I have recently added several new users, that I need for qmail. Now they appear in the box in the login screen and clutter it, and I have to scroll to find my user. How can I hide those users from the login box?
28 Answers
For newer GDM 3.X, old answers don't work, except for this one
The greeter setting in custom.conf is obsolete, i.e. it won't work anymore. One easy workaround if you want to avoid changing the uid of the user:
Open the terminal, and enter (replace
userwith the username you want to hide from the login screen):sudo nano /var/lib/AccountsService/users/userAdd the following to the file:
[User] Language= XSession=gnome SystemAccount=trueSwitch user or log out to test if
useris not listed anymore.
Edit the file /etc/gdm/gdm.schema find the section that currently looks like this:
<schema> <key>greeter/Exclude</key> <signature>s</signature> <default>bin,root,daemon,adm,lp,sync,shutdown,halt,mail,news,uucp,operator,nobody,nobody4,noaccess,postgres,pvm,rpm,nfsnobody,pcap</default> </schema>And to exclude a user called qmail for example add qmail to the default list so the section looks like this.
<schema> <key>greeter/Exclude</key> <signature>s</signature> <default>qmail, bin,root,daemon,adm,lp,sync,shutdown,halt,mail,news,uucp,operator,nobody,nobody4,noaccess,postgres,pvm,rpm,nfsnobody,pcap</default> </schema>That will stop user qmail appearing in the gdm greeter. There used to be a nice GUI tool to do this but is has not been in Ubuntu for the last few releases.
The other alternative is to set the UID of the user to under 1000. Those are considered to be system accounts which are excluded in the GDM greeter too.
7Hacky but you can modify the user's id so they don't show in the list:
sudo usermod -u 999 <username>This works because users with id under 1000 are considered to be "system" users (i.e. not humans).
The only other way I know is to hide the list completely:
sudo -u gdm gconftool-2 --type bool --set /apps/gdm/simple-greeter/disable_user_list 'true' 3 Elaborating on Gilles's comment to the accepted answer, here's what I believe is the current "best practices" (Gnome-safe) way to do this. This change will also be reflected in the Gnome "Indicator Applet Session".
This method is that one suggested in the docs at the GDM website, and though both the site and Gilles show the addition of "nobody" to the exclude, I wanted to make sure that it was clear this is actually necessary (despite what the manpages or online docs explicitly offer). I've tested this on a couple of 10.10 systems to verify repeatability.
All we need to do is to make on one-line edit to /etc/gdm/custom.conf. Most other methods (making changes to default.conf, gdm.conf, etc.) are deprecated.
If you have an existing /etc/gdm/custom.conf, edit that file.
Otherwise, copy over the example file :
sudo cp /usr/share/doc/gdm/examples/custom.conf /etc/gdm/custom.confIn the [Greeter] section of /etc/gdm/custom.conf , add:
Exclude=user1,user2,nobodyWhere "user1" and "user2" are the usernames or passwd file entries (e.g., qmail, squid, etc.) that you do not wish to show on the GDM "face browser".
Note : Under my version of Gnome/GDM (2.30), if you do not have "nobody" listed in the Exclude entry, then you will have a bogus login user nobody show up instead of user1 or user2.
N.B.#2 : The non-display of accounts with UID's below 1000 is a configurable parameter. By default, the MinimalUID value is set to 1000. If and only if the default setting IncludeAll=true is left in place and the Include directive is not changed to a non-empty value, does the GDM greeter scan the passwd file for entries with UID's greater than MinimalUID. Users with UID's above MinimalUID that are not in the Exclude list are then displayed.
I haven't tested whether the reverse setting, namely, that setting an Include=user1,user2 entry in custom.conf will work as presented. It should override any IncludeAll setting, and display only the users explicitly listed.
I wrote a script (gdm-greeter) this weekend. It works well on CentOS 6.2, I wonder if it will be useful for Ubuntu?
