Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
XSERVER(1)							    XSERVER(1)

       Xserver - X Window System display server

       X [option ...]

       X  is  the  generic name	for the	X Window System	display	server.	 It is
       frequently a link or a copy of the appropriate server binary for	 driv-
       ing the most frequently used server on a	given machine.

       The  X  server  is  usually  started from the X Display Manager program
       xdm(1).	This utility is	run from the system boot files and takes  care
       of  keeping  the	server running,	prompting for usernames	and passwords,
       and starting up the user	sessions.

       Installations that run more than	one window system may need to use  the
       xinit(1)	 utility instead of xdm.  However, xinit is to be considered a
       tool for	building startup scripts and is	not intended for  use  by  end
       users.	Site  administrators  are  strongly urged to use xdm, or build
       other interfaces	for novice users.

       The X server may	also be	started	directly  by  the  user,  though  this
       method  is usually reserved for testing and is not recommended for nor-
       mal operation.  On some platforms, the user must	have  special  permis-
       sion  to	 start	the  X server, often because access to certain devices
       (e.g. /dev/mouse) is restricted.

       When the	X server starts	up, it typically takes over the	 display.   If
       you  are	running	on a workstation whose console is the display, you may
       not be able to log into the console while the server is running.

       Many X servers have device-specific command line	options.  See the man-
       ual  pages  for	the  individual	 servers  for  more details; a list of
       server-specific manual pages is provided	in the SEE ALSO	section	below.

       All of the X servers accept the following command line options:

	       The  X server runs as the given displaynumber, which by default
	       is 0.  If multiple X servers are	to  run	 simultaneously	 on  a
	       host,  each must	have a unique display number.  See the DISPLAY
	       NAMES section of	the X(7) manual	page to	learn how  to  specify
	       which display number clients should try to use.

       -a number
	       sets  pointer  acceleration  (i.e.  the	ratio  of  how much is
	       reported	to how much the	user actually moved the	pointer).

       -ac     disables	host-based access control mechanisms.  Enables	access
	       by  any host, and permits any host to modify the	access control
	       list.  Use with extreme caution.	 This option exists  primarily
	       for running test	suites remotely.

       -audit level
	       sets  the  audit	 trail level.  The default level is 1, meaning
	       only connection rejections are reported.	 Level 2  additionally
	       reports	all  successful	 connections and disconnects.  Level 4
	       enables messages	 from  the  SECURITY  extension,  if  present,
	       including  generation and revocation of authorizations and vio-
	       lations of the security policy.	Level 0	turns  off  the	 audit
	       trail.  Audit lines are sent as standard	error output.

       -auth authorization-file
	       specifies  a  file which	contains a collection of authorization
	       records used to authenticate access.  See also the xdm and Xse-
	       curity manual pages.

       bc      disables	certain	kinds of error checking, for bug compatibility
	       with previous releases (e.g., to	work around bugs in R2 and  R3
	       xterms and toolkits).  Deprecated.

       -bs     disables	backing	store support on all screens.

       -br     sets  the  default  root	 window	 to solid black	instead	of the
	       standard	root weave pattern.

       -c      turns off key-click.

       c volume
	       sets key-click volume (allowable	range: 0-100).

       -cc class
	       sets the	visual class for the root  window  of  color  screens.
	       The  class  numbers  are	 as  specified in the X	protocol.  Not
	       obeyed by all servers.

       -co filename
	       sets name of RGB	color database.	  The  default	is  __project-

       -core   causes the server to generate a core dump on fatal errors.

       -dpi resolution
	       sets  the  resolution  of  the screen, in dots per inch.	 To be
	       used when the server cannot determine the screen	size from  the

       -deferglyphs whichfonts
	       specifies  the  types  of  fonts	 for  which  the server	should
	       attempt to use deferred glyph loading.  whichfonts can  be  all
	       (all fonts), none (no fonts), or	16 (16 bit fonts only).

       -f volume
	       sets feep (bell)	volume (allowable range: 0-100).

       -fc cursorFont
	       sets default cursor font.

       -fn font
	       sets the	default	font.

       -fp fontPath
	       sets the	search path for	fonts.	This path is a comma separated
	       list of directories which the X server searches for font	 data-

       -help   prints a	usage message.

