Provided by: nxagent_3.5.99.16-1_amd64 
NAME
nxagent - nested Xserver optimized for remote computing
SYNOPSIS
nxagent [options]
DESCRIPTION
nxagent is an X server for remote application/desktop access similar to Xnest or Xephyr.
nxagent implements a very efficient compression of the X11 protocol, called the NX
protocol.
The NX protocol increases performance when using X applications over high latency and low
bandwidth networks, while providing a local (LAN-like) usage experience even if connecting
from off-site locations (via cable modem or GSM).
nxagent can be used standalone as a nested X server (with NX protocol disabled), but its
real benefits are gained when using it over remote connections via the nxcomp compression
library. The counterpart application on the other end (i.e. the client) is called nxproxy.
When used in proxy <-> agent mode, nxagent adds the feature of being suspendible. Sessions
can be started from one client, suspended and then resumed from another (or the same)
client.
nxagent and nxproxy are utilized by various remote application/desktop frameworks for
providing server-side GUI application access from remote client systems.
Currently, nxagent is co-maintained by three of these projects: The Arctica Project,
TheQVD and X2Go.
STARTING THE SERVER
nxagent should be run in user space. Other than the system's local X.org server, nxagent
does not require to be run as root. When bundled with a remote application framework, you
normally don't have to launch nxagent manually. nxagent startup is usually managed by the
underlying framework (e.g. Arctica Session Manager, X2Go Server, etc.).
When nxagent starts up (e.g. by typing 'nxagent -ac :1' in a terminal window), it
typically launches in "windowed desktop" mode. On your local X server a new window appears
being an X server itself.
However, nxagent also supports rootless (or seamless) application mode and a shadow
session mode (similar to what VNC does).
Example: You can launch a complete desktop session inside this nested X server now:
The Debian way...
$ export DISPLAY=:1
$ STARTUP=mate-session /etc/X11/Xsession
The Fedora / Gentoo / openSUSE way...
### FIXME / TODO ###
However, nxagent also supports rootless (or seamless) application mode and a shadow
session mode (similar to what VNC does).
OPTIONS
nxagent accepts a range of default X server options as described below. Those default
options have to be provided via the command line.
Furthermore, nxagent accepts some nx-X11 specific options, described further below.
Last but not least, nxagent accepts several more options, the so-called nx/nx options,
provided via the $DISPLAY environment variable or the -options command line option. See
below for further details.
STANDARD XSERVER OPTIONS
:displaynumber
The X server runs as the given displaynumber, which by default is 0. If multiple
X servers are to run simultaneously on a host, each must have a unique display
number. See the DISPLAY NAMES section of the X(__miscmansuffix__) manual page to
learn how to specify which display number clients should try to use.
-a number
sets pointer acceleration (i.e. the ratio of how much is reported to how much the
user actually moved the pointer).
-ac disables host-based access control mechanisms. Enables access by any host, and
permits any host to modify the access control list. Use with extreme caution.
This option exists primarily for running test suites remotely.
-audit level
sets the audit trail level. The default level is 1, meaning only connection
rejections are reported. Level 2 additionally reports all successful connections
and disconnects. Level 4 enables messages from the SECURITY extension, if
present, including generation and revocation of authorizations and violations of
the security policy. Level 0 turns off the audit trail. Audit lines are sent as
standard error output.
-auth authorization-file
specifies a file which contains a collection of authorization records used to
authenticate access. See also the xdm(1) and Xsecurity(__miscmansuffix__) manual
pages.
-bs disables backing store support on all screens.
-br sets the default root window to solid black instead of the standard root weave
pattern.
-c turns off key-click.
c volume
sets key-click volume (allowable range: 0-100).
-cc class
sets the visual class for the root window of color screens. The class numbers are
as specified in the X protocol. Not obeyed by all servers.
-co filename
This used to be the option for specifying the path to the RGB color database file.
As the RGB color database is now embedded into the binary this option has no
effect but is kept for compatibility. Deprecated.
-core causes the server to generate a core dump on fatal errors.
