1nxagent(1) NX Agent (Xserver) nxagent(1)
2
3
4
6 nxagent - nested Xserver optimized for remote computing
7
9 nxagent [options]
10
12 nxagent is an X server for remote application/desktop access similar to
13 Xnest or Xephyr.
14
15 nxagent implements a very efficient compression of the X11 protocol,
16 called the NX protocol.
17
18 The NX protocol increases performance when using X applications over
19 high latency and low bandwidth networks, while providing a local (LAN-
20 like) usage experience even if connecting from off-site locations (via
21 cable modem or GSM).
22
23 nxagent can be used standalone as a nested X server (with NX protocol
24 disabled), but its real benefits are gained when using it over remote
25 connections via the nxcomp compression library. The counterpart appli‐
26 cation on the other end (i.e. the client) is called nxproxy.
27
28 When used in proxy <-> agent mode, nxagent adds the feature of being
29 suspendible. Sessions can be started from one client, suspended and
30 then resumed from another (or the same) client.
31
32 nxagent and nxproxy are utilized by various remote application/desktop
33 frameworks for providing server-side GUI application access from remote
34 client systems.
35
36 Currently, nxagent is co-maintained by three of these projects: The
37 Arctica Project, TheQVD and X2Go.
38
40 nxagent should be run in user space. Other than the system's local
41 X.org server, nxagent does not require to be run as root. When bundled
42 with a remote application framework, you normally don't have to launch
43 nxagent manually. nxagent startup is usually managed by the underlying
44 framework (e.g. Arctica Session Manager, X2Go Server, etc.).
45
46 When nxagent starts up (e.g. by typing 'nxagent -ac :1' in a terminal
47 window), it typically launches in "windowed desktop" mode. On your
48 local X server a new window appears being an X server itself.
49
50 However, nxagent also supports rootless (or seamless) application mode
51 and a shadow session mode (similar to what VNC does).
52
53 Example: You can launch a complete desktop session inside this nested X
54 server now:
55
56 The Debian way...
57
58 $ export DISPLAY=:1
59 $ STARTUP=mate-session /etc/X11/Xsession
60
61 The Fedora / Gentoo / openSUSE way...
62
63 ### FIXME / TODO ###
64
65 However, nxagent also supports rootless (or seamless) application mode
66 and a shadow session mode (similar to what VNC does).
67
68
70 nxagent accepts a range of default X server options as described below.
71 Those default options have to be provided via the command line.
72
73 Furthermore, nxagent accepts some nx-X11 specific options, described
74 further below.
75
76 Last but not least, nxagent accepts several more options, the so-called
77 nx/nx options, provided via the $DISPLAY environment variable or the
78 -options command line option. See below for further details.
79
80
82 :displaynumber
83 The X server runs as the given displaynumber, which by default
84 is 0. If multiple X servers are to run simultaneously on a
85 host, each must have a unique display number. See the DISPLAY
86 NAMES section of the X(__miscmansuffix__) manual page to learn
87 how to specify which display number clients should try to use.
88
89 -a number
90 sets pointer acceleration (i.e. the ratio of how much is
91 reported to how much the user actually moved the pointer).
92
93 -ac disables host-based access control mechanisms. Enables access
94 by any host, and permits any host to modify the access control
95 list. Use with extreme caution. This option exists primarily
96 for running test suites remotely.
97
98 -audit level
99 sets the audit trail level. The default level is 1, meaning
100 only connection rejections are reported. Level 2 additionally
101 reports all successful connections and disconnects. Level 4
102 enables messages from the SECURITY extension, if present,
103 including generation and revocation of authorizations and vio‐
104 lations of the security policy. Level 0 turns off the audit
105 trail. Audit lines are sent as standard error output.
106
107 -auth authorization-file
108 specifies a file which contains a collection of authorization
109 records used to authenticate access. See also the xdm(1) and
110 Xsecurity(__miscmansuffix__) manual pages.
111
112 -bs disables backing store support on all screens.
113
114 -br sets the default root window to solid black instead of the
115 standard root weave pattern.
116
117 -c turns off key-click.
118
119 c volume
120 sets key-click volume (allowable range: 0-100).
121
122 -cc class
123 sets the visual class for the root window of color screens.
124 The class numbers are as specified in the X protocol. Not
125 obeyed by all servers.
126
127 -co filename
128 This used to be the option for specifying the path to the RGB
129 color database file. As the RGB color database is now embedded
130 into the binary this option has no effect but is kept for com‐
131 patibility. Deprecated.
132
133 -core causes the server to generate a core dump on fatal errors.
134
135 -displayfd fd
136 specifies a file descriptor in the launching process. Rather
137 than specifying a display number, the X server will attempt to
138 listen on successively higher display numbers, and upon finding
139 a free one, will write the port number back on this file
140 descriptor as a newline-terminated string. The -pn option is
141 ignored when using -displayfd.
142
143 nxagent specific:
144
145 (1) Other than in X.org's Xserver, you can use -displayfd in
146 conjunction with an explicit display number. If the explicit
147 display number is not available (i.e., already in use), nxagent
148 tries to figure out the next available display number,
149
150 e.g.:
151
152 nxagent -displayfd 2 :50
153
154 (2) If -displayfd <X> is given with <X> equaling 2 (STDERR),
155 then the display number string written to STDERR is beautified
156 with some human-readable (machine-parseable) text.
