1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
|
.\" Copyright 1984 - 1991, 1993, 1994, 1998 The Open Group
.\" Copyright 2011 - 2016, Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
.\"
.\" Permission to use, copy, modify, distribute, and sell this software and its
.\" documentation for any purpose is hereby granted without fee, provided that
.\" the above copyright notice appear in all copies and that both that
.\" copyright notice and this permission notice appear in supporting
.\" documentation.
.\"
.\" The above copyright notice and this permission notice shall be included
.\" in all copies or substantial portions of the Software.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
.\" OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
.\" MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
.\" IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR
.\" OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
.\" ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
.\" OTHER DEALINGS IN THE SOFTWARE.
.\"
.\" Except as contained in this notice, the name of The Open Group shall
.\" not be used in advertising or otherwise to promote the sale, use or
.\" other dealings in this Software without prior written authorization
.\" from The Open Group.
.ds q \N'34'
.TH NXAGENT 1 3.6.x
.SH NAME
nxagent \- nx-X11 Agent (nested Xserver optimized for remote computing)
.SH SYNOPSIS
.B nxagent
.I "[options]"
.SH DESCRIPTION
\fBnxagent\fR is an Xnest-like X server for remote application/desktop access.
.PP
\fBnxagent\fR implements a very efficient compression of the X11
protocol, called the NX protocol.
.PP
The NX protocol increases performance when using X applications over high
latency and low bandwidth networks, while providing a local (LAN-like)
usage experience even if connecting from off-site locations (via cable
modem or GSM).
.PP
\fBnxagent\fR can be used standalone as a nested X server (with NX
protocol disabled), but its real benefits are gained when using it over
remote connections via the nxcomp compression library. The counterpart
application on the other end (i.e. the client) is called
\fBnxproxy\fR.
.PP
When used in proxy <-> agent mode, \fBnxagent\fR adds the feature of
being suspendible. Sessions can be started from one client, suspended and
then resumed from another client.
.PP
\fBnxagent\fR and \fBnxproxy\fR are utilized by various remote
application/desktop frameworks for providing server-side GUI application
access from remote client systems.
.PP
Currently, nx-X11 Agent is co-maintained by three of these projects: The
Arctica Project, TheQVD and X2Go.
.PP
.SH "STARTING THE SERVER"
The nx-X11 Agent should be run in user space. Other than the system's
local X.org server, \fBnxagent\fR does not require to be run as root.
When bundled with a remote application framework, you normally don't have
to launch \fBnxagent\fR manually. nx-X11 Agent startup is normally
managed by the underlying framework (e.g. Arctica Session Manager, X2Go
Server, etc.).
.PP
When the nx-X11 Agent starts up (e.g. by typing 'nxagent -ac :1' in a
terminal window), it typically launches in "windowed desktop" mode. On
your local X server, there appears a new window being an X server itself.
.PP
However, nx-X11 Agent also supports rootless (or seamless) application
mode and a shadow session mode (similar to what VNC does).
.PP
Example: You can launch a complete desktop session inside this nested X
server now:
.TP 8
The Debian way...
.PP
.nf
$ export DISPLAY=:1
$ STARTUP=mate-session /etc/X11/Xsession
.fi
.TP 8
The Fedora / Gentoo / openSUSE way...
.PP
.nf
### FIXME / TODO ###
.fi
.PP
However, nx-X11 Agent also supports rootless (or seamless) application
mode and a shadow session mode (similar to what VNC does).
.SH OPTIONS
The nx-X11 agent accepts a range of default X server options as described
below. Those default options have to be provided via the command line.
Furthermore, the nx-X11 Agent accepts some nx-X11 specific options,
described further below.
Last but not least, the nx-X11 Agent accepts several more options
provided via the $DISPLAY environment variable, the so-called nx/nx
options. See below for further details.
.SH STANDARD XSERVER OPTIONS
.TP 8
.B :\fIdisplaynumber\fP
The X server runs as the given \fIdisplaynumber\fP, which by default is 0.
If multiple X servers are to run simultaneously on a host, each must have
a unique display number. See the DISPLAY
NAMES section of the \fIX\fP(__miscmansuffix__) manual page to learn how to
specify which display number clients should try to use.
.TP 8
.B \-a \fInumber\fP
sets pointer acceleration (i.e. the ratio of how much is reported to how much
the user actually moved the pointer).
.TP 8
.B \-ac
disables host-based access control mechanisms. Enables access by any host,
and permits any host to modify the access control list.
Use with extreme caution.
This option exists primarily for running test suites remotely.
