This page is here so we can keep a list of things one needs to do in order to install a basic Debian desktop. The goal is to shorten this list by integrating things into Debian. For more details see the subpages of DebianDesktop.


When prompted by "tasksel" select the following task:

 * desktop-environment

After base-config is done there are some things left to do:

Default group memberships

Add additional user accounts you may need (with "adduser <NAME>"). (adduser #240855)

You can statically add the users into appropriate groups by iterating "adduser <NAME> <GROUP>".

Yet a more appropriate way to add many or all users by default is to use pam_group, which dynamically adds users to groups during authentication (see below for instructions).

You probably want some users to be members of some of the following groups: audio, plugdev, camera, video, floppy, cdrom, tape and maybe scanner, fax, dip (for "dial-ip", ppp connections to Internet with pon/poff as set up by pppconfig) or dialout (full serial ports/modem access).

Beware, there are some groups you don't want to have your users in, e.g. games (for game apps to keep high-scores) or disk (raw disk access); see /usr/share/doc/base-passwd/users-and-groups.

Users that should be allowed to use (pmount'ed) usb sticks etc. need to be a member of the plugdev group.

To enable pam_group you can add it to /etc/pam.d/common-auth like this

echo "auth    optional        pam_group.so" >> /etc/pam.d/common-auth

then configure /etc/security/group.conf similar to this:

login;*;*;Al0000-2400;users,cdrom,floppy,plugdev,audio,dip
kdm;*;*;Al0000-2400;users,cdrom,floppy,plugdev,audio,dip,video
gdm;*;*;Al0000-2400;users,cdrom,floppy,plugdev,audio,dip,video
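An added example (not part of the original page): a shell function that parses the five semicolon-separated fields of group.conf (services;ttys;users;times;groups) and flags entries granting the groups the page warns against. The names audit_group_conf, sample_conf and RISKY are assumptions; the sample is the page's three entries plus one constructed line.

```shell
#!/bin/sh
# Added example: audit a pam_group configuration for risky group grants.
# RISKY defaults to the two groups this page warns about; extend as needed.
RISKY="${RISKY:-disk games}"

audit_group_conf() {
    # $1 = group.conf-style file ("-" or nothing reads stdin).
    # Prints one line per finding; returns 1 if anything was flagged.
    awk -F';' -v risky="$RISKY" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        /^[ \t]*(#|$)/ { next }     # skip comments and blank lines
        NF != 5 {
            printf "line %d: expected 5 fields, got %d\n", NR, NF
            rc = 1; next
        }
        {
            # The group list may be separated by commas and/or whitespace.
            m = split($5, g, /[ \t,]+/)
            for (i = 1; i <= m; i++)
                if (g[i] in bad) {
                    printf "line %d: service=%s users=%s grants %s\n", NR, $1, $3, g[i]
                    rc = 1
                }
        }
        END { exit rc + 0 }
    ' "${1:--}"
}

sample_conf() {
    cat <<'EOF'
# constructed sample: the three entries from this page plus one risky entry
login;*;*;Al0000-2400;users,cdrom,floppy,plugdev,audio,dip
kdm;*;*;Al0000-2400;users,cdrom,floppy,plugdev,audio,dip,video
gdm;*;*;Al0000-2400;users,cdrom,floppy,plugdev,audio,dip,video
xdm;*;*;Al0000-2400;audio, disk
EOF
}

# When called with a file argument, audit that file.
[ "$#" -eq 0 ] || audit_group_conf "$1"
```

Run it against /etc/security/group.conf after every change; a wildcard in the users field combined with a flagged group means every account that logs in through that service gets it.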

In GNOME, devices will pop up automatically for users in the plugdev group.

IMPORTANT NOTE: This procedure doesn't work anymore on Debian Lenny. Does anybody know how to recover it?

KDE 3.3, as shipped with Sarge, unfortunately does not yet listen to hal-events or support pmount, so the devices won't show up automatically. However, plugdev users will be able to handle them manually using pmount/pumount if installed.

In order to make USB pens automatically appear in KDE 3.3's devices tab (or on the desktop if configured so in Desktop Properties), you can install the updfstab script or the hotplug-mount.pl script (which creates an autofs map instead of modifying the fstab) from http://ccomb.free.fr/wiki/wakka.php?wiki=UsbMassStorageEnglish to handle the automatic mounting.

Shared Directories

This is handy to easily share files, pictures, shared documents, etc. on multi-user systems (family PCs etc.).

Because Debian uses a user private group (UPG) scheme by default, the default permissions for new files (umask) can be set to allow write access to the group.

To create groups use "addgroup <GROUPNAME>" as root. For example on your home PC you could create a group "family" and add the appropriate users to it.

Then create a family group directory: Do "mkdir /home/family", give it to the group with "chown :family /home/family" and change its permissions for example with  chmod u+rwx,g+rws,o-rwx /home/family  to a privately shared set-group-id directory (in octal notation: 2770).

Finally, change the default umask to 002. Unless libpam-umask is installed (see below), this has to be set in /etc/profile and /etc/login.defs. Now family group members can work with each other's files in the group directory without permission hassle.

If you've already got an existing directory full of files (pictures/music/whatever), this script might save you some time.
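The script referred to above is not reproduced on this page. As an added example (not that script and not part of the original page), the following applies the set-group-id 2770 scheme described above to an existing tree and lists anything that still breaks it; the function names are assumptions, and GNU find and chgrp (as shipped with Debian) are assumed.

```shell
#!/bin/sh
# Added example: bring an existing tree in line with the shared-directory
# scheme (group-owned, setgid directories, no access for others).
share_tree() {
    # $1 = directory, $2 = group. Run as root, or as the owner of the
    # files while being a member of the target group.
    dir=$1 grp=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # -h: change symlinks themselves, never follow them out of the tree.
    chgrp -hR -- "$grp" "$dir" || return 1
    # Directories: rwx for owner and group plus setgid, so new entries
    # inherit the group (octal 2770 when starting from a plain directory).
    find "$dir" -type d -exec chmod u+rwx,g+rwxs,o-rwx -- {} + || return 1
    # Regular files: group read/write, nothing for others; execute bits
    # for owner and group are left as they are.
    find "$dir" -type f -exec chmod ug+rw,o-rwx -- {} + || return 1
}

unshared_entries() {
    # List entries under $1 that still break the scheme for group $2:
    # wrong group, any access for others, a directory without setgid and
    # group rwx, or a regular file the group cannot read and write.
    find "$1" ! -type l \( ! -group "$2" -o -perm /007 \
        -o \( -type d ! -perm -2070 \) \
        -o \( -type f ! -perm -060 \) \) -print
}

# When called with <directory> <group>, fix the tree, then report leftovers.
if [ "$#" -eq 2 ]; then
    share_tree "$1" "$2" && unshared_entries "$1" "$2"
fi
```

For the page's example this would be called as root with the arguments /home/family family. Empty output from unshared_entries means every entry is group-owned and closed to others.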


  • Security Note: It is not always a good idea to change your umask. This will set any new file created as group writable. Depending on what part of the system you're in, this could be a bad thing. UPG Schemes do take most of the worry away; just be cognizant of these facts when you create files in any 'special' directories.

There is another (more complicated) way to do this as well, using Access Control Lists (ACLs). Check here and here for more information.

In a nutshell:

  • apt-get install acl
  • Filesystems supported by sarge kernels: ext2, ext3, jfs, xfs. Etch kernels support: ext2, ext3, reiserfs, jfs, xfs, nfs (with module nfs_acl).
  • Change the /etc/fstab options for the drive you want to use ACLs on, for example:

/dev/hda5       /pub       ext3    defaults,acl    0       0

  • Create the directory and set its default ACL:

cd /pub
mkdir family
setfacl -m d:u::rwx,d:g:family:rw,d:m:rw,d:o:--- family

This will set the default ACL of the family directory such that all files created will be -rw-rw----+ and all directories created will be drwxrwS---+. This might not be entirely correct. At the very least, NFS has to be configured for ACLs, or an NFS server on Sarge and NFS Client in Etch can't handle ACLs.

  • "getfacl family" will show you the permissions.


  • Good information James. Can you be more specific about your security concerns? Maybe move ACL stuff to a separate page like FilesystemAccessControlLists and reference it from this how to? MultiUserManagement translation may also be of interest for you. Have you subscribed to this page?

Information about user private groups. A pretty good permissions primer can be found at: "http://linsec.ca/filesystems.php"

CUPS Printing System

(default package selection) Install and configure the CUPS printing system packages as described on DebianCUPS.

Start /usr/lib/openoffice/spadmin as root, choose "add printer" and import your printer setup from /etc/foomatic/cups.

Default package selection

(synaptic only recommending) "apt-get install libgnome2-perl" if you want the GNOME debconf frontend to actually work when you install packages. You may need to configure debconf to use the "GNOME" frontend with "dpkg-reconfigure debconf" (Doesn't Synaptic let debconf start in appropriate mode within GNOME?).

(default package selection) Start up Synaptic and find, select and install the following packages:

  • anacron (desktops/laptops don't usually run all the time, e.g. at night or on weekends; alternatively fcron?)
  • If you need localized fonts: xfonts-base-transcoded and xfonts-*dpi-transcoded
  • zip and unzip
  • mc (midnight commander console filemanager)
  • ssh-askpass (lets ssh use a graphical password prompt window when run under X)

Are the following actually needed? For what benefit? They are non-free anyway:

  • x-ttcidfont-conf (needed for the next)
  • msttcorefonts (to display some webpages and documents correctly)


Now some configuring:

To actually make use of the user private groups in Debian you have to set the default to "umask 002" in /etc/login.defs, /etc/profile and other shell config files, or better: install libpam-umask and you can centrally set a real system-wide default umask with a line like this in /etc/pam.d/common-session:

session    optional     pam_umask.so umask=002

(In this case don't forget to remove any umask lines from /etc/login.defs, /etc/profile etc.)

There is currently a bug (Bug #336214) in gdm which will prevent the umask settings above from working if you are using gdm (the Debian default) as your login manager. To work around this bug, edit /etc/gdm/Xsession and add the line

umask 002

just after the line containing "Beginning session setup..."

The central settings for KDE in /etc/kde3 could also need some tweaking:

  • set CUPS as default printing system (Put the following into /etc/kde3/kdeprintrc)

  [General]
  PrintSystem=cups

  • If you like, make $HOME to be your Desktop for consistency. (Put the following into /etc/kde3/kdeglobals)

   [Paths]
   Desktop=$HOME
   Trash=$HOME/Trash/

  • If you need particular KDE system defaults like proxy, javascript and cookie policy etc., set them in the same way, too. http://www.kde.org/areas/sysadmin has more info about the configuration files, including making settings immutable to users.

...have fun! If you encounter bugs, search the net first. If the bug is not already filed, find the appropriate package and then file a bug against it; if it concerns Debian, simply use the "reportbug" utility for that.

Troubleshooting

For manual setup of the graphics you can use dpkg-reconfigure xserver-xfree86.

An alternative automatic configuration of the X server is to install xdebconfigurator, run it, and then run dexconf to generate a valid XF86Config.

Things that have already been integrated

  • autoconfiguration of the xserver