#!/bin/bash
#
# $LastChangedDate: 2012-02-17 09:13:10 +0100 (Fri, 17 Feb 2012) $
# $Revision: 1627 $
#
# Get the default exlude list
DefaultExclude=`sed 's,</schema>,#,' /etc/gdm/gdm.schemas | \ tr '\n#' '#\n' | \ grep '>greeter/Exclude<' | tr '\n#' '#\n' | \ grep '<default>' | \ sed -e 's,.*<default>,,' -e 's,</default>.*,,'`
# Get the Exclude list from the config
eval `grep '^Exclude=' /etc/gdm/custom.conf 2> /dev/null`
# If empty copy the default
if [ "$Exclude" = "" ]
then Exclude=$DefaultExclude
fi
# Collect all user accounts with a shell
Users="`grep 'sh$' /etc/passwd | awk -F: '{print $1}' | \ sort | tr '\n' ',' | sed 's/,$//'`"
#------------------------------------------------------------------------------
# The functions area
PlaceExclude() # $1 new exclude string
{ # Create a .bak file if [ ! -f /etc/gdm/custom.conf.bak ] then cp /etc/gdm/custom.conf /etc/gdm/custom.conf.bak fi # Create a tmp file without the Exclude string cat /etc/gdm/custom.conf | tr '[\n' '\n[' | \ sed -e 's/^\(greeter[]].*\)[[]Exclude=[^[]*\([[].*\)/\1\2/' | \ tr '[\n' '\n[' > /tmp/custom.conf.$$ # If the tmp file is there and we have non default Exclude if [ -f /tmp/custom.conf.$$ ] then if [ "$1" = "$DefaultExclude" ] then cat /tmp/custom.conf.$$ > /etc/gdm/custom.conf else # Place the new Exclude string cat /tmp/custom.conf.$$ | tr '[\n' '\n[' | \ sed -e "s/^greeter[]][[][[]/greeter][Exclude=$1[[/" | \ tr '[\n' '\n[' > /etc/gdm/custom.conf fi fi rm -f cat /tmp/custom.conf.$$
}
#------------------------------------------------------------------------------
#------------------------------------------------------------------------------
# Command area
add() # Cmd (Add a user to the greeter {<user>
{ UserFilter=`echo $Users | sed 's/,/|/g'` if ! echo $1 | egrep -w $UserFilter &> /dev/null then echo "Error: user $1 unknown" echo return 1 fi # Only work with the users not in the default exclude list Filter=`echo $DefaultExclude | sed 's/,/|/g'` Hidden=`echo $Exclude | tr ',' '\n' | egrep -vw "$Filter" | tr '\n' ','` # Check if we need to do something if ! echo $Hidden | tr ',' '\n' | grep -w $1 &> /dev/null then echo echo "User $1 is not hidden" echo else # Remove the user from the exclude PlaceExclude "`echo $Exclude | tr ',' '\n' | grep -vw $1 | \ tr '\n' ',' | sed 's/,$//'`" # Tell the action echo "User $1 added to the greeter" echo fi
}
del() # Cmd (Delete/hide a user from the greeter {<user>
{ UserFilter=`echo $Users | sed 's/,/|/g'` if ! echo $1 | egrep -w $UserFilter &> /dev/null then echo "Error: user $1 unknown" echo return 1 fi # Check if we need to do something if echo $Exclude | tr ',' '\n' | grep -w $1 &> /dev/null then echo echo "User $1 is already excluded from the greeter" echo else # Exclude the user PlaceExclude "$1,$Exclude" # Tell the action echo "User $1 hidden from the greeter" echo fi
}
hide() # CMD (Delete/hide a user from the greeter {<user>
{ del $1
}
hidden() # Cmd (List the hidden users {
{ Filter=`echo $DefaultExclude | sed 's/,/|/g'` Hidden=`echo $Exclude | tr ',' '\n' | egrep -vw "$Filter" | tr '\n' ','` if [ ${#Hidden} -eq 0 ] then echo "No hidden users" echo else echo echo "Users hidden from the greeter:" echo echo $Hidden | tr ',' '\n' | sed 's/^/ /' fi
}
users() # Cmd (List the users in the greeter {
{ Filter=`echo $Exclude | sed 's/,/|/g'` Greeters=`echo $Users | tr ',' '\n' | egrep -vw "$Filter" | tr '\n' ','` if [ ${#Greeters} -eq 0 ] then echo "No users in the greeter" echo else echo echo "Users in the greeter:" echo echo $Greeters | tr ',' '\n' | sed 's/^/ /' fi
}
list() # CMD (List the users in the greeter {
{ users
}
#------------------------------------------------------------------------------
#------------------------------------------------------------------------------
# Framework area
help() # Cmd (Command help {[command]
{ if [ "$1" = "" ] then CMD=help else CMD=$1 fi if ! grep \^${CMD}*\(\).*#.*Cmd $0 > /dev/null 2>&1 then ( echo echo "Error: unknown cmd" echo ) >&2 else ( echo echo "Usage: `basename $0` $CMD `grep \^${CMD}*\(\).*#.*Cmd $0 | \ sed 's/.* {//g'`" echo ) >&2 fi
}
#
# Main
#
if [ "$1" != "" ] && grep -i $1\(\).*#.*Cmd $0 > /dev/null 2>&1
then $*
else echo echo "Usage: `basename $0` command [parm1] [parm2] [..]" echo echo " Available Commands:" echo grep \^[0-9a-z_A-Z]*\(\).*#.*Cmd $0 | \ awk -F\( '{printf "%-16s %s\n",$1,$3}' | sed 's/ {.*//g' | sort echo
fi 0 I'd have to agree that the most accepted answer here is close, but not dead on.