.TP 8
.B \-audit \fIlevel\fP
sets the audit trail level. The default level is 1, meaning only connection
rejections are reported. Level 2 additionally reports all successful
connections and disconnects. Level 4 enables messages from the
SECURITY extension, if present, including generation and revocation of
authorizations and violations of the security policy.
Level 0 turns off the audit trail.
Audit lines are sent as standard error output.
.TP 8
.B \-auth \fIauthorization-file\fP
specifies a file which contains a collection of authorization records used
to authenticate access. See also the \fIxdm\fP(1) and
\fIXsecurity\fP(__miscmansuffix__) manual pages.
.TP 8
.B bc
disables certain kinds of error checking, for bug compatibility with
previous releases (e.g., to work around bugs in R2 and R3 xterms and toolkits).
Deprecated.
.TP 8
.B \-bs
disables backing store support on all screens.
.TP 8
.B \-br
sets the default root window to solid black instead of the standard root weave
pattern.
.TP 8
.B \-c
turns off key-click.
.TP 8
.B c \fIvolume\fP
sets key-click volume (allowable range: 0-100).
.TP 8
.B \-cc \fIclass\fP
sets the visual class for the root window of color screens.
The class numbers are as specified in the X protocol.
Not obeyed by all servers.
.TP 8
.B \-co \fIfilename\fP
sets name of RGB color database. The default is
.IR /usr/share/nx/rgb .
.ig
.TP 8
.B \-config \fIfilename\fP
reads more options from the given file. Options in the file may be separated
by newlines if desired. If a '#' character appears on a line, all characters
between it and the next newline are ignored, providing a simple commenting
facility. The \fB\-config\fP option itself may appear in the file.
.BR NOTE :
This option is disabled when the Xserver is run with an effective uid
different from the user's real uid.
..
.TP 8
.B \-core
causes the server to generate a core dump on fatal errors.
.TP 8
.B \-deferglyphs \fIwhichfonts\fP
specifies the types of fonts for which the server should attempt to use
deferred glyph loading. \fIwhichfonts\fP can be all (all fonts),
none (no fonts), or 16 (16 bit fonts only).
.TP 8
.B \-dpi \fIresolution\fP
sets the resolution for all screens, in dots per inch.
To be used when the server cannot determine the screen size(s) from the
hardware.
.TP 8
.B dpms
enables DPMS (display power management services), where supported. The
default state is platform and configuration specific.
.TP 8
.B \-dpms
disables DPMS (display power management services). The default state
is platform and configuration specific.
.TP 8
.B \-f \fIvolume\fP
sets feep (bell) volume (allowable range: 0-100).
.TP 8
.B \-fc \fIcursorFont\fP
sets default cursor font.
.TP 8
.B \-fn \fIfont\fP
sets the default font.
.TP 8
.B \-fp \fIfontPath\fP
sets the search path for fonts. This path is a comma separated list
of directories which the X server searches for font databases.
See the FONTS section of this manual page for more information and the default
list.
.TP 8
.B \-help
prints a usage message.
.TP 8
.B \-I
causes all remaining command line arguments to be ignored.
.TP 8
.B \-maxbigreqsize \fIsize\fP
sets the maxmium big request to
.I size
MB.
.TP 8
.B \-nolisten \fItrans-type\fP
disables a transport type. For example, TCP/IP connections can be disabled
with
.BR "\-nolisten tcp" .
This option may be issued multiple times to disable listening to different
transport types.
.TP 8
.B \-noreset
prevents a server reset when the last client connection is closed. This
overrides a previous
.B \-terminate
command line option.
.TP 8
.B \-p \fIminutes\fP
sets screen-saver pattern cycle time in minutes.
.TP 8
.B \-pn
permits the server to continue running if it fails to establish all of
its well-known sockets (connection points for clients), but
establishes at least one. This option is set by default.
.TP 8
.B \-nopn
causes the server to exit if it fails to establish all of its well-known
sockets (connection points for clients).
.TP 8
.B \-r
turns off auto-repeat.
.TP 8
.B r
turns on auto-repeat.
.TP 8
.B \-s \fIminutes\fP
sets screen-saver timeout time in minutes.
.TP 8
.B \-su
disables save under support on all screens.
.TP 8
.B \-t \fInumber\fP
sets pointer acceleration threshold in pixels (i.e. after how many pixels
pointer acceleration should take effect).
.TP 8
.B \-terminate
causes the server to terminate at server reset, instead of continuing to run.
This overrides a previous
.B \-noreset
command line option.
.TP 8
.B \-to \fIseconds\fP
sets default connection timeout in seconds.
.TP 8
.B \-tst
disables all testing extensions (e.g., XTEST, XTrap, XTestExtension1, RECORD).
