1nxagent(1)                    NX Agent (Xserver)                    nxagent(1)
2
3
4

NAME

6       nxagent - nested Xserver optimized for remote computing
7

SYNOPSIS

9       nxagent [options]
10

DESCRIPTION

12       nxagent is an X server for remote application/desktop access similar to
13       Xnest or Xephyr.
14
15       nxagent implements a very efficient compression of  the  X11  protocol,
16       called the NX protocol.
17
18       The  NX  protocol  increases performance when using X applications over
19       high latency and low bandwidth networks, while providing a local  (LAN-
20       like)  usage experience even if connecting from off-site locations (via
21       cable modem or GSM).
22
23       nxagent can be used standalone as a nested X server (with  NX  protocol
24       disabled),  but  its real benefits are gained when using it over remote
25       connections via the nxcomp compression library. The counterpart  appli‐
26       cation on the other end (i.e. the client) is called nxproxy.
27
28       When  used  in  proxy <-> agent mode, nxagent adds the feature of being
29       suspendible. Sessions can be started from  one  client,  suspended  and
30       then resumed from another (or the same) client.
31
32       nxagent  and nxproxy are utilized by various remote application/desktop
33       frameworks for providing server-side GUI application access from remote
34       client systems.
35
36       Currently,  nxagent  is  co-maintained  by three of these projects: The
37       Arctica Project, TheQVD and X2Go.
38

STARTING THE SERVER

40       nxagent should be run in user space.  Other  than  the  system's  local
41       X.org server, nxagent does not require to be run as root.  When bundled
42       with a remote application framework, you normally don't have to  launch
43       nxagent  manually. nxagent startup is usually managed by the underlying
44       framework (e.g. Arctica Session Manager, X2Go Server, etc.).
45
46       When nxagent starts up (e.g. by typing 'nxagent -ac :1' in  a  terminal
47       window),  it  typically  launches  in  "windowed desktop" mode. On your
48       local X server a new window appears being an X server itself.
49
50       However, nxagent also supports rootless (or seamless) application  mode
51       and a shadow session mode (similar to what VNC does).
52
53       Example: You can launch a complete desktop session inside this nested X
54       server now:
55
56       The Debian way...
57
58           $ export DISPLAY=:1
59           $ STARTUP=mate-session /etc/X11/Xsession
60
61       The Fedora / Gentoo / openSUSE way...
62
63           ### FIXME / TODO ###
64
65       However, nxagent also supports rootless (or seamless) application  mode
66       and a shadow session mode (similar to what VNC does).
67
68

OPTIONS

70       nxagent accepts a range of default X server options as described below.
71       Those default options have to be provided via the command line.
72
73       Furthermore, nxagent accepts some nx-X11  specific  options,  described
74       further below.
75
76       Last but not least, nxagent accepts several more options, the so-called
77       nx/nx options, provided via the $DISPLAY environment  variable  or  the
78       -options command line option. See below for further details.
79
80

