--- gdm-2.30.1/common/gdm-common.h-orig	2009-03-30 14:58:43.821340000 -0500
+++ gdm-2.30.1/common/gdm-common.h	2009-03-30 14:58:03.958286000 -0500
@@ -52,6 +52,8 @@ gboolean       gdm_string_hex_decode    
                                           int            insert_at);
 char          *gdm_generate_random_bytes (gsize          size,
                                           GError       **error);
+char          *gdm_read_default          (gchar *key);
+
 
 G_END_DECLS
 
--- gdm-2.30.1/common/gdm-common.c-orig	2009-03-30 14:59:24.837987000 -0500
+++ gdm-2.30.1/common/gdm-common.c	2009-03-30 15:00:41.625204000 -0500
@@ -27,6 +27,7 @@
 #include <fcntl.h>
 #include <sys/wait.h>
 #include <pwd.h>
+#include <deflt.h>
 
 #include <glib.h>
 #include <glib/gi18n.h>
@@ -470,3 +471,27 @@ gdm_generate_random_bytes (gsize    size
         close (fd);
         return bytes;
 }
+
+/*
+ * gdm_read_default
+ *
+ * This function is used to support systems that have the /etc/default/login
+ * interface to control programs that affect security.  This is a Solaris
+ * thing, though some users on other systems may find it useful.
+ */
+gchar *
+gdm_read_default (gchar *key)
+{
+    gchar *retval = NULL;
+
+    if (defopen ("/etc/default/login") == 0) {
+       int flags = defcntl (DC_GETFLAGS, 0);
+
+       TURNOFF (flags, DC_CASE);
+       (void) defcntl (DC_SETFLAGS, flags);  /* ignore case */
+       retval = g_strdup (defread (key));
+       (void) defopen ((char *)NULL);
+    }
+    return retval;
+}
+
--- gdm-2.30.1/daemon/gdm-session-direct.c-orig	2010-04-26 14:52:23.950164465 -0500
+++ gdm-2.30.1/daemon/gdm-session-direct.c	2010-04-26 14:52:49.618142348 -0500
@@ -2310,6 +2310,8 @@ gdm_session_direct_set_environment_varia
 static void
 setup_session_environment (GdmSessionDirect *session)
 {
+        struct passwd *passwd_entry;
+        char *path_str = NULL;
         const char *locale;
 
         gdm_session_direct_set_environment_variable (session,
@@ -2347,15 +2349,20 @@ setup_session_environment (GdmSessionDir
         }
 
 
+        passwd_entry = getpwnam (session->priv->selected_user);
+        if (passwd_entry != NULL && passwd_entry->pw_uid == 0)
+                path_str = gdm_read_default ("SUPATH=");
+
+        if (path_str == NULL)
+                path_str = gdm_read_default ("PATH=");
+
+        if (path_str == NULL)
+                path_str = GDM_SESSION_DEFAULT_PATH;
+
         /* FIXME: We do this here and in the session worker.  We should consolidate
          * somehow.
          */
-        gdm_session_direct_set_environment_variable (session,
-                                                     "PATH",
-                                                     strcmp (BINDIR, "/usr/bin") == 0?
-                                                     GDM_SESSION_DEFAULT_PATH :
-                                                     BINDIR ":" GDM_SESSION_DEFAULT_PATH);
-
+        gdm_session_direct_set_environment_variable (session, "PATH", path_str);
 }
 
 static void
--- gdm-2.30.1/daemon/gdm-session-worker.c-orig	2010-04-26 14:52:34.008619408 -0500
+++ gdm-2.30.1/daemon/gdm-session-worker.c	2010-04-26 14:52:49.616650736 -0500
@@ -1354,9 +1354,28 @@ gdm_session_worker_authorize_user (GdmSe
 {
         int error_code;
         int authentication_flags;
+        char *consoleonly;
 
         g_debug ("GdmSessionWorker: determining if authenticated user is authorized to session");
 
+        consoleonly = gdm_read_default ("CONSOLE=");
+
+        if ((consoleonly != NULL) &&
+            (strcmp (consoleonly, "/dev/console") == 0)) {
+
+                if (worker->priv->hostname != NULL && worker->priv->hostname[0] != '\0') {
+                        struct passwd *passwd_entry;
+
+                        passwd_entry = getpwnam (worker->priv->username);
+                        if (passwd_entry->pw_uid == 0) {
+                                error_code = PAM_PERM_DENIED;
+                 
+                                g_debug ("The system administrator is not allowed to log in remotely");
+                                goto out;
+                        }
+                }
+        }
+
         authentication_flags = 0;
 
         if (password_is_required) {
@@ -1583,6 +1602,7 @@ gdm_session_worker_accredit_user (GdmSes
         gid_t    gid;
         char    *shell;
         char    *home;
+        char    *path_str;
         int      error_code;
 
         ret = FALSE;
@@ -1623,17 +1643,17 @@ gdm_session_worker_accredit_user (GdmSes
                                                                 home,
                                                                 shell);
 
-        /* Let's give the user a default PATH if he doesn't already have one
-         */
-        if (!gdm_session_worker_environment_variable_is_set (worker, "PATH")) {
-                if (strcmp (BINDIR, "/usr/bin") == 0) {
-                        gdm_session_worker_set_environment_variable (worker, "PATH",
-                                                                     GDM_SESSION_DEFAULT_PATH);
-                } else {
-                        gdm_session_worker_set_environment_variable (worker, "PATH",
-                                                                     BINDIR ":" GDM_SESSION_DEFAULT_PATH);
-                }
-        }
+        path_str = NULL;
+        if (uid == 0)
+                path_str = gdm_read_default ("SUPATH=");
+
+        if (path_str == NULL)
+                path_str = gdm_read_default ("PATH=");
+
+        if (path_str == NULL)
+                path_str = GDM_SESSION_DEFAULT_PATH;
+
+        gdm_session_worker_set_environment_variable (worker, "PATH", path_str);
 
         if (! _change_user (worker, uid, gid)) {
                 g_debug ("GdmSessionWorker: Unable to change to user");
@@ -2141,6 +2161,14 @@ do_setup (GdmSessionWorker *worker)
 {
         GError  *error;
         gboolean res;
+        char    *passreq;
+
+        passreq = gdm_read_default ("PASSREQ=");
+
+        if ((passreq != NULL) && g_ascii_strcasecmp (passreq, "YES") == 0)
+                worker->priv->password_is_required = TRUE;
+        else
+                worker->priv->password_is_required = FALSE;
 
         error = NULL;
         res = gdm_session_worker_initialize_pam (worker,