On Fri, Mar 30, 2012 at 14:59:08 +0200, Joachim Backes <joachim.backes(a)rhrk.uni-kl.de&gt; wrote: >Anybody sees this too: After applying all F17 updates (including >gnome-3.4... packages), the GDM login window presents the mysql server >account on the login screen. Why that? Because mysql has a normal shell. I think the scheme used is better than using just uid. I also wonder about why some of services have valid shells. I know that Tom Lane indicated that postgres has a shell intentionally as it helps to be able to su to postgres to do some tasks. Probably mysql is expected to be used the same way 9as tom packages both). But there were other ones that seemed suspect to me. The ones I wasn't using I changed to have a shell of /sbin/nologin.

Hi, ----- Original Message ----- > Anybody sees this too: After applying all F17 updates (including > gnome-3.4... packages), the GDM login window presents the mysql > server > account on the login screen. Why that? The issue arised, becase we no longer filter users less than UID_MIN in /etc/login.defs See https://bugs.freedesktop.org/show_bug.cgi?id=44408 for more backstory. We made that change because users were disappearing from their user lists on upgrades, since the default for UID_MIN changed in Fedora. We rationalized the change as legitimate, and the previous behavior as wrong because UID_MIN is documented only for user creation, not for user filtering. I think maybe the solution is to filter out disabled users from the user list. This is a little complicated, because we can't query the system for disabled users, afaik. We can only do heuristics like getspnam() and look at sp_pwdp, but I don't think it will cover every case. Anyway worth thinking about more. why not offer to 'root' user a list of users that can be displayed or not

Hi, > on gdm? why not filtering out by defaul the famous non-human users, > like > mysql and postgresql? We could do that, but it's not a very scalable or upstream friendly answer (since different upstreams might have different account names for these users).

2012/3/30 Ray Strode <rstrode(a)redhat.com&gt; > why not offer to 'root' user a list of users that can be displayed or not on gdm? why not filtering out by defaul the famous non-human users, like mysql and postgresql?

Are you sure? I went to /bin, made "ln -s bash mysql-bash" and changed the login shell for the mysql account in /etc/passwd to /bin/mysql-bash, but the login for mysql still shows up on the login screen :-)

On 03/31/2012 05:17 PM, Bruno Wolff III wrote: > I found the code used. It is in the accountsservices package, not gdm as > expected. > > There is a list of excluded users and any users with a shell that has > a basename of false or "nologin" are also excepted. > > The list of excluded users is currently: > bin, root, daemon, adm, lp, sync, shutdown, halt, mail, news, uucp, operator, > nobody, nobody4, noaccess, postgres, pvm, rpm, nfsnobody, pcap Hi Bruno, thanks for your clarification. So my proposal: why not extend this hard coded list by a second (dynamic) one administratable by the fedora admin?

On Sat, 2012-03-31 at 12:26 -0500, Bruno Wolff III wrote: > On Sat, Mar 31, 2012 at 18:40:46 +0200, >    Joachim Backes <joachim.backes(a)rhrk.uni-kl.de&gt; wrote: > >On 03/31/2012 05:17 PM, Bruno Wolff III wrote: > >> I found the code used. It is in the accountsservices package, not gdm as > >> expected. > >> > >> There is a list of excluded users and any users with a shell that has > >> a basename of false or "nologin" are also excepted. > >> > >> The list of excluded users is currently: > >> bin, root, daemon, adm, lp, sync, shutdown, halt, mail, news, uucp, operator, > >> nobody, nobody4, noaccess, postgres, pvm, rpm, nfsnobody, pcap > > > >Hi Bruno, > > > >thanks for your clarification. So my proposal: why not extend this hard > >coded list by a second (dynamic) one administratable by the fedora admin? > > I think you can as there was code to add more logins to the list. I think > it uses dconf keys to do it, which are a bit of a pain to set, especially > for gdm instead of the current user. No, gdm doesn't currently do its own filtering on top, except for excluding 'gdm' and uid 0.