Section: User Commands (1)
Updated: xorg-server 1.1.1
Return to Main Contents
Xserver - X Window System display server
is the generic name for the X Window System display server. It is
frequently a link or a copy of the appropriate server binary for
driving the most frequently used server on a given machine.
STARTING THE SERVER
The X server is usually started from the X Display Manager program
xdm(1) or a similar display manager program.
This utility is run from the system boot files and takes care of keeping
the server running, prompting for usernames and passwords, and starting up
the user sessions.
Installations that run more than one window system may need to use the
xinit(1) utility instead of a display manager. However, xinit is
to be considered a tool for building startup scripts and is not
intended for use by end users. Site administrators are strongly
urged to use a display manager, or build other interfaces for novice users.
The X server may also be started directly by the user, though this
method is usually reserved for testing and is not recommended for
normal operation. On some platforms, the user must have special
permission to start the X server, often because access to certain
devices (e.g. /dev/mouse) is restricted.
When the X server starts up, it typically takes over the display. If
you are running on a workstation whose console is the display, you may
not be able to log into the console while the server is running.
Many X servers have device-specific command line options. See the manual
pages for the individual servers for more details; a list of
server-specific manual pages is provided in the SEE ALSO section below.
All of the X servers accept the command line options described below.
Some X servers may have alternative ways of providing the parameters
described here, but the values provided via the command line options
should override values specified via other mechanisms.
The X server runs as the given displaynumber, which by default is 0.
If multiple X servers are to run simultaneously on a host, each must have
a unique display number. See the DISPLAY
NAMES section of the X(7) manual page to learn how to
specify which display number clients should try to use.
- -a number
sets pointer acceleration (i.e. the ratio of how much is reported to how much
the user actually moved the pointer).
disables host-based access control mechanisms. Enables access by any host,
and permits any host to modify the access control list.
Use with extreme caution.
This option exists primarily for running test suites remotely.
- -audit level
sets the audit trail level. The default level is 1, meaning only connection
rejections are reported. Level 2 additionally reports all successful
connections and disconnects. Level 4 enables messages from the
SECURITY extension, if present, including generation and revocation of
authorizations and violations of the security policy.
Level 0 turns off the audit trail.
Audit lines are sent as standard error output.
- -auth authorization-file
specifies a file which contains a collection of authorization records used
to authenticate access. See also the xdm(1) and
Xsecurity(7) manual pages.
disables certain kinds of error checking, for bug compatibility with
previous releases (e.g., to work around bugs in R2 and R3 xterms and toolkits).
disables backing store support on all screens.
sets the default root window to solid black instead of the standard root weave
turns off key-click.
- c volume
sets key-click volume (allowable range: 0-100).
- -cc class
sets the visual class for the root window of color screens.
The class numbers are as specified in the X protocol.
Not obeyed by all servers.
- -co filename
sets name of RGB color database. The default is
causes the server to generate a core dump on fatal errors.
- -deferglyphs whichfonts
specifies the types of fonts for which the server should attempt to use
deferred glyph loading. whichfonts can be all (all fonts),
none (no fonts), or 16 (16 bit fonts only).
- -dpi resolution
sets the resolution for all screens, in dots per inch.
To be used when the server cannot determine the screen size(s) from the
enables DPMS (display power management services), where supported. The
default state is platform and configuration specific.
disables DPMS (display power management services). The default state
is platform and configuration specific.
- -f volume
sets feep (bell) volume (allowable range: 0-100).
- -fc cursorFont
sets default cursor font.
- -fn font
sets the default font.
- -fp fontPath
sets the search path for fonts. This path is a comma separated list
of directories which the X server searches for font databases.
See the FONTS section of this manual page for more information and the default
prints a usage message.
causes all remaining command line arguments to be ignored.
- -maxbigreqsize size
sets the maxmium big request to
- -nolisten trans-type
disables a transport type. For example, TCP/IP connections can be disabled
This option may be issued multiple times to disable listening to different
prevents a server reset when the last client connection is closed. This
overrides a previous
command line option.
- -p minutes
sets screen-saver pattern cycle time in minutes.
permits the server to continue running if it fails to establish all of
its well-known sockets (connection points for clients), but
establishes at least one. This option is set by default.
causes the server to exit if it fails to establish all of its well-known
sockets (connection points for clients).
turns off auto-repeat.
turns on auto-repeat.
