1nxagent(1) NX Agent (Xserver) nxagent(1)
2
6 nxagent - nested Xserver optimized for remote computing
7
9 nxagent [options]
10
12 nxagent is an X server for remote application/desktop access similar to
13 Xnest or Xephyr.
14 nxagent implements a very efficient compression of the X11 protocol,
16 called the NX protocol.
17 The NX protocol increases performance when using X applications over
19 high latency and low bandwidth networks, while providing a local (LAN-
20 like) usage experience even if connecting from off-site locations (via
21 cable modem or GSM).
22 nxagent can be used standalone as a nested X server (with NX protocol
24 disabled), but its real benefits are gained when using it over remote
25 connections via the nxcomp compression library. The counterpart appli‐
26 cation on the other end (i.e. the client) is called nxproxy.
27 When used in proxy <-> agent mode, nxagent adds the feature of being
29 suspendible. Sessions can be started from one client, suspended and
30 then resumed from another (or the same) client.
31 nxagent and nxproxy are utilized by various remote application/desktop
33 frameworks for providing server-side GUI application access from remote
34 client systems.
35 Currently, nxagent is co-maintained by three of these projects: The
37 Arctica Project, TheQVD and X2Go.
38
40 nxagent should be run in user space. Other than the system's local
41 X.org server, nxagent does not require to be run as root. When bundled
42 with a remote application framework, you normally don't have to launch
43 nxagent manually. nxagent startup is usually managed by the underlying
44 framework (e.g. Arctica Session Manager, X2Go Server, etc.).
45 When nxagent starts up (e.g. by typing 'nxagent -ac :1' in a terminal
47 window), it typically launches in "windowed desktop" mode. On your lo‐
48 cal X server a new window appears being an X server itself.
49 However, nxagent also supports rootless (or seamless) application mode
51 and a shadow session mode (similar to what VNC does).
52 Example: You can launch a complete desktop session inside this nested X
54 server now:
55 The Debian way...
57 $ export DISPLAY=:1
59 $ STARTUP=mate-session /etc/X11/Xsession
60 The Fedora / Gentoo / openSUSE way...
62 ### FIXME / TODO ###
64 However, nxagent also supports rootless (or seamless) application mode
66 and a shadow session mode (similar to what VNC does).
67
70 nxagent accepts a range of default X server options as described below.
71 Those default options have to be provided via the command line.
72 Furthermore, nxagent accepts some nx-X11 specific options, described
74 further below.
75 Last but not least, nxagent accepts several more options, the so-called
77 nx/nx options, provided via the $DISPLAY environment variable or the
78 -options command line option. See below for further details.
79
82 :displaynumber
83 The X server runs as the given displaynumber, which by default
84 is 0. If multiple X servers are to run simultaneously on a
85 host, each must have a unique display number. See the DISPLAY
86 NAMES section of the X(__miscmansuffix__) manual page to learn
87 how to specify which display number clients should try to use.
88 -a number
90 sets pointer acceleration (i.e. the ratio of how much is re‐
91 ported to how much the user actually moved the pointer).
92 -ac disables host-based access control mechanisms. Enables access
94 by any host, and permits any host to modify the access control
95 list. Use with extreme caution. This option exists primarily
96 for running test suites remotely.
97 -audit level
99 sets the audit trail level. The default level is 1, meaning
100 only connection rejections are reported. Level 2 additionally
101 reports all successful connections and disconnects. Level 4
102 enables messages from the SECURITY extension, if present, in‐
103 cluding generation and revocation of authorizations and viola‐
104 tions of the security policy. Level 0 turns off the audit
105 trail. Audit lines are sent as standard error output.
106 -auth authorization-file
108 specifies a file which contains a collection of authorization
109 records used to authenticate access. See also the xdm(1) and
110 Xsecurity(__miscmansuffix__) manual pages.
111 -bs disables backing store support on all screens.
113 -br sets the default root window to solid black (default).
115 -wr sets the default root window to solid white.
117 -c turns off key-click.
119 c volume
121 sets key-click volume (allowable range: 0-100).
122 -cc class
124 sets the visual class for the root window of color screens.
125 The class numbers are as specified in the X protocol. Not
126 obeyed by all servers.
127 -co filename
129 This used to be the option for specifying the path to the RGB
130 color database file. As the RGB color database is now embedded
131 into the binary this option has no effect but is kept for com‐
132 patibility. Deprecated.
133 -core causes the server to generate a core dump on fatal errors.
135 -displayfd fd
137 specifies a file descriptor in the launching process. Rather
138 than specifying a display number, the X server will attempt to
139 listen on successively higher display numbers, and upon finding
140 a free one, will write the port number back on this file de‐
141 scriptor as a newline-terminated string. The -pn option is ig‐
142 nored when using -displayfd.
143 nxagent specific:
145 (1) Other than in X.org's Xserver, you can use -displayfd in
147 conjunction with an explicit display number. If the explicit
148 display number is not available (i.e., already in use), nxagent
149 tries to figure out the next available display number,
150 e.g.:
152 nxagent -displayfd 2 :50
154 (2) If -displayfd <X> is given with <X> equaling 2 (STDERR),
156 then the display number string written to STDERR is beautified
157 with some human-readable (machine-parseable) text.
158 -sync This option tells nxagent to synchronize its window and graph‐
160 ics operations with the real server. This is a useful option
161 for debugging, but it will slow down nxagent's performance con‐
162 siderably. It should not be used unless absolutely necessary.