-displayfd fd
specifies a file descriptor in the launching process. Rather than specifying a
display number, the X server will attempt to listen on successively higher display
numbers, and upon finding a free one, will write the port number back on this file
descriptor as a newline-terminated string. The -pn option is ignored when using
-displayfd.
nxagent specific:
(1) Other than in X.org's Xserver, you can use -displayfd in conjunction with an
explicit display number. If the explicit display number is not available (i.e.,
already in use), nxagent tries to figure out the next available display number,
e.g.:
nxagent -displayfd 2 :50
(2) If -displayfd <X> is given with <X> equaling 2 (STDERR), then the display
number string written to STDERR is beautified with some human-readable (machine-
parseable) text.
-deferglyphs whichfonts
specifies the types of fonts for which the server should attempt to use deferred
glyph loading. whichfonts can be all (all fonts), none (no fonts), or 16 (16 bit
fonts only).
-dpi resolution
sets the resolution for all screens, in dots per inch. To be used when the server
cannot determine the screen size(s) from the hardware.
dpms enables DPMS (display power management services), where supported. The default
state is platform and configuration specific.
-dpms disables DPMS (display power management services). The default state is platform
and configuration specific.
-f volume
sets feep (bell) volume (allowable range: 0-100).
-fc cursorFont
sets default cursor font.
-fn font
sets the default font.
-fp fontPath
sets the search path for fonts. This path is a comma separated list of
directories which the X server searches for font databases. See the FONTS section
of this manual page for more information and the default list.
-help prints a usage message.
-I causes all remaining command line arguments to be ignored.
-maxbigreqsize size
sets the maximum big request to size MB.
-nolisten trans-type
disables a transport type. For example, TCP/IP connections can be disabled with
-nolisten tcp. This option may be issued multiple times to disable listening to
different transport types.
-noreset
prevents a server reset when the last client connection is closed. This overrides
a previous -terminate command line option.
-p minutes
sets screen-saver pattern cycle time in minutes.
-pn permits the server to continue running if it fails to establish all of its well-
known sockets (connection points for clients), but establishes at least one. This
option is set by default.
-nopn causes the server to exit if it fails to establish all of its well-known sockets
(connection points for clients).
-r turns off auto-repeat.
r turns on auto-repeat.
-s minutes
sets screen-saver timeout time in minutes.
-su disables save under support on all screens.
-t number
sets pointer acceleration threshold in pixels (i.e. after how many pixels pointer
acceleration should take effect).
-terminate
causes the server to terminate at server reset, instead of continuing to run.
This overrides a previous -noreset command line option.
-to seconds
sets default connection timeout in seconds.
-tst disables all testing extensions.
v sets video-off screen-saver preference.
-v sets video-on screen-saver preference.
-wm forces the default backing-store of all windows to be WhenMapped. This is a
backdoor way of getting backing-store to apply to all windows. Although all
mapped windows will have backing store, the backing store attribute value reported
by the server for a window will be the last value established by a client. If it
has never been set by a client, the server will report the default value,
NotUseful. This behavior is required by the X protocol, which allows the server
to exceed the client's backing store expectations but does not provide a way to
tell the client that it is doing so.
[+-]xinerama
enables(+) or disables(-) XINERAMA provided via the PanoramiX extension. This is
set to off by default.
[+-]rrxinerama
enables(+) or disables(-) XINERAMA provided via the RandR extension. By default,
this feature is enabled. To disable XINERAMA completely, make sure to use both
options (-xinerama and -rrxinerama) on the command line.
SERVER DEPENDENT OPTIONS
nxagent additionally accepts the following non-standard options:
-logo turns on the X Window System logo display in the screen-saver. There is currently
no way to change this from a client.
nologo turns off the X Window System logo display in the screen-saver. There is
currently no way to change this from a client.
-render
default|mono|gray|color
sets the color allocation policy that will be used by the render extension.
default selects the default policy defined for the display depth of the X server.
mono don't use any color cell.
gray use a gray map of 13 color cells for the X render extension.
color use a color cube of at most 4*4*4 colors (that is 64 color cells).