       -I      causes all remaining command line arguments to be ignored.

       -nolisten trans-type
	       disables	a transport type.  For example,	TCP/IP connections can
	       be disabled with	-nolisten tcp.

	       prevents	a server reset when  the  last	client	connection  is
	       closed.	 This  overrides  a  previous  -terminate command line

       -p minutes
	       sets screen-saver pattern cycle time in minutes.

       -pn     permits the server to continue running if it fails to establish
	       all  of its well-known sockets (connection points for clients),
	       but establishes at least	one.

       -r      turns off auto-repeat.

       r       turns on	auto-repeat.

       -s minutes
	       sets screen-saver timeout time in minutes.

       -su     disables	save under support on all screens.

       -t number
	       sets pointer acceleration threshold in pixels (i.e.  after  how
	       many pixels pointer acceleration	should take effect).

	       causes the server to terminate at server	reset, instead of con-
	       tinuing to run.	This overrides	a  previous  -noreset  command
	       line option.

       -to seconds
	       sets default connection timeout in seconds.

       -tst    disables	 all  testing extensions (e.g.,	XTEST, XTrap, XTestEx-
	       tension1, RECORD).

       ttyxx   ignored,	for servers started the	ancient	way (from init).

       v       sets video-off screen-saver preference.

       -v      sets video-on screen-saver preference.

       -wm     forces the default backing-store	of all	windows	 to  be	 When-
	       Mapped.	 This  is  a  backdoor way of getting backing-store to
	       apply to	all windows.  Although all mapped  windows  will  have
	       backing	store,	the  backing store attribute value reported by
	       the server for a	window will be the last	value established by a
	       client.	 If it has never been set by a client, the server will
	       report the default value, NotUseful.  This behavior is required
	       by  the	X  protocol,  which  allows  the  server to exceed the
	       client's	backing	store expectations but does not	provide	a  way
	       to tell the client that it is doing so.

       -x extension
	       loads  the  specified  extension	 at init.  This	is a no-op for
	       most implementations.

	       enables(+) or disables(-) the XINERAMA extension.  The  default
	       state is	disabled.

       Some X servers accept the following options:

       -ld kilobytes
	       sets the	data space limit of the	server to the specified	number
	       of kilobytes.  A	value of zero makes the	data size as large  as
	       possible.   The default value of	-1 leaves the data space limit

       -lf files
	       sets the	number-of-open-files limit of the server to the	speci-
	       fied  number.  A	value of zero makes the	limit as large as pos-
	       sible.  The default value of -1 leaves the limit	unchanged.

       -ls kilobytes
	       sets the	stack space limit of the server	to the specified  num-
	       ber  of	kilobytes.   A	value  of zero makes the stack size as
	       large as	possible.  The default value of	-1  leaves  the	 stack
	       space limit unchanged.

       -logo   turns  on the X Window System logo display in the screen-saver.
	       There is	currently no way to change this	from a client.

       nologo  turns off the X Window System logo display in the screen-saver.
	       There is	currently no way to change this	from a client.

       X  servers  that	 support  XDMCP	have the following options.  See the X
       Display Manager Control Protocol	specification for more information.

       -query hostname
	       enables XDMCP and sends Query packets to	 the  specified	 host-

	       enable  XDMCP and broadcasts BroadcastQuery packets to the net-
	       work.  The first	responding display manager will	be chosen  for
	       the session.

       -indirect hostname
	       enables	XDMCP  and send	IndirectQuery packets to the specified

       -port port-number
	       uses the	specified port-number for XDMCP	 packets,  instead  of
	       the  default.  This option must be specified before any -query,
	       -broadcast or -indirect options.

       -from local-address
	       specifies the local address to connect from (useful if the con-
	       necting	host  has  multiple  network  interfaces).  The	local-
	       address may be expressed	in any form  acceptable	 to  the  host
	       platform's gethostbyname(3) implementation.

       -once   causes  the  server  to	terminate (rather than reset) when the
	       XDMCP session ends.