.TP 8
.B tty\fIxx\fP
ignored, for servers started the ancient way (from init).
.TP 8
.B v
sets video-off screen-saver preference.
.TP 8
.B \-v
sets video-on screen-saver preference.
.TP 8
.B \-wm
forces the default backing-store of all windows to be WhenMapped. This
is a backdoor way of getting backing-store to apply to all windows.
Although all mapped windows will have backing store, the backing store
attribute value reported by the server for a window will be the last
value established by a client. If it has never been set by a client,
the server will report the default value, NotUseful. This behavior is
required by the X protocol, which allows the server to exceed the
client's backing store expectations but does not provide a way to tell
the client that it is doing so.
.TP 8
.B \-x \fIextension\fP
loads the specified extension at init.
This is a no-op for most implementations.
.TP 8
.B [+-]xinerama
enables(+) or disables(-) XINERAMA provided via the PanoramiX extension. This is
set to off by default.
.TP 8
.B [+-]rrxinerama
enables(+) or disables(-) XINERAMA provided via the RandR extension. By
default, this feature is enabled. To disable XINERAMA completely, make
sure to use both options (-xinerama -rrxinerama) on the command line.
.SH SERVER DEPENDENT OPTIONS
The nx-X11 Xserver (i.e. \fBnxagent\fR) additionally accepts the following options (non-standard options, dependent on Xserver implementation):
.TP 8
.B \-logo
turns on the X Window System logo display in the screen-saver.
There is currently no way to change this from a client.
.TP 8
.B nologo
turns off the X Window System logo display in the screen-saver.
There is currently no way to change this from a client.
.TP 8
.B \-render
.BR default | mono | gray | color
sets the color allocation policy that will be used by the render extension.
.RS 8
.TP 8
.I default
selects the default policy defined for the display depth of the X
server.
.TP 8
.I mono
don't use any color cell.
.TP 8
.I gray
use a gray map of 13 color cells for the X render extension.
.TP 8
.I color
use a color cube of at most 4*4*4 colors (that is 64 color cells).
.RE
.TP 8
.B \-dumbSched
disables smart scheduling on platforms that support the smart scheduler.
.TP
.B \-schedInterval \fIinterval\fP
sets the smart scheduler's scheduling interval to
.I interval
milliseconds.
.SH NXAGENT SPECIFIC OPTIONS
The nx-X11 system adds the following command line arguments:
.TP 8
.B \-forcenx
force use of NX protocol messages assuming communication through nxproxy
.TP 8
.B \-timeout \fIint\fP
auto-disconnect timeout in seconds (minimum allowed: 60)
.TP 8
.B \-norootlessexit
don't exit if there are no clients in rootless mode
.TP 8
.B \-norender
disable the use of the render extension
.TP 8
.B \-nocomposite
disable the use of the composite extension
.TP 8
.B \-nopersistent
disable disconnection/reconnection to the X display on SIGHUP
.TP 8
.B \-noshmem
disable use of shared memory extension
.TP 8
.B \-shmem
enable use of shared memory extension
.TP 8
.B \-noshpix
disable use of shared pixmaps
.TP 8
.B \-shpix
enable use of shared pixmaps
.TP 8
.B \-noignore
don't ignore pointer and keyboard configuration changes mandated by clients
.TP 8
.B \-nokbreset
don't reset keyboard device if the session is resumed
.TP 8
.B \-noxkblock
always allow applications to change layout through XKEYBOARD
.TP 8
.B \-tile WxH
size of image tiles (minimum allowed: 32x32)
.TP 8
.B \-D
enable desktop mode (default)
.TP 8
.B \-R
enable rootless mode
.TP 8
.B \-S
enable shadow mode
.TP 8
.B \-B
enable proxy binding mode
.PP
Other than the command line options, \fBnxagent\fR can be configured at
session startup and at runtime (i.e. when resuming a suspended session)
by so-called nx/nx options.
.PP
As nx/nx options all options supported by nxcomp (see \fBnxproxy\fR man
page) and all nxagent nx/nx options (see below) can be used.
.
When launching an nxcomp based nx-X11 agent session (i.e. proxy <->
agent), you will normally set the $DISPLAY variable like this:
.PP
.nf
$ export DISPLAY=nx/nx,listen=<proxy-port>,options=<options.file>:<nx-display-port>
$ nxagent <cmdline-options> :<nx-display-port>
.fi
.PP
The value for <nx-display-port> is some value of a not-yet-used X11
display (e.g. :50).
.PP
Using an options file is recommended, but you can also put available
nx/nx options (see below) into the DISPLAY variable directly. Note, that
the $DISPLAY variable field is of limited length.
