Bug 723708
Summary: | gdm can neither exclude from nor add to login users generated by the system | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | George Walsh <gjwalsh> |
Component: | gdm | Assignee: | Ray Strode [halfline] <rstrode> |
Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | ||
Version: | 20 | CC: | ajsfedora, alfredo.maria.ferrari, amturnip, balay, caleb, cedric.olivier, christophe.drevet, dmr, fcbugz, filcole, g000g, gabriel, gene-redhat, goeran, igeorgex, imc, josdekloe, j.romildo, lpbrais, mail2benny, mak_s, manuelmongeg, marcus.moeller, mark.harfouche, matt, neil, nisapov, pb, plarsen, rh-bugz, rstrode, sagarun, samuel-rhbugs, Speeddymon, temp-2009-09-09, van.de.bugger |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2014-09-21 23:18:45 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
George Walsh
2011-07-20 20:35:38 UTC
Please see the thread at http://forums.fedoraforum.org/showthread.php?t=246103. This bug is affecting many people. Gene Even with the latest updates, this 'bug' is still exists. I've spent hours trying to work out why editing /etc/gdm/custom.conf has no effect when attempting to exclude users. My system has a 'test' user and a user that purely exists to run a weekly script - I really don't want these wasting valuable space in the Graphical login. In fact for security reasons, I would rather they were not advertised to the world. Thanks for further confirmation of my original report, Christian. Seems to me this would be a major annoyance to anyone who is doing some development work on a machine which is also handling mail and web services for an 'in-house' group. When 16 is released next month I intend to work around it by manipulating user account numbers and have done with it, since the dividing line is being moved up from 500 to 1000, and have done with it once and for all. This bug is terribly annoying. On a machine with >>10 accounts, if your one is at the end of the list you cannot login at all. Or a way of scrolling the list is provided, or the functionality of Include/Exclude is restored as soon as possible. BTW it affects i386 as well The following in /etc/gdm/custom.conf still has no apparent effect in Fedora 16. [greeter] Include= IncludeAll=false Exclude=me It's interesting to note that gdm appears to follow the rule set in /etc/login.defs (UID_MIN) - I am still running Fedora 15 (I can't move to Fedora 16 easily for a number of reasons) but in anticipation, migrated all personal user accounts to be above UID 1000 and then updated /etc/login.defs - gdm no longer displays the accounts with UIDs below 1000. This one is biting me too, custom.conf doesn't appear to have any effect. From some other things I have read, GDM3 has migrated to dconf/gsettings, and there are no equivalent settings for Include/Exclude/IncludeAll yet. There is a key to disable the userlist entirely, but it isn't honored yet. <sigh> Thanks, Matt, for helping me feel less isolated on this one. I have taken back some control of the gdm list by deciding which users to renumber from >= 500 to >= 1000. Heaven alone knows how many revisions and updates and rebuilds since I first filed this in July - with no attention at all to the simple matter of logging in. I'm not one to overly complain and I have been a Linux/Unix server user for years, but the fact that my servers lack a functional front door out-of-the-box is beyond comprehension. Rather like living in a house with a front door for which nobody owns a key and for which there is no key supplied anyway. The pity is that once inside, the decor and styling and efficiency is unbeatable. But in this day and age, few are they who will pound on an unfinished piece of rough plywood to gain entry ..... Any update on that? None whatsoever, Marcus. I really don't expect Fedora/Redhat to be able to do much about this after going on 6 months. Its a GNOME problem. Did I file a big with them? No, that would be a waste of both time and purpose. There are so many bugs untouched over there that I clearly, if sadly, came to the conclusion that a bug in GNOME's world requires not investigation on their part but extermination. They just haven't found the 'poison' to accomplish that yet. Too many narcissists in the GNOME household; far too much arrogance within a truly non-profit, idealistic product. Personally, I like GNOME 3 very much, and I would not change simply because nobody is maintaining gdm to any degree suggesting it is truly integrated with the desktop as a whole. Matter of fact, I've used GNOME all the way back to 2001. Hit by same problem on Fedora 16, can one change the version or clone the