1nxagent(1)                    NX Agent (Xserver)                    nxagent(1)
2
3
4

NAME

6       nxagent - nested Xserver optimized for remote computing
7

SYNOPSIS

9       nxagent [options]
10

DESCRIPTION

12       nxagent is an X server for remote application/desktop access similar to
13       Xnest or Xephyr.
14
15       nxagent implements a very efficient compression of  the  X11  protocol,
16       called the NX protocol.
17
18       The  NX  protocol  increases performance when using X applications over
19       high latency and low bandwidth networks, while providing a local  (LAN-
20       like)  usage experience even if connecting from off-site locations (via
21       cable modem or GSM).
22
23       nxagent can be used standalone as a nested X server (with  NX  protocol
24       disabled),  but  its real benefits are gained when using it over remote
25       connections via the nxcomp compression library. The counterpart  appli‐
26       cation on the other end (i.e. the client) is called nxproxy.
27
28       When  used  in  proxy <-> agent mode, nxagent adds the feature of being
29       suspendible. Sessions can be started from  one  client,  suspended  and
30       then resumed from another (or the same) client.
31
32       nxagent  and nxproxy are utilized by various remote application/desktop
33       frameworks for providing server-side GUI application access from remote
34       client systems.
35
36       Currently,  nxagent  is  co-maintained  by three of these projects: The
37       Arctica Project, TheQVD and X2Go.
38

STARTING THE SERVER

40       nxagent should be run in user space.  Other  than  the  system's  local
41       X.org server, nxagent does not require to be run as root.  When bundled
42       with a remote application framework, you normally don't have to  launch
43       nxagent  manually. nxagent startup is usually managed by the underlying
44       framework (e.g. Arctica Session Manager, X2Go Server, etc.).
45
46       When nxagent starts up (e.g. by typing 'nxagent -ac :1' in  a  terminal
47       window),  it  typically  launches  in  "windowed desktop" mode. On your
48       local X server a new window appears being an X server itself.
49
50       However, nxagent also supports rootless (or seamless) application  mode
51       and a shadow session mode (similar to what VNC does).
52
53       Example: You can launch a complete desktop session inside this nested X
54       server now:
55
56       The Debian way...
57
58           $ export DISPLAY=:1
59           $ STARTUP=mate-session /etc/X11/Xsession
60
61       The Fedora / Gentoo / openSUSE way...
62
63           ### FIXME / TODO ###
64
65       However, nxagent also supports rootless (or seamless) application  mode
66       and a shadow session mode (similar to what VNC does).
67
68

OPTIONS

70       nxagent accepts a range of default X server options as described below.
71       Those default options have to be provided via the command line.
72
73       Furthermore, nxagent accepts some nx-X11  specific  options,  described
74       further below.
75
76       Last but not least, nxagent accepts several more options, the so-called
77       nx/nx options, provided via the $DISPLAY environment  variable  or  the
78       -options command line option. See below for further details.
79
80

