How to hide users from the GDM login screen?

Question

I have recently added several new users, that I need for qmail. Now they appear in the box in the login screen and clutter it, and I have to scroll to find my user. How can I hide those users from the login box?

Answer 1

For newer GDM 3.X, old answers don't work, except for this one
The greeter setting in custom.conf is obsolete, i.e. it won't work anymore. One easy workaround if you want to avoid changing the uid of the user:

1. Open the terminal, and enter (replace user with the username you want to hide from the login screen):

   sudo nano /var/lib/AccountsService/users/user
   

2. Add the following to the file:

   [User]  
   Language=   
   XSession=gnome  
   SystemAccount=true  
   

3. Switch user or log out to test if user is not listed anymore.

Answer 2

Edit the file /etc/gdm/gdm.schema find the section that currently looks like this:

  <schema>
    <key>greeter/Exclude</key>
    <signature>s</signature>
    <default>bin,root,daemon,adm,lp,sync,shutdown,halt,mail,news,uucp,operator,nobody,nobody4,noaccess,postgres,pvm,rpm,nfsnobody,pcap</default>
  </schema>

And to exclude a user called qmail for example add qmail to the default list so the section looks like this.

  <schema>
    <key>greeter/Exclude</key>
    <signature>s</signature>
    <default>qmail, bin,root,daemon,adm,lp,sync,shutdown,halt,mail,news,uucp,operator,nobody,nobody4,noaccess,postgres,pvm,rpm,nfsnobody,pcap</default>
  </schema>

That will stop user qmail appearing in the gdm greeter. There used to be a nice GUI tool to do this but is has not been in Ubuntu for the last few releases.

The other alternative is to set the UID of the user to under 1000. Those are considered to be system accounts which are excluded in the GDM greeter too.

Answer 3

Hacky but you can modify the user's id so they don't show in the list:

sudo usermod -u 999 <username>

This works because users with id under 1000 are considered to be "system" users (i.e. not humans).

The only other way I know is to hide the list completely:

sudo -u gdm gconftool-2 --type bool --set /apps/gdm/simple-greeter/disable_user_list 'true'

Answer 4

Elaborating on Gilles's comment to the accepted answer, here's what I believe is the current "best practices" (Gnome-safe) way to do this. This change will also be reflected in the Gnome "Indicator Applet Session".

This method is that one suggested in the docs at the GDM website, and though both the site and Gilles show the addition of "nobody" to the exclude, I wanted to make sure that it was clear this is actually necessary (despite what the manpages or online docs explicitly offer). I've tested this on a couple of 10.10 systems to verify repeatability.

All we need to do is to make on one-line edit to /etc/gdm/custom.conf. Most other methods (making changes to default.conf, gdm.conf, etc.) are deprecated.

If you have an existing /etc/gdm/custom.conf, edit that file. Otherwise, copy over the example file :

sudo cp /usr/share/doc/gdm/examples/custom.conf /etc/gdm/custom.conf

In the [Greeter] section of /etc/gdm/custom.conf , add:

Exclude=user1,user2,nobody

Where "user1" and "user2" are the usernames or passwd file entries (e.g., qmail, squid, etc.) that you do not wish to show on the GDM "face browser".

Note : Under my version of Gnome/GDM (2.30), if you do not have "nobody" listed in the Exclude entry, then you will have a bogus login user nobody show up instead of user1 or user2.

N.B.#2 : The non-display of accounts with UID's below 1000 is a configurable parameter. By default, the MinimalUID value is set to 1000. If and only if the default setting IncludeAll=true is left in place and the Include directive is not changed to a non-empty value, does the GDM greeter scan the passwd file for entries with UID's greater than MinimalUID. Users with UID's above MinimalUID that are not in the Exclude list are then displayed.

I haven't tested whether the reverse setting, namely, that setting an Include=user1,user2 entry in custom.conf will work as presented. It should override any IncludeAll setting, and display only the users explicitly listed.

Answer 5

I wrote a script (gdm-greeter) this weekend. It works well on CentOS 6.2, I wonder if it will be useful for Ubuntu?