157
158 -sync This option tells nxagent to synchronize its window and graph‐
159 ics operations with the real server. This is a useful option
160 for debugging, but it will slow down nxagent's performance con‐
161 siderably. It should not be used unless absolutely necessary.
162
163 -full This option tells nxagent to utilize full regeneration of real
164 server objects and reopen a new connection to the real server
165 each time nxagent regenerates. The sample server implementa‐
166 tion regenerates all objects in the server when the last client
167 of this server terminates. When this happens, nxagent by
168 default maintains the same top-level window and the same real
169 server connection in each new generation. If the user selects
170 full regeneration, even the top-level window and the connection
171 to the real server will be regenerated for each server genera‐
172 tion.
173
174 -class string
175 This option specifies the default visual class of the nested
176 server. It is similar to the -cc option from the set of stan‐
177 dard options except that it will accept a string rather than a
178 number for the visual class specification. The string must be
179 one of the following six values: StaticGray, GrayScale, Static‐
180 Color, PseudoColor, TrueColor, or DirectColor. If both the
181 -class and -cc options are specified, the last instance of
182 either option takes precedence. The class of the default vis‐
183 ual of the nested server need not be the same as the class of
184 the default visual of the real server, but it must be supported
185 by the real server. Use xdpyinfo(__appmansuffix__) to obtain a
186 list of supported visual classes on the real server before
187 starting nxagent. If the user chooses a static class, all the
188 colors in the default color map will be preallocated. If the
189 user chooses a dynamic class, colors in the default color map
190 will be available to individual clients for allocation.
191
192 -deferglyphs whichfonts
193 specifies the types of fonts for which the server should
194 attempt to use deferred glyph loading. whichfonts can be all
195 (all fonts), none (no fonts), or 16 (16 bit fonts only).
196
197 -depth int
198 This option specifies the default visual depth of the nested
199 server. The depth of the default visual of the nested server
200 need not be the same as the depth of the default visual of the
201 real server, but it must be supported by the real server. Use
202 xdpyinfo(__appmansuffix__) to obtain a list of supported visual
203 depths on the real server before starting nxagent.
204
205 -geometry WxH+X+Y
206 This option specifies the geometry parameters for the top-level
207 nxagent window. See “GEOMETRY SPECIFICATIONS” in X(__miscman‐
208 suffix__) for a discusson of this option's syntax. This window
209 corresponds to the root window of the nested server. The width
210 W and height H specified with this option will be the maximum
211 width and height of each top-level nxagent window. nxagent
212 will allow the user to make any top-level window smaller, but
213 it will not actually change the size of the nested server root
214 window. If this option is not specified, nxagent will choose W
215 and H to be 3/4ths the dimensions of the root window of the
216 real server.
217
218 -dpi resolution
219 sets the resolution for all screens, in dots per inch. If this
220 option is not specified nxagent will assume 96. There's also
221 -autodpi which will clone the real server's dpi. Note that the
222 resolution specified via -dpi is a per session setting. It can‐
223 not be changed on reconnect! This means that clients may look
224 "wrong" when reconnecting a session that had been started with
225 a different dpi than the current real xserver.
226
227 dpms enables DPMS (display power management services), where sup‐
228 ported. The default state is platform and configuration spe‐
229 cific.
230
231 -dpms disables DPMS (display power management services). The default
232 state is platform and configuration specific.
233
234 -f volume
235 sets feep (bell) volume (allowable range: 0-100).
236
237 -fc cursorFont
238 sets default cursor font.
239
240 -fn font
241 sets the default font.
242
243 -fp fontPath
244 sets the search path for fonts. This path is a comma separated
245 list of directories which the X server searches for font data‐
246 bases. See the FONTS section of this manual page for more
247 information and the default list.
248
249 -help prints a usage message.
250
251 -I causes all remaining command line arguments to be ignored.
252
253 -maxbigreqsize size
254 sets the maximum big request to size MB.
255
256 -name string
257 This option specifies the name of the top-level nxagent window
258 as string. The default value is the program name.
259
260 -nolisten trans-type
261 disables a transport type. For example, TCP/IP connections can
262 be disabled with -nolisten tcp. This option may be issued mul‐
263 tiple times to disable listening to different transport types.
264
265 -noreset
266 prevents a server reset when the last client connection is
267 closed. This overrides a previous -terminate command line
268 option.
269
270 -p minutes
271 sets screen-saver pattern cycle time in minutes.
272
273 -pn permits the server to continue running if it fails to establish
274 all of its well-known sockets (connection points for clients),
275 but establishes at least one. This option is set by default.
276
277 -nopn causes the server to exit if it fails to establish all of its
278 well-known sockets (connection points for clients).
279
280 -r turns off auto-repeat.
281
282 r turns on auto-repeat.
283
284 -s minutes
285 sets screen-saver timeout time in minutes.
286
287 -su disables save under support on all screens.
288
289 -t number
290 sets pointer acceleration threshold in pixels (i.e. after how
291 many pixels pointer acceleration should take effect).