STANDARD XSERVER OPTIONS

82       :displaynumber
83               The  X server runs as the given displaynumber, which by default
84               is 0.  If multiple X servers are to  run  simultaneously  on  a
85               host,  each must have a unique display number.  See the DISPLAY
86               NAMES section of the X(__miscmansuffix__) manual page to  learn
87               how to specify which display number clients should try to use.
88
89       -a number
90               sets  pointer  acceleration  (i.e.  the  ratio  of  how much is
91               reported to how much the user actually moved the pointer).
92
93       -ac     disables host-based access control mechanisms.  Enables  access
94               by  any host, and permits any host to modify the access control
95               list.  Use with extreme caution.  This option exists  primarily
96               for running test suites remotely.
97
98       -audit level
99               sets  the  audit  trail level.  The default level is 1, meaning
100               only connection rejections are reported.  Level 2  additionally
101               reports  all  successful  connections and disconnects.  Level 4
102               enables messages  from  the  SECURITY  extension,  if  present,
103               including  generation and revocation of authorizations and vio‐
104               lations of the security policy.  Level 0 turns  off  the  audit
105               trail.  Audit lines are sent as standard error output.
106
107       -auth authorization-file
108               specifies  a  file which contains a collection of authorization
109               records used to authenticate access.  See also the  xdm(1)  and
110               Xsecurity(__miscmansuffix__) manual pages.
111
112       -bs     disables backing store support on all screens.
113
114       -br     sets  the  default  root  window  to solid black instead of the
115               standard root weave pattern.
116
117       -c      turns off key-click.
118
119       c volume
120               sets key-click volume (allowable range: 0-100).
121
122       -cc class
123               sets the visual class for the root  window  of  color  screens.
124               The  class  numbers  are  as  specified in the X protocol.  Not
125               obeyed by all servers.
126
127       -co filename
128               This used to be the option for specifying the path to  the  RGB
129               color  database file. As the RGB color database is now embedded
130               into the binary this option has no effect but is kept for  com‐
131               patibility. Deprecated.
132
133       -core   causes the server to generate a core dump on fatal errors.
134
135       -displayfd fd
136               specifies  a  file descriptor in the launching process.  Rather
137               than specifying a display number, the X server will attempt  to
138               listen on successively higher display numbers, and upon finding
139               a free one, will write  the  port  number  back  on  this  file
140               descriptor  as  a newline-terminated string.  The -pn option is
141               ignored when using -displayfd.
142
143               nxagent specific:
144
145               (1) Other than in X.org's Xserver, you can  use  -displayfd  in
146               conjunction  with  an  explicit display number. If the explicit
147               display number is not available (i.e., already in use), nxagent
148               tries to figure out the next available display number,
149
150               e.g.:
151
152                  nxagent -displayfd 2 :50
153
154               (2)  If  -displayfd  <X> is given with <X> equaling 2 (STDERR),
155               then the display number string written to STDERR is  beautified
156               with some human-readable (machine-parseable) text.
157
158       -sync   This  option tells nxagent to synchronize its window and graph‐
159               ics operations with the real server.  This is a  useful  option
160               for debugging, but it will slow down nxagent's performance con‐
161               siderably.  It should not be used unless absolutely necessary.
162
163       -full   This option tells nxagent to utilize full regeneration of  real
164               server  objects  and reopen a new connection to the real server
165               each time nxagent regenerates.  The sample  server  implementa‐
166               tion regenerates all objects in the server when the last client
167               of this server  terminates.   When  this  happens,  nxagent  by
168               default  maintains  the same top-level window and the same real
169               server connection in each new generation.  If the user  selects
170               full regeneration, even the top-level window and the connection
171               to the real server will be regenerated for each server  genera‐
172               tion.
173
174       -class string
175               This  option  specifies  the default visual class of the nested
176               server.  It is similar to the -cc option from the set of  stan‐
177               dard  options except that it will accept a string rather than a
178               number for the visual class specification.  The string must  be
179               one of the following six values: StaticGray, GrayScale, Static‐
180               Color, PseudoColor, TrueColor, or  DirectColor.   If  both  the
181               -class  and  -cc  options  are  specified, the last instance of
182               either option takes precedence.  The class of the default  vis‐
183               ual  of  the nested server need not be the same as the class of
184               the default visual of the real server, but it must be supported
185               by the real server.  Use xdpyinfo(__appmansuffix__) to obtain a
186               list of supported visual classes  on  the  real  server  before
187               starting  nxagent.  If the user chooses a static class, all the
188               colors in the default color map will be preallocated.   If  the
189               user  chooses  a dynamic class, colors in the default color map
190               will be available to individual clients for allocation.
191
192       -deferglyphs whichfonts
193               specifies the types  of  fonts  for  which  the  server  should
194               attempt  to  use deferred glyph loading.  whichfonts can be all
195               (all fonts), none (no fonts), or 16 (16 bit fonts only).
196
197       -depth int
198               This option specifies the default visual depth  of  the  nested
199               server.   The  depth of the default visual of the nested server
200               need not be the same as the depth of the default visual of  the
201               real  server, but it must be supported by the real server.  Use
202               xdpyinfo(__appmansuffix__) to obtain a list of supported visual
203               depths on the real server before starting nxagent.
204
205       -geometry WxH+X+Y
206               This option specifies the geometry parameters for the top-level
207               nxagent window.  See “GEOMETRY SPECIFICATIONS” in  X(__miscman‐
208               suffix__) for a discusson of this option's syntax.  This window
209               corresponds to the root window of the nested server.  The width
210               W  and  height H specified with this option will be the maximum
211               width and height of each  top-level  nxagent  window.   nxagent
212               will  allow  the user to make any top-level window smaller, but
213               it will not actually change the size of the nested server  root
214               window.  If this option is not specified, nxagent will choose W
215               and H to be 3/4ths the dimensions of the  root  window  of  the
216               real server.
217
218       -dpi resolution
219               sets  the resolution for all screens, in dots per inch. If this
220               option is not specified nxagent will assume  96.  There's  also
221               -autodpi  which will clone the real server's dpi. Note that the
222               resolution specified via -dpi is a per session setting. It can‐
223               not  be  changed on reconnect! This means that clients may look
224               "wrong" when reconnecting a session that had been started  with
225               a different dpi than the current real xserver.
226
227       dpms    enables  DPMS  (display  power management services), where sup‐
228               ported.  The default state is platform and  configuration  spe‐
229               cific.
230
231       -dpms   disables DPMS (display power management services).  The default
232               state is platform and configuration specific.
233
234       -f volume
235               sets feep (bell) volume (allowable range: 0-100).
236
237       -fc cursorFont
238               sets default cursor font.
239
240       -fn font
241               sets the default font.
242
243       -fp fontPath
244               sets the search path for fonts.  This path is a comma separated
245               list  of directories which the X server searches for font data‐
246               bases.  See the FONTS section of  this  manual  page  for  more
247               information and the default list.
248
249       -help   prints a usage message.
250
251       -I      causes all remaining command line arguments to be ignored.
252
253       -maxbigreqsize size
254               sets the maximum big request to size MB.
255
256       -name string
257               This  option specifies the name of the top-level nxagent window
258               as string.  The default value is the program name.
259
260       -nolisten trans-type
261               disables a transport type.  For example, TCP/IP connections can
262               be disabled with -nolisten tcp.  This option may be issued mul‐
263               tiple times to disable listening to different transport types.
264
265       -noreset
266               prevents a server reset when  the  last  client  connection  is
267               closed.   This  overrides  a  previous  -terminate command line
268               option.
269
270       -p minutes
271               sets screen-saver pattern cycle time in minutes.
272
273       -pn     permits the server to continue running if it fails to establish
274               all  of its well-known sockets (connection points for clients),
275               but establishes at least one.  This option is set by default.
276
277       -nopn   causes the server to exit if it fails to establish all  of  its
278               well-known sockets (connection points for clients).
279
280       -r      turns off auto-repeat.
281
282       r       turns on auto-repeat.
283
284       -s minutes
285               sets screen-saver timeout time in minutes.
286
287       -su     disables save under support on all screens.
288
289       -t number
290               sets  pointer  acceleration threshold in pixels (i.e. after how
291               many pixels pointer acceleration should take effect).
292
293       -terminate
294               causes the server to terminate at server reset, instead of con‐
295               tinuing  to  run.   This  overrides a previous -noreset command
296               line option.
297
298       -to seconds
299               sets default connection timeout in seconds.
300
301       -tst    disables all testing extensions.
302
303       v       sets video-off screen-saver preference.
304
305       -v      sets video-on screen-saver preference.
306
307       -wm     forces the default backing-store of all  windows  to  be  When‐
308               Mapped.   This  is  a  backdoor way of getting backing-store to
309               apply to all windows.  Although all mapped  windows  will  have
310               backing  store,  the  backing store attribute value reported by
311               the server for a window will be the last value established by a
312               client.   If it has never been set by a client, the server will
313               report the default value, NotUseful.  This behavior is required
314               by  the  X  protocol,  which  allows  the  server to exceed the
315               client's backing store expectations but does not provide a  way
316               to tell the client that it is doing so.
317
318       [+-]xinerama
319               enables(+)  or  disables(-) XINERAMA provided via the PanoramiX
320               extension. This is set to off by default.
321
322       [+-]rrxinerama
323               enables(+) or  disables(-)  XINERAMA  provided  via  the  RandR
324               extension. By default, this feature is enabled. To disable XIN‐
325               ERAMA completely, make sure to use both options (-xinerama  and
326               -rrxinerama) on the command line.
327
328