STANDARD XSERVER OPTIONS

82       :displaynumber
83               The  X server runs as the given displaynumber, which by default
84               is 0.  If multiple X servers are to  run  simultaneously  on  a
85               host,  each must have a unique display number.  See the DISPLAY
86               NAMES section of the X(__miscmansuffix__) manual page to  learn
87               how to specify which display number clients should try to use.
88
89       -a number
90               sets  pointer  acceleration  (i.e.  the  ratio  of  how much is
91               reported to how much the user actually moved the pointer).
92
93       -ac     disables host-based access control mechanisms.  Enables  access
94               by  any host, and permits any host to modify the access control
95               list.  Use with extreme caution.  This option exists  primarily
96               for running test suites remotely.
97
98       -audit level
99               sets  the  audit  trail level.  The default level is 1, meaning
100               only connection rejections are reported.  Level 2  additionally
101               reports  all  successful  connections and disconnects.  Level 4
102               enables messages  from  the  SECURITY  extension,  if  present,
103               including  generation and revocation of authorizations and vio‐
104               lations of the security policy.  Level 0 turns  off  the  audit
105               trail.  Audit lines are sent as standard error output.
106
107       -auth authorization-file
108               specifies  a  file which contains a collection of authorization
109               records used to authenticate access.  See also the  xdm(1)  and
110               Xsecurity(__miscmansuffix__) manual pages.
111
112       -bs     disables backing store support on all screens.
113
114       -br     sets the default root window to solid black (default).
115
116       -wr     sets the default root window to solid white.
117
118       -c      turns off key-click.
119
120       c volume
121               sets key-click volume (allowable range: 0-100).
122
123       -cc class
124               sets  the  visual  class  for the root window of color screens.
125               The class numbers are as specified  in  the  X  protocol.   Not
126               obeyed by all servers.
127
128       -co filename
129               This  used  to be the option for specifying the path to the RGB
130               color database file. As the RGB color database is now  embedded
131               into  the binary this option has no effect but is kept for com‐
132               patibility. Deprecated.
133
134       -core   causes the server to generate a core dump on fatal errors.
135
136       -displayfd fd
137               specifies a file descriptor in the launching  process.   Rather
138               than  specifying a display number, the X server will attempt to
139               listen on successively higher display numbers, and upon finding
140               a  free  one,  will  write  the  port  number back on this file
141               descriptor as a newline-terminated string.  The -pn  option  is
142               ignored when using -displayfd.
143
144               nxagent specific:
145
146               (1)  Other  than  in X.org's Xserver, you can use -displayfd in
147               conjunction with an explicit display number.  If  the  explicit
148               display number is not available (i.e., already in use), nxagent
149               tries to figure out the next available display number,
150
151               e.g.:
152
153                  nxagent -displayfd 2 :50
154
155               (2) If -displayfd <X> is given with <X>  equaling  2  (STDERR),
156               then  the display number string written to STDERR is beautified
157               with some human-readable (machine-parseable) text.
158
159       -sync   This option tells nxagent to synchronize its window and  graph‐
160               ics  operations  with the real server.  This is a useful option
161               for debugging, but it will slow down nxagent's performance con‐
162               siderably.  It should not be used unless absolutely necessary.
163
164       -full   This  option tells nxagent to utilize full regeneration of real
165               server objects and reopen a new connection to the  real  server
166               each  time  nxagent regenerates.  The sample server implementa‐
167               tion regenerates all objects in the server when the last client
168               of  this  server  terminates.   When  this  happens, nxagent by
169               default maintains the same top-level window and the  same  real
170               server  connection in each new generation.  If the user selects
171               full regeneration, even the top-level window and the connection
172               to  the real server will be regenerated for each server genera‐
173               tion.
174
175       -class string
176               This option specifies the default visual class  of  the  nested
177               server.   It is similar to the -cc option from the set of stan‐
178               dard options except that it will accept a string rather than  a
179               number  for the visual class specification.  The string must be
180               one of the following six values: StaticGray, GrayScale, Static‐
181               Color,  PseudoColor,  TrueColor,  or  DirectColor.  If both the
182               -class and -cc options are  specified,  the  last  instance  of
183               either  option takes precedence.  The class of the default vis‐
184               ual of the nested server need not be the same as the  class  of
185               the default visual of the real server, but it must be supported
186               by the real server.  Use xdpyinfo(__appmansuffix__) to obtain a
187               list  of  supported  visual  classes  on the real server before
188               starting nxagent.  If the user chooses a static class, all  the
189               colors  in  the default color map will be preallocated.  If the
190               user chooses a dynamic class, colors in the default  color  map
191               will be available to individual clients for allocation.
192
193       -deferglyphs whichfonts
194               specifies  the  types  of  fonts  for  which  the server should
195               attempt to use deferred glyph loading.  whichfonts can  be  all
196               (all fonts), none (no fonts), or 16 (16 bit fonts only).
197
198       -depth int
199               This  option  specifies  the default visual depth of the nested
200               server.  The depth of the default visual of the  nested  server
201               need  not be the same as the depth of the default visual of the
202               real server, but it must be supported by the real server.   Use
203               xdpyinfo(__appmansuffix__) to obtain a list of supported visual
204               depths on the real server before starting nxagent.
205
206       -geometry WxH+X+Y
207               This option specifies the geometry parameters for the top-level
208               nxagent  window.  See “GEOMETRY SPECIFICATIONS” in X(__miscman‐
209               suffix__) for a discusson of this option's syntax.  This window
210               corresponds to the root window of the nested server.  The width
211               W and height H specified with this option will be  the  maximum
212               width  and  height  of  each top-level nxagent window.  nxagent
213               will allow the user to make any top-level window  smaller,  but
214               it  will not actually change the size of the nested server root
215               window.  If this option is not specified, nxagent will choose W
216               and  H  to  be  3/4ths the dimensions of the root window of the
217               real server.
218
219       -dpi resolution
220               sets the resolution for all screens, in dots per inch. If  this
221               option  is  not  specified nxagent will assume 96. There's also
222               -autodpi which will clone the real server's dpi. Note that  the
223               resolution specified via -dpi is a per session setting. It can‐
224               not be changed on reconnect! This means that clients  may  look
225               "wrong"  when reconnecting a session that had been started with
226               a different dpi than the current real xserver.
227
228       dpms    enables DPMS (display power management  services),  where  sup‐
229               ported.   The  default state is platform and configuration spe‐
230               cific.
231
232       -dpms   disables DPMS (display power management services).  The default
233               state is platform and configuration specific.
234
235       -f volume
236               sets feep (bell) volume (allowable range: 0-100).
237
238       -fc cursorFont
239               sets default cursor font.
240
241       -fn font
242               sets the default font.
243
244       -fp fontPath
245               sets the search path for fonts.  This path is a comma separated
246               list of directories which the X server searches for font  data‐
247               bases.   See  the  FONTS  section  of this manual page for more
248               information and the default list.
249
250       -help   prints a usage message.
251
252       -I      causes all remaining command line arguments to be ignored.
253
254       -maxbigreqsize size
255               sets the maximum big request to size MB.
256
257       -name string
258               This option specifies the name of the top-level nxagent  window
259               as string.  The default value is the program name.
260
261       -nolisten trans-type
262               disables a transport type.  For example, TCP/IP connections can
263               be disabled with -nolisten tcp.  This option may be issued mul‐
264               tiple times to disable listening to different transport types.
265
266       -noreset
267               prevents  a  server  reset  when  the last client connection is
268               closed.  This overrides  a  previous  -terminate  command  line
269               option.
270
271       -p minutes
272               sets screen-saver pattern cycle time in minutes.
273
274       -pn     permits the server to continue running if it fails to establish
275               all of its well-known sockets (connection points for  clients),
276               but establishes at least one.  This option is set by default.
277
278       -nopn   causes  the  server to exit if it fails to establish all of its
279               well-known sockets (connection points for clients).
280
281       -r      turns off auto-repeat.
282
283       r       turns on auto-repeat.
284
285       -s minutes
286               sets screen-saver timeout time in minutes.
287
288       -su     disables save under support on all screens.
289
290       -t number
291               sets pointer acceleration threshold in pixels (i.e.  after  how
292               many pixels pointer acceleration should take effect).
293
294       -terminate
295               causes the server to terminate at server reset, instead of con‐
296               tinuing to run.  This overrides  a  previous  -noreset  command
297               line option.
298
299       -to seconds
300               sets default connection timeout in seconds.
301
302       -tst    disables all testing extensions.
303
304       v       sets video-off screen-saver preference.
305
306       -v      sets video-on screen-saver preference.
307
308       -wm     forces  the  default  backing-store  of all windows to be When‐
309               Mapped.  This is a backdoor way  of  getting  backing-store  to
310               apply  to  all  windows.  Although all mapped windows will have
311               backing store, the backing store attribute  value  reported  by
312               the server for a window will be the last value established by a
313               client.  If it has never been set by a client, the server  will
314               report the default value, NotUseful.  This behavior is required
315               by the X protocol,  which  allows  the  server  to  exceed  the
316               client's  backing store expectations but does not provide a way
317               to tell the client that it is doing so.
318
319       [+-]xinerama
320               enables(+) or disables(-) XINERAMA provided via  the  PanoramiX
321               extension. This is set to off by default.
322
323       [+-]rrxinerama
324               enables(+)  or  disables(-)  XINERAMA  provided  via  the RandR
325               extension. By default, this feature is enabled. To disable XIN‐
326               ERAMA  completely, make sure to use both options (-xinerama and
327               -rrxinerama) on the command line.
328
329

