nxagent(1)                 NX Agent (Xserver)                 nxagent(1)

nxagent - nested Xserver optimized for remote computing

nxagent [options]

nxagent is an X server for remote application/desktop access similar to
Xnest or Xephyr.

nxagent implements a very efficient compression of the X11 protocol,
called the NX protocol.

The NX protocol increases performance when using X applications over
high latency and low bandwidth networks, while providing a local
(LAN-like) usage experience even if connecting from off-site locations
(via cable modem or GSM).

nxagent can be used standalone as a nested X server (with NX protocol
disabled), but its real benefits are gained when using it over remote
connections via the nxcomp compression library. The counterpart
application on the other end (i.e. the client) is called nxproxy.

When used in proxy <-> agent mode, nxagent adds the feature of being
suspendable. Sessions can be started from one client, suspended and
then resumed from another (or the same) client.

nxagent and nxproxy are utilized by various remote application/desktop
frameworks for providing server-side GUI application access from remote
client systems.

Currently, nxagent is co-maintained by three of these projects: The
Arctica Project, TheQVD and X2Go.

nxagent should be run in user space. Unlike the system's local X.org
server, nxagent does not need to be run as root. When bundled with a
remote application framework, you normally don't have to launch nxagent
manually. nxagent startup is usually managed by the underlying
framework (e.g. Arctica Session Manager, X2Go Server, etc.).

When nxagent starts up (e.g. by typing 'nxagent -ac :1' in a terminal
window), it typically launches in "windowed desktop" mode. A new window
appears on your local X server; this window is itself an X server.

However, nxagent also supports rootless (or seamless) application mode
and a shadow session mode (similar to what VNC does).

Example: You can launch a complete desktop session inside this nested X
server now:

The Debian way...

    $ export DISPLAY=:1
    $ STARTUP=mate-session /etc/X11/Xsession

The Fedora / Gentoo / openSUSE way...

    ### FIXME / TODO ###

nxagent accepts a range of default X server options as described below.
Those default options have to be provided via the command line.

Furthermore, nxagent accepts some nx-X11 specific options, described
further below.

Last but not least, nxagent accepts several more options, the so-called
nx/nx options, provided via the $DISPLAY environment variable or the
-options command line option. See below for further details.

:displaynumber
    The X server runs as the given displaynumber, which by default is 0.
    If multiple X servers are to run simultaneously on a host, each must
    have a unique display number. See the DISPLAY NAMES section of the
    X(7) manual page to learn how to specify which display number
    clients should try to use.

-a number
    sets pointer acceleration (i.e. the ratio of how much is reported to
    how much the user actually moved the pointer).

-ac
    disables host-based access control mechanisms. Enables access by any
    host, and permits any host to modify the access control list. Use
    with extreme caution. This option exists primarily for running test
    suites remotely.

-audit level
    sets the audit trail level. The default level is 1, meaning only
    connection rejections are reported. Level 2 additionally reports all
    successful connections and disconnects. Level 4 enables messages
    from the SECURITY extension, if present, including generation and
    revocation of authorizations and violations of the security policy.
    Level 0 turns off the audit trail. Audit lines are sent as standard
    error output.

-auth authorization-file
    specifies a file which contains a collection of authorization
    records used to authenticate access. See also the xdm(1) and
    Xsecurity(7) manual pages.

-bs
    disables backing store support on all screens.

-br
    sets the default root window to solid black (default).

-wr
    sets the default root window to solid white.

-c
    turns off key-click.

c volume
    sets key-click volume (allowable range: 0-100).

-cc class
    sets the visual class for the root window of color screens. The
    class numbers are as specified in the X protocol. Not obeyed by all
    servers.

-co filename
    This used to be the option for specifying the path to the RGB color
    database file. As the RGB color database is now embedded into the
    binary this option has no effect but is kept for compatibility.
    Deprecated.

-core
    causes the server to generate a core dump on fatal errors.

-displayfd fd
    specifies a file descriptor in the launching process. Rather than
    specifying a display number, the X server will attempt to listen on
    successively higher display numbers, and upon finding a free one,
    will write the port number back on this file descriptor as a
    newline-terminated string. The -pn option is ignored when using
    -displayfd.

    nxagent specific:

    (1) Unlike X.org's Xserver, you can use -displayfd in conjunction
    with an explicit display number. If the explicit display number is
    not available (i.e., already in use), nxagent tries to figure out
    the next available display number,

    e.g.:

        nxagent -displayfd 2 :50

    (2) If -displayfd <X> is given with <X> equaling 2 (STDERR), then
    the display number string written to STDERR is beautified with some
    human-readable (machine-parseable) text.

-sync
    This option tells nxagent to synchronize its window and graphics
    operations with the real server. This is a useful option for
    debugging, but it will slow down nxagent's performance considerably.
    It should not be used unless absolutely necessary.

-full
    This option tells nxagent to utilize full regeneration of real
    server objects and reopen a new connection to the real server each
    time nxagent regenerates. The sample server implementation
    regenerates all objects in the server when the last client of this
    server terminates. When this happens, nxagent by default maintains
    the same top-level window and the same real server connection in
    each new generation. If the user selects full regeneration, even the
    top-level window and the connection to the real server will be
    regenerated for each server generation.

-class string
    This option specifies the default visual class of the nested server.
    It is similar to the -cc option from the set of standard options
    except that it will accept a string rather than a number for the
    visual class specification. The string must be one of the following
    six values: StaticGray, GrayScale, StaticColor, PseudoColor,
    TrueColor, or DirectColor. If both the -class and -cc options are
    specified, the last instance of either option takes precedence. The
    class of the default visual of the nested server need not be the
    same as the class of the default visual of the real server, but it
    must be supported by the real server. Use xdpyinfo(1) to obtain a
    list of supported visual classes on the real server before starting
    nxagent. If the user chooses a static class, all the colors in the
    default color map will be preallocated. If the user chooses a
    dynamic class, colors in the default color map will be available to
    individual clients for allocation.

-deferglyphs whichfonts
    specifies the types of fonts for which the server should attempt to
    use deferred glyph loading. whichfonts can be all (all fonts), none
    (no fonts), or 16 (16 bit fonts only).

-depth int
    This option specifies the default visual depth of the nested server.
    The depth of the default visual of the nested server need not be the
    same as the depth of the default visual of the real server, but it
    must be supported by the real server. Use xdpyinfo(1) to obtain a
    list of supported visual depths on the real server before starting
    nxagent.

-geometry WxH+X+Y
    This option specifies the geometry parameters for the top-level
    nxagent window. See “GEOMETRY SPECIFICATIONS” in X(7) for a
    discussion of this option's syntax. This window corresponds to the
    root window of the nested server. The width W and height H specified
    with this option will be the maximum width and height of each
    top-level nxagent window. nxagent will allow the user to make any
    top-level window smaller, but it will not actually change the size
    of the nested server root window. If this option is not specified,
    nxagent will choose W and H to be 3/4ths the dimensions of the root
    window of the real server. For further values accepted see the
    documentation of geometry=<string> below.

-dpi resolution
    sets the resolution for all screens, in dots per inch. If this
    option is not specified nxagent will assume 96. There's also
    -autodpi which will clone the real server's dpi. Note that the
    resolution specified via -dpi is a per session setting. It cannot be
    changed on reconnect! This means that clients may look "wrong" when
    reconnecting a session that had been started with a different dpi
    than the current real xserver.

dpms
    enables DPMS (display power management services), where supported.
    The default state is platform and configuration specific.

-dpms
    disables DPMS (display power management services). The default
    state is platform and configuration specific.

-f volume
    sets feep (bell) volume (allowable range: 0-100).

-fc cursorFont
    sets default cursor font.

-fn font
    sets the default font.

-fp fontPath
    sets the search path for fonts. This path is a comma separated list
    of directories which the X server searches for font databases. See
    the FONTS section of this manual page for more information and the
    default list.

-help
    prints a usage message.

-I
    causes all remaining command line arguments to be ignored.

-maxbigreqsize size
    sets the maximum big request to size MB.

-name string
    This option specifies the name of the top-level nxagent window as
    string. The default value is the program name.

-nolisten trans-type
    disables a transport type. For example, TCP/IP connections can be
    disabled with -nolisten tcp. This option may be issued multiple
    times to disable listening to different transport types.

-noreset
    prevents a server reset when the last client connection is closed.
    This overrides a previous -terminate command line option.

-p minutes
    sets screen-saver pattern cycle time in minutes.

-pn
    permits the server to continue running if it fails to establish all
    of its well-known sockets (connection points for clients), but
    establishes at least one. This option is set by default.

-nopn
    causes the server to exit if it fails to establish all of its
    well-known sockets (connection points for clients).

-r
    turns off auto-repeat.

r
    turns on auto-repeat.

-s minutes
    sets screen-saver timeout time in minutes.

-su
    disables save under support on all screens.

-t number
    sets pointer acceleration threshold in pixels (i.e. after how many
    pixels pointer acceleration should take effect).

-terminate
    causes the server to terminate at server reset, instead of
    continuing to run. This overrides a previous -noreset command line
    option.

-to seconds
    sets default connection timeout in seconds.

-tst
    disables all testing extensions.

v
    sets video-off screen-saver preference.

-v
    sets video-on screen-saver preference.

-wm
    forces the default backing-store of all windows to be WhenMapped.
    This is a backdoor way of getting backing-store to apply to all
    windows. Although all mapped windows will have backing store, the
    backing store attribute value reported by the server for a window
    will be the last value established by a client. If it has never been
    set by a client, the server will report the default value,
    NotUseful. This behavior is required by the X protocol, which allows
    the server to exceed the client's backing store expectations but
    does not provide a way to tell the client that it is doing so.

[+-]xinerama
    enables(+) or disables(-) XINERAMA provided via the PanoramiX
    extension. This is set to off by default.

[+-]rrxinerama
    enables(+) or disables(-) XINERAMA provided via the RandR
    extension. By default, this feature is enabled. To disable XINERAMA
    completely, make sure to use both options (-xinerama and
    -rrxinerama) on the command line.

nxagent additionally accepts the following non-standard options:

-logo
    turns on the X Window System logo display in the screen-saver.
    There is currently no way to change this from a client.

nologo
    turns off the X Window System logo display in the screen-saver.
    There is currently no way to change this from a client.

-render default|mono|gray|color
    sets the color allocation policy that will be used by the render
    extension.

    default
        selects the default policy defined for the display depth of the
        X server.

    mono
        don't use any color cell.

    gray
        use a gray map of 13 color cells for the X render extension.

    color
        use a color cube of at most 4*4*4 colors (that is 64 color
        cells).

-dumbSched
    disables smart scheduling on platforms that support the smart
    scheduler.

-schedInterval interval
    sets the smart scheduler's scheduling interval to interval
    milliseconds.

The nx-X11 system adds the following command line arguments:

-forcenx
    force use of NX protocol messages assuming communication through
    nxproxy

-autograb
    enable autograb mode on nxagent startup. The autograb feature can
    be toggled via nxagent keystrokes

-nxrealwindowprop
    set property NX_REAL_WINDOW for each X11 client inside nxagent,
    providing the window XID of the corresponding window object on the
    X server that nxagent runs on

-reportwids
    explicitly tell nxagent to report its externally exposed X11 window
    IDs to the session log (in machine readable form), so that external
    parsers can obtain that information from there

-reportprivatewids
    explicitly tell nxagent to report X11 window IDs of internally
    created window objects to the session log (in machine readable
    form), so that external parsers can obtain that information from
    there; this creates a lot of output and may affect performance

-timeout int
    auto-disconnect timeout in seconds (minimum allowed: 60). Default
    is 0 (no timeout).

-norootlessexit
    don't exit if there are no clients in rootless mode

-autodpi
    detect real server's DPI and set it in the agent session; the -dpi
    cmdline option overrides -autodpi. Note that using -autodpi will
    also adapt the DPI on reconnect, which will cause newly started
    clients to respect the new DPI while clients that had been started
    before the reconnect still use the old DPI. This may lead to
    applications looking "weird".

-nomagicpixel
    disable magic pixel support at session startup, can be re-enabled
    via nx/nx option on session resumption

-norender
    disable the use of the render extension

-nocomposite
    disable the use of the composite extension

-nopersistent
    disable disconnection/reconnection to the X display on SIGHUP.
    Non-persistent sessions will terminate on SIGHUP.

-noshmem
    disable use of shared memory extension

-shmem
    enable use of shared memory extension (default)

-noshpix
    disable use of shared pixmaps

-shpix
    enable use of shared pixmaps (default)

-noignore
    don't ignore pointer and keyboard configuration changes mandated by
    clients. As a result, configuration commands like disabling the
    keyboard bell (xset -b) will also affect the real X server.

-nokbreset
    don't reset keyboard device if the session is resumed

-noxkblock
    this is only relevant if you also specify -keyboard=query. In that
    case nxagent will lock the keyboard settings and clients will get an
    error when trying to change keyboard settings via XKEYBOARD. With
    -noxkblock the lock is not applied and clients are allowed to change
    the keyboard settings through XKEYBOARD.

-tile WxH
    maximum size of the tile used when sending an image to the remote
    display (minimum allowed: 32x32). The default depends on the link
    type: 64x64 for modem and isdn, 4096x4096 for all other link types.

-irlimit
    maximum image data rate to the encoder input in kB/s. The default
    is no limit.

-D
    enable desktop mode (default)

-R
    enable rootless mode

-S
    enable shadow mode

-B
    enable proxy binding mode

-keystrokefile
    define path to a keyboard shortcut definitions file. Default is
    ~/.nx/keystrokes.cfg and /etc/nxagent/keystroke.cfg (first existing
    file is taken). If nxagent is run as x2goagent the defaults are
    ~/.x2go/keystrokes.cfg and /etc/x2go/keystrokes.cfg nxagent knows
    about that are not defined in this file are ignored. (Only) if no
    file is found built-in defaults are used. The keystroke file can be
    re-read by a keystroke (ctrl-alt-k by default). See
    README.keystrokes and README.keystrokes.debug for all keystrokes
    nxagent knows. At startup the active keystrokes are printed to the
    session output.

-version
    show version information and exit

-options filepath|string
    path to an options file containing nx/nx options (see below).
    Instead of a path the options can be specified directly on the
    command line by prefixing the options strings with nx/nx, which is
    mostly useful for testing/debugging.

In addition to the command line options, nxagent can be configured at
session startup and at runtime (i.e. when resuming a suspended session)
by so-called nx/nx options. The options file is read on startup. It can
be modified during runtime (but it must stay at the same path). On
reconnect the modified file is then read and the changed options are
applied.

As nx/nx options all options supported by nxcomp (see nxproxy man page)
and all nxagent nx/nx options (see below) can be used. When launching
an nxcomp based nxagent session (i.e. proxy <-> agent), you will
normally set the $DISPLAY variable like this:

    $ export DISPLAY=nx/nx,listen=<proxy-port>,options=<options.file>:<nx-display-port>
    $ nxagent <command-line-options> :<nx-display-port>

The value for <nx-display-port> is some value of a not-yet-used X11
display (e.g. :50).

Using an options file is recommended, but you can also put available
nx/nx options (see below) into the DISPLAY variable directly. Note
that the $DISPLAY variable field is of limited length.

As <proxy-port> you can pick an arbitrary (unused) TCP port or Unix
socket file path. This is the port / socket that you have to connect to
with the nxproxy application.

The right hand side of an option (the part following the "=" character)
can include URL encoded characters. It is required to URL encode at
least "," (as %2D) and "=" (as %3D) to avoid wrong parsing of the
options string.

Available nxagent options (as an addition to nx/nx options supported by
nxcomp already):

options=<string>
    read options from file, this text file can contain a single long
    line with comma-separated nx/nx options

rootless=<bool>
    start nxagent in rootless mode, matches -R given on the command
    line, no-op when resuming (default: 0, disabled)

geometry=<string>
    desktop geometry when starting or resuming a session, no-op in
    rootless mode (default 66% of the underlying X server geometry).
    You can either specify a standard X geometry string (WxH+X+Y) or
    allscreens for a window covering all available screens or onescreen
    for a window covering only one screen. For historical reasons
    fullscreen (as a synonym to allscreens) is also accepted.

fullscreen=<int>
    start or resume a session in fullscreen mode (default: 0, off).
    Specify 1 for a fullscreen window covering all available screens or
    2 for a fullscreen window covering only the first screen.

resize=<bool>
    set resizing support (default: 1, enabled)

keyboard=<string> or kbtype=<string>

    query|clone|<model>/<layout>|rmlvo/<rules>#<model>#<layout>#<variant>#<options>

    query
        use the default XKB keyboard layout (see below) and only allow
        clients to query the settings but prevent any changes. query is
        especially helpful for setups where you need to set/modify the
        actual keyboard layout using core X protocol functions (e.g. via
        xmodmap). It is used for MacOS X clients to handle some keyboard
        problems that are special for this platform. Note that in this
        case XKEYBOARD will always report the default layout which will
        most likely not match the experienced settings.

    clone
        ask the real X server for the keyboard settings using XKEYBOARD
        protocol functions and clone them. This is the recommended
        setting. For compatibility reasons it is not the default.

    <model>/<layout>
        use the given model and layout. A value of null/null is
        equivalent to clone. You can not modify keyboard rules, variant
        or options this way. Instead preset values are used. These are
        base for rules and empty strings for variant and options.

    rmlvo/<rules>#<model>#<layout>#<variant>#<options>
        configure the keyboard according to the rmlvo
        (Rules+Model+Layout+Variant+Options) description given after
        the / and separated by #. This can be used to fully pass the
        keyboard configuration of nxagent right after the start.
        Example: rmlvo/base#pc105#de,us#nodeadkeys#lv3:rwin_switch

    If keyboard is omitted the internal defaults of nxagent will be
    used (rules: base, layout: us, model: pc102, empty variant and
    options).

keyconv=<string>
    set keycode conversion mode

    auto|on|off

    by default (auto) nxagent will activate keycode conversion if it
    detects an evdev XKEYBOARD setup on the nxproxy side (the standard
    on Linux systems nowadays). Keycode conversion means that certain
    keycodes are mapped to make the keyboard appear as a pc105 model.
    Using off this conversion can be suppressed and with on it will be
    forced.

clipboard=<string>

    both|client|server|none

    both
        Allow clipboard data exchange both from nxagent to real X
        server and vice-versa. This is the default.

    client
        Limit clipboard data exchange to work only in one direction:
        from real X server to nxagent. Clipboard will still work inside
        nxagent. This setting effectively prevents data leakage from
        the nxagent session to the outside.

    server
        Limit clipboard data exchange to work only in one direction:
        from nxagent to real X server.

    none
        Disable any clipboard data exchange. Clipboard will still work
        inside the nxagent and on the real X server, but no data
        exchange will be possible.

streaming=<bool>
    enable (set to 1) or disable (set to 0) streaming support for
    images, not fully implemented yet and thus non-functional.
    (default: disabled)

backingstore=<bool>
    disable (set to 0) or enforce (set to 1) backing store support
    (default: enforced). In rootless mode backingstore is always
    disabled.

composite=<bool>
    enable (set to 1) or disable (set to 0) Composite support in
    nxagent (default: enabled)

xinerama=<bool>
    enable (set to 1) or disable (set to 0) XINERAMA support in nxagent
    (default: enabled)

shmem=<bool>
    enable/disable using shared memory. Accepted values: 1 (enable,
    default), 0 (disable)

shpix=<bool>
    enable/disable shared pixmaps support. Accepted values: 1 (enable,
    default), 0 (disable)

client=<string>
    type of connecting operating system (supported: linux, windows,
    solaris and macosx)

shadow=<string>
    define the display that should be shadowed

shadowuid=<int>
    unique identifier for the shadow session

shadowmode=<bool>
    full access (set to 1) or viewing-only (set to 0, default)

defer=<int>
    defer image updates (enabled for all connection types except LAN),
    accepts values 0, 1 and 2

    The default value can be set via the command line (-defer). The
    value provided as nx/nx option is set when resuming a session, thus
    it overrides the command line default.

    The default depends on the link type (see man nxproxy).

    Each defer level adds the following rules to the previous ones:

    0   Eager encoding.

        Default for link speed lan and local.

    1   No data is put or copied on pixmaps, marking them always as
        corrupted and synchronizing them on demand, i.e. when a copy
        area to a window is requested, the source is synchronized
        before copying it.

        Default for link speed wan.

    2   The put images over the windows are skipped marking the
        destination as corrupted. The same happens for copy area and
        composite operations, spreading the corrupted regions of
        involved drawables.

        Default for link speed adsl, isdn and modem.

tile=<string>
    set the maximum tile size in pixels (<W>x<H>) for bitmap data sent
    over the wire

    The default value can be set via the command line (-tile). The
    value provided as nx/nx option is set when resuming a session, thus
    it overrides the command line default.

menu=<bool>
    support pulldown menu in nxagent session (only available on proxy
    <-> agent remote sessions) (default: 1, enabled)

magicpixel=<bool>
    enable/disable magic pixel support in fullscreen mode (default: 1,
    enabled)

copysize=<int>
    Maximum number of bytes that can be pasted from an NX session into
    an external application. Default is unlimited.

autodpi=<bool>
    enable/disable deriving session DPI automatically from real server
    (default: 0, disabled); only takes effect on session startups, gets
    ignored when reconnecting to a suspended session

sleep=<int>
    delay X server operations when suspended (provided in
    milliseconds), set to 0 to keep nxagent session fully functional
    when suspended (e.g. useful when mirroring an nxagent session via
    VNC). Graphic intensive applications will be affected by this more
    than others. The default is 50ms.

tolerancechecks=<string>

    strict|safe|risky|bypass

    strict
        means that the number of internal and external pixmap formats
        must match exactly and every internal pixmap format must be
        available in the external pixmap format array. This is the
        default.

    safe
        means that the number of pixmap formats might diverge, but all
        internal pixmap formats must also be included in the external
        pixmap formats array. This is recommended, because it allows
        clients with more pixmap formats to still connect, but not lose
        functionality.

    risky
        means that the internal pixmap formats array is allowed to be
        smaller than the external pixmap formats array, but at least
        one pixmap format must be included in both. This is potentially
        unsafe.

    bypass
        means that all of these checks are essentially deactivated.
        This is a very bad idea.

autograb=<bool>
    enable or disable autograb (default: 0, disabled). Can be toggled
    during session via keystroke.

If you want to use nxagent as a replacement for Xnest or Xephyr you can
pass options like this:

    $ echo nx/nx,fullscreen=1$DISPLAY >/tmp/opt
    $ nxagent <command-line-options> -options /tmp/opt :<nx-display-port>
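
The following added example (not part of the nxagent documentation or code base) parses an nx/nx options string in the format described above and reports the settings this page itself marks as risky: -ac, -cookie, clipboard directions that let data leave the session, tolerancechecks=risky|bypass and shadowmode=1. The sample command lines and paths are constructed, reporting a missing "-nolisten tcp" is a policy assumption of the example, and values are decoded with standard percent-encoding, in which "," is %2C and "=" is %3D.

```python
import re
import shlex
from urllib.parse import unquote

# nx/nx option values the man page describes as risky, with its reason.
RISKY_OPTIONS = {
    ("clipboard", "both"): "clipboard data can flow out of the session",
    ("clipboard", "server"): "clipboard data flows from the session to the real X server",
    ("tolerancechecks", "risky"): "described as potentially unsafe",
    ("tolerancechecks", "bypass"): "pixmap format checks are deactivated",
    ("shadowmode", "1"): "shadow session has full access instead of view-only",
}
# Defaults the man page states; they apply when a key is absent.
DEFAULTS = {"clipboard": "both", "tolerancechecks": "strict", "shadowmode": "0"}


def parse_nx_options(text):
    """Split 'nx/nx,key=value,...[:display]' into (options dict, display)."""
    text = text.strip()
    if not text.startswith("nx/nx"):
        raise ValueError("not an nx/nx options string")
    body = text[len("nx/nx"):]
    display = None
    # A trailing ':<digits>' is the display number, not part of a value.
    match = re.search(r":(\d+)$", body)
    if match:
        display = ":" + match.group(1)
        body = body[:match.start()]
    options = {}
    for field in body.split(","):
        if not field:
            continue
        key, sep, value = field.partition("=")
        # Decode only after splitting, so an encoded ',' or '=' stays in the value.
        options[key.strip()] = unquote(value) if sep else ""
    return options, display


def audit_options(options):
    """Return (setting, reason) pairs for risky explicit or default values."""
    findings = []
    for key, default in DEFAULTS.items():
        value = options.get(key, default)
        reason = RISKY_OPTIONS.get((key, value))
        if reason:
            origin = "explicit" if key in options else "default"
            findings.append((f"{key}={value}", f"{reason} ({origin})"))
    return findings


def audit_command_line(cmdline):
    """Audit an nxagent command line, including inline '-options nx/nx,...'."""
    argv = shlex.split(cmdline)
    findings = []
    if "-ac" in argv:
        findings.append(("-ac", "host-based access control disabled; any host "
                                "may connect and modify the access list"))
    if "-cookie" in argv:
        findings.append(("-cookie", "XDM-AUTHENTICATION-1 private data is "
                                    "visible on the command line"))
    pairs = list(zip(argv, argv[1:]))
    if ("-nolisten", "tcp") not in pairs:
        # Policy assumption of this example: require TCP to be disabled explicitly.
        findings.append(("-nolisten tcp", "TCP transport not explicitly disabled"))
    for flag, value in pairs:
        if flag == "-options" and value.startswith("nx/nx"):
            options, _display = parse_nx_options(value)
            findings.extend(audit_options(options))
    return findings


# Constructed sample command lines (not taken from a real deployment).
SAMPLE_CMD = ("nxagent -ac -options nx/nx,clipboard=both,tolerancechecks=bypass,"
              "keyboard=rmlvo/base#pc105#de%2Cus#nodeadkeys#lv3:rwin_switch :50")
HARDENED_CMD = ("nxagent -nolisten tcp -auth /home/alice/.Xauthority "
                "-options nx/nx,clipboard=client,tolerancechecks=safe :50")

if __name__ == "__main__":
    for cmd in (SAMPLE_CMD, HARDENED_CMD):
        print(cmd)
        for setting, reason in audit_command_line(cmd) or [("ok", "no findings")]:
            print(f"  {setting}: {reason}")
```

When the options live in a file, pass the file's single line to parse_nx_options and the resulting dict to audit_options; an empty dict shows which documented defaults are themselves reported.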

X servers that support XDMCP have the following options. See the X
Display Manager Control Protocol specification for more information.

-query hostname
    enables XDMCP and sends Query packets to the specified hostname.

-broadcast
    enables XDMCP and broadcasts BroadcastQuery packets to the network.
    The first responding display manager will be chosen for the
    session.

-multicast [address [hop count]]
    Enable XDMCP and multicast BroadcastQuery packets to the network.
    The first responding display manager is chosen for the session. If
    an address is specified, the multicast is sent to that address. If
    no address is specified, the multicast is sent to the default XDMCP
    IPv6 multicast group. If a hop count is specified, it is used as
    the maximum hop count for the multicast. If no hop count is
    specified, the multicast is set to a maximum of 1 hop, to prevent
    the multicast from being routed beyond the local network.

-indirect hostname
    enables XDMCP and sends IndirectQuery packets to the specified
    hostname.

-port port-number
    uses the specified port-number for XDMCP packets, instead of the
    default. This option must be specified before any -query,
    -broadcast, -multicast, or -indirect options.

-from local-address
    specifies the local address to connect from (useful if the
    connecting host has multiple network interfaces). The local-address
    may be expressed in any form acceptable to the host platform's
    gethostbyname(3) implementation.

-once
    causes the server to terminate (rather than reset) when the XDMCP
    session ends.

-class display-class
    XDMCP has an additional display qualifier used in resource lookup
    for display-specific options. This option sets that value, by
    default it is "MIT-Unspecified" (not a very useful value).

-cookie xdm-auth-bits
    When testing XDM-AUTHENTICATION-1, a private key is shared between
    the server and the manager. This option sets the value of that
    private data (not that it is very private, being on the command
    line!).

-displayID display-id
    Yet another XDMCP specific value, this one allows the display
    manager to identify each display so that it can locate the shared
    key.

X servers that support the XKEYBOARD (a.k.a. "XKB") extension accept
the following options. All layout files specified on the command line
must be located in the XKB base directory or a subdirectory, and
specified as the relative path from the XKB base directory. The default
XKB base directory is /usr/share/X11/xkb.

[+-]kb
    enables(+) or disables(-) the XKEYBOARD extension.

[+-]accessx [ timeout [ timeout_mask [ feedback [ options_mask ] ] ] ]
    enables(+) or disables(-) AccessX key sequences.

-xkbdir directory
    base directory for keyboard layout files. This option is not
    available for setuid X servers (i.e., when the X server's real and
    effective uids are different).

-ardelay milliseconds
    sets the autorepeat delay (length of time in milliseconds that a
    key must be depressed before autorepeat starts).

-arinterval milliseconds
    sets the autorepeat interval (length of time in milliseconds that
    should elapse between autorepeat-generated keystrokes).

-xkbmap filename
    loads keyboard description in filename on server startup.

X servers that support the SECURITY extension accept the following
option:

-sp filename
    causes the server to attempt to read and interpret filename as
    a security policy file with the format described below. The
    file is read at server startup and reread at each server reset.

The syntax of the security policy file is as follows. Notation: "*"
means zero or more occurrences of the preceding element, and "+" means
one or more occurrences. To interpret <foo/bar>, ignore the text after
the /; it is used to distinguish between instances of <foo> in the next
section.

<policy file> ::= <version line> <other line>*

<version line> ::= <string/v> '\n'

<other line> ::= <comment> | <access rule> | <site policy> | <blank line>

<comment> ::= # <not newline>* '\n'

<blank line> ::= <space> '\n'

<site policy> ::= sitepolicy <string/sp> '\n'

<access rule> ::= property <property/ar> <window> <perms> '\n'

<property> ::= <string>

<window> ::= any | root | <required property>

<required property> ::= <property/rp> | <property with value>

<property with value> ::= <property/rpv> = <string/rv>

<perms> ::= [ <operation> | <action> | <space> ]*

<operation> ::= r | w | d

<action> ::= a | i | e

<string> ::= <dbl quoted string> | <single quoted string> | <unquoted string>

<dbl quoted string> ::= <space> " <not dquote>* " <space>

<single quoted string> ::= <space> ' <not squote>* ' <space>

<unquoted string> ::= <space> <not space>+ <space>

<space> ::= [ ' ' | '\t' ]*

Character sets:

<not newline> ::= any character except '\n'
<not dquote> ::= any character except "
<not squote> ::= any character except '
<not space> ::= any character except those in <space>

The semantics associated with the above syntax are as follows.

<version line>, the first line in the file, specifies the file format
version. If the server does not recognize the version <string/v>, it
ignores the rest of the file. The version string for the file format
described here is "version-1".

Once past the <version line>, lines that do not match the above syntax
are ignored.

<comment> lines are ignored.

<site policy> lines are currently ignored. They are intended to specify
the site policies used by the XC-QUERY-SECURITY-1 authorization method.

<access rule> lines specify how the server should react to untrusted
client requests that affect the X Window property named <property/ar>.
The rest of this section describes the interpretation of an
<access rule>.

For an <access rule> to apply to a given instance of <property/ar>,
<property/ar> must be on a window that is in the set of windows
specified by <window>. If <window> is any, the rule applies to
<property/ar> on any window. If <window> is root, the rule applies to
<property/ar> only on root windows.

If <window> is <required property>, the following apply. If <required
property> is a <property/rp>, the rule applies when the window also has
that <property/rp>, regardless of its value. If <required property> is
a <property with value>, <property/rpv> must also have the value
specified by <string/rv>. In this case, the property must have type
STRING and format 8, and should contain one or more null-terminated
strings. If any of the strings match <string/rv>, the rule applies.

The definition of string matching is simple case-sensitive string
comparison with one elaboration: the occurrence of the character '*' in
<string/rv> is a wildcard meaning "any string." A <string/rv> can
contain multiple wildcards anywhere in the string. For example, "x*"
matches strings that begin with x, "*x" matches strings that end with
x, "*x*" matches strings containing x, and "x*y*" matches strings that
start with x and subsequently contain y.

There may be multiple <access rule> lines for a given <property/ar>.
The rules are tested in the order that they appear in the file. The
first rule that applies is used.

<perms> specify operations that untrusted clients may attempt, and the
actions that the server should take in response to those operations.

<operation> can be r (read), w (write), or d (delete). The following
table shows how X Protocol property requests map to these operations in
The Open Group server implementation.

GetProperty         r, or r and d if delete = True
ChangeProperty      w
RotateProperties    r and w
DeleteProperty      d
ListProperties      none, untrusted clients can always list all properties

<action> can be a (allow), i (ignore), or e (error). Allow means
execute the request as if it had been issued by a trusted client. Ignore
means treat the request as a no-op. In the case of GetProperty, ignore
means return an empty property value if the property exists, regardless
of its actual value. Error means do not execute the request and return
a BadAtom error with the atom set to the property name. Error is the
default action for all properties, including those not listed in the
security policy file.

An <action> applies to all <operation>s that follow it, until the next
<action> is encountered. Thus, irwad means ignore read and write,
allow delete.

GetProperty and RotateProperties may do multiple operations (r and d,
or r and w). If different actions apply to the operations, the most
severe action is applied to the whole request; there is no partial
request execution. The severity ordering is: allow < ignore < error.
Thus, if the <perms> for a property are ired (ignore read, error
delete), and an untrusted client attempts GetProperty on that property
with delete = True, an error is returned, but the property value is
not. Similarly, if any of the properties in a RotateProperties do not
allow both read and write, an error is returned without changing any
property values.

Here is an example security policy file.

version-1

# Allow reading of application resources, but not writing.
property RESOURCE_MANAGER root ar iw
property SCREEN_RESOURCES root ar iw

# Ignore attempts to use cut buffers. Giving errors causes apps to crash,
# and allowing access may give away too much information.
property CUT_BUFFER0 root irw
property CUT_BUFFER1 root irw
property CUT_BUFFER2 root irw
property CUT_BUFFER3 root irw
property CUT_BUFFER4 root irw
property CUT_BUFFER5 root irw
property CUT_BUFFER6 root irw
property CUT_BUFFER7 root irw

# If you are using Motif, you probably want these.
property _MOTIF_DEFAULT_BINDINGS root ar iw
property _MOTIF_DRAG_WINDOW root ar iw
property _MOTIF_DRAG_TARGETS any ar iw
property _MOTIF_DRAG_ATOMS any ar iw
property _MOTIF_DRAG_ATOM_PAIRS any ar iw

# The next two rules let xwininfo -tree work when untrusted.
property WM_NAME any ar

# Allow read of WM_CLASS, but only for windows with WM_NAME.
# This might be more restrictive than necessary, but demonstrates
# the <required property> facility, and is also an attempt to
# say "top level windows only."
property WM_CLASS WM_NAME ar

# These next three let xlsclients work untrusted. Think carefully
# before including these; giving away the client machine name and command
# may be exposing too much.
property WM_STATE WM_NAME ar
property WM_CLIENT_MACHINE WM_NAME ar
property WM_COMMAND WM_NAME ar

# To let untrusted clients use the standard colormaps created by
# xstdcmap, include these lines.
property RGB_DEFAULT_MAP root ar
property RGB_BEST_MAP root ar
property RGB_RED_MAP root ar
property RGB_GREEN_MAP root ar
property RGB_BLUE_MAP root ar
property RGB_GRAY_MAP root ar

# To let untrusted clients use the color management database created
# by xcmsdb, include these lines.
property XDCCC_LINEAR_RGB_CORRECTION root ar
property XDCCC_LINEAR_RGB_MATRICES root ar
property XDCCC_GRAY_SCREENWHITEPOINT root ar
property XDCCC_GRAY_CORRECTION root ar

# To let untrusted clients use the overlay visuals that many vendors
# support, include this line.
property SERVER_OVERLAY_VISUALS root ar

# Dumb examples to show other capabilities.

# oddball property names and explicit specification of error conditions
property "property with spaces" 'property with "' aw er ed

# Allow deletion of Woo-Hoo if window also has property OhBoy with value
# ending in "son". Reads and writes will cause an error.
property Woo-Hoo OhBoy = "*son" ad


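The parsing and evaluation rules described above, as an added example that is not part of the original manual page or the X server's own code: a small Python reader for version-1 policy files and a function that returns the action an untrusted request would receive. The function names, the tuple layout and the DEMO_PROP rule are assumptions made for the illustration, as is treating a quoted any or root like the bare keyword.

```python
import re

# One <string>: double-quoted, single-quoted or unquoted, wrapped in <space>.
_STR = re.compile(r'''[ \t]*(?:"([^"]*)"|'([^']*)'|([^ \t]+))[ \t]*''')

def _string(line, pos):
    m = _STR.match(line, pos)
    return (next(g for g in m.groups() if g is not None), m.end()) if m else (None, pos)

def parse_policy(text):
    """Return the access rules in file order; [] if the version is unknown."""
    first, *rest = text.split("\n")
    if _string(first, 0)[0] != "version-1":
        return []
    rules = []
    for line in rest:
        keyword, pos = _string(line, 0)
        prop, pos = _string(line, pos)
        window, pos = _string(line, pos)
        has_eq = window is not None and line[pos:pos + 1] == "="
        value, pos = _string(line, pos + 1) if has_eq else (None, pos)
        perms = re.sub(r"[ \t]", "", line[pos:])
        if (keyword != "property" or window is None or (has_eq and value is None)
                or re.search("[^rwdaie]", perms)):
            continue                      # comment, sitepolicy, blank or malformed
        acts, action = {"r": "e", "w": "e", "d": "e"}, "e"   # error by default
        for ch in perms:
            if ch in "aie":
                action = ch               # applies to the operations after it
            else:
                acts[ch] = action
        rules.append((prop, window, value, acts))
    return rules

def wild_match(pattern, s):
    rx = ".*".join(re.escape(p) for p in pattern.split("*"))
    return re.fullmatch(rx, s, re.S) is not None   # '*' means "any string"

def decide(rules, prop, ops, on_root=False, window_props=None):
    """Action for an untrusted request doing `ops` (e.g. "rd") on `prop`."""
    have = window_props or {}             # property name -> list of strings
    for name, window, value, acts in rules:
        applies = window == "any" or (window == "root" and on_root) or (
            window != "root" and window in have and
            (value is None or any(wild_match(value, s) for s in have[window])))
        if name == prop and applies:      # first rule that applies is used
            return max((acts[o] for o in ops), key="aie".index)   # most severe
    return "e"                            # property not covered: error

# Constructed sample: two rules from the example file plus the "ired" case.
SAMPLE = """version-1
property RESOURCE_MANAGER root ar iw
property Woo-Hoo OhBoy = "*son" ad
property DEMO_PROP any ired"""
```

Under this grammar a rule whose <window> and <perms> have lost the space between them (rootar) parses as a required property named rootar with no permissions, so the property stays at the default error action.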
The X server supports client connections via a platform-dependent
subset of the following transport types: TCPIP, Unix Domain sockets and
several varieties of SVR4 local connections. See the DISPLAY NAMES
section of the X(__miscmansuffix__) manual page to learn how to specify
which transport type clients should try to use.


The X server implements a platform-dependent subset of the following
authorization protocols: MIT-MAGIC-COOKIE-1, XDM-AUTHORIZATION-1,
XDM-AUTHORIZATION-2, SUN-DES-1, and MIT-KERBEROS-5. See the
Xsecurity(__miscmansuffix__) manual page for information on the
operation of these protocols.

Authorization data required by the above protocols is passed to the
server in a private file named with the -auth command line option.
Each time the server is about to accept the first connection after a
reset (or when the server is starting), it reads this file. If this
file contains any authorization records, the local host is not
automatically allowed access to the server, and only clients which send
one of the authorization records contained in the file in the connection
setup information will be allowed access. See the Xau manual page for a
description of the binary format of this file. See xauth(1) for
maintenance of this file, and distribution of its contents to remote
hosts.

The X server also uses a host-based access control list for deciding
whether or not to accept connections from clients on a particular
machine. If no other authorization mechanism is being used, this list
initially consists of the host on which the server is running as well
as any machines listed in the file /etc/Xn.hosts, where n is the
display number of the server. Each line of the file should contain
either an Internet hostname (e.g. expo.lcs.mit.edu) or a complete name
in the format family:name as described in the xhost(1) manual page.
There should be no leading or trailing spaces on any lines. For example:

joesworkstation
corporate.company.com
star::
inet:bigcpu
local:

Users can add or remove hosts from this list and enable or disable
access control using the xhost command from the same machine as the
server.

If the X FireWall Proxy (xfwp) is being used without a sitepolicy,
host-based authorization must be turned on for clients to be able to
connect to the X server via the xfwp. If xfwp is run without a
configuration file, so that no sitepolicy is defined, and it is using an
X server where xhost + has been run to turn off host-based authorization
checks, the X server will deny the connection when a client tries to
connect to it via xfwp. See xfwp(1) for more information about this
proxy.

The X protocol intrinsically does not have any notion of window
operation permissions or place any restrictions on what a client can do;
if a program can connect to a display, it has full run of the screen. X
servers that support the SECURITY extension fare better because clients
can be designated untrusted via the authorization they use to connect;
see the xauth(1) manual page for details. Restrictions are imposed on
untrusted clients that curtail the mischief they can do. See the
SECURITY extension specification for a complete list of these
restrictions.

Sites that have better authentication and authorization systems might
wish to make use of the hooks in the libraries and the server to
provide additional security models.

The X server attaches special meaning to the following signals:

SIGHUP  This signal causes the server to close all existing
        connections, free all resources, and restore all defaults. It is
        sent by the display manager whenever the main user's main
        application (usually an xterm or window manager) exits to force
        the server to clean up and prepare for the next user.

SIGTERM This signal causes the server to exit cleanly.

SIGUSR1 This signal is used quite differently from either of the above.
        When the server starts, it checks to see if it has inherited
        SIGUSR1 as SIG_IGN instead of the usual SIG_DFL. In this case,
        the server sends a SIGUSR1 to its parent process after it has
        set up the various connection schemes. Xdm uses this feature
        to recognize when connecting to the server is possible.

The X server can obtain fonts from directories and/or from font
servers. The list of directories and font servers the X server uses
when trying to open a font is controlled by the font path.

The default font path is __default_font_path__ .

The font path can be set with the -fp option or by xset(1) after the
server has started.

/etc/Xn.hosts                  Initial access control list for display
                               number n

/usr/share/fonts/X11/misc,
/usr/share/fonts/X11/75dpi,
/usr/share/fonts/X11/100dpi    Bitmap font directories

/usr/share/fonts/X11/Type1     Outline font directories

/usr/share/nx/rgb              Color database

/tmp/.X11-unix/Xn              Unix domain socket for display number n

/tmp/rcXn                      Kerberos 5 replay cache for display
                               number n

Protocols: X Window System Protocol, NX Compression Protocol, The X
Font Service Protocol, X Display Manager Control Protocol

Fonts: bdftopcf(1), mkfontdir(1), mkfontscale(1), xfs(1), xlsfonts(1),
xfontsel(1), xfd(1), X Logical Font Description Conventions

Security: Xsecurity(__miscmansuffix__), xauth(1), Xau(1), xdm(1),
xhost(1), xfwp(1), Security Extension Specification

Starting the server: xdm(1), xinit(1)

Controlling the server once started: xset(1), xsetroot(1), xhost(1)

Server-specific man pages: Xdec(1), XmacII(1), Xsun(1), Xnest(1),
Xvfb(1), XFree86(1), XDarwin(1).

Server internal documentation: Definition of the Porting Layer for the
X v11 Sample Server

The first sample X server was originally written by Susan Angebranndt,
Raymond Drewry, Philip Karlton, and Todd Newman, from Digital Equipment
Corporation, with support from a large cast. It has since been
extensively rewritten by Keith Packard and Bob Scheifler, from MIT. Dave
Wiggins took over post-R5 and made substantial improvements.

The first implementation of nx-X11 (version 1.x up to 3.5.x) was
written by NoMachine (maintained until 2011).

The current implementation of nx-X11 is maintained by various projects,
amongst others The Arctica Project, TheQVD (Qindel Group) and X2Go.

This manual page was written by Per Hansen <spamhans@yahoo.de>, and
modified by Marcelo Boveto Shima <marceloshima@gmail.com> and Mike
Gabriel <mike.gabriel@das-netzwerkteam.de>. In 2016, the original
Xserver.man page shipped with nx-X11 was merged into the nxagent man
page and received a major update by Mike Gabriel
<mike.gabriel@das-netzwerkteam.de>.



Version 3.5.99.26 Feb 2021 nxagent(1)