-dumbSched
disables smart scheduling on platforms that support the smart scheduler.
-schedInterval interval
sets the smart scheduler's scheduling interval to interval milliseconds.
NXAGENT SPECIFIC OPTIONS
The nx-X11 system adds the following command line arguments:
-forcenx
force use of NX protocol messages assuming communication through nxproxy
-nxrealwindowprop
set property NX_REAL_WINDOW for each X11 client inside nxagent, providing the
window XID of the corresponding window object on the X server that nxagent runs on
-reportwids
explicitly tell nxagent to report its externally exposed X11 window IDs to the
session log (in machine readable form), so that external parsers can obtain that
information from there
-reportprivatewids
explicitly tell nxagent to report X11 window IDs of internally created window
objects to the session log (in machine readable form), so that external parsers
can obtain that information from there; this creates a lot of output and may
affect performance
-timeout int
auto-disconnect timeout in seconds (minimum allowed: 60)
-norootlessexit
don't exit if there are no clients in rootless mode
-autodpi
detect real server's DPI and set it in the agent session; the -dpi <dpi> cmdline
option overrides -autodpi
-nomagicpixel
disable magic pixel support at session startup, can be re-enabled via nx/nx option
on session resumption
-norender
disable the use of the render extension
-nocomposite
disable the use of the composite extension
-nopersistent
disable disconnection/reconnection to the X display on SIGHUP
-noshmem
disable use of shared memory extension
-shmem enable use of shared memory extension
-noshpix
disable use of shared pixmaps
-shpix enable use of shared pixmaps
-noignore
don't ignore pointer and keyboard configuration changes mandated by clients. As a
result, configuration commands like disabling the keyboard bell (xset -b) will
also affect the real X server.
-nokbreset
don't reset keyboard device if the session is resumed
-noxkblock
this is only relevant if you also specify -keyboard=query. In that case nxagent
will lock the keyboard settings and clients will get an error when trying to
change keyboard settings via XKEYBOARD. With -noxkblock the lock is not applied
and clients can change the keyboard settings through XKEYBOARD.
-tile WxH
size of image tiles (minimum allowed: 32x32)
-D enable desktop mode (default)
-R enable rootless mode
-S enable shadow mode
-B enable proxy binding mode
-version
show version information and exit
-options filename
path to an options file containing nx/nx options (see below).
Other than the command line options, nxagent can be configured at session startup and at
runtime (i.e. when resuming a suspended session) by so-called nx/nx options.
As nx/nx options all options supported by nxcomp (see nxproxy man page) and all nxagent
nx/nx options (see below) can be used. When launching an nxcomp based nxagent session
(i.e. proxy <-> agent), you will normally set the $DISPLAY variable like this:
$ export DISPLAY=nx/nx,listen=<proxy-port>,options=<options.file>:<nx-display-port>
$ nxagent <command-line-options> :<nx-display-port>
The value for <nx-display-port> is some value of a not-yet-used X11 display (e.g. :50).
Using an options file is recommended, but you can also put available nx/nx options (see
below) into the DISPLAY variable directly. Note, that the $DISPLAY variable field is of
limited length.
As <proxy-port> you can pick an arbitrary (unused) TCP port or Unix socket file path. This
is the port / socket that you have to connect to with the nxproxy application.
Available nxagent options (as an addition to nx/nx options supported by nxcomp already):
options=<string>
read options from file, this text file can contain a single loooong line with
comma-separated nx/nx options
rootless=<bool>
start nxagent in rootless mode, matches -R given on the command line, no-op when
resuming (default: false)
geometry=<string>
desktop geometry when starting or resuming a session, no-op in rootless mode
(default 66% of the underlying X server geometry)
resize=<bool>
set resizing support (default: true)
fullscreen=<bool>
start or resume a session in fullscreen mode (default: off)
keyboard=<string> or kbtype=<string>
query|<model>/<layout>
query use the default XKB keyboard layout (see below) and only allow clients to
query the settings but prevent any changes. query is especially helpful
for setups where you need to set/modify the actual keyboard layout using
core X protocol functions (e.g. via xmodmap). It is used for MacOS X
clients to handle some keyboard problems that are special for this
platform. Note that in this case XKEYBOARD will always report the default
layout which will most likely not match the experienced settings.