SERVER DEPENDENT OPTIONS

331       nxagent additionally accepts the following non-standard options:
332
333       -logo   turns on the X Window System logo display in the  screen-saver.
334               There is currently no way to change this from a client.
335
336       nologo  turns off the X Window System logo display in the screen-saver.
337               There is currently no way to change this from a client.
338
339       -render
340
341               default|mono|gray|color
342
343               sets the color allocation policy that will be used by the  ren‐
344               der extension.
345
346               default selects  the  default  policy  defined  for the display
347                       depth of the X server.
348
349               mono    don't use any color cell.
350
351               gray    use a gray map of 13  color  cells  for  the  X  render
352                       extension.
353
354               color   use  a  color  cube of at most 4*4*4 colors (that is 64
355                       color cells).
356
357       -dumbSched
358               disables smart scheduling on platforms that support  the  smart
359               scheduler.
360
361       -schedInterval interval
362               sets the smart scheduler's scheduling interval to interval mil‐
363               liseconds.
364

NXAGENT SPECIFIC OPTIONS

366       The nx-X11 system adds the following command line arguments:
367
368       -forcenx
369               force  use  of  NX  protocol  messages  assuming  communication
370               through nxproxy
371
372       -autograb
373               enable  autograb  mode on nxagent startup. The autograb feature
374               can be toggled via nxagent keystrokes
375
376       -nxrealwindowprop
377               set property NX_REAL_WINDOW for each X11 client inside nxagent,
378               providing  the window XID of the corresponding window object on
379               the X server that nxagent runs on
380
381       -reportwids
382               explicitly tell nxagent to report its  externally  exposed  X11
383               window  IDs  to  the session log (in machine readable form), so
384               that external parsers can obtain that information from there
385
386       -reportprivatewids
387               explicitly tell nxagent to report X11 window IDs of  internally
388               created  window objects to the session log (in machine readable
389               form), so that external parsers  can  obtain  that  information
390               from there; this creates a lot of output and may affect perfor‐
391               mance
392
393       -timeout int
394               auto-disconnect timeout in seconds (minimum allowed: 60)
395
396       -norootlessexit
397               don't exit if there are no clients in rootless mode
398
399       -autodpi
400               detect real server's DPI and set it in the agent  session;  the
401               -dpi  cmdline  option  overrides  -autodpi.   Note  that  using
402               -autodpi will also adapt the DPI on reconnect which will  cause
403               newly started clients respecting the new DPI while clients that
404               had been started before the reconnect still use  the  old  DPI.
405               This may lead to applications looking "weird".
406
407       -nomagicpixel
408               disable  magic  pixel  support  at  session startup, can be re-
409               enabled via nx/nx option on session resumption
410
411       -norender
412               disable the use of the render extension
413
414       -nocomposite
415               disable the use of the composite extension
416
417       -nopersistent
418               disable disconnection/reconnection to the X display on SIGHUP
419
420       -noshmem
421               disable use of shared memory extension
422
423       -shmem  enable use of shared memory extension
424
425       -noshpix
426               disable use of shared pixmaps
427
428       -shpix  enable use of shared pixmaps
429
430       -noignore
431               don't ignore pointer and keyboard  configuration  changes  man‐
432               dated by clients. As a result, configuration commands like dis‐
433               abling the keyboard bell (xset -b) will also affect the real  X
434               server.
435
436       -nokbreset
437               don't reset keyboard device if the session is resumed
438
439       -noxkblock
440               this  is  only relevant if you also specify -keyboard=query. In
441               that case nxagent will lock the keyboard settings  and  clients
442               will  get  an error when trying to change keyboard settings via
443               XKEYBOARD. With -noxkblock the lock is not applied and  clients
444               are allowed to change the keyboard settings through XKEYBOARD.
445
446       -tile WxH
447               size of image tiles (minimum allowed: 32x32)
448
449       -D      enable desktop mode (default)
450
451       -R      enable rootless mode
452
453       -S      enable shadow mode
454
455       -B      enable proxy binding mode
456
457       -version
458               show version information and exit
459
460       -options filename
461               path to an options file containing nx/nx options (see below).
462
463       Other  than the command line options, nxagent can be configured at ses‐
464       sion startup and at runtime (i.e. when resuming a suspended session) by
465       so-called nx/nx options.
466
467       As nx/nx options all options supported by nxcomp (see nxproxy man page)
468       and all nxagent nx/nx options (see below) can be used.  When  launching
469       an  nxcomp  based nxagent session (i.e. proxy <-> agent), you will nor‐
470       mally set the $DISPLAY variable like this:
471
472         $ export DISPLAY=nx/nx,listen=<proxy-port>,options=<options.file>:<nx-display-port>
473         $ nxagent <command-line-options> :<nx-display-port>
474
475       The value for <nx-display-port> is some value  of  a  not-yet-used  X11
476       display (e.g. :50).
477
478       Using  an  options  file is recommended, but you can also put available
479       nx/nx options (see below) into the  DISPLAY  variable  directly.  Note,
480       that the $DISPLAY variable field is of limited length.
481
482       As  <proxy-port>  you  can  pick an arbitrary (unused) TCP port or Unix
483       socket file path. This is the port / socket that you have to connect to
484       with the nxproxy application.
485
486       The right hand side of an option (the part following the "=" character)
487       can include URL encoded characters. It is required  to  URL  encode  at
488       least  ","  (as  %2D)  and  "="  (as %3D) to avoid wrong parsing of the
489       options string.
490
491       Available nxagent options (as an addition to nx/nx options supported by
492       nxcomp already):
493
494       options=<string>
495               read  options  from  file,  this text file can contain a single
496               loooong line with comma-separated nx/nx options
497
498       rootless=<bool>
499               start nxagent in rootless mode, matches -R given on the command
500               line, no-op when resuming (default: false)
501
502       geometry=<string>
503               desktop  geometry when starting or resuming a session, no-op in
504               rootless mode (default 66% of the underlying X server geometry)
505
506       resize=<bool>
507               set resizing support (default: true)
508
509       fullscreen=<bool>
510               start or resume a session in fullscreen mode (default: off)
511
