XSERVER(1) X Version 11 (Release 6.6) XSERVER(1)
NAME
Xserver - X Window System display server
SYNOPSIS
X [option ...]
DESCRIPTION
X is the generic name for the X Window System display
server. It is frequently a link or a copy of the
appropriate server binary for driving the most frequently
used server on a given machine.
STARTING THE SERVER
The X server is usually started from the X Display Manager
program xdm(1). This utility is run from the system boot
files and takes care of keeping the server running,
prompting for usernames and passwords, and starting up the
user sessions.
Installations that run more than one window system may need
to use the xinit(1) utility instead of xdm. However, xinit
is to be considered a tool for building startup scripts and
is not intended for use by end users. Site administrators
are strongly urged to use xdm, or build other interfaces for
novice users.
The X server may also be started directly by the user,
though this method is usually reserved for testing and is
not recommended for normal operation. On some platforms,
the user must have special permission to start the X server,
often because access to certain devices (e.g. /dev/mouse) is
restricted.
When the X server starts up, it typically takes over the
display. If you are running on a workstation whose console
is the display, you may not be able to log into the console
while the server is running.
OPTIONS
All of the X servers accept the following command line
options:
:displaynumber
the X server runs as the given displaynumber, which
by default is 0. If multiple X servers are to run
simultaneously on a host, each must have a unique
display number. See the DISPLAY NAMES section of
the X(1) manual page to learn how to specify which
display number clients should try to use.
-a number
sets pointer acceleration (i.e. the ratio of how
Page 1 (printed 7/20/06)
XSERVER(1) X Version 11 (Release 6.6) XSERVER(1)
much is reported to how much the user actually moved
the pointer).
-ac disables host-based access control mechanisms.
Enables access by any host, and permits any host to
modify the access control list. Use with extreme
caution. This option exists primarily for running
test suites remotely.
-audit level
Sets the audit trail level. The default level is 1,
meaning only connection rejections are reported.
Level 2 additionally reports all successful
connections and disconnects. Level 4 enables
messages from the SECURITY extension, if present,
including generation and revocation of
authorizations and violations of the security
policy. Level 0 turns off the audit trail. Audit
lines are sent as standard error output.
-auth authorization-file
Specifies a file which contains a collection of
authorization records used to authenticate access.
See also the xdm and Xsecurity manual pages.
bc disables certain kinds of error checking, for bug
compatibility with previous releases (e.g., to work
around bugs in R2 and R3 xterms and toolkits).
Deprecated.
-bs disables backing store support on all screens.
-c turns off key-click.
c volume
sets key-click volume (allowable range: 0-100).
-cc class
sets the visual class for the root window of color
screens. The class numbers are as specified in the
X protocol. Not obeyed by all servers.
-co filename
sets name of RGB color database. The default is
<XRoot>/lib/X11/rgb, where <XRoot> refers to the
root of the X11 install tree.
-config filename
reads more options from the given file. Options in
the file may be separated by newlines if desired.
If a '#' character appears on a line, all characters
between it and the next newline are ignored,
Page 2 (printed 7/20/06)
XSERVER(1) X Version 11 (Release 6.6) XSERVER(1)
providing a simple commenting facility. The -config
option itself may appear in the file.
-core causes the server to generate a core dump on fatal
errors.
-dpi resolution
sets the resolution of the screen, in dots per inch.
To be used when the server cannot determine the
screen size from the hardware.
-deferglyphs whichfonts
specifies the types of fonts for which the server
should attempt to use deferred glyph loading.
whichfonts can be all (all fonts), none (no fonts),
or 16 (16 bit fonts only).
-f volume
sets feep (bell) volume (allowable range: 0-100).
-fc cursorFont
sets default cursor font.
-fn font
sets the default font.
-fp fontPath
sets the search path for fonts. This path is a
comma separated list of directories which the X
server searches for font databases.
-help prints a usage message.