SERVER DEPENDENT OPTIONS

330       nxagent additionally accepts the following non-standard options:
331
332       -logo   turns  on the X Window System logo display in the screen-saver.
333               There is currently no way to change this from a client.
334
335       nologo  turns off the X Window System logo display in the screen-saver.
336               There is currently no way to change this from a client.
337
338       -render
339
340               default|mono|gray|color
341
342               sets  the color allocation policy that will be used by the ren‐
343               der extension.
344
345               default selects the default  policy  defined  for  the  display
346                       depth of the X server.
347
348               mono    don't use any color cell.
349
350               gray    use  a  gray  map  of  13  color cells for the X render
351                       extension.
352
353               color   use a color cube of at most 4*4*4 colors  (that  is  64
354                       color cells).
355
356       -dumbSched
357               disables  smart  scheduling on platforms that support the smart
358               scheduler.
359
360       -schedInterval interval
361               sets the smart scheduler's scheduling interval to interval mil‐
362               liseconds.
363

NXAGENT SPECIFIC OPTIONS

365       The nx-X11 system adds the following command line arguments:
366
367       -forcenx
368               force  use  of  NX  protocol  messages  assuming  communication
369               through nxproxy
370
371       -nxrealwindowprop
372               set property NX_REAL_WINDOW for each X11 client inside nxagent,
373               providing  the window XID of the corresponding window object on
374               the X server that nxagent runs on
375
376       -reportwids
377               explicitly tell nxagent to report its  externally  exposed  X11
378               window  IDs  to  the session log (in machine readable form), so
379               that external parsers can obtain that information from there
380
381       -reportprivatewids
382               explicitly tell nxagent to report X11 window IDs of  internally
383               created  window objects to the session log (in machine readable
384               form), so that external parsers  can  obtain  that  information
385               from there; this creates a lot of output and may affect perfor‐
386               mance
387
388       -timeout int
389               auto-disconnect timeout in seconds (minimum allowed: 60)
390
391       -norootlessexit
392               don't exit if there are no clients in rootless mode
393
394       -autodpi
395               detect real server's DPI and set it in the agent  session;  the
396               -dpi  cmdline  option  overrides  -autodpi.   Note  that  using
397               -autodpi will also adapt the DPI on reconnect which will  cause
398               newly started clients respecting the new DPI while clients that
399               had been started before the reconnect still use  the  old  DPI.
400               This may lead to applications looking "weird".
401
402       -nomagicpixel
403               disable  magic  pixel  support  at  session startup, can be re-
404               enabled via nx/nx option on session resumption
405
406       -norender
407               disable the use of the render extension
408
409       -nocomposite
410               disable the use of the composite extension
411
412       -nopersistent
413               disable disconnection/reconnection to the X display on SIGHUP
414
415       -noshmem
416               disable use of shared memory extension
417
418       -shmem  enable use of shared memory extension
419
420       -noshpix
421               disable use of shared pixmaps
422
423       -shpix  enable use of shared pixmaps
424
425       -noignore
426               don't ignore pointer and keyboard  configuration  changes  man‐
427               dated by clients. As a result, configuration commands like dis‐
428               abling the keyboard bell (xset -b) will also affect the real  X
429               server.
430
431       -nokbreset
432               don't reset keyboard device if the session is resumed
433
434       -noxkblock
435               this  is  only relevant if you also specify -keyboard=query. In
436               that case nxagent will lock the keyboard settings  and  clients
437               will  get  an error when trying to change keyboard settings via
438               XKEYBOARD. With -noxkblock the lock is not applied and  clients
439               are allowed to change the keyboard settings through XKEYBOARD.
440
441       -tile WxH
442               size of image tiles (minimum allowed: 32x32)
443
444       -D      enable desktop mode (default)
445
446       -R      enable rootless mode
447
448       -S      enable shadow mode
449
450       -B      enable proxy binding mode
451
452       -version
453               show version information and exit
454
455       -options filename
456               path to an options file containing nx/nx options (see below).
457
458       Other  than the command line options, nxagent can be configured at ses‐
459       sion startup and at runtime (i.e. when resuming a suspended session) by
460       so-called nx/nx options.
461
462       As nx/nx options all options supported by nxcomp (see nxproxy man page)
463       and all nxagent nx/nx options (see below) can be used.  When  launching
464       an  nxcomp  based nxagent session (i.e. proxy <-> agent), you will nor‐
465       mally set the $DISPLAY variable like this:
466
467         $ export DISPLAY=nx/nx,listen=<proxy-port>,options=<options.file>:<nx-display-port>
468         $ nxagent <command-line-options> :<nx-display-port>
469
470       The value for <nx-display-port> is some value  of  a  not-yet-used  X11
471       display (e.g. :50).
472
473       Using  an  options  file is recommended, but you can also put available
474       nx/nx options (see below) into the  DISPLAY  variable  directly.  Note,
475       that the $DISPLAY variable field is of limited length.
476
477       As  <proxy-port>  you  can  pick an arbitrary (unused) TCP port or Unix
478       socket file path. This is the port / socket that you have to connect to
479       with the nxproxy application.
480
481       The right hand side of an option (the part following the "=" character)
482       can include URL encoded characters. It is required  to  URL  encode  at
483       least  ","  (as  %2D)  and  "="  (as %3D) to avoid wrong parsing of the
484       options string.
485
486       Available nxagent options (as an addition to nx/nx options supported by
487       nxcomp already):
488
489       options=<string>
490               read  options  from  file,  this text file can contain a single
491               loooong line with comma-separated nx/nx options
492
493       rootless=<bool>
494               start nxagent in rootless mode, matches -R given on the command
495               line, no-op when resuming (default: false)
496
497       geometry=<string>
498               desktop  geometry when starting or resuming a session, no-op in
499               rootless mode (default 66% of the underlying X server geometry)
500
501       resize=<bool>
502               set resizing support (default: true)
503
504       fullscreen=<bool>
505               start or resume a session in fullscreen mode (default: off)
506
507       keyboard=<string> or kbtype=<string>
508