512       keyboard=<string> or kbtype=<string>
513
514               query|clone|<model>/<layout>|rmlvo/<rules>#<model>#<lay‐
515               out>#<variant>#<options>
516
517
518               query   use  the  default  XKB  keyboard layout (see below) and
519                       only allow clients to query the  settings  but  prevent
520                       any  changes.  query  is  especially helpful for setups
521                       where you need to set/modify the actual keyboard layout
522                       using  core X protocol functions (e.g. via xmodmap). It
523                       is used for MacOS X clients  to  handle  some  keyboard
524                       problems that are special for this platform.  Note that
525                       in this case XKEYBOARD will always report  the  default
526                       layout which will most likely not match the experienced
527                       settings.
528
529               clone   ask the real X server for the keyboard  settings  using
530                       XKEYBOARD  protocol  functions  and clone them. This is
531                       the recommended setting. For compatibility  reasons  it
532                       is not the default.
533
534               <model>/<layout>
535                       use the given model and layout. A value of null/null is
536                       equivalent to clone. You can not modify keyboard rules,
537                       variant  or options this way. Instead preset values are
538                       used. These are base for rules and  empty  strings  for
539                       variant and options.
540
541               rmlvo/<rules>#<model>#<layout>#<variant>#<options>
542                       configure   the   keyboard   according   to  the  rmlvo
543                       (Rules+Model+Layout+Variant+Options) description  given
544                       after  the  /  and  separated by #. This can be used to
545                       fully pass the keyboard configuration of nxagent  right
546                       after           the           start.           Example:
547                       rmlvo/base#pc105#de,us#nodeadkeys#lv3:rwin_switch
548
549
550
551              If keyboard is omitted the internal defaults of nxagent will  be
552              used  (rules:  base, layout: us, model: pc102, empty variant and
553              options).
554
555
556       keyconv=<string>
557               set keycode conversion mode
558
559               auto|on|off
560
561               by default (auto) nxagent will activate keycode  conversion  if
562               it  detects  an  evdev  XKEYBOARD setup on the client side (the
563               standard on linux systems nowadays). Keycode  conversion  means
564               that certain keycodes are mapped to make the keyboard appear as
565               an pc105 model. Using off this conversion can be suppressed and
566               with on it will be forced.
567
568
569       clipboard=<string>
570
571               both|client|server|none
572
573               enable  /  disable (set to: none) clipboard support, uni-direc‐
574               tional (server or client) or bi-directional (both, default set‐
575               ting) support
576
577       streaming=<int>
578               streaming  support  for  images,  not fully implemented yet and
579               thus non-functional
580
581       backingstore=<int>
582               disable or enforce backing  store  support  (default:  Backing‐
583               StoreUndefined)
584
585       composite=<int>
586               enable  or  disable  Composite  support  in  nxagent  (default:
587               enabled)
588
589       xinerama=<int>
590               enable  or  disable  XINERAMA  support  in  nxagent   (default:
591               enabled)
592
593       shmem=<bool>
594               enable using shared memory
595
596       shpix=<bool>
597               enable shared pixmaps support
598
599       client=<string>
600               type of connecting operating system (supported: linux, windows,
601               solaris and macosx)
602
603       shadow=<int>
604               start nxagent in shadow mode, matches -S given on  the  command
605               line, no-op when resuming (default: false)
606
607       shadowuid=<int>
608               unique identifier for the shadow session
609
610       shadowmode=<string>
611               full access (set to 1) or viewing-only (set to 0, default)
612
613       defer=<int>
614               defer  image  updates  (enabled for all connection types except
615               LAN), accepts values 0, 1 and 2
616
617               The default value can be set via the command line (-defer). The
618               value  provided as nx/nx option is set when resuming a session,
619               thus it overrides the command line default.
620
621       tile=<string>
622               set the tile size in pixels (<W>x<H>) for bitmap data sent over
623               the wire
624
625               The  default value can be set via the command line (-tile). The
626               value provided as nx/nx option is set when resuming a  session,
627               thus it overrides the command line default.
628
629       menu=<int>
630               support  pulldown  menu  in  nxagent session (only available on
631               proxy <-> agent remote sessions)
632
633       magicpixel=<bool>
634               enable/disable magic pixel support in fullscreen mode (default:
635               1, enabled)
636
637       autodpi=<bool>
638               enable/disable  deriving  session  DPI  automatically from real
639               server (default: 0, disabled); only  takes  effect  on  session
640               startups, gets ignored when reconnecting to a suspended session
641
642       sleep=<int>
643               delay  X  server  operations when suspended (provided in msec),
644               set to 0 to keep nxagent session  fully  functional  when  sus‐
645               pended (e.g. useful when mirroring an nxagent session via VNC)
646
647       tolerancechecks=<string>
648
649               strict|safe|risky|bypass
650
651               strict  means  that  the number of internal and external pixmap
652                       formats must match exactly and  every  internal  pixmap
653                       format  must be available in the external pixmap format
654                       array. This is the default.
655
656               safe    means that the number of pixmap formats might  diverge,
657                       but  all  internal pixmap formats must also be included
658                       in the external pixmap formats array.  This  is  recom‐
659                       mended, because it allows clients with more pixmap for‐
660                       mats to still connect, but not lose functionality.
661
662               risky   means that the internal pixmap formats array is allowed
663                       to  be  smaller than the external pixmap formats array,
664                       but at least one pixmap  format  must  be  included  in
665                       both. This is potentially unsafe.
666
667               bypass  means  that all of these checks are essentially deacti‐
668                       vated. This is a very bad idea.
669
670       autograb=<int>
671               enable or disable autograb (default: disabled)
672
673       If you want to use nxagent as a replacement for Xnest or Xephyr you can
674       pass options like this:
675
676         $ echo nx/nx,fullscreen=1$DISPLAY >/tmp/opt
677         $ nxagent <command-line-options> -options /tmp/opt :<nx-display-port>
678
679

