nxagent(1)                    NX Agent (Xserver)                    nxagent(1)

NAME

       nxagent - nested Xserver optimized for remote computing

SYNOPSIS

       nxagent [options]

DESCRIPTION

       nxagent is an X server for remote application/desktop access similar to
       Xnest or Xephyr.

       nxagent implements a very efficient compression of the X11 protocol,
       called the NX protocol.

       The NX protocol increases performance when using X applications over
       high latency and low bandwidth networks, while providing a local
       (LAN-like) usage experience even if connecting from off-site locations
       (via cable modem or GSM).

       nxagent can be used standalone as a nested X server (with NX protocol
       disabled), but its real benefits are gained when using it over remote
       connections via the nxcomp compression library. The counterpart
       application on the other end (i.e. the client) is called nxproxy.

       When used in proxy <-> agent mode, nxagent adds the feature of being
       suspendible. Sessions can be started from one client, suspended and
       then resumed from another (or the same) client.

       nxagent and nxproxy are utilized by various remote application/desktop
       frameworks for providing server-side GUI application access from remote
       client systems.

       Currently, nxagent is co-maintained by three of these projects: The
       Arctica Project, TheQVD and X2Go.

STARTING THE SERVER

       nxagent should be run in user space. Unlike the system's local X.org
       server, nxagent does not need to be run as root. When bundled with a
       remote application framework, you normally don't have to launch
       nxagent manually. nxagent startup is usually managed by the underlying
       framework (e.g. Arctica Session Manager, X2Go Server, etc.).

       When nxagent starts up (e.g. by typing 'nxagent -ac :1' in a terminal
       window), it typically launches in "windowed desktop" mode. A new window
       appears on your local X server; this window is itself an X server.
       Note that -ac, used in this example, disables host-based access
       control (see STANDARD XSERVER OPTIONS below).

       However, nxagent also supports rootless (or seamless) application mode
       and a shadow session mode (similar to what VNC does).

       Example: You can launch a complete desktop session inside this nested X
       server now:

       The Debian way...

           $ export DISPLAY=:1
           $ STARTUP=mate-session /etc/X11/Xsession

       The Fedora / Gentoo / openSUSE way...

           ### FIXME / TODO ###

OPTIONS

       nxagent accepts a range of default X server options as described below.
       Those default options have to be provided via the command line.

       Furthermore, nxagent accepts some nx-X11 specific options, described
       further below.

       Last but not least, nxagent accepts several more options, the so-called
       nx/nx options, provided via the $DISPLAY environment variable or the
       -options command line option. See below for further details.

STANDARD XSERVER OPTIONS

       :displaynumber
               The X server runs as the given displaynumber, which by default
               is 0. If multiple X servers are to run simultaneously on a
               host, each must have a unique display number. See the DISPLAY
               NAMES section of the X(7) manual page to learn how to specify
               which display number clients should try to use.

       -a number
               sets pointer acceleration (i.e. the ratio of how much is
               reported to how much the user actually moved the pointer).

       -ac     disables host-based access control mechanisms. Enables access
               by any host, and permits any host to modify the access control
               list. Use with extreme caution. This option exists primarily
               for running test suites remotely.

       -audit level
               sets the audit trail level. The default level is 1, meaning
               only connection rejections are reported. Level 2 additionally
               reports all successful connections and disconnects. Level 4
               enables messages from the SECURITY extension, if present,
               including generation and revocation of authorizations and
               violations of the security policy. Level 0 turns off the audit
               trail. Audit lines are sent as standard error output.

       -auth authorization-file
               specifies a file which contains a collection of authorization
               records used to authenticate access. See also the xdm(1) and
               Xsecurity(7) manual pages.

       -bs     disables backing store support on all screens.

       -br     sets the default root window to solid black instead of the
               standard root weave pattern.

       -c      turns off key-click.

       c volume
               sets key-click volume (allowable range: 0-100).

       -cc class
               sets the visual class for the root window of color screens.
               The class numbers are as specified in the X protocol. Not
               obeyed by all servers.

       -co filename
               This used to be the option for specifying the path to the RGB
               color database file. As the RGB color database is now embedded
               into the binary this option has no effect but is kept for
               compatibility. Deprecated.

       -core   causes the server to generate a core dump on fatal errors.

       -displayfd fd
               specifies a file descriptor in the launching process. Rather
               than specifying a display number, the X server will attempt to
               listen on successively higher display numbers, and upon finding
               a free one, will write the port number back on this file
               descriptor as a newline-terminated string. The -pn option is
               ignored when using -displayfd.

               nxagent specific:

               (1) Unlike X.org's Xserver, nxagent lets you use -displayfd in
               conjunction with an explicit display number. If the explicit
               display number is not available (i.e., already in use), nxagent
               tries to figure out the next available display number,

               e.g.:

                  nxagent -displayfd 2 :50

               (2) If -displayfd <X> is given with <X> equaling 2 (STDERR),
               then the display number string written to STDERR is beautified
               with some human-readable (machine-parseable) text.

       -deferglyphs whichfonts
               specifies the types of fonts for which the server should
               attempt to use deferred glyph loading. whichfonts can be all
               (all fonts), none (no fonts), or 16 (16 bit fonts only).

       -dpi resolution
               sets the resolution for all screens, in dots per inch. To be
               used when the server cannot determine the screen size(s) from
               the hardware.

       dpms    enables DPMS (display power management services), where
               supported. The default state is platform and configuration
               specific.

       -dpms   disables DPMS (display power management services). The default
               state is platform and configuration specific.

       -f volume
               sets feep (bell) volume (allowable range: 0-100).

       -fc cursorFont
               sets default cursor font.

       -fn font
               sets the default font.

       -fp fontPath
               sets the search path for fonts. This path is a comma separated
               list of directories which the X server searches for font
               databases. See the FONTS section of this manual page for more
               information and the default list.

       -help   prints a usage message.

       -I      causes all remaining command line arguments to be ignored.

       -maxbigreqsize size
               sets the maximum big request to size MB.

       -nolisten trans-type
               disables a transport type. For example, TCP/IP connections can
               be disabled with -nolisten tcp. This option may be issued
               multiple times to disable listening to different transport
               types.

       -noreset
               prevents a server reset when the last client connection is
               closed. This overrides a previous -terminate command line
               option.

       -p minutes
               sets screen-saver pattern cycle time in minutes.

       -pn     permits the server to continue running if it fails to establish
               all of its well-known sockets (connection points for clients),
               but establishes at least one. This option is set by default.

       -nopn   causes the server to exit if it fails to establish all of its
               well-known sockets (connection points for clients).

       -r      turns off auto-repeat.

       r       turns on auto-repeat.

       -s minutes
               sets screen-saver timeout time in minutes.

       -su     disables save under support on all screens.

       -t number
               sets pointer acceleration threshold in pixels (i.e. after how
               many pixels pointer acceleration should take effect).

       -terminate
               causes the server to terminate at server reset, instead of
               continuing to run. This overrides a previous -noreset command
               line option.

       -to seconds
               sets default connection timeout in seconds.

       -tst    disables all testing extensions.

       v       sets video-off screen-saver preference.

       -v      sets video-on screen-saver preference.

       -wm     forces the default backing-store of all windows to be
               WhenMapped. This is a backdoor way of getting backing-store to
               apply to all windows. Although all mapped windows will have
               backing store, the backing store attribute value reported by
               the server for a window will be the last value established by a
               client. If it has never been set by a client, the server will
               report the default value, NotUseful. This behavior is required
               by the X protocol, which allows the server to exceed the
               client's backing store expectations but does not provide a way
               to tell the client that it is doing so.

       [+-]xinerama
               enables(+) or disables(-) XINERAMA provided via the PanoramiX
               extension. This is set to off by default.

       [+-]rrxinerama
               enables(+) or disables(-) XINERAMA provided via the RandR
               extension. By default, this feature is enabled. To disable
               XINERAMA completely, make sure to use both options (-xinerama
               and -rrxinerama) on the command line.

SERVER DEPENDENT OPTIONS

       nxagent additionally accepts the following non-standard options:

       -logo   turns on the X Window System logo display in the screen-saver.
               There is currently no way to change this from a client.

       nologo  turns off the X Window System logo display in the screen-saver.
               There is currently no way to change this from a client.

       -render default|mono|gray|color
               sets the color allocation policy that will be used by the
               render extension.

               default selects the default policy defined for the display
                       depth of the X server.

               mono    don't use any color cell.

               gray    use a gray map of 13 color cells for the X render
                       extension.

               color   use a color cube of at most 4*4*4 colors (that is 64
                       color cells).

       -dumbSched
               disables smart scheduling on platforms that support the smart
               scheduler.

       -schedInterval interval
               sets the smart scheduler's scheduling interval to interval
               milliseconds.

NXAGENT SPECIFIC OPTIONS

       The nx-X11 system adds the following command line arguments:

       -forcenx
               force use of NX protocol messages assuming communication
               through nxproxy

       -nxrealwindowprop
               set property NX_REAL_WINDOW for each X11 client inside nxagent,
               providing the window XID of the corresponding window object on
               the X server that nxagent runs on

       -reportwids
               explicitly tell nxagent to report its externally exposed X11
               window IDs to the session log (in machine readable form), so
               that external parsers can obtain that information from there

       -reportprivatewids
               explicitly tell nxagent to report X11 window IDs of internally
               created window objects to the session log (in machine readable
               form), so that external parsers can obtain that information
               from there; this creates a lot of output and may affect
               performance

       -timeout int
               auto-disconnect timeout in seconds (minimum allowed: 60)

       -norootlessexit
               don't exit if there are no clients in rootless mode

       -autodpi
               detect real server's DPI and set it in the agent session; the
               -dpi <dpi> cmdline option overrides -autodpi

       -nomagicpixel
               disable magic pixel support at session startup, can be
               re-enabled via nx/nx option on session resumption

       -norender
               disable the use of the render extension

       -nocomposite
               disable the use of the composite extension

       -nopersistent
               disable disconnection/reconnection to the X display on SIGHUP

       -noshmem
               disable use of shared memory extension

       -shmem  enable use of shared memory extension

       -noshpix
               disable use of shared pixmaps

       -shpix  enable use of shared pixmaps

       -noignore
               don't ignore pointer and keyboard configuration changes
               mandated by clients. As a result, configuration commands like
               disabling the keyboard bell (xset -b) will also affect the real
               X server.

       -nokbreset
               don't reset keyboard device if the session is resumed

       -noxkblock
               this is only relevant if you also specify -keyboard=query. In
               that case nxagent will lock the keyboard settings and clients
               will get an error when trying to change keyboard settings via
               XKEYBOARD. With -noxkblock the lock is not applied and clients
               can change the keyboard settings through XKEYBOARD.

       -tile WxH
               size of image tiles (minimum allowed: 32x32)

       -D      enable desktop mode (default)

       -R      enable rootless mode

       -S      enable shadow mode

       -B      enable proxy binding mode

       -version
               show version information and exit

       -options filename
               path to an options file containing nx/nx options (see below).

       In addition to the command line options, nxagent can be configured at
       session startup and at runtime (i.e. when resuming a suspended session)
       by so-called nx/nx options.

       All options supported by nxcomp (see the nxproxy man page) and all
       nxagent nx/nx options (see below) can be used as nx/nx options. When
       launching an nxcomp based nxagent session (i.e. proxy <-> agent), you
       will normally set the $DISPLAY variable like this:

         $ export DISPLAY=nx/nx,listen=<proxy-port>,options=<options.file>:<nx-display-port>
         $ nxagent <command-line-options> :<nx-display-port>

       The value for <nx-display-port> is some value of a not-yet-used X11
       display (e.g. :50).

       Using an options file is recommended, but you can also put available
       nx/nx options (see below) into the DISPLAY variable directly. Note
       that the $DISPLAY variable field is of limited length.

       As <proxy-port> you can pick an arbitrary (unused) TCP port or Unix
       socket file path. This is the port / socket that you have to connect to
       with the nxproxy application.

       The right hand side of an option (the part following the "=" character)
       can include URL encoded characters. It is required to URL encode at
       least "," (as %2D) and "=" (as %3D) to avoid wrong parsing of the
       options string.
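
       A sketch of writing and re-reading an nx/nx options string with
       percent-encoded values, added here as an illustration (not code from
       nxagent). The splitting rules in parse_nx_options() are an assumed
       model of the option reader and the sample path is constructed. Standard
       percent-encoding writes "," as %2C; %2D decodes to "-".

```python
from urllib.parse import quote, unquote


def build_nx_options(options, display):
    """Return 'nx/nx,key=value,...:<display>' with every value percent-encoded."""
    fields = ["nx/nx"]
    for key, value in options.items():
        if not key.isalnum():
            raise ValueError(f"unexpected option name: {key!r}")
        # safe="/" keeps paths readable; ',', '=' and ':' are always encoded.
        fields.append(f"{key}={quote(str(value), safe='/')}")
    return ",".join(fields) + f":{display}"


def parse_nx_options(line):
    """Assumed reader model: split on ',', then on the first '=', then decode."""
    head, sep, display = line.strip().rpartition(":")
    fields = head.split(",")
    if not sep or fields[0] != "nx/nx":
        raise ValueError("not an nx/nx options string")
    options = {}
    for field in fields[1:]:
        key, _, value = field.partition("=")
        options[key] = unquote(value)
    return options, display


# Constructed sample: an options file path that itself contains ',' and '='.
SAMPLE_PATH = "/tmp/nx,session=1/options"

# Written without encoding, the path is split into two unrelated options.
UNENCODED = f"nx/nx,fullscreen=1,options={SAMPLE_PATH}:50"
# Written with encoding, it survives the round trip as a single value.
ENCODED = build_nx_options({"fullscreen": 1, "options": SAMPLE_PATH}, 50)

if __name__ == "__main__":
    print(parse_nx_options(UNENCODED))
    print(ENCODED)
    print(parse_nx_options(ENCODED))
```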
       Available nxagent options (as an addition to nx/nx options supported by
       nxcomp already):

       options=<string>
               read options from file, this text file can contain a single
               long line with comma-separated nx/nx options

       rootless=<bool>
               start nxagent in rootless mode, matches -R given on the command
               line, no-op when resuming (default: false)

       geometry=<string>
               desktop geometry when starting or resuming a session, no-op in
               rootless mode (default 66% of the underlying X server geometry)

       resize=<bool>
               set resizing support (default: true)

       fullscreen=<bool>
               start or resume a session in fullscreen mode (default: off)

       keyboard=<string> or kbtype=<string>

               query|<model>/<layout>

               query   use the default XKB keyboard layout (see below) and
                       only allow clients to query the settings but prevent
                       any changes. query is especially helpful for setups
                       where you need to set/modify the actual keyboard layout
                       using core X protocol functions (e.g. via xmodmap). It
                       is used for MacOS X clients to handle some keyboard
                       problems that are special for this platform. Note that
                       in this case XKEYBOARD will always report the default
                       layout which will most likely not match the experienced
                       settings.

               <model>/<layout>
                       use the given model and layout. You can not modify
                       keyboard rules, variant or options. Instead preset
                       values are used. These are xfree86 for rules and empty
                       strings for variant and options.

               If keyboard is omitted the internal defaults of nxagent will be
               used (rules: xfree86, layout: us, model: pc102, empty variant
               and options).

       keyconv=<string>
               set keycode conversion mode

               auto|on|off

               by default (auto) nxagent will activate keycode conversion if
               it detects an evdev XKEYBOARD setup on the client side (the
               standard on Linux systems nowadays). Keycode conversion means
               that certain keycodes are mapped to make the keyboard appear as
               a pc105 model. Using off this conversion can be suppressed and
               with on it will be forced.

       clipboard=<string>

               both|client|server|none

               enable / disable (set to: none) clipboard support,
               uni-directional (server or client) or bi-directional (both,
               default setting) support

       streaming=<int>
               streaming support for images, not fully implemented yet and
               thus non-functional

       backingstore=<int>
               disable or enforce backing store support (default:
               BackingStoreUndefined)

       composite=<int>
               enable or disable Composite support in nxagent (default:
               enabled)

       xinerama=<int>
               enable or disable XINERAMA support in nxagent (default:
               enabled)

       shmem=<bool>
               enable using shared memory

       shpix=<bool>
               enable shared pixmaps support

       client=<string>
               type of connecting operating system (supported: linux, windows,
               solaris and macosx)

       shadow=<int>
               start nxagent in shadow mode, matches -S given on the command
               line, no-op when resuming (default: false)

       shadowuid=<int>
               unique identifier for the shadow session

       shadowmode=<string>
               full access (set to 1) or viewing-only (set to 0, default)

       defer=<int>
               defer image updates (enabled for all connection types except
               LAN), accepts values 0, 1 and 2

               The default value can be set via the command line (-defer). The
               value provided as nx/nx option is set when resuming a session,
               thus it overrides the command line default.

       tile=<string>
               set the tile size in pixels (<W>x<H>) for bitmap data sent over
               the wire

               The default value can be set via the command line (-tile). The
               value provided as nx/nx option is set when resuming a session,
               thus it overrides the command line default.

       menu=<int>
               support pulldown menu in nxagent session (only available on
               proxy <-> agent remote sessions)

       magicpixel=<bool>
               enable/disable magic pixel support in fullscreen mode (default:
               1, enabled)

       autodpi=<bool>
               enable/disable deriving session DPI automatically from real
               server (default: 0, disabled); only takes effect on session
               startups, gets ignored when reconnecting to a suspended session

       sleep=<int>
               delay X server operations when suspended (provided in msec),
               set to 0 to keep nxagent session fully functional when
               suspended (e.g. useful when mirroring an nxagent session via
               VNC)

       tolerancechecks=<string>

               strict|safe|risky|bypass

               strict  means that the number of internal and external pixmap
                       formats must match exactly and every internal pixmap
                       format must be available in the external pixmap format
                       array. This is the default.

               safe    means that the number of pixmap formats might diverge,
                       but all internal pixmap formats must also be included
                       in the external pixmap formats array. This is
                       recommended, because it allows clients with more pixmap
                       formats to still connect, but not lose functionality.

               risky   means that the internal pixmap formats array is allowed
                       to be smaller than the external pixmap formats array,
                       but at least one pixmap format must be included in
                       both. This is potentially unsafe.

               bypass  means that all of these checks are essentially
                       deactivated. This is a very bad idea.

       If you want to use nxagent as a replacement for Xnest or Xephyr you can
       pass options like this:

         $ echo nx/nx,fullscreen=1$DISPLAY >/tmp/opt
         $ nxagent <command-line-options> -options /tmp/opt :<nx-display-port>

XDMCP OPTIONS

       X servers that support XDMCP have the following options. See the X
       Display Manager Control Protocol specification for more information.

       -query hostname
               enables XDMCP and sends Query packets to the specified
               hostname.

       -broadcast
               enables XDMCP and broadcasts BroadcastQuery packets to the
               network. The first responding display manager will be chosen
               for the session.

       -multicast [address [hop count]]
               enables XDMCP and multicasts BroadcastQuery packets to the
               network. The first responding display manager is chosen for the
               session. If an address is specified, the multicast is sent to
               that address. If no address is specified, the multicast is
               sent to the default XDMCP IPv6 multicast group. If a hop count
               is specified, it is used as the maximum hop count for the
               multicast. If no hop count is specified, the multicast is set
               to a maximum of 1 hop, to prevent the multicast from being
               routed beyond the local network.

       -indirect hostname
               enables XDMCP and sends IndirectQuery packets to the specified
               hostname.

       -port port-number
               uses the specified port-number for XDMCP packets, instead of
               the default. This option must be specified before any -query,
               -broadcast, -multicast, or -indirect options.

       -from local-address
               specifies the local address to connect from (useful if the
               connecting host has multiple network interfaces). The
               local-address may be expressed in any form acceptable to the
               host platform's gethostbyname(3) implementation.

       -once   causes the server to terminate (rather than reset) when the
               XDMCP session ends.

       -class display-class
               XDMCP has an additional display qualifier used in resource
               lookup for display-specific options. This option sets that
               value, by default it is "MIT-Unspecified" (not a very useful
               value).

       -cookie xdm-auth-bits
               When testing XDM-AUTHENTICATION-1, a private key is shared
               between the server and the manager. This option sets the value
               of that private data (not that it is very private, being on the
               command line!).

       -displayID display-id
               Yet another XDMCP specific value, this one allows the display
               manager to identify each display so that it can locate the
               shared key.

XKEYBOARD OPTIONS

       X servers that support the XKEYBOARD (a.k.a. "XKB") extension accept
       the following options. All layout files specified on the command line
       must be located in the XKB base directory or a subdirectory, and
       specified as the relative path from the XKB base directory. The default
       XKB base directory is /usr/share/X11/xkb.

       [+-]kb  enables(+) or disables(-) the XKEYBOARD extension.

       [+-]accessx [ timeout [ timeout_mask [ feedback [ options_mask ] ] ] ]
               enables(+) or disables(-) AccessX key sequences.

       -xkbdir directory
               base directory for keyboard layout files. This option is not
               available for setuid X servers (i.e., when the X server's real
               and effective uids are different).

       -ardelay milliseconds
               sets the autorepeat delay (length of time in milliseconds that
               a key must be depressed before autorepeat starts).

       -arinterval milliseconds
               sets the autorepeat interval (length of time in milliseconds
               that should elapse between autorepeat-generated keystrokes).

       -xkbmap filename
               loads keyboard description in filename on server startup.

SECURITY EXTENSION OPTIONS

       X servers that support the SECURITY extension accept the following
       option:

       -sp filename
               causes the server to attempt to read and interpret filename as
               a security policy file with the format described below. The
               file is read at server startup and reread at each server reset.

       The syntax of the security policy file is as follows. Notation: "*"
       means zero or more occurrences of the preceding element, and "+" means
       one or more occurrences. To interpret <foo/bar>, ignore the text after
       the /; it is used to distinguish between instances of <foo> in the next
       section.

       <policy file> ::= <version line> <other line>*

       <version line> ::= <string/v> '\n'

       <other line> ::= <comment> | <access rule> | <site policy> | <blank line>

       <comment> ::= # <not newline>* '\n'

       <blank line> ::= <space> '\n'

       <site policy> ::= sitepolicy <string/sp> '\n'

       <access rule> ::= property <property/ar> <window> <perms> '\n'

       <property> ::= <string>

       <window> ::= any | root | <required property>

       <required property> ::= <property/rp> | <property with value>

       <property with value> ::= <property/rpv> = <string/rv>

       <perms> ::= [ <operation> | <action> | <space> ]*

       <operation> ::= r | w | d

       <action> ::= a | i | e

       <string> ::= <dbl quoted string> | <single quoted string> | <unquoted string>

       <dbl quoted string> ::= <space> " <not dquote>* " <space>

       <single quoted string> ::= <space> ' <not squote>* ' <space>

       <unquoted string> ::= <space> <not space>+ <space>

       <space> ::= [ ' ' | '\t' ]*

       Character sets:

       <not newline> ::= any character except '\n'
       <not dquote>  ::= any character except "
       <not squote>  ::= any character except '
       <not space>   ::= any character except those in <space>

       The semantics associated with the above syntax are as follows.

       <version line>, the first line in the file, specifies the file format
       version. If the server does not recognize the version <string/v>, it
       ignores the rest of the file. The version string for the file format
       described here is "version-1".

       Once past the <version line>, lines that do not match the above syntax
       are ignored.

       <comment> lines are ignored.

       <site policy> lines are currently ignored. They are intended to specify
       the site policies used by the XC-QUERY-SECURITY-1 authorization method.
754       <access  rule>  lines  specify how the server should react to untrusted
755       client requests that affect the X Window property named  <property/ar>.
756       The  rest  of  this  section describes the interpretation of an <access
757       rule>.
758
759       For an <access rule> to apply to a  given  instance  of  <property/ar>,
760       <property/ar>  must be on a window that is in the set of windows speci‐
761       fied by <window>.  If <window> is  any,  the  rule  applies  to  <prop‐
762       erty/ar>  on  any  window.   If  <window>  is root, the rule applies to
763       <property/ar> only on root windows.
764
765       If <window> is <required property>, the following apply.  If  <required
766       property> is a <property/rp>, the rule applies when the window also has
767       that <property/rp>, regardless of its value.  If <required property> is
768       a <property with value>, <property/rpv> must also have the value speci‐
769       fied by <string/rv>.  In this case, the property must have type  STRING
770       and  format  8, and should contain one or more null-terminated strings.
771       If any of the strings match <string/rv>, the rule applies.
772
773       The definition of string matching is simple case-sensitive string  com‐
774       parison  with  one  elaboration: the occurrence of the character '*' in
775       <string/rv> is a wildcard meaning "any string."  A <string/rv> can con‐
776       tain  multiple  wildcards  anywhere  in  the string.  For example, "x*"
777       matches strings that begin with x, "*x" matches strings that  end  with
778       x,  "*x*" matches strings containing x, and "x*y*" matches strings that
779       start with x and subsequently contain y.
780
781       There may be multiple <access rule> lines for  a  given  <property/ar>.
782       The  rules  are  tested in the order that they appear in the file.  The
783       first rule that applies is used.
784
785       <perms> specify operations that untrusted clients may attempt, and  the
786       actions that the server should take in response to those operations.
787
788       <operation>  can  be r (read), w (write), or d (delete).  The following
789       table shows how X Protocol property requests map to these operations in
790       The Open Group server implementation.
791
792       GetProperty    r, or r and d if delete = True
793       ChangeProperty w
794       RotateProperties    r and w
795       DeleteProperty d
796       ListProperties none, untrusted clients can always list all properties
797
798       <action>  can be a (allow), i (ignore), or e (error).  Allow means exe‐
799       cute the request as if it had been issued by a trusted client.   Ignore
800       means treat the request as a no-op.  In the case of GetProperty, ignore
801       means return an empty property value if the property exists, regardless
802       of its actual value.  Error means do not execute the request and return
803       a BadAtom error with the atom set to the property name.  Error  is  the
804       default  action  for  all properties, including those not listed in the
805       security policy file.
806
807       An <action> applies to all <operation>s that follow it, until the  next
808       <action>  is  encountered.   Thus,  irwad  means ignore read and write,
809       allow delete.
810
811       GetProperty and RotateProperties may do multiple operations (r  and  d,
812       or  r  and  w).  If different actions apply to the operations, the most
813       severe action is applied to the whole  request;  there  is  no  partial
814       request  execution.   The severity ordering is: allow < ignore < error.
815       Thus, if the <perms> for  a  property  are  ired  (ignore  read,  error
816       delete),  and an untrusted client attempts GetProperty on that property
817       with delete = True, an error is returned, but  the  property  value  is
818       not.   Similarly, if any of the properties in a RotateProperties do not
819       allow both read and write, an error is returned  without  changing  any
820       property values.
821
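       The <perms> semantics above (an action governs the operations that
       follow it, error is the default, and the most severe action wins for
       a multi-operation request), worked through as an added Python example.
       It is not code from nxagent or the X server; the function names are
       illustrative, and treating an operation written before any action as
       the default (error) is an assumption.

```python
# Added example, not part of nxagent or the X server sources.
SEVERITY = {"a": 0, "i": 1, "e": 2}      # allow < ignore < error
NAMES = {"a": "allow", "i": "ignore", "e": "error"}

# Operations performed by single-property requests (from the table above).
# RotateProperties touches several properties at once and is not modelled.
REQUEST_OPS = {
    ("GetProperty", False): "r",
    ("GetProperty", True): "rd",         # delete = True
    ("ChangeProperty", False): "w",
    ("DeleteProperty", False): "d",
}


def parse_perms(perms):
    """Return {operation: action} for r, w and d from a <perms> string."""
    table = {"r": "e", "w": "e", "d": "e"}   # error is the default action
    action = "e"   # assumption: operations before any action keep the default
    for ch in perms:
        if ch in "aie":
            action = ch                      # governs the operations that follow
        elif ch in "rwd":
            table[ch] = action
        elif ch not in " \t":
            raise ValueError(f"invalid character {ch!r} in <perms>")
    return table


def decide(perms, request, delete=False):
    """Action taken for an untrusted client's request on one property."""
    table = parse_perms(perms)
    ops = REQUEST_OPS[(request, delete)]
    worst = max((table[op] for op in ops), key=SEVERITY.get)
    return NAMES[worst]


def audit(perms):
    """Outcome of every modelled request, for reviewing a rule before use."""
    return {(req, dele): decide(perms, req, dele) for req, dele in REQUEST_OPS}
```

       Running audit() on each <perms> string in a policy file shows which
       requests fall through to the default error action, for example
       DeleteProperty under "ar iw".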
       Here is an example security policy file.

       version-1

       # Allow reading of application resources, but not writing.
       property RESOURCE_MANAGER     root      ar iw
       property SCREEN_RESOURCES     root      ar iw

       # Ignore attempts to use cut buffers.  Giving errors causes apps to crash,
       # and allowing access may give away too much information.
       property CUT_BUFFER0          root      irw
       property CUT_BUFFER1          root      irw
       property CUT_BUFFER2          root      irw
       property CUT_BUFFER3          root      irw
       property CUT_BUFFER4          root      irw
       property CUT_BUFFER5          root      irw
       property CUT_BUFFER6          root      irw
       property CUT_BUFFER7          root      irw

       # If you are using Motif, you probably want these.
       property _MOTIF_DEFAULT_BINDINGS        root      ar iw
       property _MOTIF_DRAG_WINDOW   root      ar iw
       property _MOTIF_DRAG_TARGETS  any       ar iw
       property _MOTIF_DRAG_ATOMS    any       ar iw
       property _MOTIF_DRAG_ATOM_PAIRS         any       ar iw

       # The next two rules let xwininfo -tree work when untrusted.
       property WM_NAME              any       ar

       # Allow read of WM_CLASS, but only for windows with WM_NAME.
       # This might be more restrictive than necessary, but demonstrates
       # the <required property> facility, and is also an attempt to
       # say "top level windows only."
       property WM_CLASS             WM_NAME   ar

       # These next three let xlsclients work untrusted.  Think carefully
       # before including these; giving away the client machine name and command
       # may be exposing too much.
       property WM_STATE             WM_NAME   ar
       property WM_CLIENT_MACHINE    WM_NAME   ar
       property WM_COMMAND           WM_NAME   ar

       # To let untrusted clients use the standard colormaps created by
       # xstdcmap, include these lines.
       property RGB_DEFAULT_MAP      root      ar
       property RGB_BEST_MAP         root      ar
       property RGB_RED_MAP          root      ar
       property RGB_GREEN_MAP        root      ar
       property RGB_BLUE_MAP         root      ar
       property RGB_GRAY_MAP         root      ar

       # To let untrusted clients use the color management database created
       # by xcmsdb, include these lines.
       property XDCCC_LINEAR_RGB_CORRECTION    root      ar
       property XDCCC_LINEAR_RGB_MATRICES      root      ar
       property XDCCC_GRAY_SCREENWHITEPOINT    root      ar
       property XDCCC_GRAY_CORRECTION          root      ar

       # To let untrusted clients use the overlay visuals that many vendors
       # support, include this line.
       property SERVER_OVERLAY_VISUALS         root      ar

       # Dumb examples to show other capabilities.

       # oddball property names and explicit specification of error conditions
       property "property with spaces"         'property with "'   aw er ed

       # Allow deletion of Woo-Hoo if window also has property OhBoy with value
       # ending in "son".  Reads and writes will cause an error.
       property Woo-Hoo              OhBoy = "*son"      ad
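       How the rule for a property is selected, following the <window>,
       wildcard and first-match semantics of this section, as an added Python
       example that is not taken from nxagent or the X server. Function names
       are illustrative, a window is modelled as a dict mapping each property
       name to its list of strings, and only the unquoted form of the version
       line is recognized.

```python
import re

# One <string>: double-quoted, single-quoted or unquoted, with optional <space> around it.
STRING = re.compile(r'[ \t]*(?:"([^"]*)"|\'([^\']*)\'|([^ \t]+))[ \t]*')

def read_string(line, pos):
    m = STRING.match(line, pos)
    if not m:
        raise ValueError("expected a string")
    return next(g for g in m.groups() if g is not None), m.end()

def parse_rule(line):
    """Parse one <access rule>; raise ValueError for any other kind of line."""
    keyword, pos = read_string(line, 0)
    if keyword != "property":
        raise ValueError("not an access rule")
    prop, pos = read_string(line, pos)
    window, pos = read_string(line, pos)
    rest, value = line[pos:], None
    if window not in ("any", "root") and rest.startswith("="):
        value, end = read_string(rest, 1)        # <property with value>
        rest = rest[end:]
    return {"property": prop, "window": window, "value": value, "perms": rest.strip()}

def wildcard_match(pattern, text):
    """Case-sensitive comparison in which '*' in pattern matches any string."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, re.DOTALL) is not None

def rule_applies(rule, prop, is_root, window_props):
    if rule["property"] != prop:
        return False
    if rule["window"] in ("any", "root"):
        return rule["window"] == "any" or is_root
    strings = window_props.get(rule["window"])   # the <required property>, if present
    return strings is not None and (
        rule["value"] is None or any(wildcard_match(rule["value"], s) for s in strings))

def first_matching_perms(policy, prop, is_root=False, window_props=None):
    """<perms> of the first rule that applies, or None (server default: error)."""
    lines = policy.splitlines()
    if not lines or lines[0].split() != ["version-1"]:
        return None                              # unrecognized version: file ignored
    for line in lines[1:]:
        try:
            rule = parse_rule(line)
        except ValueError:
            continue                             # comment, blank or non-matching line
        if rule_applies(rule, prop, is_root, window_props or {}):
            return rule["perms"]
    return None

# Constructed policy: three rules from the example file plus one fallback rule.
SAMPLE_POLICY = """version-1
property WM_CLASS  WM_NAME  ar
property Woo-Hoo   OhBoy = "*son"  ad
property Woo-Hoo   any  irw
property "property with spaces"  'property with "'  aw er ed
"""
```

       Because the first applicable rule wins, a broad "any" rule placed above
       a narrower <required property> rule for the same property makes the
       narrower rule unreachable.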

NETWORK CONNECTIONS

       The X server supports client connections via a platform-dependent
       subset of the following transport types: TCP/IP, Unix Domain sockets
       and several varieties of SVR4 local connections. See the DISPLAY NAMES
       section of the X(7) manual page to learn how to specify which transport
       type clients should try to use.

GRANTING ACCESS

       The X server implements a platform-dependent subset of the following
       authorization protocols: MIT-MAGIC-COOKIE-1, XDM-AUTHORIZATION-1,
       XDM-AUTHORIZATION-2, SUN-DES-1, and MIT-KERBEROS-5. See the
       Xsecurity(7) manual page for information on the operation of these
       protocols.

       Authorization data required by the above protocols is passed to the
       server in a private file named with the -auth command line option.
       Each time the server is about to accept the first connection after a
       reset (or when the server is starting), it reads this file. If this
       file contains any authorization records, the local host is not
       automatically allowed access to the server, and only clients which
       send one of the authorization records contained in the file in the
       connection setup information will be allowed access. See the Xau
       manual page for a description of the binary format of this file. See
       xauth(1) for maintenance of this file, and distribution of its
       contents to remote hosts.

       The X server also uses a host-based access control list for deciding
       whether or not to accept connections from clients on a particular
       machine. If no other authorization mechanism is being used, this list
       initially consists of the host on which the server is running as well
       as any machines listed in the file /etc/Xn.hosts, where n is the
       display number of the server. Each line of the file should contain
       either an Internet hostname (e.g. expo.lcs.mit.edu) or a complete name
       in the format family:name as described in the xhost(1) manual page.
       There should be no leading or trailing spaces on any lines. For
       example:

               joesworkstation
               corporate.company.com
               star::
               inet:bigcpu
               local:

       Users can add or remove hosts from this list and enable or disable
       access control using the xhost command from the same machine as the
       server.

       If the X FireWall Proxy (xfwp) is being used without a sitepolicy,
       host-based authorization must be turned on for clients to be able to
       connect to the X server via the xfwp. If xfwp is run without a
       configuration file, so that no sitepolicy is defined, and it is using
       an X server where xhost + has been run to turn off host-based
       authorization checks, the X server will deny the connection when a
       client tries to connect to it via xfwp. See xfwp(1) for more
       information about this proxy.

       The X protocol intrinsically does not have any notion of window
       operation permissions or place any restrictions on what a client can
       do; if a program can connect to a display, it has full run of the
       screen. X servers that support the SECURITY extension fare better
       because clients can be designated untrusted via the authorization they
       use to connect; see the xauth(1) manual page for details. Restrictions
       are imposed on untrusted clients that curtail the mischief they can
       do. See the SECURITY extension specification for a complete list of
       these restrictions.

       Sites that have better authentication and authorization systems might
       wish to make use of the hooks in the libraries and the server to
       provide additional security models.

SIGNALS

       The X server attaches special meaning to the following signals:

       SIGHUP  This signal causes the server to close all existing
               connections, free all resources, and restore all defaults. It
               is sent by the display manager whenever the main user's main
               application (usually an xterm or window manager) exits to force
               the server to clean up and prepare for the next user.

       SIGTERM This signal causes the server to exit cleanly.

       SIGUSR1 This signal is used quite differently from either of the above.
               When the server starts, it checks to see if it has inherited
               SIGUSR1 as SIG_IGN instead of the usual SIG_DFL. In this case,
               the server sends a SIGUSR1 to its parent process after it has
               set up the various connection schemes. Xdm uses this feature
               to recognize when connecting to the server is possible.

FONTS

       The X server can obtain fonts from directories and/or from font
       servers. The list of directories and font servers the X server uses
       when trying to open a font is controlled by the font path.

       The default font path is __default_font_path__ .

       The font path can be set with the -fp option or by xset(1) after the
       server has started.

FILES

       /etc/Xn.hosts                 Initial access control list for display
                                     number n

       /usr/share/fonts/X11/misc,
       /usr/share/fonts/X11/75dpi,
       /usr/share/fonts/X11/100dpi   Bitmap font directories

       /usr/share/fonts/X11/Type1    Outline font directories

       /usr/share/nx/rgb             Color database

       /tmp/.X11-unix/Xn             Unix domain socket for display number n

       /tmp/rcXn                     Kerberos 5 replay cache for display
                                     number n

SEE ALSO

       Protocols: X Window System Protocol, NX Compression Protocol, The X
       Font Service Protocol, X Display Manager Control Protocol

       Fonts: bdftopcf(1), mkfontdir(1), mkfontscale(1), xfs(1), xlsfonts(1),
       xfontsel(1), xfd(1), X Logical Font Description Conventions

       Security: Xsecurity(7), xauth(1), Xau(1), xdm(1), xhost(1), xfwp(1),
       Security Extension Specification

       Starting the server: xdm(1), xinit(1)

       Controlling the server once started: xset(1), xsetroot(1), xhost(1)

       Server-specific man pages: Xdec(1), XmacII(1), Xsun(1), Xnest(1),
       Xvfb(1), XFree86(1), XDarwin(1).

       Server internal documentation: Definition of the Porting Layer for the
       X v11 Sample Server

AUTHORS

       The first sample X server was originally written by Susan Angebranndt,
       Raymond Drewry, Philip Karlton, and Todd Newman, from Digital Equipment
       Corporation, with support from a large cast. It has since been
       extensively rewritten by Keith Packard and Bob Scheifler, from MIT.
       Dave Wiggins took over post-R5 and made substantial improvements.

       The first implementation of nx-X11 (version 1.x up to 3.5.x) was
       written by NoMachine (maintained until 2011).

       The current implementation of nx-X11 is maintained by various projects,
       amongst others The Arctica Project, TheQVD (Qindel Group) and X2Go.

       This manual page was written by Per Hansen <spamhans@yahoo.de>, and
       modified by Marcelo Boveto Shima <marceloshima@gmail.com> and Mike
       Gabriel <mike.gabriel@das-netzwerkteam.de>. In 2016, the original
       Xserver.man page shipped with nx-X11 was merged into the nxagent man
       page and received a major update by Mike Gabriel
       <mike.gabriel@das-netzwerkteam.de>.

Version 3.5.99.17                  Nov 2018                         nxagent(1)