Jan 02 2011

In RHEL-6, the GNOME login screen displays all user accounts. Apparently this behavior of the gdm greeter was inherited from Fedora. This may not be a problem on personal desktops and laptops but, in an enterprise-class Linux like RHEL, it could constitute a security vulnerability, since anyone who can see the login screen learns the valid account names. I saw complaints from users as early as Fedora 9. Alan has filed a Bugzilla report against RHEL-6.

It is possible to disable it. The problem is that it is not easy to do. The following one-line command disables the gdm greeter’s listing of users:

sudo -u gdm gconftool-2 --type bool --set /apps/gdm/simple-greeter/disable_user_list true

By the way, you can check the value that was set with:

sudo -u gdm gconftool-2 --get /apps/gdm/simple-greeter/disable_user_list

Note that the command was run as the gdm user. Running the same gconftool-2 command as root would not work. Alternatively, you can modify the system-wide configuration. It is just as easy to manually edit the file /etc/gconf/gconf.xml.defaults/%gconf-tree.xml and change the boolean for disable_user_list from false to true.
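An added example (not from the original post): a Python audit of the merged defaults tree that reports whether the greeter's user list is hidden and applies the false-to-true edit described above. The sample XML is constructed and its nested `<dir>`/`<entry>` layout is an assumption; `find_entry`, `user_list_hidden` and `harden` are hypothetical names.

```python
import sys
from pathlib import Path
import xml.etree.ElementTree as ET

KEY = "/apps/gdm/simple-greeter/disable_user_list"  # key named in the post

# Constructed sample; the nested <dir>/<entry> layout of the merged tree is an
# assumption, so compare it with the real file before relying on this.
SAMPLE_TREE = """<?xml version="1.0"?>
<gconf>
  <dir name="apps">
    <dir name="gdm">
      <dir name="simple-greeter">
        <entry name="banner_message_enable" type="bool" value="false"/>
        <entry name="disable_user_list" type="bool" value="false"/>
      </dir>
    </dir>
  </dir>
</gconf>
"""

def find_entry(root, key=KEY):
    """Walk <dir name=...> elements along the key path; return the <entry> or None."""
    *dirs, name = key.strip("/").split("/")
    node = root
    for d in dirs:
        node = next((c for c in node.findall("dir") if c.get("name") == d), None)
        if node is None:
            return None
    return next((e for e in node.findall("entry") if e.get("name") == name), None)

def user_list_hidden(tree_xml):
    """True only when the key is present and set to true; an absent key counts
    as exposed, since the post gives false as the value being changed."""
    entry = find_entry(ET.fromstring(tree_xml))
    return entry is not None and entry.get("value") == "true"

def harden(tree_xml):
    """Return the tree with disable_user_list set to true (the manual edit)."""
    root = ET.fromstring(tree_xml)
    entry = find_entry(root)
    if entry is None:
        raise KeyError(KEY + " not found; set it with gconftool-2 instead")
    entry.set("value", "true")
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    # With no argument, audit the constructed sample; otherwise audit the file.
    xml_text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_TREE
    print("user list hidden" if user_list_hidden(xml_text) else "user list EXPOSED")
```

Run against a copy of the tree first; this check reads only the system defaults file and does not see a value set for the gdm user itself.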

  8 Responses to “gnome login shows all valid user accounts — disable it”

  1. (1) A simpler way to make the change to “/etc/gconf/gconf.xml.defaults/” is through gconftool-2:

    gconftool-2 /apps/gdm/simple-greeter/disable_user_list --config-source xml:readwrite:/etc/gconf/gconf.xml.defaults --set --type=boolean true

    (2) From using Fedora, I thought that the configuration to be edited for this change was under “/etc/gconf/gconf.xml.mandatory/” and not “/etc/gconf/gconf.xml.defaults/”. They both work.

    Not unexpectedly, whatever’s set in “*mandatory” trumps whatever’s set in “*defaults”.

    I’m unsure of the difference between the two. I tried to over-ride “*defaults” through “~/.gconf” but it didn’t work.

  2. Thanks, Tom, for your useful note.

  3. I tried this and each time the user list keeps coming back. This is with RHEL 6. Very frustrating. I need this user list to simply go away.

  4. Try this as root:

    gconftool-2 --direct --config-source=`gconftool-2 --get-default-source` --set /apps/gdm/simple-greeter/disable_user_list --type bool TRUE

    It worked through an init 3 && init 5. Check after a gdm update though.

  5. On Debian 7 this command generates 2 errors; I needed it because Debian 7 was also displaying IDs less than 1000, but after kicking it around it has gone back to the old behavior of hiding IDs less than 1000 🙂

    This doesn’t generate any errors, but it doesn’t do anything either:
    gconftool-2 --direct --config-source=`gconftool-2 --get-default-source` --set /apps/gdm/simple-greeter/disable_user_list --type bool TRUE

  6. It’s still the default in RHEL 7/CentOS 7. The mechanism to change it is different, though; see section 10.4.4 of the RHEL Desktop Migration & Administration manual.

  7. One more wrinkle – even with disable_user_list set to true, the gdm3 greeter goes looking at all known users’ home directories on startup. This would be a real pain if you have a lot of users whose directories are remote (auto)mounted – it creates a significant delay on my system with less than 30 users! It would be nice to have a key like gdm2’s [greeter] IncludeAll = false, but I can’t find the equivalent key in gdm3’s settings.

  8. For the record, gdm3 does seem to honour the [greeter] IncludeAll setting, and the RHEL 7/CentOS 7 file to set this in is /etc/gdm/custom.conf.