XDMCP OPTIONS

681       X  servers  that  support  XDMCP have the following options.  See the X
682       Display Manager Control Protocol specification for more information.
683
684       -query hostname
685               enables XDMCP and sends Query packets to  the  specified  host‐
686               name.
687
688       -broadcast
689               enable  XDMCP and broadcasts BroadcastQuery packets to the net‐
690               work.  The first responding display manager will be chosen  for
691               the session.
692
693       -multicast [address [hop count]]
694               Enable  XDMCP  and multicast BroadcastQuery packets to the net‐
695               work.  The first responding display manager is chosen  for  the
696               session.   If an address is specified, the multicast is sent to
697               that address.  If no address is  specified,  the  multicast  is
698               sent to the default XDMCP IPv6 multicast group.  If a hop count
699               is specified, it is used as the maximum hop count for the  mul‐
700               ticast.   If no hop count is specified, the multicast is set to
701               a maximum of 1 hop, to prevent the multicast from being  routed
702               beyond the local network.
703
704       -indirect hostname
705               enables  XDMCP  and send IndirectQuery packets to the specified
706               hostname.
707
708       -port port-number
709               uses the specified port-number for XDMCP  packets,  instead  of
710               the  default.  This option must be specified before any -query,
711               -broadcast, -multicast, or -indirect options.
712
713       -from local-address
714               specifies the local address to connect from (useful if the con‐
715               necting  host  has  multiple  network  interfaces).  The local-
716               address may be expressed in any form  acceptable  to  the  host
717               platform's gethostbyname(3) implementation.
718
719       -once   causes  the  server  to  terminate (rather than reset) when the
720               XDMCP session ends.
721
722       -class display-class
723               XDMCP has an additional  display  qualifier  used  in  resource
724               lookup  for  display-specific  options.   This option sets that
725               value, by default it is "MIT-Unspecified" (not  a  very  useful
726               value).
727
728       -cookie xdm-auth-bits
729               When  testing  XDM-AUTHENTICATION-1,  a  private  key is shared
730               between the server and the manager.  This option sets the value
731               of that private data (not that it is very private, being on the
732               command line!).
733
734       -displayID display-id
735               Yet another XDMCP specific value, this one allows  the  display
736               manager  to  identify  each  display  so that it can locate the
737               shared key.
738
739

XKEYBOARD OPTIONS

741       X servers that support the XKEYBOARD (a.k.a.  "XKB")  extension  accept
742       the  following options.  All layout files specified on the command line
743       must be located in the XKB base directory or a subdirectory, and speci‐
744       fied as the relative path from the XKB base directory.  The default XKB
745       base directory is /usr/share/X11/xkb.
746
747       [+-]kb  enables(+) or disables(-) the XKEYBOARD extension.
748
749       [+-]accessx [ timeout [ timeout_mask [ feedback [ options_mask ] ] ] ]
750               enables(+) or disables(-) AccessX key sequences.
751
752       -xkbdir directory
753               base directory for keyboard layout files.  This option  is  not
754               available  for setuid X servers (i.e., when the X server's real
755               and effective uids are different).
756
757       -ardelay milliseconds
758               sets the autorepeat delay (length of time in milliseconds  that
759               a key must be depressed before autorepeat starts).
760
761       -arinterval milliseconds
762               sets  the  autorepeat  interval (length of time in milliseconds
763               that should elapse between autorepeat-generated keystrokes).
764
765       -xkbmap filename
766               loads keyboard description in filename on server startup.
767
768