#!/bin/bash
#
# $LastChangedDate: 2012-02-17 09:13:10 +0100 (Fri, 17 Feb 2012) $
# $Revision: 1627 $
#

# Get the default exlude list
DefaultExclude=`sed 's,</schema>,#,' /etc/gdm/gdm.schemas | \
                tr '\n#' '#\n' | \
                grep '>greeter/Exclude<' | tr '\n#' '#\n' | \
                grep '<default>' | \
                sed -e 's,.*<default>,,' -e 's,</default>.*,,'`

# Get the Exclude list from the config
eval `grep '^Exclude=' /etc/gdm/custom.conf 2> /dev/null`

# If empty copy the default
if [ "$Exclude" = "" ]
then
   Exclude=$DefaultExclude
fi

# Collect all user accounts with a shell
Users="`grep 'sh$' /etc/passwd | awk -F: '{print $1}' | \
        sort | tr '\n' ',' | sed 's/,$//'`"


#------------------------------------------------------------------------------

# The functions area

PlaceExclude() # $1 new exclude string
{
   # Create a .bak file
   if [ ! -f /etc/gdm/custom.conf.bak ]
   then
      cp /etc/gdm/custom.conf /etc/gdm/custom.conf.bak
   fi

   # Create a tmp file without the Exclude string
   cat /etc/gdm/custom.conf | tr '[\n' '\n[' | \
   sed -e 's/^\(greeter[]].*\)[[]Exclude=[^[]*\([[].*\)/\1\2/' | \
   tr '[\n' '\n[' > /tmp/custom.conf.$$

   # If the tmp file is there and we have non default Exclude
   if [ -f /tmp/custom.conf.$$ ]
   then
      if [ "$1" = "$DefaultExclude" ]
      then
         cat /tmp/custom.conf.$$ > /etc/gdm/custom.conf
      else
         # Place the new Exclude string
         cat /tmp/custom.conf.$$ | tr '[\n' '\n[' | \
         sed -e "s/^greeter[]][[][[]/greeter][Exclude=$1[[/" | \
         tr '[\n' '\n[' > /etc/gdm/custom.conf
      fi
   fi
   rm -f cat /tmp/custom.conf.$$
}

#------------------------------------------------------------------------------
#------------------------------------------------------------------------------

# Command area

add() # Cmd (Add a user to the greeter {<user>
{
   UserFilter=`echo $Users | sed 's/,/|/g'`
   if ! echo $1 | egrep -w $UserFilter &> /dev/null
   then
      echo "Error: user $1 unknown"
      echo
      return 1
   fi

   # Only work with the users not in the default exclude list
   Filter=`echo $DefaultExclude | sed 's/,/|/g'`
   Hidden=`echo $Exclude | tr ',' '\n' | egrep -vw "$Filter" | tr '\n' ','`

   # Check if we need to do something
   if ! echo $Hidden | tr ',' '\n' | grep -w $1 &> /dev/null
   then
      echo
      echo "User $1 is not hidden"
      echo
   else
      # Remove the user from the exclude
      PlaceExclude "`echo $Exclude | tr ',' '\n' | grep -vw $1 | \
                     tr '\n' ',' | sed 's/,$//'`"

      # Tell the action
      echo "User $1 added to the greeter"
      echo
   fi
}

del() # Cmd (Delete/hide a user from the greeter {<user>
{
   UserFilter=`echo $Users | sed 's/,/|/g'`
   if ! echo $1 | egrep -w $UserFilter &> /dev/null
   then
      echo "Error: user $1 unknown"
      echo
      return 1
   fi

   # Check if we need to do something
   if echo $Exclude | tr ',' '\n' | grep -w $1 &> /dev/null
   then
      echo
      echo "User $1 is already excluded from the greeter"
      echo
   else
      # Exclude the user
      PlaceExclude "$1,$Exclude"

      # Tell the action
      echo "User $1 hidden from the greeter"
      echo
   fi
}

hide() # CMD (Delete/hide a user from the greeter {<user>
{
   del $1
}

hidden() # Cmd (List the hidden users {
{
   Filter=`echo $DefaultExclude | sed 's/,/|/g'`
   Hidden=`echo $Exclude | tr ',' '\n' | egrep -vw "$Filter" | tr '\n' ','`

   if [ ${#Hidden} -eq 0 ]
   then
      echo "No hidden users"
      echo
   else
      echo
      echo "Users hidden from the greeter:"
      echo
      echo $Hidden | tr ',' '\n' | sed 's/^/   /'
   fi
}

users() # Cmd (List the users in the greeter {
{
   Filter=`echo $Exclude | sed 's/,/|/g'`
   Greeters=`echo $Users | tr ',' '\n' | egrep -vw "$Filter" | tr '\n' ','`

   if [ ${#Greeters} -eq 0 ]
   then
      echo "No users in the greeter"
      echo
   else
      echo
      echo "Users in the greeter:"
      echo
      echo $Greeters | tr ',' '\n' | sed 's/^/   /'
   fi
}

list() # CMD (List the users in the greeter {
{
   users
}
#------------------------------------------------------------------------------
#------------------------------------------------------------------------------