-I causes all remaining command line arguments to be
ignored.
-kb disables the XKEYBOARD extension if present.
-p minutes
sets screen-saver pattern cycle time in minutes.
-pn permits the server to continue running if it fails
to establish all of its well-known sockets
(connection points for clients), but establishes at
least one.
-r turns off auto-repeat.
r turns on auto-repeat.
-s minutes
sets screen-saver timeout time in minutes.
Page 3 (printed 7/20/06)
XSERVER(1) X Version 11 (Release 6.6) XSERVER(1)-su disables save under support on all screens.
-t number
sets pointer acceleration threshold in pixels (i.e.
after how many pixels pointer acceleration should
take effect).
-terminate
causes the server to terminate at server reset,
instead of continuing to run. On platforms running
XFree86(1), the -terminate option overrides a
previous -noreset command line option.
-to seconds
sets default connection timeout in seconds.
-tst disables all testing extensions (e.g., XTEST, XTrap,
XTestExtension1, RECORD).
ttyxx ignored, for servers started the ancient way (from
init).
v sets video-off screen-saver preference.
-v sets video-on screen-saver preference.
-wm forces the default backing-store of all windows to
be WhenMapped. This is a backdoor way of getting
backing-store to apply to all windows. Although all
mapped windows will have backing store, the backing
store attribute value reported by the server for a
window will be the last value established by a
client. If it has never been set by a client, the
server will report the default value, NotUseful.
This behavior is required by the X protocol, which
allows the server to exceed the client's backing
store expectations but does not provide a way to
tell the client that it is doing so.
-x extension
loads the specified extension at init. This is a
no-op for most implementations.
[+-]xinerama
enable(+) or disable(-) XINERAMA extension. Default
is disabled.
SERVER DEPENDENT OPTIONS
Some X servers accept the following options:
-ld kilobytes
sets the data space limit of the server to the
Page 4 (printed 7/20/06)
XSERVER(1) X Version 11 (Release 6.6) XSERVER(1)
specified number of kilobytes. A value of zero
makes the data size as large as possible. The
default value of -1 leaves the data space limit
unchanged.
-lf files
sets the number-of-open-files limit of the server to
the specified number. A value of zero makes the
limit as large as possible. The default value of -1
leaves the limit unchanged.
-ls kilobytes
sets the stack space limit of the server to the
specified number of kilobytes. A value of zero
makes the stack size as large as possible. The
default value of -1 leaves the stack space limit
unchanged.
-logo turns on the X Window System logo display in the
screen-saver. There is currently no way to change
this from a client.
-nolisten trans-type
Disable a transport type. For example, TCP/IP
connections can be disabled with -nolisten tcp. This
option is available on platforms running XFree86(1).
-noreset
Prevents a server reset when the last client
connection is closed. This overrides a previous
-terminate command line option. This option is
available on platforms running XFree86(1).
nologo turns off the X Window System logo display in the
screen-saver. There is currently no way to change
this from a client.
XDMCP OPTIONS
X servers that support XDMCP have the following options.
See the X Display Manager Control Protocol specification for
more information.
-query host-name
Enable XDMCP and send Query packets to the specified
host.
-broadcast
Enable XDMCP and broadcast BroadcastQuery packets to
the network. The first responding display manager
will be chosen for the session.
-indirect host-name
Page 5 (printed 7/20/06)
XSERVER(1) X Version 11 (Release 6.6) XSERVER(1)
Enable XDMCP and send IndirectQuery packets to the
specified host.
-port port-num
Use an alternate port number for XDMCP packets.
Must be specified before any -query, -broadcast or
-indirect options.
-from local-address
Specify the local address to send the XDMCP query
from. This is currently only implemented for direct
(-query) XDMCP queries. This option is available on
platforms running XFree86(1).
-once Causes the server to terminate (rather than reset)
when the XDMCP session ends. This option is
available on platforms running XFree86(1).