.PP
As <proxy-port> you can pick an arbitrary (unused) TCP port or Unix
socket file path. This is the port / socket that you have to connect to
with the \fBnxproxy\fR application.
.PP
Available nx-X11 Agent options (as an addition to nx/nx options supported
by nxcomp already):
.TP 8
.B options=<string>
read options from file, this text file can contain a single loooong line with comma-separated nx/nx options
.TP 8
.B rootless=<bool>
start \fBnxagent\fR in rootless mode, matches \-R given on the command line, no-op when resuming (default: false)
.TP 8
.B geometry=<string>
desktop geometry when starting or resuming a session, no-op in rootless mode (default 66% of the underlying X server geometry)
.TP 8
.B resize=<bool>
set resizing support (default: true)
.TP 8
.B fullscreen=<bool>
start or resume a session in fullscreen mode (default: off)
.TP 8
.B keyboard=<string>
set remote keyboard layout
.TP 8
.B clipboard=<string>
.BR both | client | server | none
enable / disable (set to: \fInone\fR) clipboard support, uni-directional (\fIserver\fR or \fIclient\fR) or bi-directional (\fIboth\fR, default setting) support
.TP 8
.B streaming=<int>
streaming support for images, not fully implemented yet and thus non-functional
.TP 8
.B backingstore=<int>
disable or enforce backing store support (default: BackingStoreUndefined)
.TP 8
.B composite=<int>
enable or disable Compsite support in \fBnxagent\fR (default: enabled)
.TP 8
.B xinerama=<int>
enable or disable XINERAMA support in \fBnxagent\fR (default: enabled)
.TP 8
.B shmem=<bool>
enable using shared memory
.TP 8
.B shpix=<bool>
enable shared pixmaps support
.TP 8
.B kbtype=<string>
set remote keyboard type
.TP 8
.B client=<string>
type of connecting operating system (supported: \fIlinux\fR, \fIwindows\fR, \fIsolaris\fR and \fImacosx\fR)
.TP 8
.B shadow=<int>
start \fBnxagent\fR in shadow mode, matches \-S given on the command line, no-op when resuming (default: false)
.TP 8
.B shadowuid=<int>
unique identifier for the shadow session
.TP 8
.B shadowmode=<string>
full access (set to \fI1\fR) or viewing-only (set to \fI0\fR, default)
.TP 8
.B defer=<int>
defer image updates (enabled for all connection types except LAN), accepts values \fI0\fR, \fI1\fR and \fI2\fR
The default value can be set via the cmd line (\-defer). The value
provided as nx/nx option is set when resuming a session, thus it
overrides the cmd line default.
.TP 8
.B tile=<string>
set the tile size in pixels (\fI<W>x<H>\fR) for bitmap data sent over the wire
The default value can be set via the cmd line (\-tile). The value
provided as nx/nx option is set when resuming a session, thus it
overrides the cmd line default.
.TP 8
.B menu=<int>
support pulldown menu in nx-X11 Agent session (only available on proxy <-> agent remote sessions)
.TP 8
.B sleep=<int>
delay X server operations when suspended (provided in msec), set to \fI0\fR to keep nx-X11 Agent session
fully functional when suspended (e.g. useful when mirroring nx-X11 Agent session via VNC)
.TP 8
.B reconnectchecks=<string>
.BR strict|safe|risky|bypass
.RS 8
.TP 8
.I strict
means that the number of internal and external pixmap formats must
match exactly and every internal pixmap format must be available in the
external pixmap format array.
.TP 8
.I safe
means that the number of pixmap formats might diverge, but all
internal pixmap formats must also be included in the external pixmap
formats array. This is recommended, because it allows clients with more
pixmap formats to still connect, but not lose functionality.
.TP 8
.I risky
means that the internal pixmap formats array is allowed to be
smaller than the external pixmap formats array, but at least one pixmap
format must be included in both. This is potentially unsafe.
.TP 8
.I bypass
means that all of these checks are essentially
deactivated. This is a very bad idea.
.RE
.SH XDMCP OPTIONS
X servers that support XDMCP have the following options.
See the \fIX Display Manager Control Protocol\fP specification for more
information.
.TP 8
.B \-query \fIhostname\fP
enables XDMCP and sends Query packets to the specified
.IR hostname .
.TP 8
.B \-broadcast
enable XDMCP and broadcasts BroadcastQuery packets to the network. The
first responding display manager will be chosen for the session.
.TP 8
.B \-multicast [\fIaddress\fP [\fIhop count\fP]]
Enable XDMCP and multicast BroadcastQuery packets to the network.