# Framework area

help() # Cmd (Command help {[command]
{
   if [ "$1" = "" ]
   then
      CMD=help
   else
      CMD=$1
   fi

   if ! grep \^${CMD}*\(\).*#.*Cmd $0 > /dev/null 2>&1
   then
   (
      echo
      echo "Error: unknown cmd"
      echo
   ) >&2
   else
   (
      echo
      echo "Usage: `basename $0` $CMD `grep \^${CMD}*\(\).*#.*Cmd $0 | \
                    sed 's/.* {//g'`"
      echo
   ) >&2
   fi
}

#
# Main
#

if [ "$1" != "" ] && grep -i $1\(\).*#.*Cmd $0 > /dev/null 2>&1
then
   $*
else
   echo
   echo "Usage: `basename $0` command [parm1] [parm2] [..]"
   echo
   echo "  Available Commands:"
   echo
   grep \^[0-9a-z_A-Z]*\(\).*#.*Cmd $0  | \
   awk -F\( '{printf "%-16s %s\n",$1,$3}' | sed 's/ {.*//g' | sort
   echo
fi

Answer 6

I'd have to agree that the most accepted answer here is close, but not dead on.

I just licked this problem myself, and the answer for me was to alter the following gdm.schema entry:

(original)
<schema>
      <key>greeter/IncludeAll</key>
      <signature>b</signature>
      <default>true</default>
    </schema>

(after my edit)
<schema>
      <key>greeter/IncludeAll</key>
      <signature>b</signature>
      <default>false</default>
    </schema>

The effect of this is that all user-listing is disabled, which if I'm interpreting the original question correctly, is actually what the OP (gruszczy) was intending to do. This eliminates the need to craft a long line of excludes, as all userIDs regardless of UID number are excluded regardless once this setting is altered. I've personally applied this setting to 3 separate CentOS 6.2 servers at work that are occasionally accessed via XDMCP (using xrdp > vnc-server > xinetd > gdm > gnome) over RDP, which allows some of our less experienced Linux admins work on these systems with minimal training.

All of that said, while I do agree that an inexperienced sysadmin should learn from the beginning to work from a personal account (maybe with sudo access) rather than as root, if you have the experience to work with that account properly, there's no harm in doing so. Just make sure you know what you're doing before hand. In the case of my other sysadmins, I've added CentrifyDC for Active Directory support to all of these systems and configured the systems so that the AD-UserIDs can be used for desktop sessions while maintaining the user's AD Security Group rights. But personally, since I engineered all of these servers and have used Linux for over 15 years now, I think nothing of using root to speed things along. In fact, I tend to enable root on systems where it's been disabled just so that I can use that account and cut to the chase with getting things done. The main thing there, really, is just to make a habit of creating a backup copy of any file before you alter it. That will safe guard against most mishaps and allow you to recover the system should you perform an edit that would otherwise cause the system to become inaccessible (just boot to a live CD and fix up what needs to be fixed up).

IMHO, I believe that the mantra of 'never login as root' is really just there to protect the n00bie sysadmins from themselves. But if you reach a level of competence with Linux to the point where you can engineer a system from any Linux OS in a very short amount of time and it work every time, then there's no reason to live by the 'never login as root' mantra because by that point you're ready to handle the responsibility that comes along with using that account. This is especially true in environments that use CentrifyDC for AD support, because 'root' becomes the local sysadmin account and is (usually) enabled automatically. So, I find it best to cut to the chase and make the setting of the root account's password as one of the very first tasks I do on any deployment nowadays. Sure, I could do the whole 'login as my own ID, then sudo up', but I personally don't feel the need to do things that way. Your own mileage may vary...

Answer 7

This worked for me on Zorin 16 - gdm3

Uncomment the line which says disable-user-list=true in /etc/gdm3/greeter.dconf-defaults

nano /etc/gdm3/greeter.dconf-defaults
- Disable user list
disable-user-list=true

Then

/etc/gdm3/greeter.dconf-defaults

Answer 8

Change the user login shell to an empty string in /etc/passwd

For Example, change:

# Change
example:x:2001:2001:Example User,,,:/home/example:/bin/bash
To
example:x:2001:2001:Example User,,,:/home/example:

I restarted my display manager and observed this taking effect.

sudo service lightdm restart
# (or gdm, mdm, ...)

---

It took me weeks to identify this as the reason why users were hidden in the display manager login greeter. It is apparent that /var/lib/AccountService/users is being ignored by MDM, and assumedly GDM as well. I didn't go as far as to add an Exclude=user1,user2 or an Include=user3 under [greeter] in /etc/mdm/mdm.conf, or create an /etc/mdm/custom.conf, as a another box was hiding users added via useradd just fine, while users added with adduser were shown. Setting the login shell to /bin/false denies all login to that user, which I still wish to su as. But that also hides the user in the login screen if you want that user to be plain inaccessible.