292
293 -terminate
294 causes the server to terminate at server reset, instead of con‐
295 tinuing to run. This overrides a previous -noreset command
296 line option.
297
298 -to seconds
299 sets default connection timeout in seconds.
300
301 -tst disables all testing extensions.
302
303 v sets video-off screen-saver preference.
304
305 -v sets video-on screen-saver preference.
306
307 -wm forces the default backing-store of all windows to be When‐
308 Mapped. This is a backdoor way of getting backing-store to
309 apply to all windows. Although all mapped windows will have
310 backing store, the backing store attribute value reported by
311 the server for a window will be the last value established by a
312 client. If it has never been set by a client, the server will
313 report the default value, NotUseful. This behavior is required
314 by the X protocol, which allows the server to exceed the
315 client's backing store expectations but does not provide a way
316 to tell the client that it is doing so.
317
318 [+-]xinerama
319 enables(+) or disables(-) XINERAMA provided via the PanoramiX
320 extension. This is set to off by default.
321
322 [+-]rrxinerama
323 enables(+) or disables(-) XINERAMA provided via the RandR
324 extension. By default, this feature is enabled. To disable XIN‐
325 ERAMA completely, make sure to use both options (-xinerama and
326 -rrxinerama) on the command line.
327
328
330 nxagent additionally accepts the following non-standard options:
331
332 -logo turns on the X Window System logo display in the screen-saver.
333 There is currently no way to change this from a client.
334
335 nologo turns off the X Window System logo display in the screen-saver.
336 There is currently no way to change this from a client.
337
338 -render
339
340 default|mono|gray|color
341
342 sets the color allocation policy that will be used by the ren‐
343 der extension.
344
345 default selects the default policy defined for the display
346 depth of the X server.
347
348 mono don't use any color cell.
349
350 gray use a gray map of 13 color cells for the X render
351 extension.
352
353 color use a color cube of at most 4*4*4 colors (that is 64
354 color cells).
355
356 -dumbSched
357 disables smart scheduling on platforms that support the smart
358 scheduler.
359
360 -schedInterval interval
361 sets the smart scheduler's scheduling interval to interval mil‐
362 liseconds.
363
365 The nx-X11 system adds the following command line arguments:
366
367 -forcenx
368 force use of NX protocol messages assuming communication
369 through nxproxy
370
371 -nxrealwindowprop
372 set property NX_REAL_WINDOW for each X11 client inside nxagent,
373 providing the window XID of the corresponding window object on
374 the X server that nxagent runs on
375
376 -reportwids
377 explicitly tell nxagent to report its externally exposed X11
378 window IDs to the session log (in machine readable form), so
379 that external parsers can obtain that information from there
380
381 -reportprivatewids
382 explicitly tell nxagent to report X11 window IDs of internally
383 created window objects to the session log (in machine readable
384 form), so that external parsers can obtain that information
385 from there; this creates a lot of output and may affect perfor‐
386 mance
387
388 -timeout int
389 auto-disconnect timeout in seconds (minimum allowed: 60)
390
391 -norootlessexit
392 don't exit if there are no clients in rootless mode
393
394 -autodpi
395 detect real server's DPI and set it in the agent session; the
396 -dpi cmdline option overrides -autodpi. Note that using
397 -autodpi will also adapt the DPI on reconnect which will cause
398 newly started clients respecting the new DPI while clients that
399 had been started before the reconnect still use the old DPI.
400 This may lead to applications looking "weird".
401
402 -nomagicpixel
403 disable magic pixel support at session startup, can be re-
404 enabled via nx/nx option on session resumption
405
406 -norender
407 disable the use of the render extension
408
409 -nocomposite
410 disable the use of the composite extension
411
412 -nopersistent
413 disable disconnection/reconnection to the X display on SIGHUP
414
415 -noshmem
416 disable use of shared memory extension
417
418 -shmem enable use of shared memory extension
419
420 -noshpix
421 disable use of shared pixmaps
422
423 -shpix enable use of shared pixmaps
424
425 -noignore
426 don't ignore pointer and keyboard configuration changes man‐
427 dated by clients. As a result, configuration commands like dis‐
428 abling the keyboard bell (xset -b) will also affect the real X
429 server.
430
431 -nokbreset
432 don't reset keyboard device if the session is resumed
433
434 -noxkblock
435 this is only relevant if you also specify -keyboard=query. In
436 that case nxagent will lock the keyboard settings and clients
437 will get an error when trying to change keyboard settings via
438 XKEYBOARD. With -noxkblock the lock is not applied and clients
439 are allowed to change the keyboard settings through XKEYBOARD.
440
441 -tile WxH
442 size of image tiles (minimum allowed: 32x32)
443
444 -D enable desktop mode (default)
445
446 -R enable rootless mode
447
448 -S enable shadow mode
449
450 -B enable proxy binding mode
451
452 -version
453 show version information and exit
454
455 -options filename
456 path to an options file containing nx/nx options (see below).
457
458 Other than the command line options, nxagent can be configured at ses‐
459 sion startup and at runtime (i.e. when resuming a suspended session) by
460 so-called nx/nx options.