The first responding display manager is chosen for the session. If an
address is specified, the multicast is sent to that address. If no
address is specified, the multicast is sent to the default XDMCP IPv6
multicast group. If a hop count is specified, it is used as the maximum
hop count for the multicast. If no hop count is specified, the multicast
is set to a maximum of 1 hop, to prevent the multicast from being routed
beyond the local network.
.TP 8
.B \-indirect \fIhostname\fP
enables XDMCP and send IndirectQuery packets to the specified
.IR hostname .
.TP 8
.B \-port \fIport-number\fP
uses the specified \fIport-number\fP for XDMCP packets, instead of the
default. This option must be specified before any \-query, \-broadcast,
\-multicast, or \-indirect options.
.TP 8
.B \-from \fIlocal-address\fP
specifies the local address to connect from (useful if the connecting host
has multiple network interfaces). The \fIlocal-address\fP may be expressed
in any form acceptable to the host platform's \fIgethostbyname\fP(3)
implementation.
.TP 8
.B \-once
causes the server to terminate (rather than reset) when the XDMCP session
ends.
.TP 8
.B \-class \fIdisplay-class\fP
XDMCP has an additional display qualifier used in resource lookup for
display-specific options. This option sets that value, by default it
is "MIT-Unspecified" (not a very useful value).
.TP 8
.B \-cookie \fIxdm-auth-bits\fP
When testing XDM-AUTHENTICATION-1, a private key is shared between the
server and the manager. This option sets the value of that private
data (not that it is very private, being on the command line!).
.TP 8
.B \-displayID \fIdisplay-id\fP
Yet another XDMCP specific value, this one allows the display manager to
identify each display so that it can locate the shared key.
.SH XKEYBOARD OPTIONS
X servers that support the XKEYBOARD (a.k.a. \*qXKB\*q) extension accept the
following options. All layout files specified on the command line must be
located in the XKB base directory or a subdirectory, and specified as the
relative path from the XKB base directory. The default XKB base directory is
.IR /usr/share/X11/xkb .
.TP 8
.B [+-]kb
enables(+) or disables(-) the XKEYBOARD extension.
.TP 8
.BR [+-]accessx " [ \fItimeout\fP [ \fItimeout_mask\fP [ \fIfeedback\fP [ \fIoptions_mask\fP ] ] ] ]"
enables(+) or disables(-) AccessX key sequences.
.TP 8
.B \-xkbdir \fIdirectory\fP
base directory for keyboard layout files. This option is not available
for setuid X servers (i.e., when the X server's real and effective uids
are different).
.TP 8
.B \-ar1 \fImilliseconds\fP
sets the autorepeat delay (length of time in milliseconds that a key must
be depressed before autorepeat starts).
.TP 8
.B \-ar2 \fImilliseconds\fP
sets the autorepeat interval (length of time in milliseconds that should
elapse between autorepeat-generated keystrokes).
.TP 8
.B \-noloadxkb
disables loading of an XKB keymap description on server startup.
.TP 8
.B \-xkbdb \fIfilename\fP
uses \fIfilename\fP for default keyboard keymaps.
.TP 8
.B \-xkbmap \fIfilename\fP
loads keyboard description in \fIfilename\fP on server startup.
.SH SECURITY EXTENSION OPTIONS
X servers that support the SECURITY extension accept the following option:
.TP 8
.B \-sp \fIfilename\fP
causes the server to attempt to read and interpret filename as a security
policy file with the format described below. The file is read at server
startup and reread at each server reset.
.PP
The syntax of the security policy file is as follows.
Notation: "*" means zero or more occurrences of the preceding element,
and "+" means one or more occurrences. To interpret <foo/bar>, ignore
the text after the /; it is used to distinguish between instances of
<foo> in the next section.
.PP
.nf
<policy file> ::= <version line> <other line>*
<version line> ::= <string/v> '\en'
<other line > ::= <comment> | <access rule> | <site policy> | <blank line>
<comment> ::= # <not newline>* '\en'
<blank line> ::= <space> '\en'
<site policy> ::= sitepolicy <string/sp> '\en'
<access rule> ::= property <property/ar> <window> <perms> '\en'
<property> ::= <string>
<window> ::= any | root | <required property>
<required property> ::= <property/rp> | <property with value>
<property with value> ::= <property/rpv> = <string/rv>
<perms> ::= [ <operation> | <action> | <space> ]*
<operation> ::= r | w | d
<action> ::= a | i | e
<string> ::= <dbl quoted string> | <single quoted string> | <unqouted string>
<dbl quoted string> ::= <space> " <not dqoute>* " <space>
<single quoted string> ::= <space> ' <not squote>* ' <space>
<unquoted string> ::= <space> <not space>+ <space>
<space> ::= [ ' ' | '\et' ]*
Character sets:
<not newline> ::= any character except '\en'
<not dqoute> ::= any character except "
<not squote> ::= any character except '
<not space> ::= any character except those in <space>
.fi
.PP
The semantics associated with the above syntax are as follows.