SECURITY EXTENSION OPTIONS

770       X servers that support the  SECURITY  extension  accept  the  following
771       option:
772
773       -sp filename
774               causes  the server to attempt to read and interpret filename as
775               a security policy file with the format  described  below.   The
776               file is read at server startup and reread at each server reset.
777
778       The  syntax  of  the security policy file is as follows.  Notation: "*"
779       means zero or more occurrences of the preceding element, and "+"  means
780       one or more occurrences.  To interpret <foo/bar>, ignore the text after
781       the /; it is used to distinguish between instances of <foo> in the next
782       section.
783
784       <policy file> ::= <version line> <other line>*
785
786       <version line> ::= <string/v> '\n'
787
788       <other line > ::= <comment> | <access rule> | <site policy> | <blank line>
789
790       <comment> ::= # <not newline>* '\n'
791
792       <blank line> ::= <space> '\n'
793
794       <site policy> ::= sitepolicy <string/sp> '\n'
795
796       <access rule> ::= property <property/ar> <window> <perms> '\n'
797
798       <property> ::= <string>
799
800       <window> ::= any | root | <required property>
801
802       <required property> ::= <property/rp> | <property with value>
803
804       <property with value> ::= <property/rpv> = <string/rv>
805
806       <perms> ::= [ <operation> | <action> | <space> ]*
807
808       <operation> ::= r | w | d
809
810       <action> ::= a | i | e
811
812       <string> ::= <dbl quoted string> | <single quoted string> | <unquoted string>
813
814       <dbl quoted string> ::= <space> " <not dqoute>* " <space>
815
816       <single quoted string> ::= <space> ' <not squote>* ' <space>
817
818       <unquoted string> ::= <space> <not space>+ <space>
819
820       <space> ::= [ ' ' | '\t' ]*
821
822       Character sets:
823
824       <not newline> ::= any character except '\n'
825       <not dqoute>  ::= any character except "
826       <not squote>  ::= any character except '
827       <not space>   ::= any character except those in <space>
828
829       The semantics associated with the above syntax are as follows.
830
831       <version  line>,  the first line in the file, specifies the file format
832       version.  If the server does not recognize the version  <string/v>,  it
833       ignores  the  rest of the file.  The version string for the file format
834       described here is "version-1" .
835
836       Once past the <version line>, lines that do not match the above  syntax
837       are ignored.
838
839       <comment> lines are ignored.
840
841       <sitepolicy> lines are currently ignored.  They are intended to specify
842       the site policies used by the XC-QUERY-SECURITY-1 authorization method.
843
844       <access rule> lines specify how the server should  react  to  untrusted
845       client  requests that affect the X Window property named <property/ar>.
846       The rest of this section describes the  interpretation  of  an  <access
847       rule>.
848
849       For  an  <access  rule>  to apply to a given instance of <property/ar>,
850       <property/ar> must be on a window that is in the set of windows  speci‐
851       fied  by  <window>.   If  <window>  is  any, the rule applies to <prop‐
852       erty/ar> on any window.  If <window>  is  root,  the  rule  applies  to
853       <property/ar> only on root windows.
854
855       If  <window> is <required property>, the following apply.  If <required
856       property> is a <property/rp>, the rule applies when the window also has
857       that <property/rp>, regardless of its value.  If <required property> is
858       a <property with value>, <property/rpv> must also have the value speci‐
859       fied  by <string/rv>.  In this case, the property must have type STRING
860       and format 8, and should contain one or more  null-terminated  strings.
861       If any of the strings match <string/rv>, the rule applies.
862
863       The  definition of string matching is simple case-sensitive string com‐
864       parison with one elaboration: the occurrence of the  character  '*'  in
865       <string/rv> is a wildcard meaning "any string."  A <string/rv> can con‐
866       tain multiple wildcards anywhere in  the  string.   For  example,  "x*"
867       matches  strings  that begin with x, "*x" matches strings that end with
868       x, "*x*" matches strings containing x, and "x*y*" matches strings  that
869       start with x and subsequently contain y.
870
871       There  may  be  multiple <access rule> lines for a given <property/ar>.
872       The rules are tested in the order that they appear in  the  file.   The
873       first rule that applies is used.
874
875       <perms>  specify operations that untrusted clients may attempt, and the
876       actions that the server should take in response to those operations.
877
878       <operation> can be r (read), w (write), or d (delete).   The  following
879       table shows how X Protocol property requests map to these operations in
880       The Open Group server implementation.
881
882       GetProperty    r, or r and d if delete = True
883       ChangeProperty w
884       RotateProperties    r and w
885       DeleteProperty d
886       ListProperties none, untrusted clients can always list all properties
887
888       <action> can be a (allow), i (ignore), or e (error).  Allow means  exe‐
889       cute  the request as if it had been issued by a trusted client.  Ignore
890       means treat the request as a no-op.  In the case of GetProperty, ignore
891       means return an empty property value if the property exists, regardless
892       of its actual value.  Error means do not execute the request and return
893       a  BadAtom  error with the atom set to the property name.  Error is the
894       default action for all properties, including those not  listed  in  the
895       security policy file.
896
897       An  <action> applies to all <operation>s that follow it, until the next
898       <action> is encountered.  Thus, irwad  means  ignore  read  and  write,
899       allow delete.
900
901       GetProperty  and  RotateProperties may do multiple operations (r and d,
902       or r and w).  If different actions apply to the  operations,  the  most
903       severe  action  is  applied  to  the whole request; there is no partial
904       request execution.  The severity ordering is: allow < ignore  <  error.
905       Thus,  if  the  <perms>  for  a  property  are ired (ignore read, error
906       delete), and an untrusted client attempts GetProperty on that  property
907       with  delete  =  True,  an error is returned, but the property value is
908       not.  Similarly, if any of the properties in a RotateProperties do  not
909       allow  both  read  and write, an error is returned without changing any
910       property values.
911
912       Here is an example security policy file.
913
914       version-1
915
916       # Allow reading of application resources, but not writing.
917       property RESOURCE_MANAGER     root      ar iw
918       property SCREEN_RESOURCES     root      ar iw
919
920       # Ignore attempts to use cut buffers.  Giving errors causes apps to crash,
921       # and allowing access may give away too much information.
922       property CUT_BUFFER0          root      irw
923       property CUT_BUFFER1          root      irw
924       property CUT_BUFFER2          root      irw
925       property CUT_BUFFER3          root      irw
926       property CUT_BUFFER4          root      irw
927       property CUT_BUFFER5          root      irw
928       property CUT_BUFFER6          root      irw
929       property CUT_BUFFER7          root      irw
930
931       # If you are using Motif, you probably want these.
932       property _MOTIF_DEFAULT_BINDINGS        rootar iw
933       property _MOTIF_DRAG_WINDOW   root      ar iw
934       property _MOTIF_DRAG_TARGETS  any       ar iw
935       property _MOTIF_DRAG_ATOMS    any       ar iw
936       property _MOTIF_DRAG_ATOM_PAIRS         anyar iw
937
938       # The next two rules let xwininfo -tree work when untrusted.
939       property WM_NAME              any       ar
940
941       # Allow read of WM_CLASS, but only for windows with WM_NAME.
942       # This might be more restrictive than necessary, but demonstrates
943       # the <required property> facility, and is also an attempt to
944       # say "top level windows only."
945       property WM_CLASS             WM_NAME   ar
946
947       # These next three let xlsclients work untrusted.  Think carefully
948       # before including these; giving away the client machine name and command
949       # may be exposing too much.
950       property WM_STATE             WM_NAME   ar
951       property WM_CLIENT_MACHINE    WM_NAME   ar
952       property WM_COMMAND           WM_NAME   ar
953
954       # To let untrusted clients use the standard colormaps created by
955       # xstdcmap, include these lines.
956       property RGB_DEFAULT_MAP      root      ar
957       property RGB_BEST_MAP         root      ar
958       property RGB_RED_MAP          root      ar
959       property RGB_GREEN_MAP        root      ar
960       property RGB_BLUE_MAP         root      ar
961       property RGB_GRAY_MAP         root      ar
962
963       # To let untrusted clients use the color management database created
964       # by xcmsdb, include these lines.
965       property XDCCC_LINEAR_RGB_CORRECTION    rootar
966       property XDCCC_LINEAR_RGB_MATRICES      rootar
967       property XDCCC_GRAY_SCREENWHITEPOINT    rootar
968       property XDCCC_GRAY_CORRECTION          rootar
969
970       # To let untrusted clients use the overlay visuals that many vendors
971       # support, include this line.
972       property SERVER_OVERLAY_VISUALS         rootar
973
974       # Dumb examples to show other capabilities.
975
976       # oddball property names and explicit specification of error conditions
977       property "property with spaces"         'property with "'aw er ed
978
979       # Allow deletion of Woo-Hoo if window also has property OhBoy with value
980       # ending in "son".  Reads and writes will cause an error.
981       property Woo-Hoo              OhBoy = "*son"ad
982
983