163 -full This option tells nxagent to utilize full regeneration of real
165 server objects and reopen a new connection to the real server
166 each time nxagent regenerates. The sample server implementa‐
167 tion regenerates all objects in the server when the last client
168 of this server terminates. When this happens, nxagent by de‐
169 fault maintains the same top-level window and the same real
170 server connection in each new generation. If the user selects
171 full regeneration, even the top-level window and the connection
172 to the real server will be regenerated for each server genera‐
173 tion.
174 -class string
176 This option specifies the default visual class of the nested
177 server. It is similar to the -cc option from the set of stan‐
178 dard options except that it will accept a string rather than a
179 number for the visual class specification. The string must be
180 one of the following six values: StaticGray, GrayScale, Static‐
181 Color, PseudoColor, TrueColor, or DirectColor. If both the
182 -class and -cc options are specified, the last instance of ei‐
183 ther option takes precedence. The class of the default visual
184 of the nested server need not be the same as the class of the
185 default visual of the real server, but it must be supported by
186 the real server. Use xdpyinfo(__appmansuffix__) to obtain a
187 list of supported visual classes on the real server before
188 starting nxagent. If the user chooses a static class, all the
189 colors in the default color map will be preallocated. If the
190 user chooses a dynamic class, colors in the default color map
191 will be available to individual clients for allocation.
192 -deferglyphs whichfonts
194 specifies the types of fonts for which the server should at‐
195 tempt to use deferred glyph loading. whichfonts can be all
196 (all fonts), none (no fonts), or 16 (16 bit fonts only).
197 -depth int
199 This option specifies the default visual depth of the nested
200 server. The depth of the default visual of the nested server
201 need not be the same as the depth of the default visual of the
202 real server, but it must be supported by the real server. Use
203 xdpyinfo(__appmansuffix__) to obtain a list of supported visual
204 depths on the real server before starting nxagent.
205 -geometry WxH+X+Y
207 This option specifies the geometry parameters for the top-level
208 nxagent window. See “GEOMETRY SPECIFICATIONS” in X(__miscman‐
209 suffix__) for a discusson of this option's syntax. This window
210 corresponds to the root window of the nested server. The width
211 W and height H specified with this option will be the maximum
212 width and height of each top-level nxagent window. nxagent
213 will allow the user to make any top-level window smaller, but
214 it will not actually change the size of the nested server root
215 window. If this option is not specified, nxagent will choose W
216 and H to be 3/4ths the dimensions of the root window of the
217 real server. For further values accepted see the documentation
218 of geometry=<string> below.
219 -dpi resolution
221 sets the resolution for all screens, in dots per inch. If this
222 option is not specified nxagent will assume 96. There's also
223 -autodpi which will clone the real server's dpi. Note that the
224 resolution specified via -dpi is a per session setting. It can‐
225 not be changed on reconnect! This means that clients may look
226 "wrong" when reconnecting a session that had been started with
227 a different dpi than the current real xserver.
228 dpms enables DPMS (display power management services), where sup‐
230 ported. The default state is platform and configuration spe‐
231 cific.
232 -dpms disables DPMS (display power management services). The default
234 state is platform and configuration specific.
235 -f volume
237 sets feep (bell) volume (allowable range: 0-100).
238 -fc cursorFont
240 sets default cursor font.
241 -fn font
243 sets the default font.
244 -fp fontPath
246 sets the search path for fonts. This path is a comma separated
247 list of directories which the X server searches for font data‐
248 bases. See the FONTS section of this manual page for more in‐
249 formation and the default list.
250 -help prints a usage message.
252 -I causes all remaining command line arguments to be ignored.
254 -maxbigreqsize size
256 sets the maximum big request to size MB.
257 -name string
259 This option specifies the name of the top-level nxagent window
260 as string. The default value is the program name.
261 -nolisten trans-type
263 disables a transport type. For example, TCP/IP connections can
264 be disabled with -nolisten tcp. This option may be issued mul‐
265 tiple times to disable listening to different transport types.
266 -noreset
268 prevents a server reset when the last client connection is
269 closed. This overrides a previous -terminate command line op‐
270 tion.
271 -p minutes
273 sets screen-saver pattern cycle time in minutes.
274 -pn permits the server to continue running if it fails to establish
276 all of its well-known sockets (connection points for clients),
277 but establishes at least one. This option is set by default.
278 -nopn causes the server to exit if it fails to establish all of its
280 well-known sockets (connection points for clients).
281 -r turns off auto-repeat.
283 r turns on auto-repeat.
285 -s minutes
287 sets screen-saver timeout time in minutes.
288 -su disables save under support on all screens.
290 -t number
292 sets pointer acceleration threshold in pixels (i.e. after how
293 many pixels pointer acceleration should take effect).
294 -terminate
296 causes the server to terminate at server reset, instead of con‐
297 tinuing to run. This overrides a previous -noreset command
298 line option.
299 -to seconds
301 sets default connection timeout in seconds.
302 -tst disables all testing extensions.
304 v sets video-off screen-saver preference.
306 -v sets video-on screen-saver preference.
308 -wm forces the default backing-store of all windows to be When‐
310 Mapped. This is a backdoor way of getting backing-store to ap‐
311 ply to all windows. Although all mapped windows will have
312 backing store, the backing store attribute value reported by
313 the server for a window will be the last value established by a
314 client. If it has never been set by a client, the server will
315 report the default value, NotUseful. This behavior is required
316 by the X protocol, which allows the server to exceed the
317 client's backing store expectations but does not provide a way
318 to tell the client that it is doing so.
319 [+-]xinerama
321 enables(+) or disables(-) XINERAMA provided via the PanoramiX
322 extension. This is set to off by default.
323 [+-]rrxinerama
325 enables(+) or disables(-) XINERAMA provided via the RandR ex‐
326 tension. By default, this feature is enabled. To disable XIN‐
327 ERAMA completely, make sure to use both options (-xinerama and
328 -rrxinerama) on the command line.
