser.
</para>
<para>
The greeter can optionally display a logo in the login window. The
image must be in a format readable to the gdk-pixbuf library (GIF,
JPG, PNG, TIFF, XPM and possibly others), and it must be readable to
the MDM user. See the <filename>Logo</filename> option in the
reference section below for details.
</para>
</sect2>
<sect2 id="themedgreeter">
<title>The GDM Greeter</title>
<para>
The GDM Greeter is a greeter interface that takes up the whole
screen and is very themable. Themes can be selected and new themes
can be installed by the configuration application or by setting the
<filename>GraphicalTheme</filename> configuration key. The Themed
Greeter is much like the GTK+ Greeter in that it is controlled by
the underlying daemon, is stateless, and is controlled by the
daemon using the same simple protocol.
</para>
<para>
The look and feel of this greeter is really controlled by the theme and
so the user interface elements that are present may be different. The
only thing that must always be present is the text entry field as
described above in the GTK+ Greeter. The theme can include buttons
that allow the user to select an appropriate locale/language,
halt/restart/suspend the computer, configure MDM (given the user
knows the root password), or start an XDMCP chooser.
</para>
<para>
You can always get a menu of available actions by pressing the F10 key.
This can be useful if the theme doesn't provide certain buttons when
you wish to do some action allowed by the MDM configuration.
</para>
</sect2>
<sect2 id="facebrowser">
<title>The MDM Face Browser</title>
<para>
MDM supports a face browser which will display a list of users who
can login and an icon for each user. Starting with version 2.18.1
the <filename>Browser</filename> configuration option must be set
to "true" for this function to be available. In previous
versions it was only required when using the GTK+ Greeter. When
using the Themed Greeter, the Face Browser is only available if the
MDM theme includes a "userlist" item type.
</para>
<para>
By default, the face browser is disabled since revealing usernames on
the login screen is not appropriate on many systems for security
reasons. Also MDM requires some setup to specify which users should
be visible. Setup can be done on the "Users" tab in
<command>mdmsetup</command>. This feature is most practical to use
on a system with a smaller number of users.
</para>
<para>
The icons used by MDM can be installed globally by the sysadmin or can
be located in the users' home directories. If installed globally
they should be in the <filename><share>/pixmaps/faces/</filename>
directory (though this can be configured with the
<filename>GlobalFaceDir</filename> configuration option) and the
filename should be the name of the user, optionally with a
<filename>.png</filename> appended. Face icons placed in the global
face directory must be readable to the MDM user. However, the daemon,
proxies user pictures to the greeter and thus those do not have be be
readable by the "mdm" user, but root.
</para>
<para>
Users may run the <command>mdmphotosetup</command> command to
configure the image to use for their userid. This program properly
scales the file down if it is larger than the
<filename>MaxIconWidth</filename> or
<filename>MaxIconHeight</filename> configuration options and places the
icon in a file called <filename>~/.face</filename>. Although
<command>mdmphotosetup</command> scales user images automatically,
this does not guarantee that user images are properly scaled since
a user may create their <filename>~/.face</filename> file by hand.
</para>
<para>
MDM will first look for the user's face image in
<filename>~/.face</filename>. If not found, it will try
<filename>~/.face.icon</filename>. If still not found, it will
use the value defined for "face/picture=" in the
<filename>~/.gnome2/mdm</filename> file. Lastly, it will try
<filename>~/.gnome2/photo</filename> and
<filename>~/.gnome/photo</filename> which are deprecated and
supported for backwards compatibility.
</para>
<para>
If a user has no defined face image, MDM will use the
"stock_person" icon defined in the current GTK+ theme. If no
such image is defined, it will fallback to the image specified in the
<filename>DefaultFace</filename> configuration option, normally
<filename><share>/pixmaps/nobody.png</filename>.
</para>
<para>
Please note that loading and scaling face icons located in user home
directories can be a very time-consuming task. Since it not
practical to load images over NIS or NFS, MDM does not attempt to
load face images from remote home directories. Furthermore, MDM will
give up loading face images after 5 seconds of activity and will
only display the users whose pictures it has gotten so far. The
<filename>Include</filename> configuration option can be used to
specify a set of users who should appear on the face browser. As
long as the users to include is of a reasonable size, there should
not be a problem with MDM being unable to access the face images.
To work around such problems, it is recommended to place face images
in the directory specified by the <filename>GlobalFaceDir</filename>
configuration option.
</para>
<para>
To control the users who get displayed in the face browser, there are
a number of configuration options that can be used. If the
<filename>IncludeAll</filename> option is set to true, then the
password file will be scanned and all users will be displayed. If
<filename>IncludeAll</filename> option is set to false, then the
<filename>Include</filename> option should contain a list of users
separated by commas. Only the users specified will be displayed.