-class display-class
XDMCP has an additional display qualifier used in
resource lookup for display-specific options. This
option sets that value, by default it is "MIT-
Unspecified" (not a very useful value).
-cookie xdm-auth-bits
When testing XDM-AUTHENTICATION-1, a private key is
shared between the server and the manager. This
option sets the value of that private data (not that
it is very private, being on the command line!).
-displayID display-id
Yet another XDMCP specific value, this one allows
the display manager to identify each display so that
it can locate the shared key.
XKEYBOARD OPTIONS
X servers that support the XKEYBOARD extension accept the
following options:
-xkbdir directory
base directory for keyboard layout files
-xkbmap filename
keyboard description to load on startup
[+-]accessx
enable(+) or disable(-) AccessX key sequences
-ar1 milliseconds
sets the length of time in milliseconds that a key
must be depressed before autorepeat starts
Page 6 (printed 7/20/06)
XSERVER(1) X Version 11 (Release 6.6) XSERVER(1)-ar2 milliseconds
sets the length of time in milliseconds that should
elapse between autorepeat-generated keystrokes
Many servers also have device-specific command line options.
See the manual pages for the individual servers for more
details.
SECURITY EXTENSION OPTIONS
X servers that support the SECURITY extension accept the
following option:
-sp filename
causes the server to attempt to read and interpret
filename as a security policy file with the format
described below. The file is read at server startup
and reread at each server reset.
The syntax of the security policy file is as follows.
Notation: "*" means zero or more occurrences of the
preceding element, and "+" means one or more occurrences.
To interpret <foo/bar>, ignore the text after the /; it is
used to distinguish between instances of <foo> in the next
section.
<policy file> ::= <version line> <other line>*
<version line> ::= <string/v> '\n'
<other line > ::= <comment> | <access rule> | <site policy> | <blank line>
<comment> ::= # <not newline>* '\n'
<blank line> ::= <space> '\n'
<site policy> ::= sitepolicy <string/sp> '\n'
<access rule> ::= property <property/ar> <window> <perms> '\n'
<property> ::= <string>
<window> ::= any | root | <required property>
<required property> ::= <property/rp> | <property with value>
<property with value> ::= <property/rpv> = <string/rv>
<perms> ::= [ <operation> | <action> | <space> ]*
<operation> ::= r | w | d
<action> ::= a | i | e
Page 7 (printed 7/20/06)
XSERVER(1) X Version 11 (Release 6.6) XSERVER(1)
<string> ::= <dbl quoted string> | <single quoted string> | <unqouted string>
<dbl quoted string> ::= <space> " <not dqoute>* " <space>
<single quoted string> ::= <space> ' <not squote>* ' <space>
<unquoted string> ::= <space> <not space>+ <space>
<space> ::= [ ' ' | '\t' ]*
Character sets:
<not newline> ::= any character except '\n'
<not dqoute> ::= any character except "
<not squote> ::= any character except '
<not space> ::= any character except those in <space>
The semantics associated with the above syntax are as
follows.
<version line>, the first line in the file, specifies the
file format version. If the server does not recognize the
version <string/v>, it ignores the rest of the file. The
version string for the file format described here is
"version-1" .
Once past the <version line>, lines that do not match the
above syntax are ignored.
<comment> lines are ignored.
<sitepolicy> lines are currently ignored. They are intended
to specify the site policies used by the XC-QUERY-SECURITY-1
authorization method.
<access rule> lines specify how the server should react to
untrusted client requests that affect the X Window property
named <property/ar>. The rest of this section describes the
interpretation of an <access rule>.
For an <access rule> to apply to a given instance of
<property/ar>, <property/ar> must be on a window that is in
the set of windows specified by <window>. If <window> is
any, the rule applies to <property/ar> on any window. If
<window> is root, the rule applies to <property/ar> only on
root windows.