.PP
<version line>, the first line in the file, specifies the file format
version. If the server does not recognize the version <string/v>, it
ignores the rest of the file. The version string for the file format
described here is "version-1" .
.PP
Once past the <version line>, lines that do not match the above syntax
are ignored.
.PP
<comment> lines are ignored.
.PP
<sitepolicy> lines are currently ignored. They are intended to
specify the site policies used by the XC-QUERY-SECURITY-1
authorization method.
.PP
<access rule> lines specify how the server should react to untrusted
client requests that affect the X Window property named <property/ar>.
The rest of this section describes the interpretation of an
<access rule>.
.PP
For an <access rule> to apply to a given instance of <property/ar>,
<property/ar> must be on a window that is in the set of windows
specified by <window>. If <window> is any, the rule applies to
<property/ar> on any window. If <window> is root, the rule applies to
<property/ar> only on root windows.
.PP
If <window> is <required property>, the following apply. If <required
property> is a <property/rp>, the rule applies when the window also
has that <property/rp>, regardless of its value. If <required
property> is a <property with value>, <property/rpv> must also have
the value specified by <string/rv>. In this case, the property must
have type STRING and format 8, and should contain one or more
null-terminated strings. If any of the strings match <string/rv>, the
rule applies.
.PP
The definition of string matching is simple case-sensitive string
comparison with one elaboration: the occurrence of the character '*' in
<string/rv> is a wildcard meaning "any string." A <string/rv> can
contain multiple wildcards anywhere in the string. For example, "x*"
matches strings that begin with x, "*x" matches strings that end with
x, "*x*" matches strings containing x, and "x*y*" matches strings that
start with x and subsequently contain y.
.PP
There may be multiple <access rule> lines for a given <property/ar>.
The rules are tested in the order that they appear in the file. The
first rule that applies is used.
.PP
<perms> specify operations that untrusted clients may attempt, and
the actions that the server should take in response to those operations.
.PP
<operation> can be r (read), w (write), or d (delete). The following
table shows how X Protocol property requests map to these operations
in The Open Group server implementation.
.PP
.nf
GetProperty r, or r and d if delete = True
ChangeProperty w
RotateProperties r and w
DeleteProperty d
ListProperties none, untrusted clients can always list all properties
.fi
.PP
<action> can be a (allow), i (ignore), or e (error). Allow means
execute the request as if it had been issued by a trusted client.
Ignore means treat the request as a no-op. In the case of
GetProperty, ignore means return an empty property value if the
property exists, regardless of its actual value. Error means do not
execute the request and return a BadAtom error with the atom set to
the property name. Error is the default action for all properties,
including those not listed in the security policy file.
.PP
An <action> applies to all <operation>s that follow it, until the next
<action> is encountered. Thus, irwad means ignore read and write,
allow delete.
.PP
GetProperty and RotateProperties may do multiple operations (r and d,
or r and w). If different actions apply to the operations, the most
severe action is applied to the whole request; there is no partial
request execution. The severity ordering is: allow < ignore < error.
Thus, if the <perms> for a property are ired (ignore read, error
delete), and an untrusted client attempts GetProperty on that property
with delete = True, an error is returned, but the property value is
not. Similarly, if any of the properties in a RotateProperties do not
allow both read and write, an error is returned without changing any
property values.
.PP
Here is an example security policy file.