- -s minutes
sets screen-saver timeout time in minutes.
disables save under support on all screens.
- -t number
sets pointer acceleration threshold in pixels (i.e. after how many pixels
pointer acceleration should take effect).
causes the server to terminate at server reset, instead of continuing to run.
This overrides a previous
command line option.
- -to seconds
sets default connection timeout in seconds.
disables all testing extensions (e.g., XTEST, XTrap, XTestExtension1, RECORD).
ignored, for servers started the ancient way (from init).
sets video-off screen-saver preference.
sets video-on screen-saver preference.
forces the default backing-store of all windows to be WhenMapped. This
is a backdoor way of getting backing-store to apply to all windows.
Although all mapped windows will have backing store, the backing store
attribute value reported by the server for a window will be the last
value established by a client. If it has never been set by a client,
the server will report the default value, NotUseful. This behavior is
required by the X protocol, which allows the server to exceed the
client's backing store expectations but does not provide a way to tell
the client that it is doing so.
- -x extension
loads the specified extension at init.
This is a no-op for most implementations.
enables(+) or disables(-) the XINERAMA extension. The default state is
platform and configuration specific.
SERVER DEPENDENT OPTIONS
Some X servers accept the following options:
- -ld kilobytes
sets the data space limit of the server to the specified number of kilobytes.
A value of zero makes the data size as large as possible. The default value
of -1 leaves the data space limit unchanged.
- -lf files
sets the number-of-open-files limit of the server to the specified number.
A value of zero makes the limit as large as possible. The default value
of -1 leaves the limit unchanged.
- -ls kilobytes
sets the stack space limit of the server to the specified number of kilobytes.
A value of zero makes the stack size as large as possible. The default value
of -1 leaves the stack space limit unchanged.
turns on the X Window System logo display in the screen-saver.
There is currently no way to change this from a client.
turns off the X Window System logo display in the screen-saver.
There is currently no way to change this from a client.
sets the color allocation policy that will be used by the render extension.
selects the default policy defined for the display depth of the X
don't use any color cell.
use a gray map of 13 color cells for the X render extension.
use a color cube of at most 4*4*4 colors (that is 64 color cells).
disables smart scheduling on platforms that support the smart scheduler.
- -schedInterval interval
sets the smart scheduler's scheduling interval to
X servers that support XDMCP have the following options.
See the X Display Manager Control Protocol specification for more
- -query hostname
enables XDMCP and sends Query packets to the specified
enable XDMCP and broadcasts BroadcastQuery packets to the network. The
first responding display manager will be chosen for the session.
- -multicast [address [hop count]]
Enable XDMCP and multicast BroadcastQuery packets to the network.
The first responding display manager is chosen for the session. If an
address is specified, the multicast is sent to that address. If no
address is specified, the multicast is sent to the default XDMCP IPv6
multicast group. If a hop count is specified, it is used as the maximum
hop count for the multicast. If no hop count is specified, the multicast
is set to a maximum of 1 hop, to prevent the multicast from being routed
beyond the local network.
- -indirect hostname
enables XDMCP and send IndirectQuery packets to the specified
- -port port-number
uses the specified port-number for XDMCP packets, instead of the
default. This option must be specified before any -query, -broadcast,
-multicast, or -indirect options.
- -from local-address
specifies the local address to connect from (useful if the connecting host
has multiple network interfaces). The local-address may be expressed
in any form acceptable to the host platform's gethostbyname(3)
causes the server to terminate (rather than reset) when the XDMCP session
- -class display-class
XDMCP has an additional display qualifier used in resource lookup for
display-specific options. This option sets that value, by default it
is "MIT-Unspecified" (not a very useful value).
- -cookie xdm-auth-bits
When testing XDM-AUTHENTICATION-1, a private key is shared between the
server and the manager. This option sets the value of that private
data (not that it is very private, being on the command line!).
- -displayID display-id
Yet another XDMCP specific value, this one allows the display manager to
identify each display so that it can locate the shared key.
X servers that support the XKEYBOARD (a.k.a. N'34'XKBN'34') extension accept the
following options. All layout files specified on the command line must be
located in the XKB base directory or a subdirectory, and specified as the
relative path from the XKB base directory. The default XKB base directory is
enables(+) or disables(-) the XKEYBOARD extension.
- [+-]accessx [ timeout [ timeout_mask [ feedback [ options_mask ] ] ] ]
enables(+) or disables(-) AccessX key sequences.