Any user listed in the <filename>Exclude</filename> option and users
whose UID's is lower than <filename>MinimalUID</filename> will be
filtered out regardless of the <filename>IncludeAll</filename>
setting. <filename>IncludeAll</filename> is not recommended
for systems where the passwords are loaded over a network (such as
when NIS is used), since it can be very slow to load more than a
small number of users over the network..
</para>
<para>
When the browser is turned on, valid usernames on the computer are
inherently exposed to a potential intruder. This may be a bad idea if
you do not know who can get to a login screen. This is especially
true if you run XDMCP (turned off by default).
</para>
</sect2>
<sect2 id="logging">
<title>Logging</title>
<para>
MDM itself will use syslog to log errors or status. It can also log
debugging information, which can be useful for tracking down problems
if MDM is not working properly. This can be enabled in the
configuration file.
</para>
<para>
Output from the various X servers is stored in the MDM log directory,
which is configurable, but is usually
<filename><var>/log/mdm/</filename>. The output from the
session can be found in a file called
<filename><display>.log</filename>. Four older files are also
stored with <filename>.1</filename> through
<filename>.4</filename> appended. These will be rotated as new
sessions on that display are started. You can use these logs to view
what the X server said when it started up.
</para>
<para>
The output from the user session is redirected to
<filename>~/.xsession-errors</filename>
before even the <filename>PreSession</filename> script is started. So
it is not really necessary to redirect this again in the session setup
script. As is usually done. If the user session lasted less then
10 seconds, MDM assumes that the session crashed and allows the user to
view this file in a dialog before returning to the login screen.
This way the user can view the session errors from the last session
and correct the problem this way.
</para>
<para>
You can suppress the 10 second warning by returning code 66 from the
<filename>Xsession</filename>script or from your session binary (the
default <filename>Xsession</filename> script propagates those codes
back). This is useful if you have some sort of special logins for
which it is not an error to return less then 10 seconds later, or if
you setup the session to already display some error message and the
MDM message would be confusing and redundant.
</para>
<para>
The session output is piped through the MDM daemon and so the
<filename>~/.xsession-errors</filename> file is capped at about
200 kilobytes by MDM to prevent a possible denial of service attack
on the session. An application could perhaps on reading some wrong
data print out warnings or errors on the stderr or stdout. This could
perhaps fill up the user's home directory making it necessary to log
out and back into their session to clear this. This could be
especially nasty if quotas are set. MDM also correctly traps the XFSZ
signal and stops writing the file, which would lead to killed sessions
if the file was redirected in the old fashioned way from the script.
</para>
<para>
Note that some distributors seem to override the
<filename>~/.xsession-errors</filename> redirection and do it
themselves in their own Xsession script (set by the
<filename>BaseXsession</filename> configuration key) which means that
MDM will not be able to trap the output and cap this file. You also
lose output from the <filename>PreSession</filename> script which can
make debugging things harder to figure out as perhaps useful output
of what is wrong will not be printed out. See the description of the
<filename>BaseXsession</filename> configuration key for more
information, especially on how to handle multiple display managers
using the same script.
</para>
<para>
Note that if the session is a failsafe session, or if MDM can't open
this file for some reason, then a fallback file will be created in the
<filename>/tmp</filename> directory named
<filename>/tmp/xses-<user>.XXXXXX</filename> where the
<filename>XXXXXX</filename> are some random characters.
</para>
<para>
If you run a system with quotas set, it would be good to delete the
<filename>~/.xsession-errors</filename> in the
<filename>PostSession</filename> script. Such that this log file
doesn't unnecessarily stay around.
</para>
</sect2>
<sect2 id="fileaccess">
<title>Accessing Files</title>
<para>
In general MDM is very reluctant regarding reading/writing of user
files (such as the <filename>~/.dmrc</filename>,
<filename>~/.face</filename>,
<filename>~/.xsession-errors</filename>, and
<filename>~/.Xauthority</filename> files). For instance it refuses to
access anything but regular files. Links, sockets and devices are
ignored. The value of the <filename>RelaxPermissions</filename>
parameter determines whether MDM should accept files writable by the
user's group or others. These are ignored by default.
</para>
<para>
All operations on user files are done with the effective user id of the
user. If the sanity check fails on the user's
<filename>.Xauthority</filename> file, a fallback cookie is created in
the directory specified by the <filename>UserAuthFBDir</filename>
configuration setting (<filename>/tmp</filename> by default).
