Description of problem:

According to DISA's RHEL5 STIG (see <http://iase.disa.mil/stigs/os/unix/red_hat.html>) I need to make sure that the X server is started with the additional command line arguments "-s 15 -audit 4." (If they ever put out a RHEL6 STIG I expect this to be in there too.) Under RHEL5 (gdm 2.16) this is accomplished by editing /etc/gdm/custom.conf. But gdm 2.30 as included under RHEL6.1 does not pay attention to settings in /etc/gdm/custom.conf regarding server startup, because gdm was rewritten as of version 2.22 <http://live.gnome.org/GDM/2.22/Configuration>. (Some people in Bug 452528 took a year to figure this out under Fedora; this bug is substantially similar to that one.)

Steps to Reproduce:

1. Add the following to /etc/gdm/custom.conf, as the STIG prescribes:

   [server-Standard]
   name=Standard server
   command=/usr/bin/Xorg -br -audit 4 -s 15
   chooser=false
   handled=true
   flexible=true
   priority=0

2. Restart gdm by some means.
3. Run ps auxfwww. See that the switches to Xorg do not contain "-audit 4 -s 15".
4. See that the X server is started by gdm-simple-slave according to the process tree.
5. Run strings on gdm-simple-slave; find among them "/usr/bin/Xorg -br -verbose", an apparent hard-coding of the server switches to use.

Version of pertinent packages:

gdm-libs-2.30.4-32.el6.i686
gdm-2.30.4-32.el6.i686
gdm-plugin-smartcard-2.30.4-32.el6.i686

Additional comments: I have filed this bug here because (a) RHEL has greater compliance goals than your average Linux distro; (b) the GNOME folks are on to gdm 3.2 or some such, so they don't likely want to hear about my problems with gdm 2.x.
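As an added compliance check that is not part of the bug report: the script below parses the [server-Standard] stanza from custom.conf and an excerpt of ps auxfwww output the way steps 1 and 3 describe, and reports which of the STIG's switches the running Xorg actually lacks. Both the configuration text and the ps lines are constructed samples modelled on the report.

```python
import re
import shlex

# Constructed /etc/gdm/custom.conf with the [server-Standard] stanza the STIG prescribes.
CUSTOM_CONF = """\
[server-Standard]
name=Standard server
command=/usr/bin/Xorg -br -audit 4 -s 15
"""

# Constructed 'ps auxfwww' excerpt: gdm-simple-slave starts Xorg with its built-in switches.
PS_OUTPUT = """\
root  1503  0.0  0.3  tty1  Ss   10:01  0:00  \\_ /usr/libexec/gdm-simple-slave --display-id /org/gnome/DisplayManager/Display1
root  1510  1.2  2.0  tty1  Ss+  10:01  0:01      \\_ /usr/bin/Xorg :0 -br -verbose -auth /var/run/gdm/auth-for-gdm-xyz/database -nolisten tcp vt1
"""

# Switch/value pairs the RHEL5 STIG requires on the X server command line.
REQUIRED = (("-audit", "4"), ("-s", "15"))

def configured_server_command(conf_text, section="server-Standard"):
    """argv of 'command=' in the given [server-*] stanza of custom.conf, or None."""
    current = None
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == section and line.startswith("command="):
            return shlex.split(line.partition("=")[2])
    return None

def running_xorg_argv(ps_text):
    """argv of the first Xorg process in ps output (tree prefix stripped), or None."""
    hits = (re.search(r"(/\S*/Xorg\b.*)$", l) for l in ps_text.splitlines())
    m = next((h for h in hits if h), None)
    return shlex.split(m.group(1)) if m else None

def switch_values(argv):
    """Map each '-switch' to the token following it ('' for bare switches such as -br)."""
    values = {}
    for i, tok in enumerate(argv):
        if i and tok.startswith("-"):
            nxt = argv[i + 1] if i + 1 < len(argv) else ""
            values[tok] = "" if nxt.startswith("-") else nxt
    return values

def missing_required(argv, required=REQUIRED):
    """(switch, value) pairs from 'required' that argv does not carry; [] means compliant."""
    have = switch_values(argv)
    return [(s, v) for s, v in required if have.get(s) != v]
```

Feeding the real files in (open("/etc/gdm/custom.conf").read() and the output of ps auxfwww) turns this into the check an auditor would run; an empty list from missing_required on the running argv is the pass condition.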
According to http://projects.gnome.org/gdm/ "The latest stable release is 2.30.x." But according to the Wikipedia page about gdm, the latest stable release is 3.2.

Loosely related: gnome bug 570472, https://bugzilla.gnome.org/show_bug.cgi?id=570472, "GDM does not handle old configuration."

It appears that Gnome bug 586777, https://bugzilla.gnome.org/show_bug.cgi?id=586777, "Allow specifying how local X server is started," is closely related to this bug. It points to a wiki page which I can't fetch; the comment with the link was written in 2009, and the wiki was spammed in 2010 according to some messages on osol-discuss. So it appears that some time in 2009 gdm may have ceased starting the X server, and ConsoleKit does it instead now, using /etc/ConsoleKit/displays.d.

A visit to http://www.freedesktop.org/wiki/Software/ConsoleKit yields the warning that ConsoleKit is no longer actively maintained; it appears that while they were maintaining it they did not manage to document what files exactly should go in /etc/ConsoleKit/displays.d, and what their contents should be.

I'm changing the component to ConsoleKit, and changing the title to match what I now understand the problem to be.

Relevant packages now: ConsoleKit-0.4.1-3.el6.i686
Humbly apologizing for the extra email traffic caused, I now change the module back to gdm: I've found the code which I believe composes the X server command line and runs the X server, and it's in gdm, not in ConsoleKit. The bit about displays.d came from http://mail.gnome.org/archives/gdm-list/2011-March/msg00012.html and http://ubuntuforums.org/showthread.php?t=1549793.
OK. I could change daemon/gdm-server.c, in function gdm_server_init, at line 1000, where server->priv->command is first set, in order to add the required switches at build time. That would require a new release of the package any time the command line switches changed.

Or I could look up a value in the GDM configuration using gdm_settings_direct_get_string. This would appear to be as secure as older versions of GDM were, which looked up their X server commands in this way, and much more flexible and general than hard-coding the command in. But I'd have to decide on a suitable key. Older versions of GDM than 2.20 had things like so in /etc/gdm/custom.conf:

   [servers]
   0=Standard
   [server-Standard]
   command=/usr/local/bin/X -audit 0

(from https://bugzilla.gnome.org/show_bug.cgi?id=570472)

But there is no need to be so flexible here. For one thing, the key under the servers section was, IIRC, a display number. Now, I believe we have a rather more dynamic setup, thanks to user switching, where more servers could be started at the drop of a hat, and so it no longer makes sense to say, "for display 1, use this different X server." So it could go like

   [rhel-x-server]
   command=/usr/local/bin/X -audit 0
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. If you would like it considered as an exception in the current release, please ask your support representative.
We actually do use -audit 4 by default now, and the screensaver timeout can be adjusted from within the session.

devnack
Development Management has reviewed and declined this request. You may appeal this decision by reopening this request.