509               query|clone|<model>/<layout>|rmlvo/<rules>#<model>#<lay‐
510               out>#<variant>#<options>
511
512
513               query   use  the  default  XKB  keyboard layout (see below) and
514                       only allow clients to query the  settings  but  prevent
515                       any  changes.  query  is  especially helpful for setups
516                       where you need to set/modify the actual keyboard layout
517                       using  core X protocol functions (e.g. via xmodmap). It
518                       is used for MacOS X clients  to  handle  some  keyboard
519                       problems that are special for this platform.  Note that
520                       in this case XKEYBOARD will always report  the  default
521                       layout which will most likely not match the experienced
522                       settings.
523
524               clone   ask the real X server for the keyboard  settings  using
525                       XKEYBOARD  protocol  functions  and clone them. This is
526                       the recommended setting. For compatibility  reasons  it
527                       is not the default.
528
529               <model>/<layout>
530                       use the given model and layout. A value of null/null is
531                       equivalent to clone. You can not modify keyboard rules,
532                       variant  or options this way. Instead preset values are
533                       used. These are base for rules and  empty  strings  for
534                       variant and options.
535
536               rmlvo/<rules>#<model>#<layout>#<variant>#<options>
537                       configure   the   keyboard   according   to  the  rmlvo
538                       (Rules+Model+Layout+Variant+Options) description  given
539                       after  the  /  and  separated by #. This can be used to
540                       fully pass the keyboard configuration of nxagent  right
541                       after           the           start.           Example:
542                       rmlvo/base#pc105#de,us#nodeadkeys#lv3:rwin_switch
543
544
545
546              If keyboard is omitted the internal defaults of nxagent will  be
547              used  (rules:  base, layout: us, model: pc102, empty variant and
548              options).
549
550
551       keyconv=<string>
552               set keycode conversion mode
553
554               auto|on|off
555
556               by default (auto) nxagent will activate keycode  conversion  if
557               it  detects  an  evdev  XKEYBOARD setup on the client side (the
558               standard on linux systems nowadays). Keycode  conversion  means
559               that certain keycodes are mapped to make the keyboard appear as
560               an pc105 model. Using off this conversion can be suppressed and
561               with on it will be forced.
562
563
564       clipboard=<string>
565
566               both|client|server|none
567
568               enable  /  disable (set to: none) clipboard support, uni-direc‐
569               tional (server or client) or bi-directional (both, default set‐
570               ting) support
571
572       streaming=<int>
573               streaming  support  for  images,  not fully implemented yet and
574               thus non-functional
575
576       backingstore=<int>
577               disable or enforce backing  store  support  (default:  Backing‐
578               StoreUndefined)
579
580       composite=<int>
581               enable  or  disable  Composite  support  in  nxagent  (default:
582               enabled)
583
584       xinerama=<int>
585               enable  or  disable  XINERAMA  support  in  nxagent   (default:
586               enabled)
587
588       shmem=<bool>
589               enable using shared memory
590
591       shpix=<bool>
592               enable shared pixmaps support
593
594       client=<string>
595               type of connecting operating system (supported: linux, windows,
596               solaris and macosx)
597
598       shadow=<int>
599               start nxagent in shadow mode, matches -S given on  the  command
600               line, no-op when resuming (default: false)
601
602       shadowuid=<int>
603               unique identifier for the shadow session
604
605       shadowmode=<string>
606               full access (set to 1) or viewing-only (set to 0, default)
607
608       defer=<int>
609               defer  image  updates  (enabled for all connection types except
610               LAN), accepts values 0, 1 and 2
611
612               The default value can be set via the command line (-defer). The
613               value  provided as nx/nx option is set when resuming a session,
614               thus it overrides the command line default.
615
616       tile=<string>
617               set the tile size in pixels (<W>x<H>) for bitmap data sent over
618               the wire
619
620               The  default value can be set via the command line (-tile). The
621               value provided as nx/nx option is set when resuming a  session,
622               thus it overrides the command line default.
623
624       menu=<int>
625               support  pulldown  menu  in  nxagent session (only available on
626               proxy <-> agent remote sessions)
627
628       magicpixel=<bool>
629               enable/disable magic pixel support in fullscreen mode (default:
630               1, enabled)
631
632       autodpi=<bool>
633               enable/disable  deriving  session  DPI  automatically from real
634               server (default: 0, disabled); only  takes  effect  on  session
635               startups, gets ignored when reconnecting to a suspended session
636
637       sleep=<int>
638               delay  X  server  operations when suspended (provided in msec),
639               set to 0 to keep nxagent session  fully  functional  when  sus‐
640               pended (e.g. useful when mirroring an nxagent session via VNC)
641
642       tolerancechecks=<string>
643
644               strict|safe|risky|bypass
645
646               strict  means  that  the number of internal and external pixmap
647                       formats must match exactly and  every  internal  pixmap
648                       format  must be available in the external pixmap format
649                       array. This is the default.
650
651               safe    means that the number of pixmap formats might  diverge,
652                       but  all  internal pixmap formats must also be included
653                       in the external pixmap formats array.  This  is  recom‐
654                       mended, because it allows clients with more pixmap for‐
655                       mats to still connect, but not lose functionality.
656
657               risky   means that the internal pixmap formats array is allowed
658                       to  be  smaller than the external pixmap formats array,
659                       but at least one pixmap  format  must  be  included  in
660                       both. This is potentially unsafe.
661
662               bypass  means  that all of these checks are essentially deacti‐
663                       vated. This is a very bad idea.
664
665       If you want to use nxagent as a replacement for Xnest or Xephyr you can
666       pass options like this:
667
668         $ echo nx/nx,fullscreen=1$DISPLAY >/tmp/opt
669         $ nxagent <command-line-options> -options /tmp/opt :<nx-display-port>
670
671