</para>
<para>
Finally, the sysadmin can specify the maximum file size MDM should
accept, and, if the face browser is enabled, a tunable maximum icon
size is also enforced. On large systems it is still advised to turn
off the face browser for performance reasons. Looking up icons in
home directories, scaling and rendering face icons can take a long
time.
</para>
</sect2>
<sect2 id="performance">
<title>MDM Performance</title>
<para>
To speed performance it is possible to build MDM so that it will
preload libraries when MDM first displays a greeter program. This
has been shown to speed first time login since these libraries can
be loaded into memory while the user types in their username and
password.
</para>
<para>
To use this feature, configure MDM with the
<command>--with-prefetch</command> option. This will cause MDM to
install the <command>mdmprefetch</command> program to the
<filename>libexecdir</filename> directory, install the
<filename>mdmprefetchlist</filename> to the
<filename><etc>/mdm</filename> directory, and set the
<filename>PreFetchProgram</filename> configuration variable so that the
<command>mdmprefetch</command> program is called with the default
<filename>mdmprefetchlist</filename> file. The default
<filename>mdmprefetchlist</filename> file was optimized
for a GNOME desktop running on Solaris, so may need fine-tuning on
other systems. Alternative prefetchlist files can be contributed
to the "mdm" category in
<ulink type="http" url="http://bugzilla.gnome.org/">bugzilla.gnome.org</ulink>,
so that they can be included in future MDM releases.
</para>
</sect2>
</sect1>
<sect1 id="security">
<title>Security</title>
<sect2 id="PAM">
<title>
PAM
</title>
<para>
MDM uses PAM for login authentication, though if your machine does not
support PAM you can build MDM to work with the password database and
the crypt library function.
</para>
<para>
PAM stands for Pluggable Authentication Module, and is used by most
programs that request authentication on your computer. It allows the
administrator to configure different authentication behavior for
different programs.
</para>
<para>
Some MDM features (like turning on automatic login) may require that
you update your PAM configuration. PAM configuration has different,
but similar, interfaces on different operating systems, so check your
pam.d or pam.conf man page for details. Be sure that you read the
PAM documentation (e.g. pam.d/pam.conf man page) and are comfortable
with the security implications of any changes you intend to make to
your configuration.
</para>
<para>
If there is no entry for MDM in your system's PAM configuration file,
then features like automatic login may not work. Not having an entry
will cause MDM to use default behavior, conservative settings are
recommended and probably shipped with your distribution.
</para>
<para>
If you wish to make MDM work with other types of authentication
mechanisms (such as a SmartCard), then you should implement this by
using a PAM service module for the desired authentication type rather
than by trying to modify the MDM code directly. Refer to the PAM
documentation on your system. This issue has been discussed on the
<address><email>mdm-list@gnome.org</email></address> mail list,
so you can refer to the list archives for more information.
</para>
<para>
For example, an effective way to implement such an exotic
authentication mechanism would be to have a daemon running
on the server listening to the authentication device (e.g.
USB key, fingerprint reader, etc.). When the device
announces that it has received input, then the daemon can
set the <filename>PamStack</filename> configuration value
using per-display configuration, and restart the greeter
with the PAM stack that works with this device. This avoids
needing to hack the display manager code directly to support
the feature.
</para>
</sect2>
<sect2 id="utmpwtmp">
<title>
utmp/wtmp
</title>
<para>
MDM generates utmp and wtmp User Accounting Database entries upon
session login and logout. The utmp database contains user access
and accounting information that is accessed by commands such as
<command>finger</command>, <command>last</command>,
<command>login</command>, and <command>who</command>. The wtmp
database contains the history of user access and accounting
information for the utmp database.
</para>
<para>
MDM 2.18 and earlier would run the X server <command>sessreg</command>
program from the default MDM <command>PreSession</command> and
<command>PostSession</command> scripts. Starting with MDM 2.20, MDM
interacts with the UTMP and WTMP databases directly and supports the
following configuration options.
</para>
<para>
When doing utmp processing, MDM supports configurability on how the
ut_line value is set. Programs that access the database assume that
this value is an actual device, so MDM will set the device as follows.
If the display is attached and has an associated Virtual Terminal (VT)
device, then this device will be used. Otherwise, if an attached
display in the <command>[servers]</command> specifies a device name,
then this value will be used. Otherwise attached displays will default
to the <filename>UtmpLineAttached</filename> value in the MDM
configuration. Remote displays will default to the
<filename>UtmpLineRemote</filename> value in the MDM configuration.
Device values must begin with "/dev/".