<model>/<layout>
use the given model and layout. You can not modify keyboard rules, variant
or options. Instead preset values are used. These are xfree86 for rules
and empty strings for variant and options.
If keyboard is omitted the internal defaults of nxagent will be used (rules:
xfree86, layout: us, model: pc102, empty variant and options).
keyconv=<string>
set keycode conversion mode
auto|on|off
by default (auto) nxagent will activate keycode conversion if it detects an evdev
XKEYBOARD setup on the client side (the standard on linux systems nowadays).
Keycode conversion means that certain keycodes are mapped to make the keyboard
appear as an pc105 model. Using off this conversion can be suppressed and with on
it will be forced.
clipboard=<string>
both|client|server|none
enable / disable (set to: none) clipboard support, uni-directional (server or
client) or bi-directional (both, default setting) support
streaming=<int>
streaming support for images, not fully implemented yet and thus non-functional
backingstore=<int>
disable or enforce backing store support (default: BackingStoreUndefined)
composite=<int>
enable or disable Composite support in nxagent (default: enabled)
xinerama=<int>
enable or disable XINERAMA support in nxagent (default: enabled)
shmem=<bool>
enable using shared memory
shpix=<bool>
enable shared pixmaps support
client=<string>
type of connecting operating system (supported: linux, windows, solaris and
macosx)
shadow=<int>
start nxagent in shadow mode, matches -S given on the command line, no-op when
resuming (default: false)
shadowuid=<int>
unique identifier for the shadow session
shadowmode=<string>
full access (set to 1) or viewing-only (set to 0, default)
defer=<int>
defer image updates (enabled for all connection types except LAN), accepts values
0, 1 and 2
The default value can be set via the command line (-defer). The value provided as
nx/nx option is set when resuming a session, thus it overrides the command line
default.
tile=<string>
set the tile size in pixels (<W>x<H>) for bitmap data sent over the wire
The default value can be set via the command line (-tile). The value provided as
nx/nx option is set when resuming a session, thus it overrides the command line
default.
menu=<int>
support pulldown menu in nxagent session (only available on proxy <-> agent remote
sessions)
magicpixel=<bool>
enable/disable magic pixel support in fullscreen mode (default: 1, enabled)
autodpi=<bool>
enable/disable deriving session DPI automatically from real server (default: 0,
disabled); only takes effect on session startups, gets ignored when reconnecting
to a suspended session
sleep=<int>
delay X server operations when suspended (provided in msec), set to 0 to keep
nxagent session fully functional when suspended (e.g. useful when mirroring an
nxagent session via VNC)
tolerancechecks=<string>
strict|safe|risky|bypass
strict means that the number of internal and external pixmap formats must match
exactly and every internal pixmap format must be available in the external
pixmap format array. This is the default.
safe means that the number of pixmap formats might diverge, but all internal
pixmap formats must also be included in the external pixmap formats array.
This is recommended, because it allows clients with more pixmap formats to
still connect, but not lose functionality.
risky means that the internal pixmap formats array is allowed to be smaller than
the external pixmap formats array, but at least one pixmap format must be
included in both. This is potentially unsafe.
bypass means that all of these checks are essentially deactivated. This is a very
bad idea.
If you want to use nxagent as a replacement for Xnest or Xephyr you can pass options like
this:
$ echo nx/nx,fullscreen=1$DISPLAY >/tmp/opt
$ nxagent <command-line-options> -options /tmp/opt :<nx-display-port>
XDMCP OPTIONS
X servers that support XDMCP have the following options. See the X Display Manager
Control Protocol specification for more information.
-query hostname
enables XDMCP and sends Query packets to the specified hostname.