329
332 nxagent additionally accepts the following non-standard options:
333 -logo turns on the X Window System logo display in the screen-saver.
335 There is currently no way to change this from a client.
336 nologo turns off the X Window System logo display in the screen-saver.
338 There is currently no way to change this from a client.
339 -render
341 default|mono|gray|color
343 sets the color allocation policy that will be used by the ren‐
345 der extension.
346 default selects the default policy defined for the display
348 depth of the X server.
349 mono don't use any color cell.
351 gray use a gray map of 13 color cells for the X render ex‐
353 tension.
354 color use a color cube of at most 4*4*4 colors (that is 64
356 color cells).
357 -dumbSched
359 disables smart scheduling on platforms that support the smart
360 scheduler.
361 -schedInterval interval
363 sets the smart scheduler's scheduling interval to interval mil‐
364 liseconds.
365
367 The nx-X11 system adds the following command line arguments:
368 -forcenx
370 force use of NX protocol messages assuming communication
371 through nxproxy
372 -id string
374 The session id.
375 -autograb
377 enable autograb mode on nxagent startup. The autograb feature
378 can be toggled via nxagent keystrokes
379 -textclipboard
381 force text-only clipboard nxagent startup. See option file op‐
382 tion textclipboard=<bool> for an explanation.
383 -nxrealwindowprop
385 set property NX_REAL_WINDOW for each X11 client inside nxagent,
386 providing the window XID of the corresponding window object on
387 the X server that nxagent runs on
388 -reportwids
390 explicitly tell nxagent to report its externally exposed X11
391 window IDs to the session log (in machine readable form), so
392 that external parsers can obtain that information from there
393 -reportprivatewids
395 explicitly tell nxagent to report X11 window IDs of internally
396 created window objects to the session log (in machine readable
397 form), so that external parsers can obtain that information
398 from there; this creates a lot of output and may affect perfor‐
399 mance
400 -timeout int
402 auto-disconnect timeout in seconds (minimum allowed: 60). De‐
403 fault is 0 (no timeout).
404 -norootlessexit
406 don't exit if there are no clients in rootless mode
407 -autodpi
409 detect real server's DPI and set it in the agent session; the
410 -dpi cmdline option overrides -autodpi. Note that using -au‐
411 todpi will also adapt the DPI on reconnect which will cause
412 newly started clients respecting the new DPI while clients that
413 had been started before the reconnect still use the old DPI.
414 This may lead to applications looking "weird".
415 -nomagicpixel
417 disable magic pixel support at session startup, can be re-en‐
418 abled via nx/nx option on session resumption
419 -norender
421 disable the use of the render extension
422 -nocomposite/-composite
424 disable/enable the use of the composite extension (default ist
425 disabled)
426 -nopersistent
428 disable disconnection/reconnection to the X display on SIGHUP.
429 Non-persistent sessions will terminate on SIGHUP.
430 -noshmem
432 disable use of shared memory extension
433 -shmem enable use of shared memory extension (default)
435 -noshpix
437 disable use of shared pixmaps
438 -shpix enable use of shared pixmaps (default)
440 -noignore
442 don't ignore pointer and keyboard configuration changes man‐
443 dated by clients. As a result, configuration commands like dis‐
444 abling the keyboard bell (xset -b) will also affect the real X
445 server.
446 -nokbreset
448 don't reset keyboard device if the session is resumed
449 -noxkblock
451 this is only relevant if you also specify -keyboard=query. In
452 that case nxagent will lock the keyboard settings and clients
453 will get an error when trying to change keyboard settings via
454 XKEYBOARD. With -noxkblock the lock is not applied and clients
455 are allowed to change the keyboard settings through XKEYBOARD.
456 -tile WxH
458 maximum size of the tile used when sending an image to the re‐
459 mote display (minimum allowed: 32x32). The default depends on
460 the link type: 64x64 for modem and isdn, 4096x4096 for all
461 other link types)
462 -irlimit
464 maximum image data rate to the encoder input in kB/s. The de‐
465 fault is no limit.
466 -D enable desktop mode (default)
468 -R enable rootless mode
470 -S enable shadow mode
472 -B enable proxy binding mode
474 -keystrokefile
476 define path to a keyboard shortcut definitions file. Default is
477 ~/.nx/keystrokes.cfg and /etc/nxagent/keystroke.cfg (first ex‐
478 isting file is taken). If nxagent is run as x2goagent the de‐
479 faults are ~/.x2go/keystrokes.cfg and /etc/x2go/keystrokes.cfg
480 nxagent knows about that are not defined in this file are ig‐
481 nored. (Only) if no file is found built-in defaults are used.
482 The keystroke file can be re-read by a keystroke (ctrl-alt-k by
483 default). See README.keystrokes and README.keystrokes.debug
484 for all keystrokes nxagent knows. At startup the active key‐
485 strokes are printed to the session output.
486 -version
488 show version information and exit
489 -options filepath|string
491 path to an options file containing nx/nx options (see below).
492 Instead of a path the options can be specified diretly on the
493 commandline by prefixing the options strings with nx/nx, which
494 is mostly useful for testing/debugging.
495 In addition to the command line options, nxagent can be configured at
497 session startup and at runtime (i.e. when resuming a suspended session)
498 by so-called nx/nx options. The options file is read on startup. It can
499 be modified during runtime (but it must stay at the same path). On re-
500 connect the modified file is then read and the changed options are ap‐
501 plied.