461
462 As nx/nx options all options supported by nxcomp (see nxproxy man page)
463 and all nxagent nx/nx options (see below) can be used. When launching
464 an nxcomp based nxagent session (i.e. proxy <-> agent), you will nor‐
465 mally set the $DISPLAY variable like this:
466
467 $ export DISPLAY=nx/nx,listen=<proxy-port>,options=<options.file>:<nx-display-port>
468 $ nxagent <command-line-options> :<nx-display-port>
469
470 The value for <nx-display-port> is some value of a not-yet-used X11
471 display (e.g. :50).
472
473 Using an options file is recommended, but you can also put available
474 nx/nx options (see below) into the DISPLAY variable directly. Note,
475 that the $DISPLAY variable field is of limited length.
476
477 As <proxy-port> you can pick an arbitrary (unused) TCP port or Unix
478 socket file path. This is the port / socket that you have to connect to
479 with the nxproxy application.
480
481 The right hand side of an option (the part following the "=" character)
482 can include URL encoded characters. It is required to URL encode at
483 least "," (as %2D) and "=" (as %3D) to avoid wrong parsing of the
484 options string.
485
486 Available nxagent options (as an addition to nx/nx options supported by
487 nxcomp already):
488
489 options=<string>
490 read options from file, this text file can contain a single
491 loooong line with comma-separated nx/nx options
492
493 rootless=<bool>
494 start nxagent in rootless mode, matches -R given on the command
495 line, no-op when resuming (default: false)
496
497 geometry=<string>
498 desktop geometry when starting or resuming a session, no-op in
499 rootless mode (default 66% of the underlying X server geometry)
500
501 resize=<bool>
502 set resizing support (default: true)
503
504 fullscreen=<bool>
505 start or resume a session in fullscreen mode (default: off)
506
507 keyboard=<string> or kbtype=<string>
508
509 query|clone|<model>/<layout>|rmlvo/<rules>#<model>#<lay‐
510 out>#<variant>#<options>
511
512
513 query use the default XKB keyboard layout (see below) and
514 only allow clients to query the settings but prevent
515 any changes. query is especially helpful for setups
516 where you need to set/modify the actual keyboard layout
517 using core X protocol functions (e.g. via xmodmap). It
518 is used for MacOS X clients to handle some keyboard
519 problems that are special for this platform. Note that
520 in this case XKEYBOARD will always report the default
521 layout which will most likely not match the experienced
522 settings.
523
524 clone ask the real X server for the keyboard settings using
525 XKEYBOARD protocol functions and clone them. This is
526 the recommended setting. For compatibility reasons it
527 is not the default.
528
529 <model>/<layout>
530 use the given model and layout. A value of null/null is
531 equivalent to clone. You can not modify keyboard rules,
532 variant or options this way. Instead preset values are
533 used. These are base for rules and empty strings for
534 variant and options.
535
536 rmlvo/<rules>#<model>#<layout>#<variant>#<options>
537 configure the keyboard according to the rmlvo
538 (Rules+Model+Layout+Variant+Options) description given
539 after the / and separated by #. This can be used to
540 fully pass the keyboard configuration of nxagent right
541 after the start. Example:
542 rmlvo/base#pc105#de,us#nodeadkeys#lv3:rwin_switch
543
544
545
546 If keyboard is omitted the internal defaults of nxagent will be
547 used (rules: base, layout: us, model: pc102, empty variant and
548 options).
549
550
551 keyconv=<string>
552 set keycode conversion mode
553
554 auto|on|off
555
556 by default (auto) nxagent will activate keycode conversion if
557 it detects an evdev XKEYBOARD setup on the client side (the
558 standard on linux systems nowadays). Keycode conversion means
559 that certain keycodes are mapped to make the keyboard appear as
560 an pc105 model. Using off this conversion can be suppressed and
561 with on it will be forced.
562
563
564 clipboard=<string>
565
566 both|client|server|none
567
568 enable / disable (set to: none) clipboard support, uni-direc‐
569 tional (server or client) or bi-directional (both, default set‐
570 ting) support
571
572 streaming=<int>
573 streaming support for images, not fully implemented yet and
574 thus non-functional
575
576 backingstore=<int>
577 disable or enforce backing store support (default: Backing‐
578 StoreUndefined)
579
580 composite=<int>
581 enable or disable Composite support in nxagent (default:
582 enabled)
583
584 xinerama=<int>
585 enable or disable XINERAMA support in nxagent (default:
586 enabled)
587
588 shmem=<bool>
589 enable using shared memory
590
591 shpix=<bool>
592 enable shared pixmaps support
593
594 client=<string>
595 type of connecting operating system (supported: linux, windows,
596 solaris and macosx)
597
598 shadow=<int>
599 start nxagent in shadow mode, matches -S given on the command
600 line, no-op when resuming (default: false)
601
602 shadowuid=<int>
603 unique identifier for the shadow session
604
605 shadowmode=<string>
606 full access (set to 1) or viewing-only (set to 0, default)
607
608 defer=<int>
609 defer image updates (enabled for all connection types except
610 LAN), accepts values 0, 1 and 2
611
612 The default value can be set via the command line (-defer). The
613 value provided as nx/nx option is set when resuming a session,
614 thus it overrides the command line default.