I just licked this problem myself, and the answer for me was to alter the following gdm.schema entry:
(original)
<schema> <key>greeter/IncludeAll</key> <signature>b</signature> <default>true</default> </schema>
(after my edit)
<schema> <key>greeter/IncludeAll</key> <signature>b</signature> <default>false</default> </schema>The effect of this is that all user-listing is disabled, which if I'm interpreting the original question correctly, is actually what the OP (gruszczy) was intending to do. This eliminates the need to craft a long line of excludes, as all userIDs regardless of UID number are excluded regardless once this setting is altered. I've personally applied this setting to 3 separate CentOS 6.2 servers at work that are occasionally accessed via XDMCP (using xrdp > vnc-server > xinetd > gdm > gnome) over RDP, which allows some of our less experienced Linux admins work on these systems with minimal training.
All of that said, while I do agree that an inexperienced sysadmin should learn from the beginning to work from a personal account (maybe with sudo access) rather than as root, if you have the experience to work with that account properly, there's no harm in doing so. Just make sure you know what you're doing before hand. In the case of my other sysadmins, I've added CentrifyDC for Active Directory support to all of these systems and configured the systems so that the AD-UserIDs can be used for desktop sessions while maintaining the user's AD Security Group rights. But personally, since I engineered all of these servers and have used Linux for over 15 years now, I think nothing of using root to speed things along. In fact, I tend to enable root on systems where it's been disabled just so that I can use that account and cut to the chase with getting things done. The main thing there, really, is just to make a habit of creating a backup copy of any file before you alter it. That will safe guard against most mishaps and allow you to recover the system should you perform an edit that would otherwise cause the system to become inaccessible (just boot to a live CD and fix up what needs to be fixed up).
IMHO, I believe that the mantra of 'never login as root' is really just there to protect the n00bie sysadmins from themselves. But if you reach a level of competence with Linux to the point where you can engineer a system from any Linux OS in a very short amount of time and it work every time, then there's no reason to live by the 'never login as root' mantra because by that point you're ready to handle the responsibility that comes along with using that account. This is especially true in environments that use CentrifyDC for AD support, because 'root' becomes the local sysadmin account and is (usually) enabled automatically. So, I find it best to cut to the chase and make the setting of the root account's password as one of the very first tasks I do on any deployment nowadays. Sure, I could do the whole 'login as my own ID, then sudo up', but I personally don't feel the need to do things that way. Your own mileage may vary...
Change the user login shell to an empty string in /etc/passwd
For Example, change:
# Change
example:x:2001:2001:Example User,,,:/home/example:/bin/bash
# To
example:x:2001:2001:Example User,,,:/home/example:I restarted my display manager and observed this taking effect.
sudo service lightdm restart
# (or gdm, mdm, ...)It took me weeks to identify this as the reason why users were hidden in the display manager login greeter. It is apparent that /var/lib/AccountService/users is being ignored by MDM, and assumedly GDM as well. I didn't go as far as to add an Exclude=user1,user2 or an Include=user3 under [greeter] in /etc/mdm/mdm.conf, or create an /etc/mdm/custom.conf, as a another box was hiding users added via useradd just fine, while users added with adduser were shown. Setting the login shell to /bin/false denies all login to that user, which I still wish to su as. But that also hides the user in the login screen if you want that user to be plain inaccessible.
This worked for me on Zorin 16 - gdm3
Uncomment the line which says disable-user-list=true in /etc/gdm3/greeter.dconf-defaults
nano /etc/gdm3/greeter.dconf-defaults
# - Disable user list
disable-user-list=trueThen
/etc/gdm3/greeter.dconf-defaults