502 As nx/nx options all options supported by nxcomp (see nxproxy man page)
504 and all nxagent nx/nx options (see below) can be used. When launching
505 an nxcomp based nxagent session (i.e. proxy <-> agent), you will nor‐
506 mally set the $DISPLAY variable like this:
507 $ export DISPLAY=nx/nx,listen=<proxy-port>,options=<options.file>:<nx-display-port>
509 $ nxagent <command-line-options> :<nx-display-port>
510 The value for <nx-display-port> is some value of a not-yet-used X11
512 display (e.g. :50).
513 Using an options file is recommended, but you can also put available
515 nx/nx options (see below) into the DISPLAY variable directly. Note,
516 that the $DISPLAY variable field is of limited length.
517 As <proxy-port> you can pick an arbitrary (unused) TCP port or Unix
519 socket file path. This is the port / socket that you have to connect to
520 with the nxproxy application.
521 The right hand side of an option (the part following the "=" character)
523 can include URL encoded characters. It is required to URL encode at
524 least "," (as %2D) and "=" (as %3D) to avoid wrong parsing of the op‐
525 tions string.
526 Available nxagent options (as an addition to nx/nx options supported by
528 nxcomp already):
529 options=<string>
531 read options from file, this text file can contain a single
532 loooong line with comma-separated nx/nx options
533 rootless=<bool>
535 start nxagent in rootless mode, matches -R given on the command
536 line, no-op when resuming (default: 0, disabled)
537 geometry=<string>
539 desktop geometry when starting or resuming a session, no-op in
540 rootless mode (default 66% of the underlying X server geome‐
541 try). You can either specify a standard X geometry string
542 (WxH+X+Y) or allscreens for a window covering all available
543 screens or onescreen for a window covering only one screen. For
544 historical reasons fullscreen (as a synonym to allscreens) is
545 also accepted.
546 fullscreen=<int>
548 start or resume a session in fullscreen mode (default: 0, off).
549 Specify 1 for a fullscreen window covering all available
550 screens or 2 for a fullscreen window covering only the first
551 screen.
552 resize=<bool>
554 set resizing support (default: 1, enabled)
555 keyboard=<string> or kbtype=<string>
557 query|clone|<model>/<layout>|rmlvo/<rules>#<model>#<lay‐
559 out>#<variant>#<options>
560 query use the default XKB keyboard layout (see below) and
563 only allow clients to query the settings but prevent
564 any changes. query is especially helpful for setups
565 where you need to set/modify the actual keyboard layout
566 using core X protocol functions (e.g. via xmodmap). It
567 is used for MacOS X clients to handle some keyboard
568 problems that are special for this platform. Note that
569 in this case XKEYBOARD will always report the default
570 layout which will most likely not match the experienced
571 settings.
572 clone ask the real X server for the keyboard settings using
574 XKEYBOARD protocol functions and clone them. This is
575 the recommended setting. For compatibility reasons it
576 is not the default.
577 <model>/<layout>
579 use the given model and layout. A value of null/null is
580 equivalent to clone. You can not modify keyboard rules,
581 variant or options this way. Instead preset values are
582 used. These are base for rules and empty strings for
583 variant and options.
584 rmlvo/<rules>#<model>#<layout>#<variant>#<options>
586 configure the keyboard according to the rmlvo
587 (Rules+Model+Layout+Variant+Options) description given
588 after the / and separated by #. This can be used to
589 fully pass the keyboard configuration of nxagent right
590 after the start. Example: rm‐
591 lvo/base#pc105#de,us#nodeadkeys#lv3:rwin_switch
592 If keyboard is omitted the internal defaults of nxagent will be
596 used (rules: base, layout: us, model: pc102, empty variant and
597 options).
598 keyconv=<string>
601 set keycode conversion mode
602 auto|on|off
604 by default (auto) nxagent will activate keycode conversion if
606 it detects an evdev XKEYBOARD setup on the nxproxy side (the
607 standard on Linux systems nowadays). Keycode conversion means
608 that certain keycodes are mapped to make the keyboard appear as
609 an pc105 model. Using off this conversion can be suppressed and
610 with on it will be forced.
611 clipboard=<string>
614 both|client|server|none
616 both Allow clipboard data exchange both from nxagent to real
619 X server and vice-versa. This is the default.
620 client Limit clipboard data exchange to work only in one di‐
622 rection: from real X server to nxagent. Clipboard will
623 still work inside nxagent. This setting effectively
624 prevents data leakage from the nxagent session to the
625 outside.
626 server Limit clipboard data exchange to work only in one di‐
628 rection: from nxagent to real X server.
629 none Disable any clipboard data exchange. Clipboard will
631 still work inside the nxagent and on the real X server,
632 but no data exchange will be possible.
633 textclipboard=<bool>
635 enable (set to 1) or disable (set to 0) text-only clipboard.
636 Text-only clipboard is the old (<= 3.5.99.26) clipboard behav‐
637 iour where you could only copy and paste text strings (no
638 graphics, no rich text, ...). Using this mode been seen as a
639 security feature as it effectively prevents transferring dan‐
640 gerous binary data, e.g. manipulated graphics by accident. On
641 the other hand it's also less comfortable. (default: disabled)
642 streaming=<bool>
644 enable (set to 1) or disable (set to 0) streaming support for
645 images, not fully implemented yet and thus non-functional. (de‐
646 fault: disabled)
647 backingstore=<bool>
649 disable (set to 0) or enforce (set to 1) backing store support
650 (default: enforced). In rootless mode backingstore is always
651 disabled.