615
616 tile=<string>
617 set the tile size in pixels (<W>x<H>) for bitmap data sent over
618 the wire
619
620 The default value can be set via the command line (-tile). The
621 value provided as nx/nx option is set when resuming a session,
622 thus it overrides the command line default.
623
624 menu=<int>
625 support pulldown menu in nxagent session (only available on
626 proxy <-> agent remote sessions)
627
628 magicpixel=<bool>
629 enable/disable magic pixel support in fullscreen mode (default:
630 1, enabled)
631
632 autodpi=<bool>
633 enable/disable deriving session DPI automatically from real
634 server (default: 0, disabled); only takes effect on session
635 startups, gets ignored when reconnecting to a suspended session
636
637 sleep=<int>
638 delay X server operations when suspended (provided in msec),
639 set to 0 to keep nxagent session fully functional when sus‐
640 pended (e.g. useful when mirroring an nxagent session via VNC)
641
642 tolerancechecks=<string>
643
644 strict|safe|risky|bypass
645
646 strict means that the number of internal and external pixmap
647 formats must match exactly and every internal pixmap
648 format must be available in the external pixmap format
649 array. This is the default.
650
651 safe means that the number of pixmap formats might diverge,
652 but all internal pixmap formats must also be included
653 in the external pixmap formats array. This is recom‐
654 mended, because it allows clients with more pixmap for‐
655 mats to still connect, but not lose functionality.
656
657 risky means that the internal pixmap formats array is allowed
658 to be smaller than the external pixmap formats array,
659 but at least one pixmap format must be included in
660 both. This is potentially unsafe.
661
662 bypass means that all of these checks are essentially deacti‐
663 vated. This is a very bad idea.
664
665 If you want to use nxagent as a replacement for Xnest or Xephyr you can
666 pass options like this:
667
668 $ echo nx/nx,fullscreen=1$DISPLAY >/tmp/opt
669 $ nxagent <command-line-options> -options /tmp/opt :<nx-display-port>
670
671
673 X servers that support XDMCP have the following options. See the X
674 Display Manager Control Protocol specification for more information.
675
676 -query hostname
677 enables XDMCP and sends Query packets to the specified host‐
678 name.
679
680 -broadcast
681 enable XDMCP and broadcasts BroadcastQuery packets to the net‐
682 work. The first responding display manager will be chosen for
683 the session.
684
685 -multicast [address [hop count]]
686 Enable XDMCP and multicast BroadcastQuery packets to the net‐
687 work. The first responding display manager is chosen for the
688 session. If an address is specified, the multicast is sent to
689 that address. If no address is specified, the multicast is
690 sent to the default XDMCP IPv6 multicast group. If a hop count
691 is specified, it is used as the maximum hop count for the mul‐
692 ticast. If no hop count is specified, the multicast is set to
693 a maximum of 1 hop, to prevent the multicast from being routed
694 beyond the local network.
695
696 -indirect hostname
697 enables XDMCP and send IndirectQuery packets to the specified
698 hostname.
699
700 -port port-number
701 uses the specified port-number for XDMCP packets, instead of
702 the default. This option must be specified before any -query,
703 -broadcast, -multicast, or -indirect options.
704
705 -from local-address
706 specifies the local address to connect from (useful if the con‐
707 necting host has multiple network interfaces). The local-
708 address may be expressed in any form acceptable to the host
709 platform's gethostbyname(3) implementation.
710
711 -once causes the server to terminate (rather than reset) when the
712 XDMCP session ends.
713
714 -class display-class
715 XDMCP has an additional display qualifier used in resource
716 lookup for display-specific options. This option sets that
717 value, by default it is "MIT-Unspecified" (not a very useful
718 value).
719
720 -cookie xdm-auth-bits
721 When testing XDM-AUTHENTICATION-1, a private key is shared
722 between the server and the manager. This option sets the value
723 of that private data (not that it is very private, being on the
724 command line!).
725
726 -displayID display-id
727 Yet another XDMCP specific value, this one allows the display
728 manager to identify each display so that it can locate the
729 shared key.
730
731
733 X servers that support the XKEYBOARD (a.k.a. "XKB") extension accept
734 the following options. All layout files specified on the command line
735 must be located in the XKB base directory or a subdirectory, and speci‐
736 fied as the relative path from the XKB base directory. The default XKB
737 base directory is /usr/share/X11/xkb.
738
739 [+-]kb enables(+) or disables(-) the XKEYBOARD extension.
740
741 [+-]accessx [ timeout [ timeout_mask [ feedback [ options_mask ] ] ] ]
742 enables(+) or disables(-) AccessX key sequences.
743
744 -xkbdir directory
745 base directory for keyboard layout files. This option is not
746 available for setuid X servers (i.e., when the X server's real
747 and effective uids are different).
748
749 -ardelay milliseconds
750 sets the autorepeat delay (length of time in milliseconds that
751 a key must be depressed before autorepeat starts).
752
753 -arinterval milliseconds
754 sets the autorepeat interval (length of time in milliseconds
755 that should elapse between autorepeat-generated keystrokes).
756
757 -xkbmap filename
758 loads keyboard description in filename on server startup.
