sesman.ini(5)							 sesman.ini(5)

NAME
       sesman.ini - Configuration file for xrdp-sesman(8)

DESCRIPTION
       sesman.ini consists of several sections. Each section starts with the
       section name in square brackets, followed by a list of parameter=value
       lines. The following sections are recognized:

       [Globals]
	      Global configuration

       [Logging]
	      Logging subsystem

       [Sessions]
	      Session management

       [Security]
	      Access control

       [Chansrv]
	      Settings for xrdp-chansrv(8)

       [ChansrvLogging]
	      Logging settings for xrdp-chansrv(8)

       [SessionVariables]
	      Environment variables for	the session

       All  parameters	and  values (except for	file names and paths) are case
       insensitive, and	are described in detail	below.	If  any	 parameter  is
       specified  more	than once, the last entry will be used.	Options	speci-
       fied outside their proper section will be ignored.

GLOBALS
       The following parameters can be used in the [Globals] section.

       ListenPort=path-to-socket
	      UNIX domain socket for xrdp-sesman(8) to listen on.

	      The default value	of this	setting	is 'sesman.socket'.

	      An absolute path can be specified	 by  starting  this  parameter
	      with  a  '/'.  In	this instance, the system administrator	is re-
	      sponsible	for ensuring the socket	can only be created by a suit-
	      ably privileged process.

	      If the parameter does not	 start	with  a	 '/',  a  name	within
	      /var/run/xrdp/<uid> is used.

       EnableUserWindowManager=[true|false]
	      If set to 1, true or yes, this option enables a user-specific
	      startup script. That is, xrdp-sesman will execute the script
	      specified by UserWindowManager if it exists.

       UserWindowManager=filename
	      Path  of	the  startup script relative to	the user's home	direc-
	      tory. If present and enabled  by	EnableUserWindowManager,  that
	      script is	executed instead of DefaultWindowManager.

       DefaultWindowManager=filename
	      Full path or relative path of the default startup script used by
	      xrdp-sesman to start a session. If the path is not a full path,
	      it will be resolved as a path relative to /usr/local/etc/xrdp.
	      If not specified, defaults to /usr/local/etc/xrdp/startwm.sh.

       ReconnectScript=filename
	      Full path or relative path of the script which is executed when
	      a user reconnects to an existing session. If the path is not a
	      full path, it will be resolved as a path relative to
	      /usr/local/etc/xrdp. If not specified, defaults to
	      /usr/local/etc/xrdp/reconnectwm.sh.

       AlwaysRunReconnect=[yes|no]
	      If set to	1, true	or yes,	the ReconnectScript will  be  run  for
	      the initial connection to	a session, as well as all reconnects.

LOGGING
       The following parameters can be used in the [Logging] and
       [ChansrvLogging] sections.

       LogFile=filename
	      Log file path. It can be either absolute or relative. If not
	      specified, defaults to ./sesman.log. If set to <stdout>, log
	      will go to stdout. Use for debugging only.

	      It is ignored in the [ChansrvLogging] section since the channel
	      server creates one log file per display and instead uses the
	      following log file naming convention:
	      xrdp-chansrv.${DISPLAY}.log. For details of the chansrv log file
	      location, see LogFilePath.

       LogFilePath=string
	      Directory	for storing the	chansrv	log file.  This	 setting  only
	      applies  to  chansrv.  The  sesman log file is always created in
	      /var/log.

	      Created if it doesn't exist.  If first character is not  a  '/',
	      this is relative to $HOME, where chansrv is normally started.

	      The following substitutions are made in this string:-
		  %U - Username
		  %u - Numeric UID
		  %% - Percent character

	      This  is	most useful if you are using NFS-mounted home directo-
	      ries, and	wish to	move the chansrv log file to the local disk.

	      If this parameter	isn't specified, the log file is stored	in one
	      of the following locations :-
		  -   $CHANSRV_LOG_PATH
		  -   $XDG_DATA_HOME/xrdp
		  -   $HOME/.local/share/xrdp

       LogLevel=level
	      This option can have one of the following	values:

	      CORE or 0	- Log only core	messages. Those	 messages  are	logged
	      regardless of the	selected logging level.

	      ERROR or 1 - Log only error messages.

	      WARNING, WARN or 2 - Logs	warnings and error messages.

	      INFO or 3	- Log errors, warnings and informational messages.

	      DEBUG or 4 - Log everything. If xrdp-sesman is compiled in debug
	      mode, this option will output many more low-level messages.

       EnableSyslog=[true|false]
	      If set to	1, true	or yes,	this option enables logging to syslog.

       SyslogLevel=level
	      Logging  level  for  syslog.  It	can  have  the	same values as
	      LogLevel.	 Defaults to DEBUG.

       EnableConsole=[true|false]
	      If set to	1, true	or yes,	this option  enables  logging  to  the
	      console (ie. stdout).

       ConsoleLevel=level
	      Logging  level  for  the console.	It can have the	same values as
	      LogLevel.	 Defaults to DEBUG.

       EnableProcessId=[true|false]
	      If set to	1, true	 or  yes,  this	 option	 enables  logging  the
	      process id in all	log messages. Defaults to false.

SESSIONS
       The following parameters can be used in the [Sessions] section.

       X11DisplayOffset=number
	      The  first X display number available for	xrdp-sesman. This pre-
	      vents xrdp-sesman	from interfering with real X11 servers.	If not
	      specified, defaults to 10.

       MaxSessions=number
	      Sets the maximum number of simultaneous sessions. If not set or
	      set to 0, unlimited sessions are allowed.

       MaxDisplayNumber=number
	      Sets the maximum number which can be assigned to an X11
	      $DISPLAY. The default is compatible with IANA TCP port
	      allocations. If you are not allowing TCP connections to your X
	      servers you may safely increase this number.

       KillDisconnected=[true|false]
	      If set to	1, true	or yes,	every session will  be	killed	within
	      DisconnectedTimeLimit  seconds after the user disconnects.  This
	      setting currently	only works with	xorgxrdp sessions.

       DisconnectedTimeLimit=number
	      Sets the time limit for KillDisconnected to a value greater than
	      60.  Values less than 60 are to be  overridden  with  60.	  This
	      setting currently	only works with	xorgxrdp sessions.

       IdleTimeLimit=number
	      Sets  the	time limit (in seconds)	before an idle session is dis-
	      connected.   Idle	 means	no  keyboard  inputs  and   no	 mouse
	      moves/clicks  here.   If	set  to	0, idle	sessions will never be
	      disconnected by timeout.	This works  only  with	xorgxrdp  ses-
	      sions. Moreover, xorgxrdp	must be	v0.2.9 or later.

       Policy=[Default|Separate|{UBDI}]
	      Session allocation policy. Used to decide	when to	allocate a new
	      session. Set to one of the following values:

	      Default -	  Currently the	same as	"UB" for all session types

	      Separate -  All sessions are separate. Sessions can never	be re-
			  joined,  and will need to be cleaned up manually, or
			  automatically	by setting other sesman	options.

	      Alternatively combine one-or-more	of the following options

	      U	- Sessions are separated per user

	      B	- Sessions are separated by bits-per-pixel

	      D	- Sessions are separated by initial display size

	      I	- Sessions are separated by IP address

	      N	- Sessions are separated by  an	 instance  name	 specified  on
		  startup

	      Note that	the U and B criteria cannot be turned off. DisplaySize
	      refers  to  the initial geometry of a connection,	as actual dis-
	      play sizes can change dynamically.

       StartupWaitTime=number
	      Milliseconds to wait to ensure the session has started. The  de-
	      fault is 1500 milli-seconds.

	      Making  this  larger does	not increase the session startup time,
	      but will increase	the time for the first connection  to  a  ses-
	      sion.   The  value can be	set to zero. If	this is	done, sessions
	      which fail early will not	be reported to the user.

SECURITY
       The following parameters can be used in the [Security] section.

       AllowRootLogin=[true|false]
	      If set to	1, true	or yes,	enables	root  login  on	 the  terminal
	      server.

       MaxLoginRetry=number
	      The  number  of  login  attempts	that  are  allowed on terminal
	      server. If set to	0, unlimited  attempts	are  allowed.  If  not
	      specified, defaults to 3.

       XAuthorityInSystemDir=[no|yes]
	      If  set to no (the default), XAUTHORITY will not be set for ses-
	      sions, and the X11 authfile will be $HOME/.Xauthority.
	      If set to	yes, xrdp will point XAUTHORITY	to a file in a	system
	      directory	   private    to   the	 logged-in   user   (currently
	      /var/run/xrdp/<uid>/Xauthority).
	      You may wish to use this if $HOME	is NFS-mounted,	or you are ex-
	      periencing other applications overwriting	the default file.

       TerminalServerUsers=group
	      Only the users belonging to the specified	group are  allowed  to
	      login  on	 terminal  server.  If	unset  or set to an invalid or
	      non-existent group, login	for all	users is enabled.

       TerminalServerAdmins=group
	      Members of this group can	use the	xrdp-sesadmin command  to  ad-
	      minister	sessions  started by other users. The root user	is al-
	      ways considered to be in this group.

       RestrictOutboundClipboard=[all|none|text|file|image]
	      If set to all, will restrict the clipboard outbound from the
	      server, to prevent data copied inside the xrdp session from
	      being pasted in the client. Default value is none. In addition,
	      you can control text/file/image transfer restrictions
	      respectively. It also accepts a comma-separated list such as
	      text,file,image.

	      none - No restriction on copying outbound clipboard data.
	      all - Restrict copying of all outbound clipboard data.
	      text - Restrict copying of outbound text clipboard data only.
	      file - Restrict copying of outbound file clipboard data only.
	      image - Restrict copying of outbound image clipboard data only.

	      To keep compatibility, the following aliases are also available.
	      true - an	alias of all.
	      false - an alias of none.
	      yes - an alias of	all.

       RestrictInboundClipboard=[none|all|text|file|image]
	      If set to all, will restrict the clipboard inbound from the
	      client, to prevent data copied inside the client from being
	      pasted in the xrdp session. Default value is none. In addition,
	      you can control text/file/image transfer restrictions
	      respectively. It also accepts a comma-separated list such as
	      text,file,image.

	      none - No restriction on copying inbound clipboard data.
	      all - Restrict copying of all inbound clipboard data.
	      text - Restrict copying of inbound text clipboard data only.
	      file - Restrict copying of inbound file clipboard data only.
	      image - Restrict copying of inbound image clipboard data only.

	      To keep compatibility, the following aliases are also available.
	      true - an	alias of all.
	      false - an alias of none.
	      yes - an alias of	all.

       AlwaysGroupCheck=[true|false]
	      If set to	1, true	or yes:-

	      -	 For normal logins, require group membership even if the group
		 specified in TerminalServerUsers doesn't exist.

	      -	An error message may be	generated when any user	 authenticates
		 if the	group specified	in TerminalServerAdmins	doesn't	exist.
		 This  is  because  the	 system	is unable to check whether the
		 user is an administrator.

       AllowAlternateShell=[true|false]
	      If set to	0, false or no,	prevent	usage of alternate  shells  by
	      users.

       PassShellAsEnv=<name-of-environment-variable>
	      If  this is set, alternate shells	are not	actioned directly, but
	      passed in	to the default window manager in the  specified	 envi-
	      ronment  variable.  This	allows the system manager more control
	      over exactly what	alternate shells are permitted.

	      This will	override any setting of	the same environment  variable
	      in the [SessionVariables]	section.

       XorgNoNewPrivileges=[true|false]
	      Only  applicable	on Linux. If set to 0, false or	no, do not use
	      the kernel's no_new_privs	restriction when invoking the Xorg X11
	      server. The use of no_new_privs is intended  to  prevent	issues
	      due  to  a setuid	Xorg executable. However, if a kernel security
	      module (such as AppArmor)	is used	to confine xrdp,  no_new_privs
	      may interfere with transitions between confinement domains.

       SessionSockdirGroup=group
	      Sets the group owner of the directories containing session sock-
	      ets.

	      For normal operation with	sesman,	set this to 'root' for maximum
	      security.

	      If  you  are using xrdp to connect to VNC	sessions with X	server
	      sockets or chansrv sockets in the	local sockets dir, set this to
	      the runtime_group	in xrdp.ini. If	you do not do this, xrdp  will
	      not be able to connect to	your sessions.
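
       The following is an added example, not part of the xrdp manual or code
       base: a Python audit that parses sesman.ini by the rules in DESCRIPTION
       (case-insensitive names, last entry wins, options outside their section
       ignored) and flags the permissive [Security] and [Globals] settings
       described above. The function names, the sample file and the treatment
       of ';' and '#' as comment markers are assumptions.

```python
import grp

TRUE = {"1", "true", "yes"}  # boolean spellings this page accepts

# Constructed sample, not a shipped configuration.
SAMPLE = """\
[Globals]
ListenPort=/tmp/sesman.socket
[Security]
AllowRootLogin=true
allowrootlogin=no
MaxLoginRetry=0
TerminalServerUsers=tsusers
[Sessions]
AllowRootLogin=true
"""

def parse(text):
    """Return {section: {param: value}}; names lowercased, last entry wins."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # assumption: ';' and '#' start comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf

def system_group_exists(name):
    """True if the group is known to the local group database."""
    try:
        grp.getgrnam(name)
        return True
    except KeyError:
        return False

def audit(conf, group_exists=system_group_exists):
    """Return review findings, using only the rules stated on this page."""
    # Each option is read from its own section only, so the AllowRootLogin
    # line under [Sessions] in SAMPLE is ignored, as sesman ignores it.
    sec, glob = conf.get("security", {}), conf.get("globals", {})
    on = lambda key: sec.get(key, "").lower() in TRUE
    findings = []
    if on("allowrootlogin"):
        findings.append("AllowRootLogin: root login is enabled")
    if sec.get("maxloginretry", "3") == "0":  # documented default is 3
        findings.append("MaxLoginRetry: 0 allows unlimited attempts")
    group = sec.get("terminalserverusers", "")
    if not on("alwaysgroupcheck") and not (group and group_exists(group)):
        findings.append("TerminalServerUsers: unset or missing group, all users may log in")
    if glob.get("listenport", "").startswith("/"):
        findings.append("ListenPort: absolute path, verify who can create the socket")
    return findings

if __name__ == "__main__":
    for finding in audit(parse(SAMPLE)):
        print(finding)
```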

X11 SERVER
       The following parameters can be used in the [Xvnc] and [Xorg] sections.

       param=string
	      Multiple param lines are supported. The first line specifies
	      the path to the X11 server executable. Following lines specify
	      command line arguments passed to the X11 server.

CHANSRV
       The following parameters can be used in the [Chansrv] section.

       FuseMountName=string
	      Directory	 for  drive redirection.  Created if it	doesn't	exist.
	      If not specified,	defaults to xrdp_client.  If  first  character
	      is not a '/', this is relative to	$HOME.

	      The following substitutions are made in this string:-
		  %U - Username
		  %u - Numeric UID
		  %d - Numeric display number (ex 10)
		  %D - Display environment variable (ex	:10.0)
		  %% - Percent character

	      1)  The  directory path permissions MUST be configured correctly
		 by the	system administrator or	the system itself - xrdp-chan-
		 srv will not do this for you (although	it will	create the fi-
		 nal directories owned by the user).

	      2) The desktop may not automatically  display  a	link  for  the
		 redirected drive. To fix this,	consult	the docs for your cho-
		 sen desktop.

       FuseMountNameColonCharReplacement=string
	      Character to replace colon in redirected drive mount point
	      names. If not specified, no colon will be replaced. If empty,
	      the colon will be replaced by a null character. If longer than
	      one character, only the first character is used. Only the last
	      colon is replaced.

       FuseDirectIO=[false|true]
	      Defaults	to  false. Set to true to disable page caching in FUSE
	      when opening files on a redirected drive.	Direct I/O can	impact
	      the performance of file operations.

       FileUmask=mode
	      Additional  umask	 to apply to files in the FuseMountName	direc-
	      tory.  The default value of 077 prevents other users on the sys-
	      tem from reading files on	your redirected	drives.	This  may  not
	      be  appropriate for all environments, and	so you can change this
	      value to allow other users to access your	remote	files  if  re-
	      quired.

       EnableFuseMount=[true|false]
	      Defaults to true.	 Set to	false to disable xrdp-chansrv's	use of
	      the  FUSE	 system	 feature,  even	if it has been built with this
	      feature enabled.

	      Setting this value to false will disable the following  applica-
	      tion features:-

	      -	 drive redirection

	      -	 copying-and-pasting of	files

       UseNautilus3FlistFormat=[false|true]
	      Defaults to false.  Set to true to make file copy-paste compati-
	      ble  with	 Nautilus from GNOME 3 versions	later than 3.29.92. Do
	      not use this for any other reason.

	      This setting will	be removed in a	later version  of  xrdp,  when
	      GNOME 3 is no longer supported.

       FuseRootReportMaxFree=[false|true]
	      The  existing  FUSE  implementation reports free space on	remote
	      drives in	a way which can	confuse	some  file  managers  if  they
	      check  for  free	space  at  the	FUSE mountpoint	before copying
	      files. KDE Dolphin is affected by	 this,	and  will  report  'no
	      space available' when trying to copy to remote drives.

	      Setting this option will cause the FUSE filesystem to report a
	      very large amount	of free	space for the root of the FUSE	mount-
	      point.   This will allow Dolphin to copy files to	remote drives,
	      but introduces a risk that the remote filesystem will run	out of
	      space during the copy.

	      This setting will	be removed in a	later version  of  xrdp,  when
	      remote drives receive unique mountpoints.

       SoundNumSilentFramesAAC=number
	      Sets the number of silent	frames which are sent to client	before
	      close  message  is  sent,	 when AAC is selected. If set to 0, no
	      silent frame is sent.  If	not specified, defaults	to 4.

       SoundNumSilentFramesMP3=number
	      Sets the number of silent	frames which are sent to client	before
	      close message is sent, when MP3 is selected. If  set  to	0,  no
	      silent frame is sent.  If	not specified, defaults	to 2.

       SoundMsecDoNotSend=number
	      Sets the duration (msec). Sound data is not sent to the client
	      for number millisecond(s) after the close message is sent, when
	      AAC/MP3 is selected. If set to 0, all the data is sent. If not
	      specified, defaults to 1000.

SESSION VARIABLES
       All  entries  in	 the [SessionVariables]	section	are set	as environment
       variables in the	user's session.

FILES
       /usr/local/etc/xrdp-devel/sesman.ini

SEE ALSO
       xrdp-sesman(8), xrdp-sesrun(8), xrdp(8),	xrdp.ini(5)

       For more	info on	xrdp see <http://www.xrdp.org/>

xrdp team		   0.10.80.b20260203-4d9dde8		 sesman.ini(5)
