File gdm-remote-root-login-setting.patch of Package gdm.16051

diff -Npur gdm-3.10.0.1-old//common/gdm-settings-keys.h gdm-3.10.0.1/common/gdm-settings-keys.h
--- gdm-3.10.0.1-old//common/gdm-settings-keys.h	2015-06-16 16:58:55.000000000 +0800
+++ gdm-3.10.0.1/common/gdm-settings-keys.h	2015-06-16 17:00:56.000000000 +0800
@@ -42,6 +42,8 @@ G_BEGIN_DECLS
 #define GDM_KEY_INCLUDE_ALL "greeter/IncludeAll"
 
 #define GDM_KEY_DISALLOW_TCP "security/DisallowTCP"
+#define GDM_KEY_ALLOW_ROOT "security/AllowRoot"
+#define GDM_KEY_ALLOW_REMOTE_ROOT "security/AllowRemoteRoot"
 
 #define GDM_KEY_XDMCP_ENABLE "xdmcp/Enable"
 #define GDM_KEY_SHOW_LOCAL_GREETER "xdmcp/ShowLocalGreeter"
diff -Npur gdm-3.10.0.1-old//common/gdm-settings-system-backend.c gdm-3.10.0.1/common/gdm-settings-system-backend.c
--- gdm-3.10.0.1-old//common/gdm-settings-system-backend.c	2015-06-16 16:58:55.000000000 +0800
+++ gdm-3.10.0.1/common/gdm-settings-system-backend.c	2015-06-16 17:02:43.000000000 +0800
@@ -45,6 +45,7 @@
 #define SYSCONFIG_XDMCP_KEY             "DISPLAYMANAGER_REMOTE_ACCESS"
 #define SYSCONFIG_STARTS_XSERVER_KEY    "DISPLAYMANAGER_STARTS_XSERVER"
 #define SYSCONFIG_PASSWORDLESS_KEY      "DISPLAYMANAGER_PASSWORD_LESS_LOGIN"
+#define SYSCONFIG_XDMCP_ROOT_ENABLE_KEY "DISPLAYMANAGER_ROOT_LOGIN_REMOTE"
 
 /* Keys from sysconfig that have no equivalent in GDM:
  *   - DISPLAYMANAGER_ROOT_LOGIN_REMOTE
@@ -134,6 +135,18 @@ gdm_settings_system_backend_get_value (G
                                 val = g_strdup (tcp_open ? "false" : "true");
                         }
                 }
+        } else if (!strcasecmp (key, GDM_KEY_ALLOW_REMOTE_ROOT)) {
+                const gchar *new_val;
+
+                val = gdm_sysconfig_get_value ((const gchar **) priv->lines, SYSCONFIG_XDMCP_ROOT_ENABLE_KEY);
+
+                if (val && !strcasecmp (val, "yes"))
+                        new_val = "true";
+                else
+                        new_val = "false";
+
+                g_free (val);
+                val = g_strdup (new_val);
         } else if (!strcasecmp (key, GDM_KEY_XDMCP_ENABLE)) {
                 if (priv->dirty_xdmcp) {
                         val = g_strdup (priv->set_xdmcp ? "true" : "false");
diff -Npur gdm-3.10.0.1-old//daemon/gdm-session-worker.c gdm-3.10.0.1/daemon/gdm-session-worker.c
--- gdm-3.10.0.1-old//daemon/gdm-session-worker.c	2015-06-16 16:58:55.000000000 +0800
+++ gdm-3.10.0.1/daemon/gdm-session-worker.c	2015-06-16 17:00:02.000000000 +0800
@@ -72,6 +72,7 @@
 #include "gdm-session-auditor.h"
 #endif
 
+#include "gdm-settings-keys.h"
 #include "gdm-session-settings.h"
 
 #define GDM_SESSION_WORKER_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE ((o), GDM_TYPE_SESSION_WORKER, GdmSessionWorkerPrivate))
@@ -1248,10 +1249,45 @@ gdm_session_worker_authorize_user (GdmSe
 {
         int error_code;
         int authentication_flags;
+        char *username;
+        struct passwd *pwent = NULL;
 
         g_debug ("GdmSessionWorker: determining if authenticated user (password required:%d) is authorized to session",
                  password_is_required);
 
+        gdm_session_worker_get_username (worker, &username);
+        if (username) {
+                pwent = getpwnam (username);
+                g_free (username);
+        }
+
+        if (pwent && (pwent->pw_uid == GDM_SESSION_ROOT_UID)) {
+                gboolean allow_root;
+
+                gdm_settings_direct_get_boolean (GDM_KEY_ALLOW_ROOT, &allow_root);
+                if (!allow_root) {
+                        g_set_error (error,
+                                     GDM_SESSION_WORKER_ERROR,
+                                     GDM_SESSION_WORKER_ERROR_AUTHORIZING,
+                                     "%s", _("System administrator is not allowed to login."));
+                        gdm_session_worker_uninitialize_pam (worker, PAM_PERM_DENIED);
+                        return FALSE;
+                }
+                if (!worker->priv->display_is_local) {
+                        gboolean allow_remote_root;
+
+                        gdm_settings_direct_get_boolean (GDM_KEY_ALLOW_REMOTE_ROOT, &allow_remote_root);
+                        if (!allow_remote_root) {
+                                g_set_error (error,
+                                             GDM_SESSION_WORKER_ERROR,
+                                             GDM_SESSION_WORKER_ERROR_AUTHORIZING,
+                                             "%s", _("System administrator is not allowed to remote login."));
+                                gdm_session_worker_uninitialize_pam (worker, PAM_PERM_DENIED);
+                                return FALSE;
+                        }
+                }
+        }
+
         authentication_flags = 0;
 
         if (password_is_required) {
diff -Npur gdm-3.10.0.1-old//data/gdm.schemas.in.in gdm-3.10.0.1/data/gdm.schemas.in.in
--- gdm-3.10.0.1-old//data/gdm.schemas.in.in	2015-06-16 16:58:55.000000000 +0800
+++ gdm-3.10.0.1/data/gdm.schemas.in.in	2015-06-16 17:00:02.000000000 +0800
@@ -70,6 +70,19 @@
       <signature>b</signature>
       <default>true</default>
     </schema>
+
+    <schema>
+      <key>security/AllowRoot</key>
+      <signature>b</signature>
+      <default>true</default>
+    </schema>
+
+    <schema>
+      <key>security/AllowRemoteRoot</key>
+      <signature>b</signature>
+      <default>false</default>
+    </schema>
+
     <schema>
       <key>xdmcp/Enable</key>
       <signature>b</signature>