       -class display-class
	       XDMCP has an additional	display	 qualifier  used  in  resource
	       lookup  for  display-specific  options.	 This option sets that
	       value, by default it is "MIT-Unspecified" (not  a  very	useful

       -cookie xdm-auth-bits
	       When  testing  XDM-AUTHENTICATION-1,  a	private	 key is	shared
	       between the server and the manager.  This option	sets the value
	       of that private data (not that it is very private, being	on the
	       command line!).

       -displayID display-id
	       Yet another XDMCP specific value, this one allows  the  display
	       manager	to  identify  each  display  so	that it	can locate the
	       shared key.

       X servers that support the XKEYBOARD (a.k.a.  `XKB')  extension	accept
       the following options:

       [+-]kb  enables(+) or disables(-) the XKEYBOARD extension.

       [+-]accessx [ timeout [ timeout_mask [ feedback [ options_mask ]	] ] ]
	       enables(+) or disables(-) AccessX key sequences.

       -xkbdir directory
	       base  directory	for keyboard layout files.  This option	is not
	       available for setuid X servers (i.e., when the X	server's  real
	       and effective uids are different).

       -ar1 milliseconds
	       sets  the autorepeat delay (length of time in milliseconds that
	       a key must be depressed before autorepeat starts).

       -ar2 milliseconds
	       sets the	autorepeat interval (length of	time  in  milliseconds
	       that should elapse between autorepeat-generated keystrokes).

	       disables	 loading  of  an  XKB  keymap  description  on	server

       -xkbdb filename
	       uses filename for default keyboard keymaps.

       -xkbmap filename
	       loads keyboard description in filename on server	startup.

       X servers that support the  SECURITY  extension	accept	the  following

       -sp filename
	       causes  the server to attempt to	read and interpret filename as
	       a security policy file with the format  described  below.   The
	       file is read at server startup and reread at each server	reset.

       The syntax of the security policy file is as  follows.	Notation:  "*"
       means  zero or more occurrences of the preceding	element, and "+" means
       one or more occurrences.	 To interpret <foo/bar>, ignore	the text after
       the /; it is used to distinguish	between	instances of <foo> in the next

       <policy file> ::= <version line>	<other line>*

       <version	line> ::= <string/v> '\n'

       <other line > ::= <comment> | <access rule> | <site policy> | <blank line>

       <comment> ::= # <not newline>* '\n'

       <blank line> ::=	<space>	'\n'

       <site policy> ::= sitepolicy <string/sp>	'\n'

       <access rule> ::= property <property/ar>	<window> <perms> '\n'

       <property> ::= <string>

       <window>	::= any	| root | <required property>

       <required property> ::= <property/rp> | <property with value>

       <property with value> ::= <property/rpv>	= <string/rv>

       <perms> ::= [ <operation> | <action> | <space> ]*

       <operation> ::= r | w | d

       <action>	::= a |	i | e

       <string>	::= <dbl quoted	string>	| <single quoted string> | <unqouted string>

       <dbl quoted string> ::= <space> " <not dqoute>* " <space>

       <single quoted string> ::= <space> ' <not squote>* ' <space>

       <unquoted string> ::= <space> <not space>+ <space>

       <space> ::= [ ' ' | '\t'	]*

       Character sets:

       <not newline> ::= any character except '\n'
       <not dqoute>  ::= any character except "
       <not squote>  ::= any character except '
       <not space>   ::= any character except those in <space>

       The semantics associated	with the above syntax are as follows.

       <version	line>, the first line in the file, specifies the  file	format
       version.	  If  the server does not recognize the	version	<string/v>, it
       ignores the rest	of the file.  The version string for the  file	format
       described here is "version-1" .

       Once  past the <version line>, lines that do not	match the above	syntax
       are ignored.

       <comment> lines are ignored.

       <sitepolicy> lines are currently	ignored.  They are intended to specify
       the site	policies used by the XC-QUERY-SECURITY-1 authorization method.

       <access rule> lines specify how the server should  react	 to  untrusted
       client  requests	that affect the	X Window property named	<property/ar>.
       The rest	of this	section	describes the  interpretation  of  an  <access

       For  an	<access	 rule>	to apply to a given instance of	<property/ar>,
       <property/ar> must be on	a window that is in the	set of windows	speci-
       fied  by	 <window>.   If	 <window>  is  any, the	rule applies to	<prop-
       erty/ar>	on any window.	If <window>  is	 root,	the  rule  applies  to
       <property/ar> only on root windows.