If <window> is <required property>, the following apply. If
<required property> is a <property/rp>, the rule applies
when the window also has that <property/rp>, regardless of
its value. If <required property> is a <property with
value>, <property/rpv> must also have the value specified by
Page 8 (printed 7/20/06)
XSERVER(1) X Version 11 (Release 6.6) XSERVER(1)
<string/rv>. In this case, the property must have type
STRING and format 8, and should contain one or more null-
terminated strings. If any of the strings match
<string/rv>, the rule applies.
The definition of string matching is simple case-sensitive
string comparison with one elaboration: the occurence of the
character '*' in <string/rv> is a wildcard meaning "any
string." A <string/rv> can contain multiple wildcards
anywhere in the string. For example, "x*" matches strings
that begin with x, "*x" matches strings that end with x,
"*x*" matches strings containing x, and "x*y*" matches
strings that start with x and subsequently contain y.
There may be multiple <access rule> lines for a given
<property/ar>. The rules are tested in the order that they
appear in the file. The first rule that applies is used.
<perms> specify operations that untrusted clients may
attempt, and the actions that the server should take in
response to those operations.
<operation> can be r (read), w (write), or d (delete). The
following table shows how X Protocol property requests map
to these operations in The Open Group server implementation.
GetProperty r, or r and d if delete = True
ChangeProperty w
RotateProperties r and w
DeleteProperty d
ListProperties none, untrusted clients can always list all properties
<action> can be a (allow), i (ignore), or e (error). Allow
means execute the request as if it had been issued by a
trusted client. Ignore means treat the request as a no-op.
In the case of GetProperty, ignore means return an empty
property value if the property exists, regardless of its
actual value. Error means do not execute the request and
return a BadAtom error with the atom set to the property
name. Error is the default action for all properties,
including those not listed in the security policy file.
An <action> applies to all <operation>s that follow it,
until the next <action> is encountered. Thus, irwad means
ignore read and write, allow delete.
GetProperty and RotateProperties may do multiple operations
(r and d, or r and w). If different actions apply to the
operations, the most severe action is applied to the whole
request; there is no partial request execution. The
severity ordering is: allow < ignore < error. Thus, if the
<perms> for a property are ired (ignore read, error delete),
Page 9 (printed 7/20/06)
XSERVER(1) X Version 11 (Release 6.6) XSERVER(1)
and an untrusted client attempts GetProperty on that
property with delete = True, an error is returned, but the
property value is not. Similarly, if any of the properties
in a RotateProperties do not allow both read and write, an
error is returned without changing any property values.
Here is an example security policy file.