NETWORK CONNECTIONS

985       The X server supports client connections via a platform-dependent  sub‐
986       set  of  the  following transport types: TCPIP, Unix Domain sockets and
987       several varieties of SVR4 local connections.   See  the  DISPLAY  NAMES
988       section of the X(__miscmansuffix__) manual page to learn how to specify
989       which transport type clients should try to use.
990
991

GRANTING ACCESS

993       The X server implements a platform-dependent subset  of  the  following
994       authorization  protocols: MIT-MAGIC-COOKIE-1, XDM-AUTHORIZATION-1, XDM-
995       AUTHORIZATION-2,  SUN-DES-1,  and  MIT-KERBEROS-5.   See   the   Xsecu‐
996       rity(__miscmansuffix__) manual page for information on the operation of
997       these protocols.
998
999       Authorization data required by the above protocols  is  passed  to  the
1000       server  in  a  private  file  named with the -auth command line option.
1001       Each time the server is about to accept the first  connection  after  a
1002       reset  (or  when  the server is starting), it reads this file.  If this
1003       file contains any authorization records, the local host is not automat‐
1004       ically allowed access to the server, and only clients which send one of
1005       the authorization records contained in the file in the connection setup
1006       information  will  be  allowed  access.   See the Xau manual page for a
1007       description of the binary format of this file.  See xauth(1) for  main‐
1008       tenance of this file, and distribution of its contents to remote hosts.
1009
1010       The  X  server  also uses a host-based access control list for deciding
1011       whether or not to accept  connections  from  clients  on  a  particular
1012       machine.   If no other authorization mechanism is being used, this list
1013       initially consists of the host on which the server is running  as  well
1014       as  any  machines listed in the file /etc/Xn.hosts, where n is the dis‐
1015       play number of the server.  Each line of the file should contain either
1016       an  Internet hostname (e.g. expo.lcs.mit.edu) or a complete name in the
1017       format family:name as described in the  xhost(1)  manual  page.   There
1018       should be no leading or trailing spaces on any lines.  For example:
1019
1020               joesworkstation
1021               corporate.company.com
1022               star::
1023               inet:bigcpu
1024               local:
1025
1026       Users  can  add  or  remove  hosts from this list and enable or disable
1027       access control using the xhost command from the  same  machine  as  the
1028       server.
1029
1030       If  the  X  FireWall  Proxy  (xfwp) is being used without a sitepolicy,
1031       host-based authorization must be turned on for clients to  be  able  to
1032       connect to the X server via the xfwp.  If xfwp is run without a config‐
1033       uration file and thus no sitepolicy is defined, if xfwp is using  an  X
1034       server  where xhost + has been run to turn off host-based authorization
1035       checks, when a client tries to connect to this X server via xfwp, the X
1036       server  will  deny  the  connection.   See xfwp(1) for more information
1037       about this proxy.
1038
1039       The X protocol intrinsically does not have any notion of window  opera‐
1040       tion  permissions or place any restrictions on what a client can do; if
1041       a program can connect to a display, it has full run of the  screen.   X
1042       servers that support the SECURITY extension fare better because clients
1043       can be designated untrusted via the authorization they use to  connect;
1044       see  the xauth(1) manual page for details.  Restrictions are imposed on
1045       untrusted clients that curtail the mischief they can do.  See the SECU‐
1046       RITY extension specification for a complete list of these restrictions.
1047
1048       Sites  that  have better authentication and authorization systems might
1049       wish to make use of the hooks in the libraries and the server  to  pro‐
1050       vide additional security models.
1051