652 composite=<bool>
654 enable (set to 1) or disable (set to 0) Composite support in
655 nxagent (default: enabled)
656 xinerama=<bool>
658 enable (set to 1) or disable (set to 0) XINERAMA support in nx‐
659 agent (default: enabled)
660 shmem=<bool>
662 enable/disable using shared memory. Accepted values: 1 (enable,
663 default), 0 (disable)
664 shpix=<bool>
666 enable/disable shared pixmaps support. Accepted values: 1 (en‐
667 able, default), 0 (disable)
668 client=<string>
670 type of connecting operating system (supported: linux, windows,
671 solaris and macosx)
672 clients=<string>
674 filename where to log output of the nxagent's clients. This is
675 ignored if no session id has been provided. It then points to
676 stderr. Default: <sessiondir>/clients.
677 shadow=<string>
679 define the display that should be shadowed
680 shadowuid=<int>
682 unique identifier for the shadow session
683 shadowmode=<bool>
685 full access (set to 1) or viewing-only (set to 0, default)
686 state=<string>
688 filename where to store the state of the nxagent (for easier
689 interoperation with software like x2go. Default: ses‐
690 siondir/state.
691 defer=<int>
693 defer image updates (enabled for all connection types except
694 LAN), accepts values 0, 1 and 2
695 The default value can be set via the command line (-defer). The
697 value provided as nx/nx option is set when resuming a session,
698 thus it overrides the command line default.
699 The default depends on the link type (see man nxproxy).
701 Each defer level adds the following rules to the previous ones:
703 0 Eager encoding.
705 Default for link speed lan and local.
707 1 No data is put or copied on pixmaps, marking them al‐
709 ways as corrupted and synchronizing them on demand,
710 i.e. when a copy area to a window is requested, the
711 source is synchronized before copying it.
712 Default for link speed wan.
714 2 The put images over the windows are skipped marking the
716 destination as corrupted. The same happens for copy
717 area and composite operations, spreading the corrupted
718 regions of involved drawables.
719 Default for link speed adsl, isdn and modem.
721 tile=<string>
724 set the maximum tile size in pixels (<W>x<H>) for bitmap data
725 sent over the wire
726 The default value can be set via the command line (-tile). The
728 value provided as nx/nx option is set when resuming a session,
729 thus it overrides the command line default.
730 menu=<bool>
732 support pulldown menu in nxagent session (only available on
733 proxy <-> agent remote sessions) (default: 1, enabled)
734 magicpixel=<bool>
736 enable/disable magic pixel support in fullscreen mode (default:
737 1, enabled)
738 copysize=<int>
740 Maximum number of bytes that can be pasted from an NX session
741 into an external application. Default is unlimited.
742 autodpi=<bool>
744 enable/disable deriving session DPI automatically from real
745 server (default: 0, disabled); only takes effect on session
746 startups, gets ignored when reconnecting to a suspended session
747 sleep=<int>
749 delay X server operations when suspended (provided in millisec‐
750 onds), set to 0 to keep nxagent session fully functional when
751 suspended (e.g. useful when mirroring an nxagent session via
752 VNC). Graphic intensive applications will be affected by this
753 more than others. The default is 50ms.
754 tolerancechecks=<string>
756 strict|safe|risky|bypass
758 strict means that the number of internal and external pixmap
760 formats must match exactly and every internal pixmap
761 format must be available in the external pixmap format
762 array. This is the default.
763 safe means that the number of pixmap formats might diverge,
765 but all internal pixmap formats must also be included
766 in the external pixmap formats array. This is recom‐
767 mended, because it allows clients with more pixmap for‐
768 mats to still connect, but not lose functionality.
769 risky means that the internal pixmap formats array is allowed
771 to be smaller than the external pixmap formats array,
772 but at least one pixmap format must be included in
773 both. This is potentially unsafe.
774 bypass means that all of these checks are essentially deacti‐
776 vated. This is a very bad idea.
777 autograb=<bool>
779 enable or disable autograb (default: 0, disabled). Can be tog‐
780 gled during session via keystroke.
781 If you want to use nxagent as a replacement for Xnest or Xephyr you can
783 pass options like this:
784 $ echo nx/nx,fullscreen=1$DISPLAY >/tmp/opt
786 $ nxagent <command-line-options> -options /tmp/opt :<nx-display-port>
787
790 X servers that support XDMCP have the following options. See the X
791 Display Manager Control Protocol specification for more information.
792 -query hostname
794 enables XDMCP and sends Query packets to the specified host‐
795 name.
796 -broadcast
798 enable XDMCP and broadcasts BroadcastQuery packets to the net‐
799 work. The first responding display manager will be chosen for
800 the session.
801 -multicast [address [hop count]]
803 Enable XDMCP and multicast BroadcastQuery packets to the net‐
804 work. The first responding display manager is chosen for the
805 session. If an address is specified, the multicast is sent to
806 that address. If no address is specified, the multicast is
807 sent to the default XDMCP IPv6 multicast group. If a hop count
808 is specified, it is used as the maximum hop count for the mul‐
809 ticast. If no hop count is specified, the multicast is set to
810 a maximum of 1 hop, to prevent the multicast from being routed
811 beyond the local network.
812 -indirect hostname
814 enables XDMCP and send IndirectQuery packets to the specified
815 hostname.
816 -port port-number
818 uses the specified port-number for XDMCP packets, instead of
819 the default. This option must be specified before any -query,
820 -broadcast, -multicast, or -indirect options.
821 -from local-address
823 specifies the local address to connect from (useful if the con‐
824 necting host has multiple network interfaces). The local-ad‐
825 dress may be expressed in any form acceptable to the host plat‐
826 form's gethostbyname(3) implementation.
827 -once causes the server to terminate (rather than reset) when the
829 XDMCP session ends.
830 -class display-class
832 XDMCP has an additional display qualifier used in resource
833 lookup for display-specific options. This option sets that
834 value, by default it is "MIT-Unspecified" (not a very useful
835 value).