759
760
762 X servers that support the SECURITY extension accept the following
763 option:
764
765 -sp filename
766 causes the server to attempt to read and interpret filename as
767 a security policy file with the format described below. The
768 file is read at server startup and reread at each server reset.
769
770 The syntax of the security policy file is as follows. Notation: "*"
771 means zero or more occurrences of the preceding element, and "+" means
772 one or more occurrences. To interpret <foo/bar>, ignore the text after
773 the /; it is used to distinguish between instances of <foo> in the next
774 section.
775
776 <policy file> ::= <version line> <other line>*
777
778 <version line> ::= <string/v> '\n'
779
780 <other line > ::= <comment> | <access rule> | <site policy> | <blank line>
781
782 <comment> ::= # <not newline>* '\n'
783
784 <blank line> ::= <space> '\n'
785
786 <site policy> ::= sitepolicy <string/sp> '\n'
787
788 <access rule> ::= property <property/ar> <window> <perms> '\n'
789
790 <property> ::= <string>
791
792 <window> ::= any | root | <required property>
793
794 <required property> ::= <property/rp> | <property with value>
795
796 <property with value> ::= <property/rpv> = <string/rv>
797
798 <perms> ::= [ <operation> | <action> | <space> ]*
799
800 <operation> ::= r | w | d
801
802 <action> ::= a | i | e
803
804 <string> ::= <dbl quoted string> | <single quoted string> | <unquoted string>
805
806 <dbl quoted string> ::= <space> " <not dqoute>* " <space>
807
808 <single quoted string> ::= <space> ' <not squote>* ' <space>
809
810 <unquoted string> ::= <space> <not space>+ <space>
811
812 <space> ::= [ ' ' | '\t' ]*
813
814 Character sets:
815
816 <not newline> ::= any character except '\n'
817 <not dqoute> ::= any character except "
818 <not squote> ::= any character except '
819 <not space> ::= any character except those in <space>
820
821 The semantics associated with the above syntax are as follows.
822
823 <version line>, the first line in the file, specifies the file format
824 version. If the server does not recognize the version <string/v>, it
825 ignores the rest of the file. The version string for the file format
826 described here is "version-1" .
827
828 Once past the <version line>, lines that do not match the above syntax
829 are ignored.
830
831 <comment> lines are ignored.
832
833 <sitepolicy> lines are currently ignored. They are intended to specify
834 the site policies used by the XC-QUERY-SECURITY-1 authorization method.
835
836 <access rule> lines specify how the server should react to untrusted
837 client requests that affect the X Window property named <property/ar>.
838 The rest of this section describes the interpretation of an <access
839 rule>.
840
841 For an <access rule> to apply to a given instance of <property/ar>,
842 <property/ar> must be on a window that is in the set of windows speci‐
843 fied by <window>. If <window> is any, the rule applies to <prop‐
844 erty/ar> on any window. If <window> is root, the rule applies to
845 <property/ar> only on root windows.
846
847 If <window> is <required property>, the following apply. If <required
848 property> is a <property/rp>, the rule applies when the window also has
849 that <property/rp>, regardless of its value. If <required property> is
850 a <property with value>, <property/rpv> must also have the value speci‐
851 fied by <string/rv>. In this case, the property must have type STRING
852 and format 8, and should contain one or more null-terminated strings.
853 If any of the strings match <string/rv>, the rule applies.
854
855 The definition of string matching is simple case-sensitive string com‐
856 parison with one elaboration: the occurrence of the character '*' in
857 <string/rv> is a wildcard meaning "any string." A <string/rv> can con‐
858 tain multiple wildcards anywhere in the string. For example, "x*"
859 matches strings that begin with x, "*x" matches strings that end with
860 x, "*x*" matches strings containing x, and "x*y*" matches strings that
861 start with x and subsequently contain y.
862
863 There may be multiple <access rule> lines for a given <property/ar>.
864 The rules are tested in the order that they appear in the file. The
865 first rule that applies is used.
866
867 <perms> specify operations that untrusted clients may attempt, and the
868 actions that the server should take in response to those operations.
869
870 <operation> can be r (read), w (write), or d (delete). The following
871 table shows how X Protocol property requests map to these operations in
872 The Open Group server implementation.
873
874 GetProperty r, or r and d if delete = True
875 ChangeProperty w
876 RotateProperties r and w
877 DeleteProperty d
878 ListProperties none, untrusted clients can always list all properties
879
880 <action> can be a (allow), i (ignore), or e (error). Allow means exe‐
881 cute the request as if it had been issued by a trusted client. Ignore
882 means treat the request as a no-op. In the case of GetProperty, ignore
883 means return an empty property value if the property exists, regardless
884 of its actual value. Error means do not execute the request and return
885 a BadAtom error with the atom set to the property name. Error is the
886 default action for all properties, including those not listed in the
887 security policy file.
888
889 An <action> applies to all <operation>s that follow it, until the next
890 <action> is encountered. Thus, irwad means ignore read and write,
891 allow delete.
892
893 GetProperty and RotateProperties may do multiple operations (r and d,
894 or r and w). If different actions apply to the operations, the most
895 severe action is applied to the whole request; there is no partial
896 request execution. The severity ordering is: allow < ignore < error.