bug? /etc/gdm/custom.conf (while packaged with gdm RPM) is ignored at least regarding [greeter] settings. Same problem on generic gdm install on PLD. Neither the /etc/gdm/custom.conf nore /usr/share/gdm/gdm.schemas have any effect. This affects many many systems and is quite bothersome to some of my clients. It's still an issue (using /etc/gdm/custom.conf) for Fedora 16 and gdm-3.2.1.1-8.fc16.i686. Changing the setting from Configuration Editor (gui editor) to disable the list at all does not work either: Key name: /apps/gdm/simple-greeter/disable_user_list forgot to mention that the key value is 'true': Key name: /apps/gdm/simple-greeter/disable_user_list Key value: true (In reply to comment #14) > forgot to mention that the key value is 'true': > > Key name: /apps/gdm/simple-greeter/disable_user_list > Key value: true not working because this results in a user configuration only, not globally: # more /home/$USER/.gconf/apps/gdm/simple-greeter/%gconf.xml <?xml version="1.0"?> <gconf> <entry name="disable_user_list" mtime="1336193113" type="bool" value="true"/> </gconf> where to apply this globally? Still an issue in Fedora 17. Matter of fact, I renumbered the user I want hidden from >=1000 to >=500 and it still appears, so there is now a new regression. I'll be filing a new bug report for that one. Bug 834134 submitted As an update, I even went as far as changing the user's UID to <500 and changed /etc/login.defs so that SYS_UID_MIN and SYS_GID_MIN were both 501 ... Still appears. The only way I've found to easily exclude the user from the login screen was to change their shell to something like /bin/false, /sbin/nologin, /dev/null, etc. One more update. I also setup /etc/security/access.conf to deny all local access to the account, and made sure that that worked in a virtual console (had to create a copy of system-auth-ac, and symlink system-auth to that copy, per the pam docs). Then I rebooted and gdm still showed the account. This message is a notice that Fedora 15 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 15. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '15' have been closed as WONTFIX. (Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.) Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version. Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 15 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping Changed release to F17 as this one is still valid. Fedora 17 work-around to this issue: # ln -s /bin/bash /usr/local/sbin/nologin # edit /etc/passwd # Update login shell to /usr/local/sbin/nologin Then the login for the particular user(s) will no longer appear via GDM but you can still login by selecting "other" and entering the login and password. Still a bug in F18 (x86_64)... For anyone just finding this, it appears to have been broken during a change here: http://git.gnome.org/browse/gdm/commit/gui/simple-greeter/gdm-user-chooser-widget.c?id=ec034f78dcb27baf240658323892ac2a665c6580 It is getting worked on,though, here: https://bugs.freedesktop.org/show_bug.cgi?id=56729 This goes all the way back to July 2011. What I finally did for my small development team is move their user accounts to the 1000+ range. Always, of course there were those whose feathers were ruffled, unwilling to appreciate that I meant them no disrespect because they were not among the 6 users gdm was able to display. But hey, it provided a better 'filter' of sorts for gdm's selection process. I have, however, always felt that the 'front door' should work faultlessly. First impressions and all that. I was looking at Mageia the other day (I came to Fedora from Mandriva a few years back, after all. They have addressed that issue in their upcoming V3 by simply adding a scroll function to the gdm display manager. Could we maybe consider doing that much at least? In the meantime FWIW, a fully loaded and functioning server with f18 is doing splendidly, oce you manage to 'get inside'. Thanks for all the comments and suggestions on this bug made over these past many months. George even the users with less than 1000 UID are shown on my computer...... this is super annoying when you create users to run websites in a more sandboxed manner.... GDM ignores settings in /etc/gdm/custom.conf, specifically, I've tried: [greeter] Exclude=someuser and [greeter] IncludeAll=false and it still lists ALL usernames. I have yet to find some other, more preferred method to have gdm hide usernames on the login greeter. Clearly, I'm either missing something, or the configurability of gdm is horribly broken. For those still searching, here's a workaround to make the gdm greeter screen display a simple "Username:" prompt instead of divulging a list of users: As root, create and edit a file e.g. "/etc/dconf/db/gdm.d/01-local-settings". Minimally, it should contain: ### # local system-wide customizations [org/gnome/login-screen] disable-user-list=true ### and then run "dconf update". Once you logout or restart gdm, your happiness quotient will improve. This worked for me in f18. See also: https://ask.fedoraproject.org/question/3515/solved-how-do-i-disable-user-list-in-gdm This workaround, IMHO, should be included in a future update of the graphical system-config-* tools so that one can make changes to the greeter easily from the GUI. On F16 - I was able to use uid/gid < 500 - and avoid the user listed in gdm. Now this machine is upgraded to f18 - and the user gets listed. :( Interestingly there is one user 'mysql in /etc/passwd with /bin/bash - but doesn't get listed by gdm? (In reply to comment #22) > Fedora 17 work-around to this issue: > > # ln -s /bin/bash /usr/local/sbin/nologin > > # edit /etc/passwd # Update login shell to /usr/local/sbin/nologin > > Then the login for the particular user(s) will no longer appear via GDM > but you can still login by selecting "other" and entering the login and > password. Works on F18. Thanks! This message is a reminder that Fedora 17 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 17. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '17'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 17's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 17 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior to Fedora 17's end of life. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. Still a bug in F19. See Comment 24 for the upstream proposed patch. Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed. I don't know whether this is current or not (I still have not had the chance to update my box from Fedora 16), but for anyone with this issue (only wanting to show certain users on the new greeter), I achieved it with a hack to /usr/share/gnome-shell/js/gdm/loginDialog.js Look for the "addUser" function; at the end of all the normal "don't do it, just return" initial lines, add a custom one. The relevant snippet in mine looks like: let userName = user.get_user_name(); if (!userName) return; if (userName != "user1" && userName != "user2" && userName != "user3") return; this.removeUser(user); (the addition is the bit with no indent) This is still a problem in Fedora 19. Reopening And the same problem persists in Fedora 20. Still no effect at all of changing the file /etc/gdm/custom.conf And what's worse, the workaround mentioned in comment #22 does no longer seem to work for me... Meanwhile the "ongoing" work mentiond in comment #24 seems to be still ongoing. I understand this is a gnome issue, not a Fedora one, so we probably have to wait for upstream. Are there any suggestions for a new workaround to exclude a single user from the list in gdm? a simple workaround that works for me now (contrary to what is mentioned in comment #26) is to manually change the user id to a free number below 1000. I have used 501 and this hides the user in the greeter. For convenience I also assigned this user a group id below 1000 (also 501). Don't know if that makes any difference. That should work fine for you. From experience though, you'll need to remember the user you change to < 1000 will not appear in your users & groups displays when you are managing their accounts. Obvious, I know, but it can be frustrating when you are looking for a user in your user display and that user has apparently not answered roll call :-) Easy to get by switching the filter off and on, but these are the nuisance things which were not thought out at the time. Probably would help if the gdm script included a warning comment to 'enforce' what has become general practice. I don't see the problem anymore, simply because user password and shadow files are maintained across linux installs or updates on our server and we reorganized our uid/gid 2 years ago to isolate all login accounts to uid > 1000. Assume you are doing the same. If you must bite a bullet, best to do it right away. Much less painful. Far better prognosis, too. GJW You can try editing/creating /var/lib/AccountsService/users/{theUserYouWantToExclude} with this content: [User] Language= XSession=gnome SystemAccount=true It seems setting SystemAccount to true has the same effect as creating/changing the userid to < 1000, but in this case it is flagged as a system account while keeping the original userid. (In reply to tony from comment #40) > You can try editing/creating > /var/lib/AccountsService/users/{theUserYouWantToExclude} with