SIGNALS

1053       The X server attaches special meaning to the following signals:
1054
1055       SIGHUP  This  signal  causes  the  server to close all existing connec‐
1056               tions, free all resources, and restore  all  defaults.   It  is
1057               sent  by  the  display  manager  whenever  the main user's main
1058               application (usually an xterm or window manager) exits to force
1059               the server to clean up and prepare for the next user.
1060
1061       SIGTERM This signal causes the server to exit cleanly.
1062
1063       SIGUSR1 This signal is used quite differently from either of the above.
1064               When the server starts, it checks to see if  it  has  inherited
1065               SIGUSR1 as SIG_IGN instead of the usual SIG_DFL.  In this case,
1066               the server sends a SIGUSR1 to its parent process after  it  has
1067               set  up  the various connection schemes.  Xdm uses this feature
1068               to recognize when connecting to the server is possible.
1069

FONTS

1071       The X server  can  obtain  fonts  from  directories  and/or  from  font
1072       servers.   The  list  of directories and font servers the X server uses
1073       when trying to open a font is controlled by the font path.
1074
1075       The default font path is __default_font_path__ .
1076
1077       The font path can be set with the -fp option or by  xset(1)  after  the
1078       server has started.
1079

FILES

1081       /etc/Xn.hosts                 Initial  access  control list for display
1082                                     number n
1083
1084       /usr/share/fonts/X11/misc,
1085                                         /usr/share/fonts/X11/75dpi,
1086                                         /usr/share/fonts/X11/100dpi    Bitmap
1087                                     font directories
1088
1089       /usr/share/fonts/X11/Type1    Outline font directories
1090
1091       /usr/share/nx/rgb             Color database
1092
1093       /tmp/.X11-unix/Xn             Unix domain socket for display number n
1094
1095       /tmp/rcXn                     Kerberos  5 replay cache for display num‐
1096                                     ber n
1097

SEE ALSO

1099       Protocols: X Window System Protocol, NX  Compression  Protocol,  The  X
1100       Font Service Protocol, X Display Manager Control Protocol
1101
1102       Fonts:  bdftopcf(1), mkfontdir(1), mkfontscale(1), xfs(1), xlsfonts(1),
1103       xfontsel(1), xfd(1), X Logical Font Description Conventions
1104
1105       Security:  Xsecurity(__miscmansuffix__),  xauth(1),   Xau(1),   xdm(1),
1106       xhost(1), xfwp(1), Security Extension Specification
1107
1108       Starting the server: xdm(1), xinit(1)
1109
1110       Controlling the server once started: xset(1), xsetroot(1), xhost(1)
1111
1112       Server-specific  man  pages:  Xdec(1),  XmacII(1),  Xsun(1),  Xnest(1),
1113       Xvfb(1), XFree86(1), XDarwin(1).
1114
1115       Server internal documentation: Definition of the Porting Layer for  the
1116       X v11 Sample Server
1117

AUTHORS

1119       The  first sample X server was originally written by Susan Angebranndt,
1120       Raymond Drewry, Philip Karlton, and Todd Newman, from Digital Equipment
1121       Corporation,  with support from a large cast.  It has since been exten‐
1122       sively rewritten by Keith Packard and Bob  Scheifler,  from  MIT.  Dave
1123       Wiggins took over post-R5 and made substantial improvements.
1124
1125       The  first implementation of nx-X11 (version 1.x up to 3.5.x) was writ‐
1126       ten by NoMachine (maintained until 2011).
1127
1128       The current implementation of nx-X11 is maintained by various projects,
1129       amongst others The Arctica Project, TheQVD (Qindel Group) and X2Go.
1130
1131       This  manual  page  was  written by Per Hansen <spamhans@yahoo.de>, and
1132       modified by Marcelo  Boveto  Shima  <marceloshima@gmail.com>  and  Mike
1133       Gabriel   <mike.gabriel@das-netzwerkteam.de>.  In  2016,  the  original
1134       Xserver.man page shipped with nx-X11 was merged into  the  nxagent  man
1135       page and received a major update by Mike Gabriel <mike.gabriel@das-net‐
1136       zwerkteam.de>.
1137
1138
1139
1140Version 3.5.99.22                  Aug 2019                         nxagent(1)
Impressum