.PP
.ta 3i 4i
.nf
version-1
# Allow reading of application resources, but not writing.
property RESOURCE_MANAGER root ar iw
property SCREEN_RESOURCES root ar iw
# Ignore attempts to use cut buffers. Giving errors causes apps to crash,
# and allowing access may give away too much information.
property CUT_BUFFER0 root irw
property CUT_BUFFER1 root irw
property CUT_BUFFER2 root irw
property CUT_BUFFER3 root irw
property CUT_BUFFER4 root irw
property CUT_BUFFER5 root irw
property CUT_BUFFER6 root irw
property CUT_BUFFER7 root irw
# If you are using Motif, you probably want these.
property _MOTIF_DEFAULT_BINDINGS root ar iw
property _MOTIF_DRAG_WINDOW root ar iw
property _MOTIF_DRAG_TARGETS any ar iw
property _MOTIF_DRAG_ATOMS any ar iw
property _MOTIF_DRAG_ATOM_PAIRS any ar iw
# The next two rules let xwininfo -tree work when untrusted.
property WM_NAME any ar
# Allow read of WM_CLASS, but only for windows with WM_NAME.
# This might be more restrictive than necessary, but demonstrates
# the <required property> facility, and is also an attempt to
# say "top level windows only."
property WM_CLASS WM_NAME ar
# These next three let xlsclients work untrusted. Think carefully
# before including these; giving away the client machine name and command
# may be exposing too much.
property WM_STATE WM_NAME ar
property WM_CLIENT_MACHINE WM_NAME ar
property WM_COMMAND WM_NAME ar
# To let untrusted clients use the standard colormaps created by
# xstdcmap, include these lines.
property RGB_DEFAULT_MAP root ar
property RGB_BEST_MAP root ar
property RGB_RED_MAP root ar
property RGB_GREEN_MAP root ar
property RGB_BLUE_MAP root ar
property RGB_GRAY_MAP root ar
# To let untrusted clients use the color management database created
# by xcmsdb, include these lines.
property XDCCC_LINEAR_RGB_CORRECTION root ar
property XDCCC_LINEAR_RGB_MATRICES root ar
property XDCCC_GRAY_SCREENWHITEPOINT root ar
property XDCCC_GRAY_CORRECTION root ar
# To let untrusted clients use the overlay visuals that many vendors
# support, include this line.
property SERVER_OVERLAY_VISUALS root ar
# Dumb examples to show other capabilities.
# oddball property names and explicit specification of error conditions
property "property with spaces" 'property with "' aw er ed
# Allow deletion of Woo-Hoo if window also has property OhBoy with value
# ending in "son". Reads and writes will cause an error.
property Woo-Hoo OhBoy = "*son" ad
.fi
.SH "NETWORK CONNECTIONS"
The X server supports client connections via a platform-dependent subset of
the following transport types: TCP\/IP, Unix Domain sockets, DECnet,
and several varieties of SVR4 local connections. See the DISPLAY
NAMES section of the \fIX\fP(__miscmansuffix__) manual page to learn how to
specify which transport type clients should try to use.
.SH GRANTING ACCESS
The X server implements a platform-dependent subset of the following
authorization protocols: MIT-MAGIC-COOKIE-1, XDM-AUTHORIZATION-1,
XDM-AUTHORIZATION-2, SUN-DES-1, and MIT-KERBEROS-5. See the
\fIXsecurity\fP(__miscmansuffix__) manual page for information on the
operation of these protocols.
.PP
Authorization data required by the above protocols is passed to the
server in a private file named with the \fB\-auth\fP command line
option. Each time the server is about to accept the first connection
after a reset (or when the server is starting), it reads this file.
If this file contains any authorization records, the local host is not
automatically allowed access to the server, and only clients which
send one of the authorization records contained in the file in the
connection setup information will be allowed access. See the
\fIXau\fP manual page for a description of the binary format of this
file. See \fIxauth\fP(1) for maintenance of this file, and distribution
of its contents to remote hosts.
.PP
The X server also uses a host-based access control list for deciding
whether or not to accept connections from clients on a particular machine.
If no other authorization mechanism is being used,
this list initially consists of the host on which the server is running as
well as any machines listed in the file \fI/etc/X\fBn\fI.hosts\fR, where
\fBn\fP is the display number of the server. Each line of the file should
contain either an Internet hostname (e.g. expo.lcs.mit.edu) or a DECnet
hostname in double colon format (e.g. hydra::) or a complete name in the format
\fIfamily\fP:\fIname\fP as described in the \fIxhost\fP(1) manual page.
There should be no leading or trailing spaces on any lines. For example:
.sp
.in +8
.nf
joesworkstation
corporate.company.com
star::
inet:bigcpu
local:
.fi
.in -8
.PP
Users can add or remove hosts from this list and enable or disable access
control using the \fIxhost\fP command from the same machine as the server.
.PP
If the X FireWall Proxy (\fIxfwp\fP) is being used without a sitepolicy,
host-based authorization must be turned on for clients to be able to
connect to the X server via the \fIxfwp\fP. If \fIxfwp\fP is run without
a configuration file and thus no sitepolicy is defined, if \fIxfwp\fP
is using an X server where xhost + has been run to turn off host-based
authorization checks, when a client tries to connect to this X server
via \fIxfwp\fP, the X server will deny the connection. See \fIxfwp\fP(1)
for more information about this proxy.
.PP
The X protocol intrinsically does not have any notion of window operation
permissions or place any restrictions on what a client can do; if a program can
connect to a display, it has full run of the screen.
