Comprehensive Guide to Customising
GDM and XSplash
Preface
This guide is my statement to those people who think that the new GDM login screen is un-customisable.
At the beginning of this month, I started playing around with a Netbook I bought back in August. Installed Karmic UNR, and started playing about with it.
One thing I was looking for in the first place was a consistency across the UI. From Splash Screen, to Login Screen, to Desktop.
Once that was sorted, and I picked up a thing or two about how GDM actually functions now, I then had the mad idea of turning GDM into a minimal desktop for the most basic functions I use everyday - XChat, Empathy and Browsing - and if I need to get to anything else - just login and I have the usual full control to the system and applications again.
Before you run anything. I regard all material in this guide to be reasonably safe in terms of security. If you do find a hole or flaw, please contact me with an appropriate fix, if possible.
Changing XSplash Background
Unfortunately, xsplash has the location of where the background it uses hard coded into the application. So you cannot alter this via changing a setting in a config file.
Fortunately for us though, we use a Debian system, and such systems are capable of a certain administrative feature called "diverting".
Code:
sudo dpkg-divert --local --rename --add /usr/share/images/xsplash/bg_2560x1600.jpg
This renames the file 'bg_2560x1600.jpg' to 'bg_2560x1600.jpg.distrib', and sets the package manager config in such a way that if an update of xsplash were to come through, it will save the file as the diverted name (so the locally created file will not be overwritten).
So that sorted out, just copy the image you want to that location:
Code:
sudo cp /usr/share/backgrounds/TheRainbowisDead.jpg /usr/share/images/xsplash/bg_2560x1600.jpg
And logout/login to see your new xsplash.
To restore this setting.
Code:
sudo unlink /usr/share/images/xsplash/bg_2560x1600.jpg
sudo dpkg-divert --rename --remove /usr/share/images/xsplash/bg_2560x1600.jpg
Backup GDM Default settings
Before making any changes, first we need to divert and backup the gconf settings file
Code:
sudo dpkg-divert --local --add /var/lib/gdm/.gconf.defaults/%gconf-tree.xml
sudo cp /var/lib/gdm/.gconf.defaults/%gconf-tree.xml /var/lib/gdm/.gconf.defaults/%gconf-tree.xml.distrib
If at all you need to reset these changes back to the Ubuntu defaults
Code:
sudo cp /var/lib/gdm/.gconf.defaults/%gconf-tree.xml.distrib /var/lib/gdm/.gconf.defaults/%gconf-tree.xml
Changing GDM Background and Theme
Now this could probably be done in a gconftool-2 command, but I prefer this method:
Code:
sudo cp /usr/share/applications/gnome-appearance-properties.desktop /usr/share/gdm/autostart/LoginWindow
Then logout, and you'll see an appearance window pop up.
Change it to how you prefer it, then close and login as usual.
When you have logged in after finishing the customising. Just remove the file to prevent it starting up every time.
Code:
sudo unlink /usr/share/gdm/autostart/LoginWindow/gnome-appearance-properties.desktop
Hacking GDM
GDM still has configuration options that you can edit in gconf. You can get the list here.
To run through what I consider to be the "interesting" ones in brief:
Disable User List
Code:
sudo -u gdm gconftool-2 --set /apps/gdm/simple-greeter/disable_user_list --type bool true
Disables the name list in the login screen.
Valid Values: true - false
Change Logo
Code:
sudo -u gdm gconftool-2 --set /apps/gdm/simple-greeter/logo_icon_name --type string "distributor-logo"
Changes the logo on the Login Window
Default Value: "computer"
Enable Compositing
Code:
sudo -u gdm gconftool-2 --set /apps/gdm/simple-greeter/wm_use_compiz --type bool true
Change default window manager from Metacity to Compiz. Probably just me, but that doesn't seem to take effect?
Valid Values: true - false
If your system's graphics card doesn't support 3D Acceleration (Older than 5 years?) then you can always enable simple compositing in Metacity.
Code:
sudo -u gdm gconftool-2 --set /apps/metacity/general/compositing_manager --type bool true
Valid Values: true - false
GDM and Compiz
If the above key change didn't make any difference to you (didn't to me). Don't worry, there is another way!
Now, to give a brief background, when gdm loads, it opens up all desktop applications inside the directory:
/usr/share/gdm/autostart/LoginWindow/
So any .desktop file kept in that directory will run whenever gdm loads.
So! Using the same divert trick as earlier, divert the metacity.desktop file.