version-1
# Allow reading of application resources, but not writing.
property RESOURCE_MANAGER root ar iw
property SCREEN_RESOURCES root ar iw
# Ignore attempts to use cut buffers. Giving errors causes apps to crash,
# and allowing access may give away too much information.
property CUT_BUFFER0 root irw
property CUT_BUFFER1 root irw
property CUT_BUFFER2 root irw
property CUT_BUFFER3 root irw
property CUT_BUFFER4 root irw
property CUT_BUFFER5 root irw
property CUT_BUFFER6 root irw
property CUT_BUFFER7 root irw
# If you are using Motif, you probably want these.
property _MOTIF_DEFAULT_BINDINGS rootar iw
property _MOTIF_DRAG_WINDOW root ar iw
property _MOTIF_DRAG_TARGETS any ar iw
property _MOTIF_DRAG_ATOMS any ar iw
property _MOTIF_DRAG_ATOM_PAIRS any ar iw
# The next two rules let xwininfo -tree work when untrusted.
property WM_NAME any ar
# Allow read of WM_CLASS, but only for windows with WM_NAME.
# This might be more restrictive than necessary, but demonstrates
# the <required property> facility, and is also an attempt to
# say "top level windows only."
property WM_CLASS WM_NAME ar
# These next three let xlsclients work untrusted. Think carefully
# before including these; giving away the client machine name and command
# may be exposing too much.
property WM_STATE WM_NAME ar
property WM_CLIENT_MACHINE WM_NAME ar
property WM_COMMAND WM_NAME ar
# To let untrusted clients use the standard colormaps created by
# xstdcmap, include these lines.
property RGB_DEFAULT_MAP root ar
property RGB_BEST_MAP root ar
Page 10 (printed 7/20/06)
XSERVER(1) X Version 11 (Release 6.6) XSERVER(1)
property RGB_RED_MAP root ar
property RGB_GREEN_MAP root ar
property RGB_BLUE_MAP root ar
property RGB_GRAY_MAP root ar
# To let untrusted clients use the color management database created
# by xcmsdb, include these lines.
property XDCCC_LINEAR_RGB_CORRECTION rootar
property XDCCC_LINEAR_RGB_MATRICES rootar
property XDCCC_GRAY_SCREENWHITEPOINT rootar
property XDCCC_GRAY_CORRECTION rootar
# To let untrusted clients use the overlay visuals that many vendors
# support, include this line.
property SERVER_OVERLAY_VISUALS rootar
# Dumb examples to show other capabilities.
# oddball property names and explicit specification of error conditions
property "property with spaces" 'property with "'aw er ed
# Allow deletion of Woo-Hoo if window also has property OhBoy with value
# ending in "son". Reads and writes will cause an error.
property Woo-Hoo OhBoy = "*son"ad
NETWORK CONNECTIONS
The X server supports client connections via a platform-
dependent subset of the following transport types: TCP/IP,
Unix Domain sockets, DECnet, and several varieties of SVR4
local connections. See the DISPLAY NAMES section of the
X(1) manual page to learn how to specify which transport
type clients should try to use.
GRANTING ACCESS
The X server implements a platform-dependent subset of the
following authorization protocols: MIT-MAGIC-COOKIE-1, XDM-
AUTHORIZATION-1, SUN-DES-1, and MIT-KERBEROS-5. See the
Xsecurity(1) manual page for information on the operation of
these protocols.
Authorization data required by the above protocols is passed
to the server in a private file named with the -auth command
line option. Each time the server is about to accept the
first connection after a reset (or when the server is
starting), it reads this file. If this file contains any
authorization records, the local host is not automatically
allowed access to the server, and only clients which send
one of the authorization records contained in the file in
the connection setup information will be allowed access.
See the Xau manual page for a description of the binary
format of this file. See xauth(1) for maintenance of this
Page 11 (printed 7/20/06)
XSERVER(1) X Version 11 (Release 6.6) XSERVER(1)
file, and distribution of its contents to remote hosts.
The X server also uses a host-based access control list for
deciding whether or not to accept connections from clients
on a particular machine. If no other authorization
mechanism is being used, this list initially consists of the
host on which the server is running as well as any machines
listed in the file /etc/Xn.hosts, where n is the display
number of the server. Each line of the file should contain
either an Internet hostname (e.g. expo.lcs.mit.edu) or a
DECnet hostname in double colon format (e.g. hydra::).
There should be no leading or trailing spaces on any lines.
For example:
joesworkstation
corporate.company.com
star::
bigcpu::
Users can add or remove hosts from this list and enable or
disable access control using the xhost command from the same
machine as the server.
If the X FireWall Proxy (xfwp) is being used without a
sitepolicy, host-based authorization must be turned on for
clients to be able to connect to the X server via the xfwp.
If xfwp is run without a configuration file and thus no
sitepolicy is defined, if xfwp is using an X server where
xhost + has been run to turn off host-based authorization
checks, when a client tries to connect to this X server via
xfwp, the X server will deny the connection. See xfwp(1)
for more information about this proxy.
The X protocol intrinsically does not have any notion of
window operation permissions or place any restrictions on
what a client can do; if a program can connect to a display,
it has full run of the screen. X servers that support the
SECURITY extension fare better because clients can be
designated untrusted via the authorization they use to
connect; see the xauth(1) manual page for details.