this content: thanks. The UID<1000 trick actually stopped working for me on Fedora 20, don't know why, but editing this file and marking the account as SystemAccount does the trick. So this F15 bug is still open with F20? I ran into this too - either close it and say WHY this feature is needed, or make a simple change to the login code. Peter: There are so many comments and variations on this messy gdm bug, and having seen it closed and reopened over the past 3 years (and 6 fedora revs) I have wiped my hands of it. Not my place to make 'simple changes', nor to substantiate the need for a functioning gdm in a gnome-centric distro. So I have marked this closed from my point of view as the original reporter of the bug. Others are then free to report their experiences, hopefully with a new bug so I am no longer copied on it. Hopefully, GNOME will have addressed this with the coming 3.14 release this week and it will be embedded in f21 as a result. George (In reply to George Walsh from comment #43) Thanks George. I appreciate the feedback. > Peter: > > There are so many comments and variations on this messy gdm bug, and having > seen it closed and reopened over the past 3 years (and 6 fedora revs) I have > wiped my hands of it. It's been closed without explaining why a simple feature like excluding certain users could not be fixed? That's the gist of my question. We shouldn't keep an issue open for 3 years that's not being worked on. > > Not my place to make 'simple changes', nor to substantiate the need for a > functioning gdm in a gnome-centric distro. Conceptually filtering out content based on a list of names is not complex code. If you already have a loop that gets system users to display, checking against a simple list retrieved from the configuration before showing the user list isn't rocket science. While I emphasize about not trivilaizing bugs, over complicating them isn't working either. I would like to understand why this issue cannot be addressed. Are we talking to the wrong group? Should this be filed with gnome and not fedora/red hat? If so, I'll be happy to create a entry on bugzilla.gnome.org and link it here. However, when I look around it seems this still works in some distros so it looks more like a non-generic gnome bug. But if there is a doubt it seems to be the right initial approach. At worst, gnome.org can reject it as NOTABUG and we're back to discussing where in Fedora to fix this. > So I have marked this closed from my point of view as the original reporter > of the bug. I appreciate you reporting the issue. I wish more would do what you did. What is missing seems to be someone who can triage this from a technical perspective and assign it to the right technical resource. > Others are then free to report their experiences, hopefully with a new bug > so I am no longer copied on it. 10-4. I have no problem opening a new issue on this. From one community member to another, again thanks for your effort on this long lasting bug. > Hopefully, GNOME will have addressed this with the coming 3.14 release this > week and it will be embedded in f21 as a result. The only problem I have with that sentence is "hopefully". Nothing just happens and as I pointed out, other distros seems to not suffer from this issue (could be they use a very old version of gdm). > > George Thanks again for reporting this initially. The case with other distros is likely that those distros fixed it in their own builds of gdm. The fact that in 4+ releases of fedora, this hasn't been fixed, tells me either it's not a priority for them or, as per the norm, fedora doesn't fix bugs in upstream code, only in the code they add on top of upstream. Which means that they're waiting for upstream to fix and that won't happen until it's reported upstream. (In reply to Thomas Spear from comment #45) > The case with other distros is likely that those distros fixed it in their > own builds of gdm. The fact that in 4+ releases of fedora, this hasn't been > fixed, tells me either it's not a priority for them or, as per the norm, > fedora doesn't fix bugs in upstream code, only in the code they add on top > of upstream. Which means that they're waiting for upstream to fix and that > won't happen until it's reported upstream. Then shouldn't this bug have been marked with a bug report on bugzilla.gnome.org where the issue was described directly to the upstream? It makes no sense to wait for a solution for a problem that hasn't been filed - or at least linked. I just added the link to this issue on gnome's bugzilla to let others know to go there to continue the push for a fix. |