897 Thus, if the <perms> for a property are ired (ignore read, error
898 delete), and an untrusted client attempts GetProperty on that property
899 with delete = True, an error is returned, but the property value is
900 not. Similarly, if any of the properties in a RotateProperties do not
901 allow both read and write, an error is returned without changing any
902 property values.
903
904 Here is an example security policy file.
905
906 version-1
907
908 # Allow reading of application resources, but not writing.
909 property RESOURCE_MANAGER root ar iw
910 property SCREEN_RESOURCES root ar iw
911
912 # Ignore attempts to use cut buffers. Giving errors causes apps to crash,
913 # and allowing access may give away too much information.
914 property CUT_BUFFER0 root irw
915 property CUT_BUFFER1 root irw
916 property CUT_BUFFER2 root irw
917 property CUT_BUFFER3 root irw
918 property CUT_BUFFER4 root irw
919 property CUT_BUFFER5 root irw
920 property CUT_BUFFER6 root irw
921 property CUT_BUFFER7 root irw
922
923 # If you are using Motif, you probably want these.
924 property _MOTIF_DEFAULT_BINDINGS rootar iw
925 property _MOTIF_DRAG_WINDOW root ar iw
926 property _MOTIF_DRAG_TARGETS any ar iw
927 property _MOTIF_DRAG_ATOMS any ar iw
928 property _MOTIF_DRAG_ATOM_PAIRS anyar iw
929
930 # The next two rules let xwininfo -tree work when untrusted.
931 property WM_NAME any ar
932
933 # Allow read of WM_CLASS, but only for windows with WM_NAME.
934 # This might be more restrictive than necessary, but demonstrates
935 # the <required property> facility, and is also an attempt to
936 # say "top level windows only."
937 property WM_CLASS WM_NAME ar
938
939 # These next three let xlsclients work untrusted. Think carefully
940 # before including these; giving away the client machine name and command
941 # may be exposing too much.
942 property WM_STATE WM_NAME ar
943 property WM_CLIENT_MACHINE WM_NAME ar
944 property WM_COMMAND WM_NAME ar
945
946 # To let untrusted clients use the standard colormaps created by
947 # xstdcmap, include these lines.
948 property RGB_DEFAULT_MAP root ar
949 property RGB_BEST_MAP root ar
950 property RGB_RED_MAP root ar
951 property RGB_GREEN_MAP root ar
952 property RGB_BLUE_MAP root ar
953 property RGB_GRAY_MAP root ar
954
955 # To let untrusted clients use the color management database created
956 # by xcmsdb, include these lines.
957 property XDCCC_LINEAR_RGB_CORRECTION rootar
958 property XDCCC_LINEAR_RGB_MATRICES rootar
959 property XDCCC_GRAY_SCREENWHITEPOINT rootar
960 property XDCCC_GRAY_CORRECTION rootar
961
962 # To let untrusted clients use the overlay visuals that many vendors
963 # support, include this line.
964 property SERVER_OVERLAY_VISUALS rootar
965
966 # Dumb examples to show other capabilities.
967
968 # oddball property names and explicit specification of error conditions
969 property "property with spaces" 'property with "'aw er ed
970
971 # Allow deletion of Woo-Hoo if window also has property OhBoy with value
972 # ending in "son". Reads and writes will cause an error.
973 property Woo-Hoo OhBoy = "*son"ad
974
975
977 The X server supports client connections via a platform-dependent sub‐
978 set of the following transport types: TCPIP, Unix Domain sockets and
979 several varieties of SVR4 local connections. See the DISPLAY NAMES
980 section of the X(__miscmansuffix__) manual page to learn how to specify
981 which transport type clients should try to use.
982
983
985 The X server implements a platform-dependent subset of the following
986 authorization protocols: MIT-MAGIC-COOKIE-1, XDM-AUTHORIZATION-1, XDM-
987 AUTHORIZATION-2, SUN-DES-1, and MIT-KERBEROS-5. See the Xsecu‐
988 rity(__miscmansuffix__) manual page for information on the operation of
989 these protocols.
990
991 Authorization data required by the above protocols is passed to the
992 server in a private file named with the -auth command line option.
993 Each time the server is about to accept the first connection after a
994 reset (or when the server is starting), it reads this file. If this
995 file contains any authorization records, the local host is not automat‐
996 ically allowed access to the server, and only clients which send one of
997 the authorization records contained in the file in the connection setup
998 information will be allowed access. See the Xau manual page for a
999 description of the binary format of this file. See xauth(1) for main‐
1000 tenance of this file, and distribution of its contents to remote hosts.
1001
1002 The X server also uses a host-based access control list for deciding
1003 whether or not to accept connections from clients on a particular
1004 machine. If no other authorization mechanism is being used, this list
1005 initially consists of the host on which the server is running as well
1006 as any machines listed in the file /etc/Xn.hosts, where n is the dis‐
1007 play number of the server. Each line of the file should contain either
1008 an Internet hostname (e.g. expo.lcs.mit.edu) or a complete name in the
1009 format family:name as described in the xhost(1) manual page. There
1010 should be no leading or trailing spaces on any lines. For example:
1011
1012 joesworkstation
1013 corporate.company.com
1014 star::
1015 inet:bigcpu
1016 local:
1017
1018 Users can add or remove hosts from this list and enable or disable
1019 access control using the xhost command from the same machine as the
1020 server.