836 -cookie xdm-auth-bits
838 When testing XDM-AUTHENTICATION-1, a private key is shared be‐
839 tween the server and the manager. This option sets the value
840 of that private data (not that it is very private, being on the
841 command line!).
842 -displayID display-id
844 Yet another XDMCP specific value, this one allows the display
845 manager to identify each display so that it can locate the
846 shared key.
847
850 X servers that support the XKEYBOARD (a.k.a. "XKB") extension accept
851 the following options. All layout files specified on the command line
852 must be located in the XKB base directory or a subdirectory, and speci‐
853 fied as the relative path from the XKB base directory. The default XKB
854 base directory is /usr/share/X11/xkb.
855 [+-]kb enables(+) or disables(-) the XKEYBOARD extension.
857 [+-]accessx [ timeout [ timeout_mask [ feedback [ options_mask ] ] ] ]
859 enables(+) or disables(-) AccessX key sequences.
860 -xkbdir directory
862 base directory for keyboard layout files. This option is not
863 available for setuid X servers (i.e., when the X server's real
864 and effective uids are different).
865 -ardelay milliseconds
867 sets the autorepeat delay (length of time in milliseconds that
868 a key must be depressed before autorepeat starts).
869 -arinterval milliseconds
871 sets the autorepeat interval (length of time in milliseconds
872 that should elapse between autorepeat-generated keystrokes).
873 -xkbmap filename
875 loads keyboard description in filename on server startup.
876
879 X servers that support the SECURITY extension accept the following op‐
880 tion:
881 -sp filename
883 causes the server to attempt to read and interpret filename as
884 a security policy file with the format described below. The
885 file is read at server startup and reread at each server reset.
886 The syntax of the security policy file is as follows. Notation: "*"
888 means zero or more occurrences of the preceding element, and "+" means
889 one or more occurrences. To interpret <foo/bar>, ignore the text after
890 the /; it is used to distinguish between instances of <foo> in the next
891 section.
892 <policy file> ::= <version line> <other line>*
894 <version line> ::= <string/v> '\n'
896 <other line > ::= <comment> | <access rule> | <site policy> | <blank line>
898 <comment> ::= # <not newline>* '\n'
900 <blank line> ::= <space> '\n'
902 <site policy> ::= sitepolicy <string/sp> '\n'
904 <access rule> ::= property <property/ar> <window> <perms> '\n'
906 <property> ::= <string>
908 <window> ::= any | root | <required property>
910 <required property> ::= <property/rp> | <property with value>
912 <property with value> ::= <property/rpv> = <string/rv>
914 <perms> ::= [ <operation> | <action> | <space> ]*
916 <operation> ::= r | w | d
918 <action> ::= a | i | e
920 <string> ::= <dbl quoted string> | <single quoted string> | <unquoted string>
922 <dbl quoted string> ::= <space> " <not dqoute>* " <space>
924 <single quoted string> ::= <space> ' <not squote>* ' <space>
926 <unquoted string> ::= <space> <not space>+ <space>
928 <space> ::= [ ' ' | '\t' ]*
930 Character sets:
932 <not newline> ::= any character except '\n'
934 <not dqoute> ::= any character except "
935 <not squote> ::= any character except '
936 <not space> ::= any character except those in <space>
937 The semantics associated with the above syntax are as follows.
939 <version line>, the first line in the file, specifies the file format
941 version. If the server does not recognize the version <string/v>, it
942 ignores the rest of the file. The version string for the file format
943 described here is "version-1" .
944 Once past the <version line>, lines that do not match the above syntax
946 are ignored.
947 <comment> lines are ignored.
949 <sitepolicy> lines are currently ignored. They are intended to specify
951 the site policies used by the XC-QUERY-SECURITY-1 authorization method.
952 <access rule> lines specify how the server should react to untrusted
954 client requests that affect the X Window property named <property/ar>.
955 The rest of this section describes the interpretation of an <access
956 rule>.
957 For an <access rule> to apply to a given instance of <property/ar>,
959 <property/ar> must be on a window that is in the set of windows speci‐
960 fied by <window>. If <window> is any, the rule applies to <prop‐
961 erty/ar> on any window. If <window> is root, the rule applies to
962 <property/ar> only on root windows.
963 If <window> is <required property>, the following apply. If <required
965 property> is a <property/rp>, the rule applies when the window also has
966 that <property/rp>, regardless of its value. If <required property> is
967 a <property with value>, <property/rpv> must also have the value speci‐
968 fied by <string/rv>. In this case, the property must have type STRING
969 and format 8, and should contain one or more null-terminated strings.
970 If any of the strings match <string/rv>, the rule applies.
971 The definition of string matching is simple case-sensitive string com‐
973 parison with one elaboration: the occurrence of the character '*' in
974 <string/rv> is a wildcard meaning "any string." A <string/rv> can con‐
975 tain multiple wildcards anywhere in the string. For example, "x*"
976 matches strings that begin with x, "*x" matches strings that end with
977 x, "*x*" matches strings containing x, and "x*y*" matches strings that
978 start with x and subsequently contain y.
979 There may be multiple <access rule> lines for a given <property/ar>.
981 The rules are tested in the order that they appear in the file. The
982 first rule that applies is used.
983 <perms> specify operations that untrusted clients may attempt, and the
985 actions that the server should take in response to those operations.