- -xkbdir directory
base directory for keyboard layout files. This option is not available
for setuid X servers (i.e., when the X server's real and effective uids
- -ar1 milliseconds
sets the autorepeat delay (length of time in milliseconds that a key must
be depressed before autorepeat starts).
- -ar2 milliseconds
sets the autorepeat interval (length of time in milliseconds that should
elapse between autorepeat-generated keystrokes).
disables loading of an XKB keymap description on server startup.
- -xkbdb filename
uses filename for default keyboard keymaps.
- -xkbmap filename
loads keyboard description in filename on server startup.
SECURITY EXTENSION OPTIONS
X servers that support the SECURITY extension accept the following option:
- -sp filename
causes the server to attempt to read and interpret filename as a security
policy file with the format described below. The file is read at server
startup and reread at each server reset.
The syntax of the security policy file is as follows.
Notation: "*" means zero or more occurrences of the preceding element,
and "+" means one or more occurrences. To interpret <foo/bar>, ignore
the text after the /; it is used to distinguish between instances of
<foo> in the next section.
<policy file> ::= <version line> <other line>*
<version line> ::= <string/v> '\n'
<other line > ::= <comment> | <access rule> | <site policy> | <blank line>
<comment> ::= # <not newline>* '\n'
<blank line> ::= <space> '\n'
<site policy> ::= sitepolicy <string/sp> '\n'
<access rule> ::= property <property/ar> <window> <perms> '\n'
<property> ::= <string>
<window> ::= any | root | <required property>
<required property> ::= <property/rp> | <property with value>
<property with value> ::= <property/rpv> = <string/rv>
<perms> ::= [ <operation> | <action> | <space> ]*
<operation> ::= r | w | d
<action> ::= a | i | e
<string> ::= <dbl quoted string> | <single quoted string> | <unqouted string>
<dbl quoted string> ::= <space> " <not dqoute>* " <space>
<single quoted string> ::= <space> ' <not squote>* ' <space>
<unquoted string> ::= <space> <not space>+ <space>
<space> ::= [ ' ' | '\t' ]*
<not newline> ::= any character except '\n'
<not dqoute> ::= any character except "
<not squote> ::= any character except '
<not space> ::= any character except those in <space>
The semantics associated with the above syntax are as follows.
<version line>, the first line in the file, specifies the file format
version. If the server does not recognize the version <string/v>, it
ignores the rest of the file. The version string for the file format
described here is "version-1" .
Once past the <version line>, lines that do not match the above syntax
<comment> lines are ignored.
<sitepolicy> lines are currently ignored. They are intended to
specify the site policies used by the XC-QUERY-SECURITY-1
<access rule> lines specify how the server should react to untrusted
client requests that affect the X Window property named <property/ar>.
The rest of this section describes the interpretation of an
For an <access rule> to apply to a given instance of <property/ar>,
<property/ar> must be on a window that is in the set of windows
specified by <window>. If <window> is any, the rule applies to
<property/ar> on any window. If <window> is root, the rule applies to
<property/ar> only on root windows.
If <window> is <required property>, the following apply. If <required
property> is a <property/rp>, the rule applies when the window also
has that <property/rp>, regardless of its value. If <required
property> is a <property with value>, <property/rpv> must also have
the value specified by <string/rv>. In this case, the property must
have type STRING and format 8, and should contain one or more
null-terminated strings. If any of the strings match <string/rv>, the
The definition of string matching is simple case-sensitive string
comparison with one elaboration: the occurrence of the character '*' in
<string/rv> is a wildcard meaning "any string." A <string/rv> can
contain multiple wildcards anywhere in the string. For example, "x*"
matches strings that begin with x, "*x" matches strings that end with
x, "*x*" matches strings containing x, and "x*y*" matches strings that
start with x and subsequently contain y.
There may be multiple <access rule> lines for a given <property/ar>.
The rules are tested in the order that they appear in the file. The
first rule that applies is used.
<perms> specify operations that untrusted clients may attempt, and
the actions that the server should take in response to those operations.
<operation> can be r (read), w (write), or d (delete). The following
table shows how X Protocol property requests map to these operations
in The Open Group server implementation.
GetProperty r, or r and d if delete = True
RotateProperties r and w
ListProperties none, untrusted clients can always list all properties
<action> can be a (allow), i (ignore), or e (error). Allow means
execute the request as if it had been issued by a trusted client.