X servers that support the SECURITY extension fare better because clients
can be designated untrusted via the authorization they use to connect; see
the \fIxauth\fP(1) manual page for details. Restrictions are imposed
on untrusted clients that curtail the mischief they can do. See the SECURITY
extension specification for a complete list of these restrictions.
.PP
Sites that have better
authentication and authorization systems might wish to make
use of the hooks in the libraries and the server to provide additional
security models.
.SH SIGNALS
The X server attaches special meaning to the following signals:
.TP 8
.I SIGHUP
This signal causes the server to close all existing connections, free all
resources, and restore all defaults. It is sent by the display manager
whenever the main user's main application (usually an \fIxterm\fP or window
manager) exits to force the server to clean up and prepare for the next
user.
.TP 8
.I SIGTERM
This signal causes the server to exit cleanly.
.TP 8
.I SIGUSR1
This signal is used quite differently from either of the above. When the
server starts, it checks to see if it has inherited SIGUSR1 as SIG_IGN
instead of the usual SIG_DFL. In this case, the server sends a SIGUSR1 to
its parent process after it has set up the various connection schemes.
\fIXdm\fP uses this feature to recognize when connecting to the server
is possible.
.SH FONTS
The X server
can obtain fonts from directories and/or from font servers.
The list of directories and font servers
the X server uses when trying to open a font is controlled
by the \fIfont path\fP.
.LP
The default font path is
__default_font_path__ .
.LP
The font path can be set with the \fB\-fp\fP option or by \fIxset\fP(1)
after the server has started.
.SH FILES
.TP 30
.I /etc/X\fBn\fP.hosts
Initial access control list for display number \fBn\fP
.TP 30
.IR /usr/share/fonts/X11/misc,
/usr/share/fonts/X11/75dpi,
/usr/share/fonts/X11/100dpi
Bitmap font directories
.TP 30
.IR /usr/share/fonts/X11/Type1
Outline font directories
.TP 30
.I /usr/share/nx/rgb
Color database
.TP 30
.I /tmp/.X11-unix/X\fBn\fP
Unix domain socket for display number \fBn\fP
.TP 30
.IR /tmp/rcX\fBn\fP
Kerberos 5 replay cache for display number \fBn\fP
.SH "SEE ALSO"
Protocols:
.I "X Window System Protocol,"
.I "NX Compression Protocol,"
.I "The X Font Service Protocol,"
.I "X Display Manager Control Protocol"
.PP
Fonts: \fIbdftopcf\fP(1), \fImkfontdir\fP(1), \fImkfontscale\fP(1),
\fIxfs\fP(1), \fIxlsfonts\fP(1), \fIxfontsel\fP(1), \fIxfd\fP(1),
.I "X Logical Font Description Conventions"
.PP
Security: \fIXsecurity\fP(__miscmansuffix__), \fIxauth\fP(1), \fIXau\fP(1),
\fIxdm\fP(1), \fIxhost\fP(1), \fIxfwp\fP(1),
.I "Security Extension Specification"
.PP
Starting the server: \fIxdm\fP(1), \fIxinit\fP(1)
.PP
Controlling the server once started: \fIxset\fP(1), \fIxsetroot\fP(1),
\fIxhost\fP(1)
.PP
Server-specific man pages:
\fIXdec\fP(1), \fIXmacII\fP(1), \fIXsun\fP(1), \fIXnest\fP(1),
\fIXvfb\fP(1), \fIXFree86\fP(1), \fIXDarwin\fP(1).
.PP
Server internal documentation:
.I "Definition of the Porting Layer for the X v11 Sample Server"
.SH AUTHORS
The first sample X server was originally written by Susan Angebranndt,
Raymond Drewry, Philip Karlton, and Todd Newman, from Digital Equipment
Corporation, with support from a large cast. It has since been
extensively rewritten by Keith Packard and Bob Scheifler, from MIT. Dave
Wiggins took over post-R5 and made substantial improvements.
.PP
The first implementation of nx-X11 (version 1.x up to 3.5.x) was written
by NoMachine (maintained until 2011).
.PP
The current implementation of nx-X11 is maintained by various projects,
amongst others The Arctica Project, TheQVD (Qindel Group) and X2Go.
.PP
This manual page was written by Per Hansen <spamhans@yahoo.de>, and
modified by Marcelo Boveto Shima <marceloshima@gmail.com> and Mike
Gabriel <mike.gabriel@das-netzwerkteam.de>. In 2016, the original
Xserver.man page shipped with nx-X11 was merged into the \fBnxagent\fR
man page and received a major update by Mike Gabriel
<mike.gabriel@das-netzwerkteam.de>.
|