How does GDM know the face pictures of users with encrypted home directories?

Asked by cornware-cjp on 2011-02-16

I am always keeping an eye on the security of my PC, and I recently found something that doesn't make sense, or at least it might be an opportunity to learn more about the security model of Ubuntu.

It looks like the user's face picture is stored in "$HOME/.face". I can not find any other place where this is stored, and it would look strange to me if it were stored in multiple places. This face picture is visible in GDM, so it seems to me that GDM retrieves the face pictures from the $HOME/.face file of each user. But how does this work if the user has an encrypted home directory?

I checked it, and as long as a user has not logged in, his/her encrypted home directory is not mounted, and .face is not present. As far as I understand, an encrypted home directory can not be mounted without either the user's password or the key that was given to the user when the encrypted home directory was created. Does GDM have access to one of them before log-in? If that is the case, are they saved somewhere on disk, and wouldn't this break the whole concept of an encrypted home directory?

Links to locations in the GDM source code would also be appreciated. I've already downloaded the code.


I don't know the answer to your question and I don't have a system with encrypted home directories (or with face pictures enabled) to investigate this, but two things come to mind:

(1) Is this information useful?

(2) Have you checked to see if GDM makes a copy and puts it in /var/cache/gdm/<username>? (This comes to mind after reading bug 479671.)

cornware-cjp (cjp) said : #2

(1) The text looks familiar; I think I've already seen it. It's not useful, or at least it does not answer my question. It refers to /usr/share/pixmap/faces, but that directory only contains the pictures to choose from, and nothing to indicate which picture was chosen by which user.

(2) Thanks. I checked it, and yes, it does contain the face pictures. How did you know about the existence of that directory? I didn't find it in the docs, and not in the doc from (1) either.

I suppose the existence of (2) explains a lot. The question remains, of course, why the .face file is still there, and what happens if both files are different. And the fact that I couldn't find (2) might indicate a lack of documentation (or that I have been too lazy in my search for documentation of course).

"How did you know about the existence of that directory?"

By reading bug 479671.

I'm posting this as a comment rather than an answer, to deliberately leave this question's status as Open. Hopefully someone else can step in and answer your other questions. Presumably, the .face file in the home directory is the file that is user-controllable, and since data in /var/cache is, as that directory's name suggests, cached and subject to change, it's important to have a source file somewhere. Perhaps the .face file is also used (or potentially used) for more than the GDM face browser.

But your other questions remain, and here is a possibly faithful (possibly not) recasting of them: How is the face picture in /var/cache/gdm/<username> kept in sync with the face picture at .face? Where, if anywhere (besides the source code) is this behavior documented, and is it (a) universal GDM behavior, (b) Debian-specific behavior (inherited by Ubuntu), or (c) Ubuntu-specific behavior?

You might consider changing your face picture and checking immediately to see if the face picture in /var/cache/gdm/<username> has changed to match it. If it hasn't, then immediately log out (separately, try keeping this user logged in but returning to the login screen) and see if the face has changed there. If the /var/cache/gdm/<username>-contained copy does instantly match the .face file, then try *manually* editing the .face file and see how readily the copy in /var/cache/gdm/<username> is matched.

Also, it seems that with an encrypted home directory, the device and inode numbers of the .face file could not possibly (both) match the device and inode numbers of the file in /var/cache/gdm/<username> (i.e. they could not both be hard links to the same file), but it might be worthwhile to just check and see. (Also check to see if the .face file is perhaps a symbolic link to the file in /var/cache/gdm/<username>.)
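
The checks suggested in the comment above (symbolic link, shared device and inode, content match) collected into one script, as an added example that is not part of the original thread. The paths are the ones named in the thread; the function names `face_relation` and `report` are made up for this example, and GNU `stat` and `readlink` are assumed.

```shell
#!/bin/sh
# Added example: relate a user's ~/.face to GDM's cached copy outside the
# (possibly encrypted) home. Run as root if /var/cache/gdm is not readable.

# face_relation HOME_FACE CACHE_FACE
# Prints one word: missing | symlink | hardlink | copy | differs
face_relation() {
    # With an unmounted encrypted home, .face is absent before login.
    if [ ! -e "$1" ] || [ ! -e "$2" ]; then
        echo missing; return
    fi
    # Is .face only a symbolic link that resolves to the cached file?
    if [ -L "$1" ] && [ "$(readlink -f "$1")" = "$(readlink -f "$2")" ]; then
        echo symlink; return
    fi
    # Same device and inode: both names are hard links to one file.
    if [ "$(stat -c '%d:%i' "$1")" = "$(stat -c '%d:%i' "$2")" ]; then
        echo hardlink; return
    fi
    # Two separate files: compare their content byte for byte.
    if cmp -s "$1" "$2"; then
        echo copy
    else
        echo differs
    fi
}

# report USER: print the relation and the metadata of the cached copy.
report() {
    home_dir=$(getent passwd "$1" | cut -d: -f6)
    cache_face="/var/cache/gdm/$1/face"
    echo "relation: $(face_relation "$home_dir/.face" "$cache_face")"
    # Owner, mode and mtime show who can read the copy and when it was
    # last written, i.e. when the picture left the encrypted home.
    if [ -e "$cache_face" ]; then
        stat -c '%U:%G %a %y %n' "$cache_face"
    fi
}

# Usage: sh face_check.sh <username>
if [ $# -eq 1 ]; then
    report "$1"
fi
```

A result of `differs` right after changing the picture, followed by `copy` after the next logout, would indicate that the cache is refreshed at logout rather than when `.face` changes.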

cornware-cjp (cjp) said : #4

I agree with your recasting of my question.

I experimented a bit as you suggested, with the following results:

When I change the face with the standard Ubuntu GUI application (through the indicator applet), the ~/.face file changes immediately, but the /var/cache/gdm/<user>/face file does not change.

Next, when I choose to switch user (without logging out), the old picture is still visible in the GDM menu.

Next, when I log out, the new picture suddenly becomes visible in GDM. When logging in again, it turns out that /var/cache/gdm/<user>/face is changed, so that it matches ~/.face.

The same results apply when I manually edit ~/.face with the GIMP, instead of selecting a face in the standard way.

It seems that GDM synchronizes /var/cache/gdm/<user>/face with ~/.face when the user logs out.


If you wish to verify your (already quite strong) hypothesis, you might check the source code for GDM in Ubuntu (for the branch corresponding to whichever release of Ubuntu you're running / interested in), which you can browse (no need to actually download it) at

If you need help with that or have other questions, please feel free to post again. If you consider this question answered to your liking, please mark it as Solved. (If you will only consider it resolved once you've actually examined the source, then feel free to leave its status as it is, for the time being.)