1021
1022 If the X FireWall Proxy (xfwp) is being used without a sitepolicy,
1023 host-based authorization must be turned on for clients to be able to
1024 connect to the X server via the xfwp. If xfwp is run without a config‐
1025 uration file and thus no sitepolicy is defined, if xfwp is using an X
1026 server where xhost + has been run to turn off host-based authorization
1027 checks, when a client tries to connect to this X server via xfwp, the X
1028 server will deny the connection. See xfwp(1) for more information
1029 about this proxy.
1030
1031 The X protocol intrinsically does not have any notion of window opera‐
1032 tion permissions or place any restrictions on what a client can do; if
1033 a program can connect to a display, it has full run of the screen. X
1034 servers that support the SECURITY extension fare better because clients
1035 can be designated untrusted via the authorization they use to connect;
1036 see the xauth(1) manual page for details. Restrictions are imposed on
1037 untrusted clients that curtail the mischief they can do. See the SECU‐
1038 RITY extension specification for a complete list of these restrictions.
1039
1040 Sites that have better authentication and authorization systems might
1041 wish to make use of the hooks in the libraries and the server to pro‐
1042 vide additional security models.
1043
1045 The X server attaches special meaning to the following signals:
1046
1047 SIGHUP This signal causes the server to close all existing connec‐
1048 tions, free all resources, and restore all defaults. It is
1049 sent by the display manager whenever the main user's main
1050 application (usually an xterm or window manager) exits to force
1051 the server to clean up and prepare for the next user.
1052
1053 SIGTERM This signal causes the server to exit cleanly.
1054
1055 SIGUSR1 This signal is used quite differently from either of the above.
1056 When the server starts, it checks to see if it has inherited
1057 SIGUSR1 as SIG_IGN instead of the usual SIG_DFL. In this case,
1058 the server sends a SIGUSR1 to its parent process after it has
1059 set up the various connection schemes. Xdm uses this feature
1060 to recognize when connecting to the server is possible.
1061
1063 The X server can obtain fonts from directories and/or from font
1064 servers. The list of directories and font servers the X server uses
1065 when trying to open a font is controlled by the font path.
1066
1067 The default font path is __default_font_path__ .
1068
1069 The font path can be set with the -fp option or by xset(1) after the
1070 server has started.
1071
1073 /etc/Xn.hosts Initial access control list for display
1074 number n
1075
1076 /usr/share/fonts/X11/misc,
1077 /usr/share/fonts/X11/75dpi,
1078 /usr/share/fonts/X11/100dpi Bitmap
1079 font directories
1080
1081 /usr/share/fonts/X11/Type1 Outline font directories
1082
1083 /usr/share/nx/rgb Color database
1084
1085 /tmp/.X11-unix/Xn Unix domain socket for display number n
1086
1087 /tmp/rcXn Kerberos 5 replay cache for display num‐
1088 ber n
1089
1091 Protocols: X Window System Protocol, NX Compression Protocol, The X
1092 Font Service Protocol, X Display Manager Control Protocol
1093
1094 Fonts: bdftopcf(1), mkfontdir(1), mkfontscale(1), xfs(1), xlsfonts(1),
1095 xfontsel(1), xfd(1), X Logical Font Description Conventions
1096
1097 Security: Xsecurity(__miscmansuffix__), xauth(1), Xau(1), xdm(1),
1098 xhost(1), xfwp(1), Security Extension Specification
1099
1100 Starting the server: xdm(1), xinit(1)
1101
1102 Controlling the server once started: xset(1), xsetroot(1), xhost(1)
1103
1104 Server-specific man pages: Xdec(1), XmacII(1), Xsun(1), Xnest(1),
1105 Xvfb(1), XFree86(1), XDarwin(1).
1106
1107 Server internal documentation: Definition of the Porting Layer for the
1108 X v11 Sample Server
1109
1111 The first sample X server was originally written by Susan Angebranndt,
1112 Raymond Drewry, Philip Karlton, and Todd Newman, from Digital Equipment
1113 Corporation, with support from a large cast. It has since been exten‐
1114 sively rewritten by Keith Packard and Bob Scheifler, from MIT. Dave
1115 Wiggins took over post-R5 and made substantial improvements.
1116
1117 The first implementation of nx-X11 (version 1.x up to 3.5.x) was writ‐
1118 ten by NoMachine (maintained until 2011).
1119
1120 The current implementation of nx-X11 is maintained by various projects,
1121 amongst others The Arctica Project, TheQVD (Qindel Group) and X2Go.
1122
1123 This manual page was written by Per Hansen <spamhans@yahoo.de>, and
1124 modified by Marcelo Boveto Shima <marceloshima@gmail.com> and Mike
1125 Gabriel <mike.gabriel@das-netzwerkteam.de>. In 2016, the original
1126 Xserver.man page shipped with nx-X11 was merged into the nxagent man
1127 page and received a major update by Mike Gabriel <mike.gabriel@das-net‐
1128 zwerkteam.de>.
1129
1130
1131
1132Version 3.5.99.20 Apr 2019 nxagent(1)