-broadcast
enable XDMCP and broadcasts BroadcastQuery packets to the network. The first
responding display manager will be chosen for the session.
-multicast [address [hop count]]
Enable XDMCP and multicast BroadcastQuery packets to the network. The first
responding display manager is chosen for the session. If an address is specified,
the multicast is sent to that address. If no address is specified, the multicast
is sent to the default XDMCP IPv6 multicast group. If a hop count is specified,
it is used as the maximum hop count for the multicast. If no hop count is
specified, the multicast is set to a maximum of 1 hop, to prevent the multicast
from being routed beyond the local network.
-indirect hostname
enables XDMCP and send IndirectQuery packets to the specified hostname.
-port port-number
uses the specified port-number for XDMCP packets, instead of the default. This
option must be specified before any -query, -broadcast, -multicast, or -indirect
options.
-from local-address
specifies the local address to connect from (useful if the connecting host has
multiple network interfaces). The local-address may be expressed in any form
acceptable to the host platform's gethostbyname(3) implementation.
-once causes the server to terminate (rather than reset) when the XDMCP session ends.
-class display-class
XDMCP has an additional display qualifier used in resource lookup for display-
specific options. This option sets that value, by default it is "MIT-Unspecified"
(not a very useful value).
-cookie xdm-auth-bits
When testing XDM-AUTHENTICATION-1, a private key is shared between the server and
the manager. This option sets the value of that private data (not that it is very
private, being on the command line!).
-displayID display-id
Yet another XDMCP specific value, this one allows the display manager to identify
each display so that it can locate the shared key.
XKEYBOARD OPTIONS
X servers that support the XKEYBOARD (a.k.a. "XKB") extension accept the following
options. All layout files specified on the command line must be located in the XKB base
directory or a subdirectory, and specified as the relative path from the XKB base
directory. The default XKB base directory is /usr/share/X11/xkb.
[+-]kb enables(+) or disables(-) the XKEYBOARD extension.
[+-]accessx [ timeout [ timeout_mask [ feedback [ options_mask ] ] ] ]
enables(+) or disables(-) AccessX key sequences.
-xkbdir directory
base directory for keyboard layout files. This option is not available for setuid
X servers (i.e., when the X server's real and effective uids are different).
-ardelay milliseconds
sets the autorepeat delay (length of time in milliseconds that a key must be
depressed before autorepeat starts).
-arinterval milliseconds
sets the autorepeat interval (length of time in milliseconds that should elapse
between autorepeat-generated keystrokes).
-xkbmap filename
loads keyboard description in filename on server startup.
SECURITY EXTENSION OPTIONS
X servers that support the SECURITY extension accept the following option:
-sp filename
causes the server to attempt to read and interpret filename as a security policy
file with the format described below. The file is read at server startup and
reread at each server reset.
The syntax of the security policy file is as follows. Notation: "*" means zero or more
occurrences of the preceding element, and "+" means one or more occurrences. To interpret
<foo/bar>, ignore the text after the /; it is used to distinguish between instances of
<foo> in the next section.
<policy file> ::= <version line> <other line>*
<version line> ::= <string/v> '\n'
<other line > ::= <comment> | <access rule> | <site policy> | <blank line>
<comment> ::= # <not newline>* '\n'
<blank line> ::= <space> '\n'
<site policy> ::= sitepolicy <string/sp> '\n'
<access rule> ::= property <property/ar> <window> <perms> '\n'
<property> ::= <string>
<window> ::= any | root | <required property>
<required property> ::= <property/rp> | <property with value>
<property with value> ::= <property/rpv> = <string/rv>
<perms> ::= [ <operation> | <action> | <space> ]*
<operation> ::= r | w | d
<action> ::= a | i | e
<string> ::= <dbl quoted string> | <single quoted string> | <unqouted string>
<dbl quoted string> ::= <space> " <not dqoute>* " <space>
<single quoted string> ::= <space> ' <not squote>* ' <space>
<unquoted string> ::= <space> <not space>+ <space>
<space> ::= [ ' ' | '\t' ]*
Character sets:
<not newline> ::= any character except '\n'
<not dqoute> ::= any character except "
<not squote> ::= any character except '
<not space> ::= any character except those in <space>
The semantics associated with the above syntax are as follows.
