nxagent(1) NX Agent (Xserver) nxagent(1)

nxagent - nested Xserver optimized for remote computing

nxagent [options]

nxagent is an X server for remote application/desktop access similar to
Xnest or Xephyr.

nxagent implements a very efficient compression of the X11 protocol,
called the NX protocol.

The NX protocol increases performance when using X applications over
high latency and low bandwidth networks, while providing a local
(LAN-like) usage experience even if connecting from off-site locations
(via cable modem or GSM).

nxagent can be used standalone as a nested X server (with NX protocol
disabled), but its real benefits are gained when using it over remote
connections via the nxcomp compression library. The counterpart
application on the other end (i.e. the client) is called nxproxy.

When used in proxy <-> agent mode, nxagent adds the feature of being
suspendable. Sessions can be started from one client, suspended and
then resumed from another (or the same) client.

nxagent and nxproxy are utilized by various remote application/desktop
frameworks for providing server-side GUI application access from remote
client systems.

Currently, nxagent is co-maintained by three of these projects: The
Arctica Project, TheQVD and X2Go.

nxagent should be run in user space. Unlike the system's local
X.org server, nxagent does not need to be run as root. When bundled
with a remote application framework, you normally don't have to launch
nxagent manually. nxagent startup is usually managed by the underlying
framework (e.g. Arctica Session Manager, X2Go Server, etc.).

When nxagent starts up (e.g. by typing 'nxagent -ac :1' in a terminal
window), it typically launches in "windowed desktop" mode. A new window
appears on your local X server; this window is itself an X server.

However, nxagent also supports rootless (or seamless) application mode
and a shadow session mode (similar to what VNC does).

Example: you can now launch a complete desktop session inside this
nested X server:

The Debian way...

    $ export DISPLAY=:1
    $ STARTUP=mate-session /etc/X11/Xsession

The Fedora / Gentoo / openSUSE way...

    ### FIXME / TODO ###

nxagent accepts a range of default X server options as described below.
Those default options have to be provided via the command line.

Furthermore, nxagent accepts some nx-X11 specific options, described
further below.

Last but not least, nxagent accepts several more options, the so-called
nx/nx options, provided via the $DISPLAY environment variable or the
-options command line option. See below for further details.

:displaynumber
    The X server runs as the given displaynumber, which by default
    is 0. If multiple X servers are to run simultaneously on a
    host, each must have a unique display number. See the DISPLAY
    NAMES section of the X(7) manual page to learn how to specify
    which display number clients should try to use.

-a number
    sets pointer acceleration (i.e. the ratio of how much is
    reported to how much the user actually moved the pointer).

-ac disables host-based access control mechanisms. Enables access
    by any host, and permits any host to modify the access control
    list. Use with extreme caution. This option exists primarily
    for running test suites remotely.

-audit level
    sets the audit trail level. The default level is 1, meaning
    only connection rejections are reported. Level 2 additionally
    reports all successful connections and disconnects. Level 4
    enables messages from the SECURITY extension, if present,
    including generation and revocation of authorizations and
    violations of the security policy. Level 0 turns off the audit
    trail. Audit lines are written to standard error.

-auth authorization-file
    specifies a file which contains a collection of authorization
    records used to authenticate access. See also the xdm(1) and
    Xsecurity(7) manual pages.

-bs disables backing store support on all screens.

-br sets the default root window to solid black (default).

-wr sets the default root window to solid white.

-c  turns off key-click.

c volume
    sets key-click volume (allowable range: 0-100).

-cc class
    sets the visual class for the root window of color screens.
    The class numbers are as specified in the X protocol. Not
    obeyed by all servers.

-co filename
    This used to be the option for specifying the path to the RGB
    color database file. As the RGB color database is now embedded
    into the binary, this option has no effect but is kept for
    compatibility. Deprecated.

-core
    causes the server to generate a core dump on fatal errors.

-displayfd fd
    specifies a file descriptor in the launching process. Rather
    than specifying a display number, the X server will attempt to
    listen on successively higher display numbers, and upon finding
    a free one, will write the port number back on this file
    descriptor as a newline-terminated string. The -pn option is
    ignored when using -displayfd.

    nxagent specific:

    (1) Unlike X.org's Xserver, nxagent lets you use -displayfd in
    conjunction with an explicit display number. If the explicit
    display number is not available (i.e., already in use), nxagent
    tries to figure out the next available display number, e.g.:

        nxagent -displayfd 2 :50

    (2) If -displayfd <X> is given with <X> equaling 2 (STDERR),
    then the display number string written to STDERR is beautified
    with some human-readable (machine-parseable) text.

-sync
    This option tells nxagent to synchronize its window and graphics
    operations with the real server. This is a useful option
    for debugging, but it will slow down nxagent's performance
    considerably. It should not be used unless absolutely necessary.

-full
    This option tells nxagent to utilize full regeneration of real
    server objects and reopen a new connection to the real server
    each time nxagent regenerates. The sample server implementation
    regenerates all objects in the server when the last client
    of this server terminates. When this happens, nxagent by
    default maintains the same top-level window and the same real
    server connection in each new generation. If the user selects
    full regeneration, even the top-level window and the connection
    to the real server will be regenerated for each server
    generation.

-class string
    This option specifies the default visual class of the nested
    server. It is similar to the -cc option from the set of standard
    options except that it will accept a string rather than a
    number for the visual class specification. The string must be
    one of the following six values: StaticGray, GrayScale,
    StaticColor, PseudoColor, TrueColor, or DirectColor. If both the
    -class and -cc options are specified, the last instance of
    either option takes precedence. The class of the default visual
    of the nested server need not be the same as the class of
    the default visual of the real server, but it must be supported
    by the real server. Use xdpyinfo(1) to obtain a list of
    supported visual classes on the real server before
    starting nxagent. If the user chooses a static class, all the
    colors in the default color map will be preallocated. If the
    user chooses a dynamic class, colors in the default color map
    will be available to individual clients for allocation.

-deferglyphs whichfonts
    specifies the types of fonts for which the server should
    attempt to use deferred glyph loading. whichfonts can be all
    (all fonts), none (no fonts), or 16 (16 bit fonts only).

-depth int
    This option specifies the default visual depth of the nested
    server. The depth of the default visual of the nested server
    need not be the same as the depth of the default visual of the
    real server, but it must be supported by the real server. Use
    xdpyinfo(1) to obtain a list of supported visual
    depths on the real server before starting nxagent.

-geometry WxH+X+Y
    This option specifies the geometry parameters for the top-level
    nxagent window. See "GEOMETRY SPECIFICATIONS" in X(7) for a
    discussion of this option's syntax. This window
    corresponds to the root window of the nested server. The width
    W and height H specified with this option will be the maximum
    width and height of each top-level nxagent window. nxagent
    will allow the user to make any top-level window smaller, but
    it will not actually change the size of the nested server root
    window. If this option is not specified, nxagent will choose W
    and H to be 3/4ths the dimensions of the root window of the
    real server.

-dpi resolution
    sets the resolution for all screens, in dots per inch. If this
    option is not specified nxagent will assume 96. There's also
    -autodpi which will clone the real server's dpi. Note that the
    resolution specified via -dpi is a per session setting. It
    cannot be changed on reconnect! This means that clients may look
    "wrong" when reconnecting a session that had been started with
    a different dpi than the current real xserver.

dpms
    enables DPMS (display power management services), where
    supported. The default state is platform and configuration
    specific.

-dpms
    disables DPMS (display power management services). The default
    state is platform and configuration specific.

-f volume
    sets feep (bell) volume (allowable range: 0-100).

-fc cursorFont
    sets default cursor font.

-fn font
    sets the default font.

-fp fontPath
    sets the search path for fonts. This path is a comma separated
    list of directories which the X server searches for font
    databases. See the FONTS section of this manual page for more
    information and the default list.

-help
    prints a usage message.

-I  causes all remaining command line arguments to be ignored.

-maxbigreqsize size
    sets the maximum big request to size MB.

-name string
    This option specifies the name of the top-level nxagent window
    as string. The default value is the program name.

-nolisten trans-type
    disables a transport type. For example, TCP/IP connections can
    be disabled with -nolisten tcp. This option may be issued
    multiple times to disable listening to different transport types.

-noreset
    prevents a server reset when the last client connection is
    closed. This overrides a previous -terminate command line
    option.

-p minutes
    sets screen-saver pattern cycle time in minutes.

-pn permits the server to continue running if it fails to establish
    all of its well-known sockets (connection points for clients),
    but establishes at least one. This option is set by default.

-nopn
    causes the server to exit if it fails to establish all of its
    well-known sockets (connection points for clients).

-r  turns off auto-repeat.

r   turns on auto-repeat.

-s minutes
    sets screen-saver timeout time in minutes.

-su disables save under support on all screens.

-t number
    sets pointer acceleration threshold in pixels (i.e. after how
    many pixels pointer acceleration should take effect).

-terminate
    causes the server to terminate at server reset, instead of
    continuing to run. This overrides a previous -noreset command
    line option.

-to seconds
    sets default connection timeout in seconds.

-tst
    disables all testing extensions.

v   sets video-off screen-saver preference.

-v  sets video-on screen-saver preference.

-wm forces the default backing-store of all windows to be
    WhenMapped. This is a backdoor way of getting backing-store to
    apply to all windows. Although all mapped windows will have
    backing store, the backing store attribute value reported by
    the server for a window will be the last value established by a
    client. If it has never been set by a client, the server will
    report the default value, NotUseful. This behavior is required
    by the X protocol, which allows the server to exceed the
    client's backing store expectations but does not provide a way
    to tell the client that it is doing so.

[+-]xinerama
    enables(+) or disables(-) XINERAMA provided via the PanoramiX
    extension. This is set to off by default.

[+-]rrxinerama
    enables(+) or disables(-) XINERAMA provided via the RandR
    extension. By default, this feature is enabled. To disable
    XINERAMA completely, make sure to use both options (-xinerama and
    -rrxinerama) on the command line.

nxagent additionally accepts the following non-standard options:

-logo
    turns on the X Window System logo display in the screen-saver.
    There is currently no way to change this from a client.

nologo
    turns off the X Window System logo display in the screen-saver.
    There is currently no way to change this from a client.

-render default|mono|gray|color
    sets the color allocation policy that will be used by the render
    extension.

    default
        selects the default policy defined for the display
        depth of the X server.

    mono
        don't use any color cell.

    gray
        use a gray map of 13 color cells for the X render
        extension.

    color
        use a color cube of at most 4*4*4 colors (that is 64
        color cells).

-dumbSched
    disables smart scheduling on platforms that support the smart
    scheduler.

-schedInterval interval
    sets the smart scheduler's scheduling interval to interval
    milliseconds.

The nx-X11 system adds the following command line arguments:

-forcenx
    force use of NX protocol messages assuming communication
    through nxproxy

-autograb
    enable autograb mode on nxagent startup. The autograb feature
    can be toggled via nxagent keystrokes

-nxrealwindowprop
    set property NX_REAL_WINDOW for each X11 client inside nxagent,
    providing the window XID of the corresponding window object on
    the X server that nxagent runs on

-reportwids
    explicitly tell nxagent to report its externally exposed X11
    window IDs to the session log (in machine readable form), so
    that external parsers can obtain that information from there

-reportprivatewids
    explicitly tell nxagent to report X11 window IDs of internally
    created window objects to the session log (in machine readable
    form), so that external parsers can obtain that information
    from there; this creates a lot of output and may affect
    performance

-timeout int
    auto-disconnect timeout in seconds (minimum allowed: 60)

-norootlessexit
    don't exit if there are no clients in rootless mode

-autodpi
    detect real server's DPI and set it in the agent session; the
    -dpi cmdline option overrides -autodpi. Note that using
    -autodpi will also adapt the DPI on reconnect, which causes
    newly started clients to respect the new DPI while clients that
    had been started before the reconnect still use the old DPI.
    This may lead to applications looking "weird".

-nomagicpixel
    disable magic pixel support at session startup, can be
    re-enabled via nx/nx option on session resumption

-norender
    disable the use of the render extension

-nocomposite
    disable the use of the composite extension

-nopersistent
    disable disconnection/reconnection to the X display on SIGHUP

-noshmem
    disable use of shared memory extension

-shmem
    enable use of shared memory extension

-noshpix
    disable use of shared pixmaps

-shpix
    enable use of shared pixmaps

-noignore
    don't ignore pointer and keyboard configuration changes
    mandated by clients. As a result, configuration commands like
    disabling the keyboard bell (xset -b) will also affect the real X
    server.

-nokbreset
    don't reset keyboard device if the session is resumed

-noxkblock
    this is only relevant if you also specify -keyboard=query. In
    that case nxagent will lock the keyboard settings and clients
    will get an error when trying to change keyboard settings via
    XKEYBOARD. With -noxkblock the lock is not applied and clients
    are allowed to change the keyboard settings through XKEYBOARD.

-tile WxH
    size of image tiles (minimum allowed: 32x32)

-D  enable desktop mode (default)

-R  enable rootless mode

-S  enable shadow mode

-B  enable proxy binding mode

-version
    show version information and exit

-options filename
    path to an options file containing nx/nx options (see below).

Besides the command line options, nxagent can be configured at session
startup and at runtime (i.e. when resuming a suspended session) by
so-called nx/nx options.

All options supported by nxcomp (see the nxproxy man page) and all
nxagent nx/nx options (see below) can be used as nx/nx options. When
launching an nxcomp based nxagent session (i.e. proxy <-> agent), you
will normally set the $DISPLAY variable like this:

    $ export DISPLAY=nx/nx,listen=<proxy-port>,options=<options.file>:<nx-display-port>
    $ nxagent <command-line-options> :<nx-display-port>

The value for <nx-display-port> is a not-yet-used X11 display
(e.g. :50).

Using an options file is recommended, but you can also put available
nx/nx options (see below) into the DISPLAY variable directly. Note
that the $DISPLAY variable field is of limited length.

As <proxy-port> you can pick an arbitrary (unused) TCP port or Unix
socket file path. This is the port / socket that you have to connect to
with the nxproxy application.

The right hand side of an option (the part following the "=" character)
can include URL encoded characters. It is required to URL encode at
least "," (as %2C) and "=" (as %3D) to avoid wrong parsing of the
options string.
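
The encoding requirement above, as an added Python example (not code from nxagent or nxcomp): it percent-encodes option values before joining them, and shows what a comma-splitting parser makes of the manual's own rmlvo keyboard value when the "," in "de,us" is left unencoded. The function names and the split-then-decode parser are a model assumed for illustration.

```python
from urllib.parse import unquote

# Keyboard value taken from the rmlvo example in this manual page; it contains a ','.
KEYBOARD = "rmlvo/base#pc105#de,us#nodeadkeys#lv3:rwin_switch"


def encode_value(value):
    """Percent-encode the characters that would break option parsing."""
    # '%' goes first so that a literal percent sign survives the later decode.
    return value.replace("%", "%25").replace(",", "%2C").replace("=", "%3D")


def encode_options(options):
    """Render {name: value} as the comma-separated list used in nx/nx strings."""
    for name in options:
        if not name or "," in name or "=" in name:
            raise ValueError(f"invalid option name: {name!r}")
    return ",".join(f"{name}={encode_value(value)}" for name, value in options.items())


def parse_options(option_list):
    """Model parser (assumption): split on ',', then on the first '=', then decode."""
    parsed, rejected = {}, []
    for item in option_list.split(","):
        name, sep, value = item.partition("=")
        if not sep or not name:
            rejected.append(item)      # fragment that is not a name=value pair
            continue
        parsed[name] = unquote(value)
    return parsed, rejected


def options_file_line(options, display):
    """One-line options file content, following the 'nx/nx,<options><display>' pattern."""
    return f"nx/nx,{encode_options(options)}{display}"


def demo():
    """Parse the same two options once without and once with value encoding."""
    wanted = {"keyboard": KEYBOARD, "clipboard": "none"}
    raw = ",".join(f"{k}={v}" for k, v in wanted.items())   # no encoding applied
    return parse_options(raw), parse_options(encode_options(wanted))


if __name__ == "__main__":
    (bad, rejected), (good, _) = demo()
    print("unencoded:", bad, "rejected:", rejected)
    print("encoded:  ", good)
    print(options_file_line({"fullscreen": "1", "keyboard": KEYBOARD}, ":50"))
```

Without encoding, the keyboard value is cut at the comma and the remainder no longer belongs to any option; with encoding, the value round-trips unchanged.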

Available nxagent options (as an addition to nx/nx options supported by
nxcomp already):

options=<string>
    read options from a file; this text file can contain a single,
    very long line with comma-separated nx/nx options

rootless=<bool>
    start nxagent in rootless mode, matches -R given on the command
    line, no-op when resuming (default: false)

geometry=<string>
    desktop geometry when starting or resuming a session, no-op in
    rootless mode (default 66% of the underlying X server geometry)

resize=<bool>
    set resizing support (default: true)

fullscreen=<bool>
    start or resume a session in fullscreen mode (default: off)

keyboard=<string> or kbtype=<string>
    query|clone|<model>/<layout>|rmlvo/<rules>#<model>#<layout>#<variant>#<options>

    query
        use the default XKB keyboard layout (see below) and
        only allow clients to query the settings but prevent
        any changes. query is especially helpful for setups
        where you need to set/modify the actual keyboard layout
        using core X protocol functions (e.g. via xmodmap). It
        is used for MacOS X clients to handle some keyboard
        problems that are specific to this platform. Note that
        in this case XKEYBOARD will always report the default
        layout which will most likely not match the experienced
        settings.

    clone
        ask the real X server for the keyboard settings using
        XKEYBOARD protocol functions and clone them. This is
        the recommended setting. For compatibility reasons it
        is not the default.

    <model>/<layout>
        use the given model and layout. A value of null/null is
        equivalent to clone. You cannot modify keyboard rules,
        variant or options this way. Instead preset values are
        used. These are base for rules and empty strings for
        variant and options.

    rmlvo/<rules>#<model>#<layout>#<variant>#<options>
        configure the keyboard according to the rmlvo
        (Rules+Model+Layout+Variant+Options) description given
        after the / and separated by #. This can be used to
        fully pass the keyboard configuration of nxagent right
        after the start. Example:
        rmlvo/base#pc105#de,us#nodeadkeys#lv3:rwin_switch

    If keyboard is omitted the internal defaults of nxagent will be
    used (rules: base, layout: us, model: pc102, empty variant and
    options).

keyconv=<string>
    set keycode conversion mode

    auto|on|off

    by default (auto) nxagent will activate keycode conversion if
    it detects an evdev XKEYBOARD setup on the client side (the
    standard on Linux systems nowadays). Keycode conversion means
    that certain keycodes are mapped to make the keyboard appear as
    a pc105 model. With off this conversion can be suppressed and
    with on it will be forced.

clipboard=<string>
    both|client|server|none

    enable / disable (set to: none) clipboard support, uni-directional
    (server or client) or bi-directional (both, default setting)
    support

streaming=<int>
    streaming support for images, not fully implemented yet and
    thus non-functional

backingstore=<int>
    disable or enforce backing store support (default:
    BackingStoreUndefined)

composite=<int>
    enable or disable Composite support in nxagent (default:
    enabled)

xinerama=<int>
    enable or disable XINERAMA support in nxagent (default:
    enabled)

shmem=<bool>
    enable using shared memory

shpix=<bool>
    enable shared pixmaps support

client=<string>
    type of connecting operating system (supported: linux, windows,
    solaris and macosx)

shadow=<int>
    start nxagent in shadow mode, matches -S given on the command
    line, no-op when resuming (default: false)

shadowuid=<int>
    unique identifier for the shadow session

shadowmode=<string>
    full access (set to 1) or viewing-only (set to 0, default)

defer=<int>
    defer image updates (enabled for all connection types except
    LAN), accepts values 0, 1 and 2

    The default value can be set via the command line (-defer). The
    value provided as nx/nx option is set when resuming a session,
    thus it overrides the command line default.

tile=<string>
    set the tile size in pixels (<W>x<H>) for bitmap data sent over
    the wire

    The default value can be set via the command line (-tile). The
    value provided as nx/nx option is set when resuming a session,
    thus it overrides the command line default.

menu=<int>
    support pulldown menu in nxagent session (only available on
    proxy <-> agent remote sessions)

magicpixel=<bool>
    enable/disable magic pixel support in fullscreen mode (default:
    1, enabled)

autodpi=<bool>
    enable/disable deriving session DPI automatically from real
    server (default: 0, disabled); only takes effect on session
    startups, gets ignored when reconnecting to a suspended session

sleep=<int>
    delay X server operations when suspended (provided in msec),
    set to 0 to keep nxagent session fully functional when
    suspended (e.g. useful when mirroring an nxagent session via VNC)

tolerancechecks=<string>
    strict|safe|risky|bypass

    strict
        means that the number of internal and external pixmap
        formats must match exactly and every internal pixmap
        format must be available in the external pixmap format
        array. This is the default.

    safe
        means that the number of pixmap formats might diverge,
        but all internal pixmap formats must also be included
        in the external pixmap formats array. This is recommended,
        because it allows clients with more pixmap formats
        to still connect, but not lose functionality.

    risky
        means that the internal pixmap formats array is allowed
        to be smaller than the external pixmap formats array,
        but at least one pixmap format must be included in
        both. This is potentially unsafe.

    bypass
        means that all of these checks are essentially
        deactivated. This is a very bad idea.

autograb=<int>
    enable or disable autograb (default: disabled)

If you want to use nxagent as a replacement for Xnest or Xephyr you can
pass options like this:

    $ echo nx/nx,fullscreen=1$DISPLAY >/tmp/opt
    $ nxagent <command-line-options> -options /tmp/opt :<nx-display-port>

X servers that support XDMCP have the following options. See the X
Display Manager Control Protocol specification for more information.

-query hostname
    enables XDMCP and sends Query packets to the specified
    hostname.

-broadcast
    enables XDMCP and broadcasts BroadcastQuery packets to the
    network. The first responding display manager will be chosen for
    the session.

-multicast [address [hop count]]
    enables XDMCP and multicasts BroadcastQuery packets to the
    network. The first responding display manager is chosen for the
    session. If an address is specified, the multicast is sent to
    that address. If no address is specified, the multicast is
    sent to the default XDMCP IPv6 multicast group. If a hop count
    is specified, it is used as the maximum hop count for the
    multicast. If no hop count is specified, the multicast is set to
    a maximum of 1 hop, to prevent the multicast from being routed
    beyond the local network.

-indirect hostname
    enables XDMCP and sends IndirectQuery packets to the specified
    hostname.

-port port-number
    uses the specified port-number for XDMCP packets, instead of
    the default. This option must be specified before any -query,
    -broadcast, -multicast, or -indirect options.

-from local-address
    specifies the local address to connect from (useful if the
    connecting host has multiple network interfaces). The
    local-address may be expressed in any form acceptable to the host
    platform's gethostbyname(3) implementation.

-once
    causes the server to terminate (rather than reset) when the
    XDMCP session ends.

-class display-class
    XDMCP has an additional display qualifier used in resource
    lookup for display-specific options. This option sets that
    value; by default it is "MIT-Unspecified" (not a very useful
    value).

-cookie xdm-auth-bits
    When testing XDM-AUTHENTICATION-1, a private key is shared
    between the server and the manager. This option sets the value
    of that private data (not that it is very private, being on the
    command line!).

-displayID display-id
    Yet another XDMCP specific value, this one allows the display
    manager to identify each display so that it can locate the
    shared key.

X servers that support the XKEYBOARD (a.k.a. "XKB") extension accept
the following options. All layout files specified on the command line
must be located in the XKB base directory or a subdirectory, and
specified as the relative path from the XKB base directory. The default
XKB base directory is /usr/share/X11/xkb.

[+-]kb
    enables(+) or disables(-) the XKEYBOARD extension.

[+-]accessx [ timeout [ timeout_mask [ feedback [ options_mask ] ] ] ]
    enables(+) or disables(-) AccessX key sequences.

-xkbdir directory
    base directory for keyboard layout files. This option is not
    available for setuid X servers (i.e., when the X server's real
    and effective uids are different).

-ardelay milliseconds
    sets the autorepeat delay (length of time in milliseconds that
    a key must be depressed before autorepeat starts).

-arinterval milliseconds
    sets the autorepeat interval (length of time in milliseconds
    that should elapse between autorepeat-generated keystrokes).

-xkbmap filename
    loads keyboard description in filename on server startup.

X servers that support the SECURITY extension accept the following
option:

-sp filename
    causes the server to attempt to read and interpret filename as
    a security policy file with the format described below. The
    file is read at server startup and reread at each server reset.

The syntax of the security policy file is as follows. Notation: "*"
means zero or more occurrences of the preceding element, and "+" means
one or more occurrences. To interpret <foo/bar>, ignore the text after
the /; it is used to distinguish between instances of <foo> in the next
section.

    <policy file> ::= <version line> <other line>*

    <version line> ::= <string/v> '\n'

    <other line> ::= <comment> | <access rule> | <site policy> | <blank line>

    <comment> ::= # <not newline>* '\n'

    <blank line> ::= <space> '\n'

    <site policy> ::= sitepolicy <string/sp> '\n'

    <access rule> ::= property <property/ar> <window> <perms> '\n'

    <property> ::= <string>

    <window> ::= any | root | <required property>

    <required property> ::= <property/rp> | <property with value>

    <property with value> ::= <property/rpv> = <string/rv>

    <perms> ::= [ <operation> | <action> | <space> ]*

    <operation> ::= r | w | d

    <action> ::= a | i | e

    <string> ::= <dbl quoted string> | <single quoted string> | <unquoted string>

    <dbl quoted string> ::= <space> " <not dquote>* " <space>

    <single quoted string> ::= <space> ' <not squote>* ' <space>

    <unquoted string> ::= <space> <not space>+ <space>

    <space> ::= [ ' ' | '\t' ]*

Character sets:

    <not newline> ::= any character except '\n'
    <not dquote> ::= any character except "
    <not squote> ::= any character except '
    <not space> ::= any character except those in <space>

The semantics associated with the above syntax are as follows.

<version line>, the first line in the file, specifies the file format
version. If the server does not recognize the version <string/v>, it
ignores the rest of the file. The version string for the file format
described here is "version-1".

Once past the <version line>, lines that do not match the above syntax
are ignored.

<comment> lines are ignored.

<site policy> lines are currently ignored. They are intended to specify
the site policies used by the XC-QUERY-SECURITY-1 authorization method.

<access rule> lines specify how the server should react to untrusted
client requests that affect the X Window property named <property/ar>.
The rest of this section describes the interpretation of an <access
rule>.

For an <access rule> to apply to a given instance of <property/ar>,
<property/ar> must be on a window that is in the set of windows
specified by <window>. If <window> is any, the rule applies to
<property/ar> on any window. If <window> is root, the rule applies to
<property/ar> only on root windows.

If <window> is <required property>, the following apply. If <required
property> is a <property/rp>, the rule applies when the window also has
that <property/rp>, regardless of its value. If <required property> is
a <property with value>, <property/rpv> must also have the value
specified by <string/rv>. In this case, the property must have type
STRING and format 8, and should contain one or more null-terminated
strings. If any of the strings match <string/rv>, the rule applies.

The definition of string matching is simple case-sensitive string
comparison with one elaboration: the occurrence of the character '*' in
<string/rv> is a wildcard meaning "any string." A <string/rv> can
contain multiple wildcards anywhere in the string. For example, "x*"
matches strings that begin with x, "*x" matches strings that end with
x, "*x*" matches strings containing x, and "x*y*" matches strings that
start with x and subsequently contain y.

There may be multiple <access rule> lines for a given <property/ar>.
The rules are tested in the order that they appear in the file. The
first rule that applies is used.
874
<perms> specify operations that untrusted clients may attempt, and the
actions that the server should take in response to those operations.

<operation> can be r (read), w (write), or d (delete). The following
table shows how X Protocol property requests map to these operations in
The Open Group server implementation.

GetProperty          r, or r and d if delete = True
ChangeProperty       w
RotateProperties     r and w
DeleteProperty       d
ListProperties       none, untrusted clients can always list all properties

<action> can be a (allow), i (ignore), or e (error). Allow means
execute the request as if it had been issued by a trusted client. Ignore
means treat the request as a no-op. In the case of GetProperty, ignore
means return an empty property value if the property exists, regardless
of its actual value. Error means do not execute the request and return
a BadAtom error with the atom set to the property name. Error is the
default action for all properties, including those not listed in the
security policy file.

An <action> applies to all <operation>s that follow it, until the next
<action> is encountered. Thus, irwad means ignore read and write,
allow delete.

GetProperty and RotateProperties may do multiple operations (r and d,
or r and w). If different actions apply to the operations, the most
severe action is applied to the whole request; there is no partial
request execution. The severity ordering is: allow < ignore < error.
Thus, if the <perms> for a property are ired (ignore read, error
delete), and an untrusted client attempts GetProperty on that property
with delete = True, an error is returned, but the property value is
not. Similarly, if any of the properties in a RotateProperties do not
allow both read and write, an error is returned without changing any
property values.

Here is an example security policy file.

version-1

# Allow reading of application resources, but not writing.
property RESOURCE_MANAGER               root    ar iw
property SCREEN_RESOURCES               root    ar iw

# Ignore attempts to use cut buffers. Giving errors causes apps to crash,
# and allowing access may give away too much information.
property CUT_BUFFER0                    root    irw
property CUT_BUFFER1                    root    irw
property CUT_BUFFER2                    root    irw
property CUT_BUFFER3                    root    irw
property CUT_BUFFER4                    root    irw
property CUT_BUFFER5                    root    irw
property CUT_BUFFER6                    root    irw
property CUT_BUFFER7                    root    irw

# If you are using Motif, you probably want these.
property _MOTIF_DEFAULT_BINDINGS        root    ar iw
property _MOTIF_DRAG_WINDOW             root    ar iw
property _MOTIF_DRAG_TARGETS            any     ar iw
property _MOTIF_DRAG_ATOMS              any     ar iw
property _MOTIF_DRAG_ATOM_PAIRS         any     ar iw

# The next two rules let xwininfo -tree work when untrusted.
property WM_NAME                        any     ar

# Allow read of WM_CLASS, but only for windows with WM_NAME.
# This might be more restrictive than necessary, but demonstrates
# the <required property> facility, and is also an attempt to
# say "top level windows only."
property WM_CLASS                       WM_NAME ar

# These next three let xlsclients work untrusted. Think carefully
# before including these; giving away the client machine name and command
# may be exposing too much.
property WM_STATE                       WM_NAME ar
property WM_CLIENT_MACHINE              WM_NAME ar
property WM_COMMAND                     WM_NAME ar

# To let untrusted clients use the standard colormaps created by
# xstdcmap, include these lines.
property RGB_DEFAULT_MAP                root    ar
property RGB_BEST_MAP                   root    ar
property RGB_RED_MAP                    root    ar
property RGB_GREEN_MAP                  root    ar
property RGB_BLUE_MAP                   root    ar
property RGB_GRAY_MAP                   root    ar

# To let untrusted clients use the color management database created
# by xcmsdb, include these lines.
property XDCCC_LINEAR_RGB_CORRECTION    root    ar
property XDCCC_LINEAR_RGB_MATRICES      root    ar
property XDCCC_GRAY_SCREENWHITEPOINT    root    ar
property XDCCC_GRAY_CORRECTION          root    ar

# To let untrusted clients use the overlay visuals that many vendors
# support, include this line.
property SERVER_OVERLAY_VISUALS         root    ar

# Dumb examples to show other capabilities.

# oddball property names and explicit specification of error conditions
property "property with spaces"         'property with "'       aw er ed

# Allow deletion of Woo-Hoo if window also has property OhBoy with value
# ending in "son". Reads and writes will cause an error.
property Woo-Hoo                        OhBoy = "*son"  ad

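The rule matching, wildcard and severity semantics of this section, worked through as an added Python example (not code from nxagent or the X server) that reports which action an untrusted client's request would receive. The sample policy and window descriptions are constructed, the tokenizer assumes spaces around "=", and giving error to an operation that precedes any action is an assumption.

```python
import re

SEVERITY = {"a": 0, "i": 1, "e": 2}      # allow < ignore < error
REQUEST_OPS = {"GetProperty": "r", "GetProperty(delete)": "rd", "ChangeProperty": "w",
               "RotateProperties": "rw", "DeleteProperty": "d"}
TOKEN = re.compile(r'"([^"]*)"|\'([^\']*)\'|(\S+)')   # assumes spaces around '='

def parse_perms(perms):
    """'irwad' -> {'r': 'i', 'w': 'i', 'd': 'a'}: an action covers the operations after it."""
    table, action = {}, "e"    # assumption: an operation before any action gets error
    for ch in perms:
        if ch in SEVERITY:
            action = ch
        elif ch in "rwd":
            table[ch] = action
    return table

def parse_policy(text):
    lines = text.splitlines()
    if not lines or lines[0].strip() != "version-1":
        return []              # unrecognized version: the rest of the file is ignored
    rules = []
    for line in lines[1:]:
        tok = ["".join(m) for m in TOKEN.findall(line)]
        if len(tok) < 3 or tok[0] != "property":
            continue           # comments, sitepolicy and non-matching lines are ignored
        value, rest = None, tok[3:]
        if tok[2] not in ("any", "root") and len(rest) > 1 and rest[0] == "=":
            value, rest = rest[1], rest[2:]
        rules.append((tok[1], tok[2], value, parse_perms("".join(rest))))
    return rules

def wildcard_match(pattern, s):   # case-sensitive; each '*' in pattern matches any string
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), s, re.DOTALL) is not None

def applies(window, value, win):
    if window in ("any", "root"):
        return window == "any" or win["root"]
    strings = win["props"].get(window)       # the required property on the same window
    return strings is not None and (value is None or any(wildcard_match(value, s) for s in strings))

def decide(rules, request, prop, win):   # first applicable rule; most severe action wins
    perms = next((p for n, w, v, p in rules if n == prop and applies(w, v, win)), {})
    worst = max((perms.get(op, "e") for op in REQUEST_OPS[request]), key=SEVERITY.get)
    return {"a": "allow", "i": "ignore", "e": "error"}[worst]

# Constructed sample policy, modelled on the rules in the example file.
POLICY = ('version-1\nproperty CUT_BUFFER0 root irw\nproperty WM_CLASS WM_NAME ar\n'
          'property Woo-Hoo OhBoy = "*son" ad\nproperty DEMO any ired\n')
```

A window is passed as a dict such as {"root": False, "props": {"WM_NAME": ["xterm"]}}; operations a rule does not list fall back to error, which is why the "ad" rule rejects reads and writes.
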
The X server supports client connections via a platform-dependent
subset of the following transport types: TCP/IP, Unix Domain sockets and
several varieties of SVR4 local connections. See the DISPLAY NAMES
section of the X(__miscmansuffix__) manual page to learn how to specify
which transport type clients should try to use.

The X server implements a platform-dependent subset of the following
authorization protocols: MIT-MAGIC-COOKIE-1, XDM-AUTHORIZATION-1,
XDM-AUTHORIZATION-2, SUN-DES-1, and MIT-KERBEROS-5. See the
Xsecurity(__miscmansuffix__) manual page for information on the operation of
these protocols.

Authorization data required by the above protocols is passed to the
server in a private file named with the -auth command line option.
Each time the server is about to accept the first connection after a
reset (or when the server is starting), it reads this file. If this
file contains any authorization records, the local host is not
automatically allowed access to the server, and only clients which send one of
the authorization records contained in the file in the connection setup
information will be allowed access. See the Xau manual page for a
description of the binary format of this file. See xauth(1) for
maintenance of this file, and distribution of its contents to remote hosts.

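A check an administrator can run on the file passed with -auth, as an added Python example (not part of nxagent or xauth): it lists the authorization protocols present and reports whether the file is empty, without ever exposing the secret data. The record layout used here (2-byte big-endian family, then four length-prefixed fields) is the one documented by Xau rather than by this page, and the sample records and the EXAMPLE-PROTO-1 name are constructed.

```python
import struct

# Protocol names listed on this page; anything else is reported as unexpected.
KNOWN = {"MIT-MAGIC-COOKIE-1", "XDM-AUTHORIZATION-1", "XDM-AUTHORIZATION-2",
         "SUN-DES-1", "MIT-KERBEROS-5"}

def _u16(buf, pos):
    if pos + 2 > len(buf):
        raise ValueError(f"truncated file at offset {pos}")
    return struct.unpack_from(">H", buf, pos)[0], pos + 2

def _counted(buf, pos):
    """A 2-byte big-endian length followed by that many bytes."""
    n, pos = _u16(buf, pos)
    if pos + n > len(buf):
        raise ValueError(f"field at offset {pos} runs past the end of the file")
    return buf[pos:pos + n], pos + n

def read_records(buf):
    """Parse an authorization file image; the secret data is reduced to its length."""
    records, pos = [], 0
    while pos < len(buf):
        family, pos = _u16(buf, pos)
        fields = []
        for _ in range(4):       # address, display number, protocol name, data
            value, pos = _counted(buf, pos)
            fields.append(value)
        records.append({"family": family, "address": fields[0],
                        "display": fields[1].decode("ascii", "replace"),
                        "protocol": fields[2].decode("ascii", "replace"),
                        "data_len": len(fields[3])})
    return records

def audit(buf):
    recs = read_records(buf)
    protocols = sorted({r["protocol"] for r in recs})
    # No records: the server relies on the host-based list, which includes the local host.
    return {"records": len(recs), "local_host_auto_allowed": not recs,
            "protocols": protocols, "unexpected": [p for p in protocols if p not in KNOWN]}

def make_record(family, address, number, name, data):
    out = struct.pack(">H", family)
    for field in (address, number, name, data):
        out += struct.pack(">H", len(field)) + field
    return out

# Constructed sample: family 256 is FamilyLocal; the zero bytes stand in for secrets.
SAMPLE = (make_record(256, b"host1", b"1", b"MIT-MAGIC-COOKIE-1", bytes(16))
          + make_record(256, b"host1", b"2", b"EXAMPLE-PROTO-1", bytes(8)))
```
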
The X server also uses a host-based access control list for deciding
whether or not to accept connections from clients on a particular
machine. If no other authorization mechanism is being used, this list
initially consists of the host on which the server is running as well
as any machines listed in the file /etc/Xn.hosts, where n is the
display number of the server. Each line of the file should contain either
an Internet hostname (e.g. expo.lcs.mit.edu) or a complete name in the
format family:name as described in the xhost(1) manual page. There
should be no leading or trailing spaces on any lines. For example:

joesworkstation
corporate.company.com
star::
inet:bigcpu
local:

Users can add or remove hosts from this list and enable or disable
access control using the xhost command from the same machine as the
server.

If the X FireWall Proxy (xfwp) is being used without a sitepolicy,
host-based authorization must be turned on for clients to be able to
connect to the X server via the xfwp. If xfwp is run without a
configuration file (so that no sitepolicy is defined) and is using an X
server where xhost + has been run to turn off host-based authorization
checks, then when a client tries to connect to this X server via xfwp,
the X server will deny the connection. See xfwp(1) for more information
about this proxy.

The X protocol intrinsically does not have any notion of window
operation permissions or place any restrictions on what a client can do; if
a program can connect to a display, it has full run of the screen. X
servers that support the SECURITY extension fare better because clients
can be designated untrusted via the authorization they use to connect;
see the xauth(1) manual page for details. Restrictions are imposed on
untrusted clients that curtail the mischief they can do. See the
SECURITY extension specification for a complete list of these restrictions.

Sites that have better authentication and authorization systems might
wish to make use of the hooks in the libraries and the server to
provide additional security models.

The X server attaches special meaning to the following signals:

SIGHUP   This signal causes the server to close all existing connections,
         free all resources, and restore all defaults. It is sent by the
         display manager whenever the main user's main application (usually
         an xterm or window manager) exits to force the server to clean up
         and prepare for the next user.

SIGTERM  This signal causes the server to exit cleanly.

SIGUSR1  This signal is used quite differently from either of the above.
         When the server starts, it checks to see if it has inherited
         SIGUSR1 as SIG_IGN instead of the usual SIG_DFL. In this case,
         the server sends a SIGUSR1 to its parent process after it has
         set up the various connection schemes. Xdm uses this feature
         to recognize when connecting to the server is possible.

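The SIGUSR1 readiness handshake, shown from both sides as an added Python example (not nxagent or xdm code). server_side is a hypothetical stand-in for the server's startup check; a real launcher would exec the server at that point instead of calling it.

```python
import os
import signal

def server_side():
    """Stand-in for the server's startup path (constructed for this example)."""
    if signal.getsignal(signal.SIGUSR1) == signal.SIG_IGN:   # inherited as SIG_IGN?
        # ... the listening sockets would be set up here ...
        os.kill(os.getppid(), signal.SIGUSR1)                # tell the parent: ready
    os._exit(0)

def launch(ignore_usr1, timeout=5.0):
    """Return True once the child reports readiness via SIGUSR1, False on timeout."""
    # Block SIGUSR1 first so a fast child cannot signal before the parent waits.
    old_mask = signal.pthread_sigmask(signal.SIG_BLOCK, {signal.SIGUSR1})
    try:
        pid = os.fork()
        if pid == 0:
            # An ignored signal stays ignored across exec(), so the server inherits it.
            signal.signal(signal.SIGUSR1,
                          signal.SIG_IGN if ignore_usr1 else signal.SIG_DFL)
            signal.pthread_sigmask(signal.SIG_SETMASK, old_mask)
            server_side()        # a real launcher would os.execvp() the server here
        info = signal.sigtimedwait({signal.SIGUSR1}, timeout)
        os.waitpid(pid, 0)       # the stand-in exits at once; a real server keeps running
        return info is not None and info.si_pid == pid
    finally:
        signal.pthread_sigmask(signal.SIG_SETMASK, old_mask)
```

Waiting for the signal before starting clients avoids connecting to a display whose sockets do not exist yet; checking si_pid ties the notification to the child that was launched.
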
The X server can obtain fonts from directories and/or from font
servers. The list of directories and font servers the X server uses
when trying to open a font is controlled by the font path.

The default font path is __default_font_path__.

The font path can be set with the -fp option or by xset(1) after the
server has started.

/etc/Xn.hosts                  Initial access control list for display number n

/usr/share/fonts/X11/misc,
/usr/share/fonts/X11/75dpi,
/usr/share/fonts/X11/100dpi    Bitmap font directories

/usr/share/fonts/X11/Type1     Outline font directories

/usr/share/nx/rgb              Color database

/tmp/.X11-unix/Xn              Unix domain socket for display number n

/tmp/rcXn                      Kerberos 5 replay cache for display number n

Protocols: X Window System Protocol, NX Compression Protocol, The X
Font Service Protocol, X Display Manager Control Protocol

Fonts: bdftopcf(1), mkfontdir(1), mkfontscale(1), xfs(1), xlsfonts(1),
xfontsel(1), xfd(1), X Logical Font Description Conventions

Security: Xsecurity(__miscmansuffix__), xauth(1), Xau(1), xdm(1),
xhost(1), xfwp(1), Security Extension Specification

Starting the server: xdm(1), xinit(1)

Controlling the server once started: xset(1), xsetroot(1), xhost(1)

Server-specific man pages: Xdec(1), XmacII(1), Xsun(1), Xnest(1),
Xvfb(1), XFree86(1), XDarwin(1).

Server internal documentation: Definition of the Porting Layer for the
X v11 Sample Server

The first sample X server was originally written by Susan Angebranndt,
Raymond Drewry, Philip Karlton, and Todd Newman, from Digital Equipment
Corporation, with support from a large cast. It has since been
extensively rewritten by Keith Packard and Bob Scheifler, from MIT. Dave
Wiggins took over post-R5 and made substantial improvements.

The first implementation of nx-X11 (version 1.x up to 3.5.x) was
written by NoMachine (maintained until 2011).

The current implementation of nx-X11 is maintained by various projects,
amongst others The Arctica Project, TheQVD (Qindel Group) and X2Go.

This manual page was written by Per Hansen <spamhans@yahoo.de>, and
modified by Marcelo Boveto Shima <marceloshima@gmail.com> and Mike
Gabriel <mike.gabriel@das-netzwerkteam.de>. In 2016, the original
Xserver.man page shipped with nx-X11 was merged into the nxagent man
page and received a major update by Mike Gabriel
<mike.gabriel@das-netzwerkteam.de>.

Version 3.5.99.22 Aug 2019 nxagent(1)