Ignore means treat the request as a no-op. In the case of
GetProperty, ignore means return an empty property value if the
property exists, regardless of its actual value. Error means do not
execute the request and return a BadAtom error with the atom set to
the property name. Error is the default action for all properties,
including those not listed in the security policy file.
An <action> applies to all <operation>s that follow it, until the next
<action> is encountered. Thus, irwad means ignore read and write,
GetProperty and RotateProperties may do multiple operations (r and d,
or r and w). If different actions apply to the operations, the most
severe action is applied to the whole request; there is no partial
request execution. The severity ordering is: allow < ignore < error.
Thus, if the <perms> for a property are ired (ignore read, error
delete), and an untrusted client attempts GetProperty on that property
with delete = True, an error is returned, but the property value is
not. Similarly, if any of the properties in a RotateProperties do not
allow both read and write, an error is returned without changing any
Here is an example security policy file.
# Allow reading of application resources, but not writing.
property RESOURCE_MANAGER root ar iw
property SCREEN_RESOURCES root ar iw
# Ignore attempts to use cut buffers. Giving errors causes apps to crash,
# and allowing access may give away too much information.
property CUT_BUFFER0 root irw
property CUT_BUFFER1 root irw
property CUT_BUFFER2 root irw
property CUT_BUFFER3 root irw
property CUT_BUFFER4 root irw
property CUT_BUFFER5 root irw
property CUT_BUFFER6 root irw
property CUT_BUFFER7 root irw
# If you are using Motif, you probably want these.
property _MOTIF_DEFAULT_BINDINGS rootar iw
property _MOTIF_DRAG_WINDOW root ar iw
property _MOTIF_DRAG_TARGETS any ar iw
property _MOTIF_DRAG_ATOMS any ar iw
property _MOTIF_DRAG_ATOM_PAIRS any ar iw
# The next two rules let xwininfo -tree work when untrusted.
property WM_NAME any ar
# Allow read of WM_CLASS, but only for windows with WM_NAME.
# This might be more restrictive than necessary, but demonstrates
# the <required property> facility, and is also an attempt to
# say "top level windows only."
property WM_CLASS WM_NAME ar
# These next three let xlsclients work untrusted. Think carefully
# before including these; giving away the client machine name and command
# may be exposing too much.
property WM_STATE WM_NAME ar
property WM_CLIENT_MACHINE WM_NAME ar
property WM_COMMAND WM_NAME ar
# To let untrusted clients use the standard colormaps created by
# xstdcmap, include these lines.
property RGB_DEFAULT_MAP root ar
property RGB_BEST_MAP root ar
property RGB_RED_MAP root ar
property RGB_GREEN_MAP root ar
property RGB_BLUE_MAP root ar
property RGB_GRAY_MAP root ar
# To let untrusted clients use the color management database created
# by xcmsdb, include these lines.
property XDCCC_LINEAR_RGB_CORRECTION rootar
property XDCCC_LINEAR_RGB_MATRICES rootar
property XDCCC_GRAY_SCREENWHITEPOINT rootar
property XDCCC_GRAY_CORRECTION rootar
# To let untrusted clients use the overlay visuals that many vendors
# support, include this line.
property SERVER_OVERLAY_VISUALS rootar
# Dumb examples to show other capabilities.
# oddball property names and explicit specification of error conditions
property "property with spaces" 'property with "'aw er ed
# Allow deletion of Woo-Hoo if window also has property OhBoy with value
# ending in "son". Reads and writes will cause an error.
property Woo-Hoo OhBoy = "*son"ad
The X server supports client connections via a platform-dependent subset of
the following transport types: TCP/IP, Unix Domain sockets, DECnet,
and several varieties of SVR4 local connections. See the DISPLAY
NAMES section of the X(7) manual page to learn how to
specify which transport type clients should try to use.
The X server implements a platform-dependent subset of the following
authorization protocols: MIT-MAGIC-COOKIE-1, XDM-AUTHORIZATION-1,
XDM-AUTHORIZATION-2, SUN-DES-1, and MIT-KERBEROS-5. See the
Xsecurity(7) manual page for information on the
operation of these protocols.
Authorization data required by the above protocols is passed to the
server in a private file named with the -auth command line
option. Each time the server is about to accept the first connection
after a reset (or when the server is starting), it reads this file.
