In RHEL-6, the GNOME login screen displays all user accounts. Apparently this behavior of the gdm greeter was inherited from Fedora. This may not be a problem on personal desktops/laptops but, in an enterprise-class Linux like RHEL, it could constitute a security vulnerability. I saw complaints from users as early as Fedora 9. Alan has filed a Bugzilla report against RHEL-6.
It is possible to disable it. The problem is that it is not easy to do. The following one-liner disables the gdm greeter’s listing of users:
sudo -u gdm gconftool-2 --type bool --set /apps/gdm/simple-greeter/disable_user_list true
By the way, you can see the set value by:
sudo -u gdm gconftool-2 --get /apps/gdm/simple-greeter/disable_user_list
Note that the command was run as gdm. Running the same gconftool-2 command as root would not work. Alternatively, you can modify the systemwide configuration: manually edit the file /etc/gconf/gconf.xml.defaults/%gconf-tree.xml
and change the boolean for disable_user_list from false to true.
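An offline check for the file-edit approach above, added here as an example (it is not code from the original post): it reads the text of a %gconf-tree.xml and reports whether disable_user_list is effectively true, looking first for a value set on the key and then for the schema default. The XML layout in the embedded sample is constructed and assumed, and find_entry, user_list_disabled and audit are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

KEY = "/apps/gdm/simple-greeter/disable_user_list"

# Constructed sample in the GConf merged-tree layout (assumed): nested <dir>
# elements, an <entry> that points at its schema, and the schema's <default>.
SAMPLE_TREE = """<?xml version="1.0"?>
<gconf>
  <dir name="schemas"><dir name="apps"><dir name="gdm"><dir name="simple-greeter">
    <entry name="disable_user_list" type="schema" stype="bool">
      <local_schema locale="C"><default type="bool" value="false"/></local_schema>
    </entry>
  </dir></dir></dir></dir>
  <dir name="apps"><dir name="gdm"><dir name="simple-greeter">
    <entry name="disable_user_list"
           schema="/schemas/apps/gdm/simple-greeter/disable_user_list"/>
  </dir></dir></dir>
</gconf>"""


def find_entry(root, key):
    """Walk <dir name=...> elements along the key path; return the <entry> or None."""
    *dirs, name = key.strip("/").split("/")
    node = root
    for part in dirs:
        node = next((d for d in node.findall("dir") if d.get("name") == part), None)
        if node is None:
            return None
    return next((e for e in node.findall("entry") if e.get("name") == name), None)


def user_list_disabled(tree_xml, key=KEY):
    """Return True/False for the effective boolean, or None if the key is unset."""
    root = ET.fromstring(tree_xml)
    entry = find_entry(root, key)
    if entry is None:
        return None
    if entry.get("type") == "bool":            # value set directly on the key
        return entry.get("value") == "true"
    schema = find_entry(root, entry.get("schema") or "")
    default = schema.find(".//default") if schema is not None else None
    if default is None or default.get("type") != "bool":
        return None
    return default.get("value") == "true"      # fall back to the schema default


def audit(tree_xml):
    """Compliance verdict: only an effective 'true' passes; unset counts as a failure."""
    return "PASS" if user_list_disabled(tree_xml) is True else "FAIL"
```

To check a real host, pass the contents of /etc/gconf/gconf.xml.defaults/%gconf-tree.xml to audit().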
(1) A simpler way to make the change to “/etc/gconf/gconf.xml.defaults/” is through gconftool-2:
gconftool-2 /apps/gdm/simple-greeter/disable_user_list --config-source xml:readwrite:/etc/gconf/gconf.xml.defaults --set --type=boolean true
(1) From using Fedora, I thought that the configuration to be edited for this change was under “/etc/gconf/gconf.xml.mandatory/” and not “/etc/gconf/gconf.xml.defaults/”. They both work.
Not unexpectedly, whatever’s set in “*mandatory” trumps whatever’s set in “*defaults”.
I’m unsure of the difference between the two. I tried to over-ride “*defaults” through “~/.gconf” but it didn’t work.
Thanks, Tom, for your useful note.
I tried this and each time the user list keeps coming back. This is with RHEL 6. Very frustrating. I need this user list to simply go away.
Try this as root:
gconftool-2 --direct --config-source=`gconftool-2 --get-default-source` --set /apps/gdm/simple-greeter/disable_user_list --type bool TRUE
It worked through an init 3 && init 5. Check after a gdm update though.
On Debian 7 this command generates 2 errors; I needed it because Debian 7 was also displaying IDs less than 1000; but after kicking it around, it has gone back to the old behavior of hiding IDs less than 1000 🙂
This doesn’t generate any errors, but it doesn’t do anything either:
gconftool-2 --direct --config-source=`gconftool-2 --get-default-source` --set /apps/gdm/simple-greeter/disable_user_list --type bool TRUE
It’s still the default in RHEL 7/CentOS 7. The mechanism to change it is different, though; see section 10.4.4 of the RHEL Desktop Migration & Administration manual.
One more wrinkle – even with disable_user_list set to true, the gdm3 greeter goes looking at all known users’ home directories on startup. This would be a real pain if you have a lot of users whose directories are remote (auto)mounted – it creates a significant delay on my system with less than 30 users! It would be nice to have a key like gdm2’s [greeter] IncludeAll = false, but I can’t find the equivalent key in gdm3’s settings.
For the record, gdm3 does seem to honour the [greeter] IncludeAll setting, and the RHEL 7/CentOS 7 file to set this in is /etc/gdm/custom.conf.