XDMCP OPTIONS

673       X  servers  that  support  XDMCP have the following options.  See the X
674       Display Manager Control Protocol specification for more information.
675
676       -query hostname
677               enables XDMCP and sends Query packets to  the  specified  host‐
678               name.
679
680       -broadcast
681               enable  XDMCP and broadcasts BroadcastQuery packets to the net‐
682               work.  The first responding display manager will be chosen  for
683               the session.
684
685       -multicast [address [hop count]]
686               Enable  XDMCP  and multicast BroadcastQuery packets to the net‐
687               work.  The first responding display manager is chosen  for  the
688               session.   If an address is specified, the multicast is sent to
689               that address.  If no address is  specified,  the  multicast  is
690               sent to the default XDMCP IPv6 multicast group.  If a hop count
691               is specified, it is used as the maximum hop count for the  mul‐
692               ticast.   If no hop count is specified, the multicast is set to
693               a maximum of 1 hop, to prevent the multicast from being  routed
694               beyond the local network.
695
696       -indirect hostname
697               enables  XDMCP  and send IndirectQuery packets to the specified
698               hostname.
699
700       -port port-number
701               uses the specified port-number for XDMCP  packets,  instead  of
702               the  default.  This option must be specified before any -query,
703               -broadcast, -multicast, or -indirect options.
704
705       -from local-address
706               specifies the local address to connect from (useful if the con‐
707               necting  host  has  multiple  network  interfaces).  The local-
708               address may be expressed in any form  acceptable  to  the  host
709               platform's gethostbyname(3) implementation.
710
711       -once   causes  the  server  to  terminate (rather than reset) when the
712               XDMCP session ends.
713
714       -class display-class
715               XDMCP has an additional  display  qualifier  used  in  resource
716               lookup  for  display-specific  options.   This option sets that
717               value, by default it is "MIT-Unspecified" (not  a  very  useful
718               value).
719
720       -cookie xdm-auth-bits
721               When  testing  XDM-AUTHENTICATION-1,  a  private  key is shared
722               between the server and the manager.  This option sets the value
723               of that private data (not that it is very private, being on the
724               command line!).
725
726       -displayID display-id
727               Yet another XDMCP specific value, this one allows  the  display
728               manager  to  identify  each  display  so that it can locate the
729               shared key.
730
731

XKEYBOARD OPTIONS

733       X servers that support the XKEYBOARD (a.k.a.  "XKB")  extension  accept
734       the  following options.  All layout files specified on the command line
735       must be located in the XKB base directory or a subdirectory, and speci‐
736       fied as the relative path from the XKB base directory.  The default XKB
737       base directory is /usr/share/X11/xkb.
738
739       [+-]kb  enables(+) or disables(-) the XKEYBOARD extension.
740
741       [+-]accessx [ timeout [ timeout_mask [ feedback [ options_mask ] ] ] ]
742               enables(+) or disables(-) AccessX key sequences.
743
744       -xkbdir directory
745               base directory for keyboard layout files.  This option  is  not
746               available  for setuid X servers (i.e., when the X server's real
747               and effective uids are different).
748
749       -ardelay milliseconds
750               sets the autorepeat delay (length of time in milliseconds  that
751               a key must be depressed before autorepeat starts).
752
753       -arinterval milliseconds
754               sets  the  autorepeat  interval (length of time in milliseconds
755               that should elapse between autorepeat-generated keystrokes).
756
757       -xkbmap filename
758               loads keyboard description in filename on server startup.
759
760