Restrictions are imposed on untrusted clients that curtail
the mischief they can do. See the SECURITY extension
specification for a complete list of these restrictions.
Sites that have better authentication and authorization
systems might wish to make use of the hooks in the libraries
and the server to provide additional security models.
SIGNALS
The X server attaches special meaning to the following
signals:
Page 12 (printed 7/20/06)
XSERVER(1) X Version 11 (Release 6.6) XSERVER(1)
SIGHUP This signal causes the server to close all existing
connections, free all resources, and restore all
defaults. It is sent by the display manager
whenever the main user's main application (usually
an xterm or window manager) exits to force the
server to clean up and prepare for the next user.
SIGTERM This signal causes the server to exit cleanly.
SIGUSR1 This signal is used quite differently from either of
the above. When the server starts, it checks to see
if it has inherited SIGUSR1 as SIG_IGN instead of
the usual SIG_DFL. In this case, the server sends a
SIGUSR1 to its parent process after it has set up
the various connection schemes. Xdm uses this
feature to recognize when connecting to the server
is possible.
FONTS
The X server can obtain fonts from directories and/or from
font servers. The list of directories and font servers the
X server uses when trying to open a font is controlled by
the font path.
The default font path is "<XRoot>/lib/X11/fonts/misc/,
<XRoot>/lib/X11/fonts/Speedo/, <XRoot>/lib/X11/fonts/Type1/,
<XRoot>/lib/X11/fonts/75dpi/, <XRoot>/lib/X11/fonts/100dpi/"
. where <XRoot> refers to the root of the X11 install tree.
The font path can be set with the -fp option or by xset(1)
after the server has started.
FILES
/etc/Xn.hosts Initial access control list
for display number n
<XRoot>/lib/X11/fonts/100dpi
<XRoot>/lib/X11/fonts/misc, <XRoot>/lib/X11/fonts/75dpi,
Bitmap font directories
<XRoot>/lib/X11/fonts/Speedo, <XRoot>/lib/X11/fonts/Type1
Outline font directories
<XRoot>/lib/X11/fonts/PEX PEX font directories
<XRoot>/lib/X11/rgb.txt Color database
/tmp/.X11-unix/Xn Unix domain socket for display
number n
/tmp/rcXn Kerberos 5 replay cache for
display number n
Page 13 (printed 7/20/06)
XSERVER(1) X Version 11 (Release 6.6) XSERVER(1)
/usr/adm/Xnmsgs Error log file for display
number n if run from init(8)
<XRoot>/lib/X11/xdm/xdm-errors
Default error log file if the
server is run from xdm(1)
Note: <XRoot> refers to the root of the X11 install tree.
SEE ALSO
General information: X(1)
Protocols: X Window System Protocol, The X Font Service
Protocol, X Display Manager Control Protocol
Fonts: bdftopcf(1), mkfontdir(1), xfs(1), xlsfonts(1),
xfontsel(1), xfd(1), X Logical Font Description Conventions
Security: Xsecurity(1), xauth(1), Xau(1), xdm(1), xhost(1),
xfwp(1) Security Extension Specification
Starting the server: xdm(1), xinit(1)
Controlling the server once started: xset(1), xsetroot(1),
xhost(1)
Server-specific man pages: XFree86(1), Xsgi(1), Xnest(1),
Xvfb(1)
Server internal documentation: Definition of the Porting
Layer for the X v11 Sample Server
AUTHORS
The sample server was originally written by Susan
Angebranndt, Raymond Drewry, Philip Karlton, and Todd
Newman, from Digital Equipment Corporation, with support
from a large cast. It has since been extensively rewritten
by Keith Packard and Bob Scheifler, from MIT. Dave Wiggins
took over post-R5 and made substantial improvements.
Page 14 (printed 7/20/06)