Code:
sudo dpkg-divert --local --rename --add /usr/share/gdm/autostart/LoginWindow/metacity.desktop
Then copy over the compiz.desktop file.
Code:
sudo cp /usr/share/app-install/desktop/compiz.desktop /usr/share/gdm/autostart/LoginWindow
This should be doable with any window manager within reason. (ie: mutter). Although feel free to see if any other will work too.
GDM and Network Connectivity
Before we can connect to the Net, we need the Network Manager applet.
Simple to install:
Code:
sudo cp /usr/share/app-install/desktop/nm-applet.desktop /usr/share/gdm/autostart/LoginWindow
Then to set it up, logout and enter in the passphrase/key for your network (presuming you are wireless). Then when asked for a password for a default keyring, leave it blank and just press 'Create'.
You will be prompted with the message: "Store passwords unencrypted?", just select "Use Unsafe Storage" and the password will be kept in clear text.
This is essential if you don't want to be bugged by entering in a keyring password every time - and it isn't quite as insecure as it seems. Although the password will be in clear text, permissions deny any user except 'root' and 'gdm' from reading the file.
GDM and Firefox, XChat, Empathy
This little trick in this guide is essentially turning GDM into a minimal desktop session, useful for doing quick web searches, or asking quick questions to friends without the need to login entirely!
First, we insert Firefox. Now, I prefer to put it into the taskbar using 'alltray'.
Code:
sudo apt-get install alltray
Then copy over the desktop icon.
Code:
sudo cp /usr/share/app-install/desktop/firefox.desktop /usr/share/gdm/autostart/LoginWindow/
And alter it so it open firefox with alltray:
Code:
sudo sed -i 's/^Exec=/Exec=alltray /' /usr/share/gdm/autostart/LoginWindow/firefox.desktop
Now, when you come to the login screen, Firefox will be in a tray icon.
The exact same procedure is used for XChat and Empathy too.
Code:
sudo cp /usr/share/app-install/desktop/xchat.desktop /usr/share/gdm/autostart/LoginWindow/
sudo sed -i 's/^Exec=/Exec=alltray /' /usr/share/gdm/autostart/LoginWindow/xchat.desktop
Although, in the case of Empathy, you will have two tray icons if you run the 'sed' command.
Code:
sudo cp /usr/share/app-install/desktop/empathy.desktop /usr/share/gdm/autostart/LoginWindow/
sudo sed -i 's/^Exec=/Exec=alltray /' /usr/share/gdm/autostart/LoginWindow/empathy.desktop
Of the above though - realistically you should only be needing firefox, as you can use it as both an IRC and IM client through either addons or web-based services.
GDM Hardening
This last section of this is all about hardening GDM and reducing as many security breaches as possible.
What is already restricted?
GDM itself already comes as pretty restrictive by default.
- GDM's Home Directory has the permission 750.
- URL Handlers are disabled.
- Save to Disk is disabled.
- Printer Setup and Printing is disabled.
- Lock Screen is disabled.
- Command Line is disabled. Shell is set to /bin/true
- The Majority of Keybindings are disabled.
- Desktop and File Browsing is disabled.
What else can be done?
If anyone has anything more to add, please comment.
Firefox Tweaking
- Install security addons. I recommend No Script.
- Open about:config and set 'browser.privatebrowsing.autostart' to True.
Disallow Root Logins
For reasons beyond me, GDM doesn't seem to deny root logins.
This can be fixed though.
Code:
gksu gedit /etc/pam.d/gdm
And put below the #%PAM-1.0
Code:
auth required pam_succeed_if.so user != root quiet
Alternatively, you could use what I believe to be the default behaviour of GDM 2.20
Code:
auth required pam_succeed_if.so uid >= 1000 quiet
auth required pam_succeed_if.so user != nobody quiet
Last Words
As GDM is part of the boot process, you may want to optimise all the changes you've made. Ubuntu Karmic uses ureadahead to carry out the profiling, and all you have to do to schedule a re-profile of the preload cache is by running:
Code:
sudo rm /var/lib/ureadahead/*pack
Then reboot twice, and your boot process with be optimised again.
So! turns out if you put your mind to it, you can make something out of nothing much. Hope you all enjoy the guide as much as I did creating it.
Thanks for reading.
Regards
Iain
TODO:
- AppArmor
- Firefox doesn't close cleanly by itself.
- Rather than alltray - perhaps tray shortcuts instead?
- Enable window switching.
- Login Sounds