</para>
<para>
MDM also supports the <filename>UtmpPseudoDevice</filename>
configuration option. If this configuration setting is true, then MDM
will ensure that the specified device exists and will create a pseudo
device if the device does not exist. A pseudo device is a symlink to
<filename>/dev/null</filename>. If
<filename>UtmpPseudoDevice</filename> is true, and the device does
already exist, MDM checks to see if the device is a symlink to
<filename>/dev/null</filename>. If so, then MDM will update the access
time of the symlink. This ensures that programs that check the access
time of the device will get a reasonable value for the last time the
device was accessed. If the <filename>UtmpPseudoDevice</filename>
configuration option is false, then MDM will only set the ut_line
value as specified regardless of whether the device exists or not.
</para>
</sect2>
<sect2 id="mdmuser">
<title>The MDM User</title>
<para>
For security reasons a dedicated user and group id are required for
proper operation! The need to be able to write Xauth files is why user
"nobody" is not appropriate for mdm.
</para>
<para>
The MDM daemon normally runs as root, as does the slave. However MDM
should also have a dedicated user id and a group id which it uses for
its graphical interfaces such as <command>mdmgreeter</command> and
<command>mdmlogin</command>. These are configured via the
<filename>User</filename> and <filename>Group</filename>
configuration options in the MDM configuration files. The user and
group should be created before running "make install". By
default MDM assumes the user and the group are called "mdm".
</para>
<para>
This userid is used to run the MDM GUI programs required for login.
All functionality that requires root authority is done by the MDM
daemon process. This design ensures that if the GUI programs are
somehow exploited, only the dedicated user privileges are available.
</para>
<para>
It should however be noted that the MDM user and group have some
privileges that make them somewhat dangerous. For one, they have
access to the X server authorization directory. It must be able to
read and write Xauth keys to <filename><var>/lib/mdm</filename>.
This directory should have root:mdm ownership and 1770 permissions.
Running "make install" will set this directory to these
values. The MDM daemon process will reset this directory to proper
ownership/permissions if it is somehow not set properly.
</para>
<para>
The danger is that someone who gains the MDM user/group privileges can
then connect to any session. So you should not, under any
circumstances, make this some user/group which may be easy to get
access to, such as the user <filename>nobody</filename>. Users who
gain access to the "mdm" user could also modify the Xauth
keys causing Denial-Of-Service attacks. Also if a person gains the
ability to run programs as the user "mdm", it would be
possible to snoop on running MDM processes, including usernames and
passwords as they are being typed in.
</para>
<para>
Distributions and system administrators using MDM are expected to setup
the dedicated user properly. It is recommended that this userid be
configured to disallow login and to not have a default shell.
Distributions and system administrators should set up the filesystem to
ensure that the MDM user does not have read or write access to
sensitive files.
</para>
</sect2>
<sect2 id="xauth">
<title>X Server Authentication Scheme</title>
<para>
The X server authorization directory (the
<filename>ServAuthDir</filename>) is used for a host of random
internal data in addition to the X server authorization files, and the
naming is really a relic of history. MDM daemon enforces this
directory to be owned by <filename>root.mdm</filename> with the
permissions of 1770. This way, only root and the MDM group have write
access to this directory, but the MDM group cannot remove the root
owned files from this directory, such as the X server authorization
files.
</para>
<para>
MDM by default doesn't trust the X server authorization directory and
treats it in the same way as the temporary directory with respect to
creating files. This way someone breaking the MDM user cannot mount
attacks by creating links in this directory. Similarly the X server
log directory is treated safely, but that directory should really be
owned and writable only by root.
</para>
<para>
MDM only supports the MIT-MAGIC-COOKIE-1 X server authentication
scheme. Normally little is gained from the other schemes, and no
effort has been made to implement them so far. Be especially
careful about using XDMCP because the X server authentication cookie
goes over the wire as clear text. If snooping is possible, then an
attacker could simply snoop your authentication password as you log in,
regardless of the authentication scheme being used. If snooping is
possible and undesirable, then you should use ssh for tunneling an X
connection rather then using XDMCP. You could think of XDMCP as a sort
of graphical telnet, having the same security issues.
</para>
<para>
On the upside, MDM's random number generation is very conservative and
MDM goes to extraordinary measures to truly get a 128 bit random
number, using hardware random number generators (if available), plus
the current time (in microsecond precision), a 20 byte array of
pseudorandom numbers, process pid's, and other random information
(possibly using <filename>/dev/audio</filename> or
<filename>/dev/mem</filename> if hardware random generators are not
available) to create a large buffer and then run MD5 digest on this.
Obviously, all this work is wasted if you send this cookie over an open
network or store it on an NFS directory (see
<filename>UserAuthDir</filename> configuration key). So be careful
about where you use remote X display.
</para>
</sect2>
<sect2 id="firewall">
<title>Firewall Security</title>
<para>
Even though MDM tries to outsmart potential attackers trying to take