986 <operation> can be r (read), w (write), or d (delete). The following
988 table shows how X Protocol property requests map to these operations in
989 The Open Group server implementation.
990 GetProperty r, or r and d if delete = True
992 ChangeProperty w
993 RotateProperties r and w
994 DeleteProperty d
995 ListProperties none, untrusted clients can always list all properties
996 <action> can be a (allow), i (ignore), or e (error). Allow means exe‐
998 cute the request as if it had been issued by a trusted client. Ignore
999 means treat the request as a no-op. In the case of GetProperty, ignore
1000 means return an empty property value if the property exists, regardless
1001 of its actual value. Error means do not execute the request and return
1002 a BadAtom error with the atom set to the property name. Error is the
1003 default action for all properties, including those not listed in the
1004 security policy file.
1005 An <action> applies to all <operation>s that follow it, until the next
1007 <action> is encountered. Thus, irwad means ignore read and write, al‐
1008 low delete.
1009 GetProperty and RotateProperties may do multiple operations (r and d,
1011 or r and w). If different actions apply to the operations, the most
1012 severe action is applied to the whole request; there is no partial re‐
1013 quest execution. The severity ordering is: allow < ignore < error.
1014 Thus, if the <perms> for a property are ired (ignore read, error
1015 delete), and an untrusted client attempts GetProperty on that property
1016 with delete = True, an error is returned, but the property value is
1017 not. Similarly, if any of the properties in a RotateProperties do not
1018 allow both read and write, an error is returned without changing any
1019 property values.
1020 Here is an example security policy file.
1022 version-1
1024 # Allow reading of application resources, but not writing.
1026 property RESOURCE_MANAGER root ar iw
1027 property SCREEN_RESOURCES root ar iw
1028 # Ignore attempts to use cut buffers. Giving errors causes apps to crash,
1030 # and allowing access may give away too much information.
1031 property CUT_BUFFER0 root irw
1032 property CUT_BUFFER1 root irw
1033 property CUT_BUFFER2 root irw
1034 property CUT_BUFFER3 root irw
1035 property CUT_BUFFER4 root irw
1036 property CUT_BUFFER5 root irw
1037 property CUT_BUFFER6 root irw
1038 property CUT_BUFFER7 root irw
1039 # If you are using Motif, you probably want these.
1041 property _MOTIF_DEFAULT_BINDINGS rootar iw
1042 property _MOTIF_DRAG_WINDOW root ar iw
1043 property _MOTIF_DRAG_TARGETS any ar iw
1044 property _MOTIF_DRAG_ATOMS any ar iw
1045 property _MOTIF_DRAG_ATOM_PAIRS anyar iw
1046 # The next two rules let xwininfo -tree work when untrusted.
1048 property WM_NAME any ar
1049 # Allow read of WM_CLASS, but only for windows with WM_NAME.
1051 # This might be more restrictive than necessary, but demonstrates
1052 # the <required property> facility, and is also an attempt to
1053 # say "top level windows only."
1054 property WM_CLASS WM_NAME ar
1055 # These next three let xlsclients work untrusted. Think carefully
1057 # before including these; giving away the client machine name and command
1058 # may be exposing too much.
1059 property WM_STATE WM_NAME ar
1060 property WM_CLIENT_MACHINE WM_NAME ar
1061 property WM_COMMAND WM_NAME ar
1062 # To let untrusted clients use the standard colormaps created by
1064 # xstdcmap, include these lines.
1065 property RGB_DEFAULT_MAP root ar
1066 property RGB_BEST_MAP root ar
1067 property RGB_RED_MAP root ar
1068 property RGB_GREEN_MAP root ar
1069 property RGB_BLUE_MAP root ar
1070 property RGB_GRAY_MAP root ar
1071 # To let untrusted clients use the color management database created
1073 # by xcmsdb, include these lines.
1074 property XDCCC_LINEAR_RGB_CORRECTION rootar
1075 property XDCCC_LINEAR_RGB_MATRICES rootar
1076 property XDCCC_GRAY_SCREENWHITEPOINT rootar
1077 property XDCCC_GRAY_CORRECTION rootar
1078 # To let untrusted clients use the overlay visuals that many vendors
1080 # support, include this line.
1081 property SERVER_OVERLAY_VISUALS rootar
1082 # Dumb examples to show other capabilities.
1084 # oddball property names and explicit specification of error conditions
1086 property "property with spaces" 'property with "'aw er ed
1087 # Allow deletion of Woo-Hoo if window also has property OhBoy with value
1089 # ending in "son". Reads and writes will cause an error.
1090 property Woo-Hoo OhBoy = "*son"ad
1091
1094 The X server supports client connections via a platform-dependent sub‐
1095 set of the following transport types: TCPIP, Unix Domain sockets and
1096 several varieties of SVR4 local connections. See the DISPLAY NAMES
1097 section of the X(__miscmansuffix__) manual page to learn how to specify
1098 which transport type clients should try to use.
1099
1102 The X server implements a platform-dependent subset of the following
1103 authorization protocols: MIT-MAGIC-COOKIE-1, XDM-AUTHORIZATION-1, XDM-
1104 AUTHORIZATION-2, SUN-DES-1, and MIT-KERBEROS-5. See the Xsecu‐
1105 rity(__miscmansuffix__) manual page for information on the operation of
1106 these protocols.
1107 Authorization data required by the above protocols is passed to the
1109 server in a private file named with the -auth command line option.
1110 Each time the server is about to accept the first connection after a
1111 reset (or when the server is starting), it reads this file. If this
1112 file contains any authorization records, the local host is not automat‐
1113 ically allowed access to the server, and only clients which send one of
1114 the authorization records contained in the file in the connection setup
1115 information will be allowed access. See the Xau manual page for a de‐
1116 scription of the binary format of this file. See xauth(1) for mainte‐
1117 nance of this file, and distribution of its contents to remote hosts.