SECURITY EXTENSION OPTIONS

762       X servers that support the  SECURITY  extension  accept  the  following
763       option:
764
765       -sp filename
766               causes  the server to attempt to read and interpret filename as
767               a security policy file with the format  described  below.   The
768               file is read at server startup and reread at each server reset.
769
770       The  syntax  of  the security policy file is as follows.  Notation: "*"
771       means zero or more occurrences of the preceding element, and "+"  means
772       one or more occurrences.  To interpret <foo/bar>, ignore the text after
773       the /; it is used to distinguish between instances of <foo> in the next
774       section.
775
776       <policy file> ::= <version line> <other line>*
777
778       <version line> ::= <string/v> '\n'
779
780       <other line > ::= <comment> | <access rule> | <site policy> | <blank line>
781
782       <comment> ::= # <not newline>* '\n'
783
784       <blank line> ::= <space> '\n'
785
786       <site policy> ::= sitepolicy <string/sp> '\n'
787
788       <access rule> ::= property <property/ar> <window> <perms> '\n'
789
790       <property> ::= <string>
791
792       <window> ::= any | root | <required property>
793
794       <required property> ::= <property/rp> | <property with value>
795
796       <property with value> ::= <property/rpv> = <string/rv>
797
798       <perms> ::= [ <operation> | <action> | <space> ]*
799
800       <operation> ::= r | w | d
801
802       <action> ::= a | i | e
803
804       <string> ::= <dbl quoted string> | <single quoted string> | <unquoted string>
805
806       <dbl quoted string> ::= <space> " <not dqoute>* " <space>
807
808       <single quoted string> ::= <space> ' <not squote>* ' <space>
809
810       <unquoted string> ::= <space> <not space>+ <space>
811
812       <space> ::= [ ' ' | '\t' ]*
813
814       Character sets:
815
816       <not newline> ::= any character except '\n'
817       <not dqoute>  ::= any character except "
818       <not squote>  ::= any character except '
819       <not space>   ::= any character except those in <space>
820
821       The semantics associated with the above syntax are as follows.
822
823       <version  line>,  the first line in the file, specifies the file format
824       version.  If the server does not recognize the version  <string/v>,  it
825       ignores  the  rest of the file.  The version string for the file format
826       described here is "version-1" .
827
828       Once past the <version line>, lines that do not match the above  syntax
829       are ignored.
830
831       <comment> lines are ignored.
832
833       <sitepolicy> lines are currently ignored.  They are intended to specify
834       the site policies used by the XC-QUERY-SECURITY-1 authorization method.
835
836       <access rule> lines specify how the server should  react  to  untrusted
837       client  requests that affect the X Window property named <property/ar>.
838       The rest of this section describes the  interpretation  of  an  <access
839       rule>.
840
841       For  an  <access  rule>  to apply to a given instance of <property/ar>,
842       <property/ar> must be on a window that is in the set of windows  speci‐
843       fied  by  <window>.   If  <window>  is  any, the rule applies to <prop‐
844       erty/ar> on any window.  If <window>  is  root,  the  rule  applies  to
845       <property/ar> only on root windows.
846
847       If  <window> is <required property>, the following apply.  If <required
848       property> is a <property/rp>, the rule applies when the window also has
849       that <property/rp>, regardless of its value.  If <required property> is
850       a <property with value>, <property/rpv> must also have the value speci‐
851       fied  by <string/rv>.  In this case, the property must have type STRING
852       and format 8, and should contain one or more  null-terminated  strings.
853       If any of the strings match <string/rv>, the rule applies.
854
855       The  definition of string matching is simple case-sensitive string com‐
856       parison with one elaboration: the occurrence of the  character  '*'  in
857       <string/rv> is a wildcard meaning "any string."  A <string/rv> can con‐
858       tain multiple wildcards anywhere in  the  string.   For  example,  "x*"
859       matches  strings  that begin with x, "*x" matches strings that end with
860       x, "*x*" matches strings containing x, and "x*y*" matches strings  that
861       start with x and subsequently contain y.
862
863       There  may  be  multiple <access rule> lines for a given <property/ar>.
864       The rules are tested in the order that they appear in  the  file.   The
865       first rule that applies is used.
866
867       <perms>  specify operations that untrusted clients may attempt, and the
868       actions that the server should take in response to those operations.
869
870       <operation> can be r (read), w (write), or d (delete).   The  following
871       table shows how X Protocol property requests map to these operations in
872       The Open Group server implementation.
873
874       GetProperty    r, or r and d if delete = True
875       ChangeProperty w
876       RotateProperties    r and w
877       DeleteProperty d
878       ListProperties none, untrusted clients can always list all properties
879
880       <action> can be a (allow), i (ignore), or e (error).  Allow means  exe‐
881       cute  the request as if it had been issued by a trusted client.  Ignore
882       means treat the request as a no-op.  In the case of GetProperty, ignore
883       means return an empty property value if the property exists, regardless
884       of its actual value.  Error means do not execute the request and return
885       a  BadAtom  error with the atom set to the property name.  Error is the
886       default action for all properties, including those not  listed  in  the
887       security policy file.
888
889       An  <action> applies to all <operation>s that follow it, until the next
890       <action> is encountered.  Thus, irwad  means  ignore  read  and  write,
891       allow delete.
892
893       GetProperty  and  RotateProperties may do multiple operations (r and d,
894       or r and w).  If different actions apply to the  operations,  the  most
895       severe  action  is  applied  to  the whole request; there is no partial
896       request execution.  The severity ordering is: allow < ignore  <  error.
897       Thus,  if  the  <perms>  for  a  property  are ired (ignore read, error
898       delete), and an untrusted client attempts GetProperty on that  property
899       with  delete  =  True,  an error is returned, but the property value is
900       not.  Similarly, if any of the properties in a RotateProperties do  not
901       allow  both  read  and write, an error is returned without changing any
902       property values.
903
904       Here is an example security policy file.
905
906       version-1
907
908       # Allow reading of application resources, but not writing.
909       property RESOURCE_MANAGER     root      ar iw
910       property SCREEN_RESOURCES     root      ar iw
911
912       # Ignore attempts to use cut buffers.  Giving errors causes apps to crash,
913       # and allowing access may give away too much information.
914       property CUT_BUFFER0          root      irw
915       property CUT_BUFFER1          root      irw
916       property CUT_BUFFER2          root      irw
917       property CUT_BUFFER3          root      irw
918       property CUT_BUFFER4          root      irw
919       property CUT_BUFFER5          root      irw
920       property CUT_BUFFER6          root      irw
921       property CUT_BUFFER7          root      irw
922
923       # If you are using Motif, you probably want these.
924       property _MOTIF_DEFAULT_BINDINGS        rootar iw
925       property _MOTIF_DRAG_WINDOW   root      ar iw
926       property _MOTIF_DRAG_TARGETS  any       ar iw
927       property _MOTIF_DRAG_ATOMS    any       ar iw
928       property _MOTIF_DRAG_ATOM_PAIRS         anyar iw
929
930       # The next two rules let xwininfo -tree work when untrusted.
931       property WM_NAME              any       ar
932
933       # Allow read of WM_CLASS, but only for windows with WM_NAME.
934       # This might be more restrictive than necessary, but demonstrates
935       # the <required property> facility, and is also an attempt to
936       # say "top level windows only."
937       property WM_CLASS             WM_NAME   ar
938
939       # These next three let xlsclients work untrusted.  Think carefully
940       # before including these; giving away the client machine name and command
941       # may be exposing too much.
942       property WM_STATE             WM_NAME   ar
943       property WM_CLIENT_MACHINE    WM_NAME   ar
944       property WM_COMMAND           WM_NAME   ar
945
946       # To let untrusted clients use the standard colormaps created by
947       # xstdcmap, include these lines.
948       property RGB_DEFAULT_MAP      root      ar
949       property RGB_BEST_MAP         root      ar
950       property RGB_RED_MAP          root      ar
951       property RGB_GREEN_MAP        root      ar
952       property RGB_BLUE_MAP         root      ar
953       property RGB_GRAY_MAP         root      ar
954
955       # To let untrusted clients use the color management database created
956       # by xcmsdb, include these lines.
957       property XDCCC_LINEAR_RGB_CORRECTION    rootar
958       property XDCCC_LINEAR_RGB_MATRICES      rootar
959       property XDCCC_GRAY_SCREENWHITEPOINT    rootar
960       property XDCCC_GRAY_CORRECTION          rootar
961
962       # To let untrusted clients use the overlay visuals that many vendors
963       # support, include this line.
964       property SERVER_OVERLAY_VISUALS         rootar
965
966       # Dumb examples to show other capabilities.
967
968       # oddball property names and explicit specification of error conditions
969       property "property with spaces"         'property with "'aw er ed
970
971       # Allow deletion of Woo-Hoo if window also has property OhBoy with value
972       # ending in "son".  Reads and writes will cause an error.
973       property Woo-Hoo              OhBoy = "*son"ad
974
975