<version line>, the first line in the file, specifies the file format version. If the
server does not recognize the version <string/v>, it ignores the rest of the file. The
version string for the file format described here is "version-1" .
Once past the <version line>, lines that do not match the above syntax are ignored.
<comment> lines are ignored.
<sitepolicy> lines are currently ignored. They are intended to specify the site policies
used by the XC-QUERY-SECURITY-1 authorization method.
<access rule> lines specify how the server should react to untrusted client requests that
affect the X Window property named <property/ar>. The rest of this section describes the
interpretation of an <access rule>.
For an <access rule> to apply to a given instance of <property/ar>, <property/ar> must be
on a window that is in the set of windows specified by <window>. If <window> is any, the
rule applies to <property/ar> on any window. If <window> is root, the rule applies to
<property/ar> only on root windows.
If <window> is <required property>, the following apply. If <required property> is a
<property/rp>, the rule applies when the window also has that <property/rp>, regardless of
its value. If <required property> is a <property with value>, <property/rpv> must also
have the value specified by <string/rv>. In this case, the property must have type STRING
and format 8, and should contain one or more null-terminated strings. If any of the
strings match <string/rv>, the rule applies.
The definition of string matching is simple case-sensitive string comparison with one
elaboration: the occurrence of the character '*' in <string/rv> is a wildcard meaning "any
string." A <string/rv> can contain multiple wildcards anywhere in the string. For
example, "x*" matches strings that begin with x, "*x" matches strings that end with x,
"*x*" matches strings containing x, and "x*y*" matches strings that start with x and
subsequently contain y.
There may be multiple <access rule> lines for a given <property/ar>. The rules are tested
in the order that they appear in the file. The first rule that applies is used.
<perms> specify operations that untrusted clients may attempt, and the actions that the
server should take in response to those operations.
<operation> can be r (read), w (write), or d (delete). The following table shows how X
Protocol property requests map to these operations in The Open Group server
implementation.
GetProperty r, or r and d if delete = True
ChangeProperty w
RotateProperties r and w
DeleteProperty d
ListProperties none, untrusted clients can always list all properties
<action> can be a (allow), i (ignore), or e (error). Allow means execute the request as
if it had been issued by a trusted client. Ignore means treat the request as a no-op. In
the case of GetProperty, ignore means return an empty property value if the property
exists, regardless of its actual value. Error means do not execute the request and return
a BadAtom error with the atom set to the property name. Error is the default action for
all properties, including those not listed in the security policy file.
An <action> applies to all <operation>s that follow it, until the next <action> is
encountered. Thus, irwad means ignore read and write, allow delete.
GetProperty and RotateProperties may do multiple operations (r and d, or r and w). If
different actions apply to the operations, the most severe action is applied to the whole
request; there is no partial request execution. The severity ordering is: allow < ignore
< error. Thus, if the <perms> for a property are ired (ignore read, error delete), and an
untrusted client attempts GetProperty on that property with delete = True, an error is
returned, but the property value is not. Similarly, if any of the properties in a
RotateProperties do not allow both read and write, an error is returned without changing
any property values.
Here is an example security policy file.