If this file contains any authorization records, the local host is not
automatically allowed access to the server, and only clients which
send one of the authorization records contained in the file in the
connection setup information will be allowed access. See the
Xau manual page for a description of the binary format of this
file. See xauth(1) for maintenance of this file, and distribution
of its contents to remote hosts.
The X server also uses a host-based access control list for deciding
whether or not to accept connections from clients on a particular machine.
If no other authorization mechanism is being used,
this list initially consists of the host on which the server is running as
well as any machines listed in the file /etc/Xn.hosts, where
n is the display number of the server. Each line of the file should
contain either an Internet hostname (e.g. expo.lcs.mit.edu) or a DECnet
hostname in double colon format (e.g. hydra::) or a complete name in the format
family:name as described in the xhost(1) manual page.
There should be no leading or trailing spaces on any lines. For example:
Users can add or remove hosts from this list and enable or disable access
control using the xhost command from the same machine as the server.
If the X FireWall Proxy (xfwp) is being used without a sitepolicy,
host-based authorization must be turned on for clients to be able to
connect to the X server via the xfwp. If xfwp is run without
a configuration file and thus no sitepolicy is defined, if xfwp
is using an X server where xhost + has been run to turn off host-based
authorization checks, when a client tries to connect to this X server
via xfwp, the X server will deny the connection. See xfwp(1)
for more information about this proxy.
The X protocol intrinsically does not have any notion of window operation
permissions or place any restrictions on what a client can do; if a program can
connect to a display, it has full run of the screen.
X servers that support the SECURITY extension fare better because clients
can be designated untrusted via the authorization they use to connect; see
the xauth(1) manual page for details. Restrictions are imposed
on untrusted clients that curtail the mischief they can do. See the SECURITY
extension specification for a complete list of these restrictions.
Sites that have better
authentication and authorization systems might wish to make
use of the hooks in the libraries and the server to provide additional
The X server attaches special meaning to the following signals:
This signal causes the server to close all existing connections, free all
resources, and restore all defaults. It is sent by the display manager
whenever the main user's main application (usually an xterm or window
manager) exits to force the server to clean up and prepare for the next
This signal causes the server to exit cleanly.
This signal is used quite differently from either of the above. When the
server starts, it checks to see if it has inherited SIGUSR1 as SIG_IGN
instead of the usual SIG_DFL. In this case, the server sends a SIGUSR1 to
its parent process after it has set up the various connection schemes.
Xdm uses this feature to recognize when connecting to the server
The X server
can obtain fonts from directories and/or from font servers.
The list of directories and font servers
the X server uses when trying to open a font is controlled
by the font path.
The default font path is
unix/:7100, built-ins .
The font path can be set with the -fp option or by xset(1)
after the server has started.
Initial access control list for display number n
Bitmap font directories
Outline font directories
Unix domain socket for display number n
Kerberos 5 replay cache for display number n
Error log file for display number n if run from init(8)
Default error log file if the server is run from xdm(1)
General information: X(7)
X Window System Protocol,
The X Font Service Protocol,
X Display Manager Control Protocol
Fonts: bdftopcf(1), mkfontdir(1), mkfontscale(1),
xfs(1), xlsfonts(1), xfontsel(1), xfd(1),
X Logical Font Description Conventions
Security: Xsecurity(7), xauth(1), Xau(1),
xdm(1), xhost(1), xfwp(1),
Security Extension Specification
Starting the server: xdm(1), xinit(1)
Controlling the server once started: xset(1), xsetroot(1),
Server-specific man pages:
Xorg(1), Xdmx(1), Xnest(1),
Xvfb(1), XDarwin(1), XWin(1).
Server internal documentation:
Definition of the Porting Layer for the X v11 Sample Server
The sample server was originally written by Susan Angebranndt, Raymond
Drewry, Philip Karlton, and Todd Newman, from Digital Equipment
Corporation, with support from a large cast. It has since been
extensively rewritten by Keith Packard and Bob Scheifler, from MIT.
Dave Wiggins took over post-R5 and made substantial improvements.
- STARTING THE SERVER
- SERVER DEPENDENT OPTIONS
- XDMCP OPTIONS
- XKEYBOARD OPTIONS
- SECURITY EXTENSION OPTIONS
- NETWORK CONNECTIONS
- GRANTING ACCESS
- SEE ALSO
linux.jgfs.net manual pages