1118 The X server also uses a host-based access control list for deciding
1120 whether or not to accept connections from clients on a particular ma‐
1121 chine. If no other authorization mechanism is being used, this list
1122 initially consists of the host on which the server is running as well
1123 as any machines listed in the file /etc/Xn.hosts, where n is the dis‐
1124 play number of the server. Each line of the file should contain either
1125 an Internet hostname (e.g. expo.lcs.mit.edu) or a complete name in the
1126 format family:name as described in the xhost(1) manual page. There
1127 should be no leading or trailing spaces on any lines. For example:
1128 joesworkstation
1130 corporate.company.com
1131 star::
1132 inet:bigcpu
1133 local:
1134 Users can add or remove hosts from this list and enable or disable ac‐
1136 cess control using the xhost command from the same machine as the
1137 server.
1138 If the X FireWall Proxy (xfwp) is being used without a sitepolicy,
1140 host-based authorization must be turned on for clients to be able to
1141 connect to the X server via the xfwp. If xfwp is run without a config‐
1142 uration file and thus no sitepolicy is defined, if xfwp is using an X
1143 server where xhost + has been run to turn off host-based authorization
1144 checks, when a client tries to connect to this X server via xfwp, the X
1145 server will deny the connection. See xfwp(1) for more information
1146 about this proxy.
1147 The X protocol intrinsically does not have any notion of window opera‐
1149 tion permissions or place any restrictions on what a client can do; if
1150 a program can connect to a display, it has full run of the screen. X
1151 servers that support the SECURITY extension fare better because clients
1152 can be designated untrusted via the authorization they use to connect;
1153 see the xauth(1) manual page for details. Restrictions are imposed on
1154 untrusted clients that curtail the mischief they can do. See the SECU‐
1155 RITY extension specification for a complete list of these restrictions.
1156 Sites that have better authentication and authorization systems might
1158 wish to make use of the hooks in the libraries and the server to pro‐
1159 vide additional security models.
1160
1162 The X server attaches special meaning to the following signals:
1163 SIGHUP This signal causes the server to close all existing connec‐
1165 tions, free all resources, and restore all defaults. It is
1166 sent by the display manager whenever the main user's main ap‐
1167 plication (usually an xterm or window manager) exits to force
1168 the server to clean up and prepare for the next user.
1169 SIGTERM This signal causes the server to exit cleanly.
1171 SIGUSR1 This signal is used quite differently from either of the above.
1173 When the server starts, it checks to see if it has inherited
1174 SIGUSR1 as SIG_IGN instead of the usual SIG_DFL. In this case,
1175 the server sends a SIGUSR1 to its parent process after it has
1176 set up the various connection schemes. Xdm uses this feature
1177 to recognize when connecting to the server is possible.
1178
1180 The X server can obtain fonts from directories and/or from font
1181 servers. The list of directories and font servers the X server uses
1182 when trying to open a font is controlled by the font path.
1183 The default font path is __default_font_path__ .
1185 The font path can be set with the -fp option or by xset(1) after the
1187 server has started.
1188
1190 /etc/Xn.hosts Initial access control list for display
1191 number n
1192 /usr/share/fonts/X11/misc,
1194 /usr/share/fonts/X11/75dpi,
1195 /usr/share/fonts/X11/100dpi Bitmap
1196 font directories
1197 /usr/share/fonts/X11/Type1 Outline font directories
1199 /usr/share/nx/rgb Color database
1201 /tmp/.X11-unix/Xn Unix domain socket for display number n
1203 /tmp/rcXn Kerberos 5 replay cache for display num‐
1205 ber n
1206
1208 Protocols: X Window System Protocol, NX Compression Protocol, The X
1209 Font Service Protocol, X Display Manager Control Protocol
1210 Fonts: bdftopcf(1), mkfontdir(1), mkfontscale(1), xfs(1), xlsfonts(1),
1212 xfontsel(1), xfd(1), X Logical Font Description Conventions
1213 Security: Xsecurity(__miscmansuffix__), xauth(1), Xau(1), xdm(1),
1215 xhost(1), xfwp(1), Security Extension Specification
1216 Starting the server: xdm(1), xinit(1)
1218 Controlling the server once started: xset(1), xsetroot(1), xhost(1)
1220 Server-specific man pages: Xdec(1), XmacII(1), Xsun(1), Xnest(1),
1222 Xvfb(1), XFree86(1), XDarwin(1).
1223 Server internal documentation: Definition of the Porting Layer for the
1225 X v11 Sample Server
1226
1228 The first sample X server was originally written by Susan Angebranndt,
1229 Raymond Drewry, Philip Karlton, and Todd Newman, from Digital Equipment
1230 Corporation, with support from a large cast. It has since been exten‐
1231 sively rewritten by Keith Packard and Bob Scheifler, from MIT. Dave
1232 Wiggins took over post-R5 and made substantial improvements.
1233 The first implementation of nx-X11 (version 1.x up to 3.5.x) was writ‐
1235 ten by NoMachine (maintained until 2011).
1236 The current implementation of nx-X11 is maintained by various projects,
1238 amongst others The Arctica Project, TheQVD (Qindel Group) and X2Go.
1239 This manual page was written by Per Hansen <spamhans@yahoo.de>, and
1241 modified by Marcelo Boveto Shima <marceloshima@gmail.com> and Mike
1242 Gabriel <mike.gabriel@das-netzwerkteam.de>. In 2016, the original
1243 Xserver.man page shipped with nx-X11 was merged into the nxagent man
1244 page and received a major update by Mike Gabriel <mike.gabriel@das-net‐
1245 zwerkteam.de>.
1246Version 3.5.99.27 Jun 2023 nxagent(1)