version-1
# Allow reading of application resources, but not writing.
property RESOURCE_MANAGER root ar iw
property SCREEN_RESOURCES root ar iw
# Ignore attempts to use cut buffers. Giving errors causes apps to crash,
# and allowing access may give away too much information.
property CUT_BUFFER0 root irw
property CUT_BUFFER1 root irw
property CUT_BUFFER2 root irw
property CUT_BUFFER3 root irw
property CUT_BUFFER4 root irw
property CUT_BUFFER5 root irw
property CUT_BUFFER6 root irw
property CUT_BUFFER7 root irw
# If you are using Motif, you probably want these.
property _MOTIF_DEFAULT_BINDINGS rootar iw
property _MOTIF_DRAG_WINDOW root ar iw
property _MOTIF_DRAG_TARGETS any ar iw
property _MOTIF_DRAG_ATOMS any ar iw
property _MOTIF_DRAG_ATOM_PAIRS anyar iw
# The next two rules let xwininfo -tree work when untrusted.
property WM_NAME any ar
# Allow read of WM_CLASS, but only for windows with WM_NAME.
# This might be more restrictive than necessary, but demonstrates
# the <required property> facility, and is also an attempt to
# say "top level windows only."
property WM_CLASS WM_NAME ar
# These next three let xlsclients work untrusted. Think carefully
# before including these; giving away the client machine name and command
# may be exposing too much.
property WM_STATE WM_NAME ar
property WM_CLIENT_MACHINE WM_NAME ar
property WM_COMMAND WM_NAME ar
# To let untrusted clients use the standard colormaps created by
# xstdcmap, include these lines.
property RGB_DEFAULT_MAP root ar
property RGB_BEST_MAP root ar
property RGB_RED_MAP root ar
property RGB_GREEN_MAP root ar
property RGB_BLUE_MAP root ar
property RGB_GRAY_MAP root ar
# To let untrusted clients use the color management database created
# by xcmsdb, include these lines.
property XDCCC_LINEAR_RGB_CORRECTION rootar
property XDCCC_LINEAR_RGB_MATRICES rootar
property XDCCC_GRAY_SCREENWHITEPOINT rootar
property XDCCC_GRAY_CORRECTION rootar
# To let untrusted clients use the overlay visuals that many vendors
# support, include this line.
property SERVER_OVERLAY_VISUALS rootar
# Dumb examples to show other capabilities.
# oddball property names and explicit specification of error conditions
property "property with spaces" 'property with "'aw er ed
# Allow deletion of Woo-Hoo if window also has property OhBoy with value
# ending in "son". Reads and writes will cause an error.
property Woo-Hoo OhBoy = "*son"ad
NETWORK CONNECTIONS
The X server supports client connections via a platform-dependent subset of the following
transport types: TCPIP, Unix Domain sockets and several varieties of SVR4 local
connections. See the DISPLAY NAMES section of the X(__miscmansuffix__) manual page to
learn how to specify which transport type clients should try to use.
GRANTING ACCESS
The X server implements a platform-dependent subset of the following authorization
protocols: MIT-MAGIC-COOKIE-1, XDM-AUTHORIZATION-1, XDM-AUTHORIZATION-2, SUN-DES-1, and
MIT-KERBEROS-5. See the Xsecurity(__miscmansuffix__) manual page for information on the
operation of these protocols.
Authorization data required by the above protocols is passed to the server in a private
file named with the -auth command line option. Each time the server is about to accept
the first connection after a reset (or when the server is starting), it reads this file.
If this file contains any authorization records, the local host is not automatically
allowed access to the server, and only clients which send one of the authorization records
contained in the file in the connection setup information will be allowed access. See the
Xau manual page for a description of the binary format of this file. See xauth(1) for
maintenance of this file, and distribution of its contents to remote hosts.
The X server also uses a host-based access control list for deciding whether or not to
accept connections from clients on a particular machine. If no other authorization
mechanism is being used, this list initially consists of the host on which the server is
running as well as any machines listed in the file /etc/Xn.hosts, where n is the display
number of the server. Each line of the file should contain either an Internet hostname
(e.g. expo.lcs.mit.edu) or a complete name in the format family:name as described in the
xhost(1) manual page. There should be no leading or trailing spaces on any lines. For
example:
joesworkstation
corporate.company.com
star::
inet:bigcpu
local:
Users can add or remove hosts from this list and enable or disable access control using
the xhost command from the same machine as the server.