NETWORK CONNECTIONS

977       The X server supports client connections via a platform-dependent  sub‐
978       set  of  the  following transport types: TCPIP, Unix Domain sockets and
979       several varieties of SVR4 local connections.   See  the  DISPLAY  NAMES
980       section of the X(__miscmansuffix__) manual page to learn how to specify
981       which transport type clients should try to use.
982
983

GRANTING ACCESS

985       The X server implements a platform-dependent subset  of  the  following
986       authorization  protocols: MIT-MAGIC-COOKIE-1, XDM-AUTHORIZATION-1, XDM-
987       AUTHORIZATION-2,  SUN-DES-1,  and  MIT-KERBEROS-5.   See   the   Xsecu‐
988       rity(__miscmansuffix__) manual page for information on the operation of
989       these protocols.
990
991       Authorization data required by the above protocols  is  passed  to  the
992       server  in  a  private  file  named with the -auth command line option.
993       Each time the server is about to accept the first  connection  after  a
994       reset  (or  when  the server is starting), it reads this file.  If this
995       file contains any authorization records, the local host is not automat‐
996       ically allowed access to the server, and only clients which send one of
997       the authorization records contained in the file in the connection setup
998       information  will  be  allowed  access.   See the Xau manual page for a
999       description of the binary format of this file.  See xauth(1) for  main‐
1000       tenance of this file, and distribution of its contents to remote hosts.
1001
1002       The  X  server  also uses a host-based access control list for deciding
1003       whether or not to accept  connections  from  clients  on  a  particular
1004       machine.   If no other authorization mechanism is being used, this list
1005       initially consists of the host on which the server is running  as  well
1006       as  any  machines listed in the file /etc/Xn.hosts, where n is the dis‐
1007       play number of the server.  Each line of the file should contain either
1008       an  Internet hostname (e.g. expo.lcs.mit.edu) or a complete name in the
1009       format family:name as described in the  xhost(1)  manual  page.   There
1010       should be no leading or trailing spaces on any lines.  For example:
1011
1012               joesworkstation
1013               corporate.company.com
1014               star::
1015               inet:bigcpu
1016               local:
1017
1018       Users  can  add  or  remove  hosts from this list and enable or disable
1019       access control using the xhost command from the  same  machine  as  the
1020       server.
1021
1022       If  the  X  FireWall  Proxy  (xfwp) is being used without a sitepolicy,
1023       host-based authorization must be turned on for clients to  be  able  to
1024       connect to the X server via the xfwp.  If xfwp is run without a config‐
1025       uration file and thus no sitepolicy is defined, if xfwp is using  an  X
1026       server  where xhost + has been run to turn off host-based authorization
1027       checks, when a client tries to connect to this X server via xfwp, the X
1028       server  will  deny  the  connection.   See xfwp(1) for more information
1029       about this proxy.
1030
1031       The X protocol intrinsically does not have any notion of window  opera‐
1032       tion  permissions or place any restrictions on what a client can do; if
1033       a program can connect to a display, it has full run of the  screen.   X
1034       servers that support the SECURITY extension fare better because clients
1035       can be designated untrusted via the authorization they use to  connect;
1036       see  the xauth(1) manual page for details.  Restrictions are imposed on
1037       untrusted clients that curtail the mischief they can do.  See the SECU‐
1038       RITY extension specification for a complete list of these restrictions.
1039
1040       Sites  that  have better authentication and authorization systems might
1041       wish to make use of the hooks in the libraries and the server  to  pro‐
1042       vide additional security models.
1043

SIGNALS

1045       The X server attaches special meaning to the following signals:
1046
1047       SIGHUP  This  signal  causes  the  server to close all existing connec‐
1048               tions, free all resources, and restore  all  defaults.   It  is
1049               sent  by  the  display  manager  whenever  the main user's main
1050               application (usually an xterm or window manager) exits to force
1051               the server to clean up and prepare for the next user.
1052
1053       SIGTERM This signal causes the server to exit cleanly.
1054
1055       SIGUSR1 This signal is used quite differently from either of the above.
1056               When the server starts, it checks to see if  it  has  inherited
1057               SIGUSR1 as SIG_IGN instead of the usual SIG_DFL.  In this case,
1058               the server sends a SIGUSR1 to its parent process after  it  has
1059               set  up  the various connection schemes.  Xdm uses this feature
1060               to recognize when connecting to the server is possible.
1061

FONTS

1063       The X server  can  obtain  fonts  from  directories  and/or  from  font
1064       servers.   The  list  of directories and font servers the X server uses
1065       when trying to open a font is controlled by the font path.
1066
1067       The default font path is __default_font_path__ .
1068
1069       The font path can be set with the -fp option or by  xset(1)  after  the
1070       server has started.
1071

FILES

1073       /etc/Xn.hosts                 Initial  access  control list for display
1074                                     number n
1075
1076       /usr/share/fonts/X11/misc,
1077                                         /usr/share/fonts/X11/75dpi,
1078                                         /usr/share/fonts/X11/100dpi    Bitmap
1079                                     font directories
1080
1081       /usr/share/fonts/X11/Type1    Outline font directories
1082
1083       /usr/share/nx/rgb             Color database
1084
1085       /tmp/.X11-unix/Xn             Unix domain socket for display number n
1086
1087       /tmp/rcXn                     Kerberos  5 replay cache for display num‐
1088                                     ber n
1089

SEE ALSO

1091       Protocols: X Window System Protocol, NX  Compression  Protocol,  The  X
1092       Font Service Protocol, X Display Manager Control Protocol
1093
1094       Fonts:  bdftopcf(1), mkfontdir(1), mkfontscale(1), xfs(1), xlsfonts(1),
1095       xfontsel(1), xfd(1), X Logical Font Description Conventions
1096
1097       Security:  Xsecurity(__miscmansuffix__),  xauth(1),   Xau(1),   xdm(1),
1098       xhost(1), xfwp(1), Security Extension Specification
1099
1100       Starting the server: xdm(1), xinit(1)
1101
1102       Controlling the server once started: xset(1), xsetroot(1), xhost(1)
1103
1104       Server-specific  man  pages:  Xdec(1),  XmacII(1),  Xsun(1),  Xnest(1),
1105       Xvfb(1), XFree86(1), XDarwin(1).
1106
1107       Server internal documentation: Definition of the Porting Layer for  the
1108       X v11 Sample Server
1109

AUTHORS

1111       The  first sample X server was originally written by Susan Angebranndt,
1112       Raymond Drewry, Philip Karlton, and Todd Newman, from Digital Equipment
1113       Corporation,  with support from a large cast.  It has since been exten‐
1114       sively rewritten by Keith Packard and Bob  Scheifler,  from  MIT.  Dave
1115       Wiggins took over post-R5 and made substantial improvements.
1116
1117       The  first implementation of nx-X11 (version 1.x up to 3.5.x) was writ‐
1118       ten by NoMachine (maintained until 2011).
1119
1120       The current implementation of nx-X11 is maintained by various projects,
1121       amongst others The Arctica Project, TheQVD (Qindel Group) and X2Go.
1122
1123       This  manual  page  was  written by Per Hansen <spamhans@yahoo.de>, and
1124       modified by Marcelo  Boveto  Shima  <marceloshima@gmail.com>  and  Mike
1125       Gabriel   <mike.gabriel@das-netzwerkteam.de>.  In  2016,  the  original
1126       Xserver.man page shipped with nx-X11 was merged into  the  nxagent  man
1127       page and received a major update by Mike Gabriel <mike.gabriel@das-net‐
1128       zwerkteam.de>.
1129
1130
1131
1132Version 3.5.99.20                  Apr 2019                         nxagent(1)
Impressum