If the X FireWall Proxy (xfwp) is being used without a sitepolicy, host-based
authorization must be turned on for clients to be able to connect to the X server via the
xfwp. If xfwp is run without a configuration file and thus no sitepolicy is defined, if
xfwp is using an X server where xhost + has been run to turn off host-based authorization
checks, when a client tries to connect to this X server via xfwp, the X server will deny
the connection. See xfwp(1) for more information about this proxy.
The X protocol intrinsically does not have any notion of window operation permissions or
place any restrictions on what a client can do; if a program can connect to a display, it
has full run of the screen. X servers that support the SECURITY extension fare better
because clients can be designated untrusted via the authorization they use to connect; see
the xauth(1) manual page for details. Restrictions are imposed on untrusted clients that
curtail the mischief they can do. See the SECURITY extension specification for a complete
list of these restrictions.
Sites that have better authentication and authorization systems might wish to make use of
the hooks in the libraries and the server to provide additional security models.
SIGNALS
The X server attaches special meaning to the following signals:
SIGHUP This signal causes the server to close all existing connections, free all
resources, and restore all defaults. It is sent by the display manager whenever
the main user's main application (usually an xterm or window manager) exits to
force the server to clean up and prepare for the next user.
SIGTERM This signal causes the server to exit cleanly.
SIGUSR1 This signal is used quite differently from either of the above. When the server
starts, it checks to see if it has inherited SIGUSR1 as SIG_IGN instead of the
usual SIG_DFL. In this case, the server sends a SIGUSR1 to its parent process
after it has set up the various connection schemes. Xdm uses this feature to
recognize when connecting to the server is possible.
FONTS
The X server can obtain fonts from directories and/or from font servers. The list of
directories and font servers the X server uses when trying to open a font is controlled by
the font path.
The default font path is __default_font_path__ .
The font path can be set with the -fp option or by xset(1) after the server has started.
FILES
/etc/Xn.hosts Initial access control list for display number n
/usr/share/fonts/X11/misc,
/usr/share/fonts/X11/75dpi,
/usr/share/fonts/X11/100dpi Bitmap font directories
/usr/share/fonts/X11/Type1 Outline font directories
/usr/share/nx/rgb Color database
/tmp/.X11-unix/Xn Unix domain socket for display number n
/tmp/rcXn Kerberos 5 replay cache for display number n
SEE ALSO
Protocols: X Window System Protocol, NX Compression Protocol, The X Font Service Protocol,
X Display Manager Control Protocol
Fonts: bdftopcf(1), mkfontdir(1), mkfontscale(1), xfs(1), xlsfonts(1), xfontsel(1),
xfd(1), X Logical Font Description Conventions
Security: Xsecurity(__miscmansuffix__), xauth(1), Xau(1), xdm(1), xhost(1), xfwp(1),
Security Extension Specification
Starting the server: xdm(1), xinit(1)
Controlling the server once started: xset(1), xsetroot(1), xhost(1)
Server-specific man pages: Xdec(1), XmacII(1), Xsun(1), Xnest(1), Xvfb(1), XFree86(1),
XDarwin(1).
Server internal documentation: Definition of the Porting Layer for the X v11 Sample Server
AUTHORS
The first sample X server was originally written by Susan Angebranndt, Raymond Drewry,
Philip Karlton, and Todd Newman, from Digital Equipment Corporation, with support from a
large cast. It has since been extensively rewritten by Keith Packard and Bob Scheifler,
from MIT. Dave Wiggins took over post-R5 and made substantial improvements.
The first implementation of nx-X11 (version 1.x up to 3.5.x) was written by NoMachine
(maintained until 2011).
The current implementation of nx-X11 is maintained by various projects, amongst others The
Arctica Project, TheQVD (Qindel Group) and X2Go.
This manual page was written by Per Hansen <spamhans@yahoo.de>, and modified by Marcelo
Boveto Shima <marceloshima@gmail.com> and Mike Gabriel <mike.gabriel@das-netzwerkteam.de>.
In 2016, the original Xserver.man page shipped with nx-X11 was merged into the nxagent man
page and received a major update by Mike Gabriel <mike.gabriel@das-netzwerkteam.de>.