       If  <window> is <required property>, the	following apply.  If <required
       property> is a <property/rp>, the rule applies when the window also has
       that <property/rp>, regardless of its value.  If	<required property> is
       a <property with	value>,	<property/rpv> must also have the value	speci-
       fied  by	<string/rv>.  In this case, the	property must have type	STRING
       and format 8, and should	contain	one or more  null-terminated  strings.
       If any of the strings match <string/rv>,	the rule applies.

       The  definition of string matching is simple case-sensitive string com-
       parison with one	elaboration: the occurence of  the  character  '*'  in
       <string/rv> is a	wildcard meaning "any string."	A <string/rv> can con-
       tain multiple wildcards anywhere	in  the	 string.   For	example,  "x*"
       matches	strings	 that begin with x, "*x" matches strings that end with
       x, "*x*"	matches	strings	containing x, and "x*y*" matches strings  that
       start with x and	subsequently contain y.

       There  may  be  multiple	<access	rule> lines for	a given	<property/ar>.
       The rules are tested in the order that they appear in  the  file.   The
       first rule that applies is used.

       <perms>	specify	operations that	untrusted clients may attempt, and the
       actions that the	server should take in response to those	operations.

       <operation> can be r (read), w (write), or d (delete).	The  following
       table shows how X Protocol property requests map	to these operations in
       The Open	Group server implementation.

       GetProperty    r, or r and d if delete =	True
       ChangeProperty w
       RotateProperties	   r and w
       DeleteProperty d
       ListProperties none, untrusted clients can always list all properties

       <action>	can be a (allow), i (ignore), or e (error).  Allow means  exe-
       cute  the request as if it had been issued by a trusted client.	Ignore
       means treat the request as a no-op.  In the case	of GetProperty,	ignore
       means return an empty property value if the property exists, regardless
       of its actual value.  Error means do not	execute	the request and	return
       a  BadAtom  error with the atom set to the property name.  Error	is the
       default action for all properties, including those not  listed  in  the
       security	policy file.

       An  <action> applies to all <operation>s	that follow it,	until the next
       <action>	is encountered.	 Thus, irwad  means  ignore  read  and	write,
       allow delete.

       GetProperty  and	 RotateProperties may do multiple operations (r	and d,
       or r and	w).  If	different actions apply	to the	operations,  the  most
       severe  action  is  applied  to	the whole request; there is no partial
       request execution.  The severity	ordering is: allow < ignore  <	error.
       Thus,  if  the  <perms>	for  a	property  are ired (ignore read, error
       delete),	and an untrusted client	attempts GetProperty on	that  property
       with  delete  =	True,  an error	is returned, but the property value is
       not.  Similarly,	if any of the properties in a RotateProperties do  not
       allow  both  read  and write, an	error is returned without changing any
       property	values.

       Here is an example security policy file.


       # Allow reading of application resources, but not writing.
       property	RESOURCE_MANAGER     root      ar iw
       property	SCREEN_RESOURCES     root      ar iw

       # Ignore	attempts to use	cut buffers.  Giving errors causes apps	to crash,
       # and allowing access may give away too much information.
       property	CUT_BUFFER0	     root      irw
       property	CUT_BUFFER1	     root      irw
       property	CUT_BUFFER2	     root      irw
       property	CUT_BUFFER3	     root      irw
       property	CUT_BUFFER4	     root      irw
       property	CUT_BUFFER5	     root      irw
       property	CUT_BUFFER6	     root      irw
       property	CUT_BUFFER7	     root      irw

       # If you	are using Motif, you probably want these.
       property	_MOTIF_DEFAULT_BINDINGS	       rootar iw
       property	_MOTIF_DRAG_WINDOW   root      ar iw
       property	_MOTIF_DRAG_TARGETS  any       ar iw
       property	_MOTIF_DRAG_ATOMS    any       ar iw
       property	_MOTIF_DRAG_ATOM_PAIRS	       any ar iw

       # The next two rules let	xwininfo -tree work when untrusted.
       property	WM_NAME		     any       ar

       # Allow read of WM_CLASS, but only for windows with WM_NAME.
       # This might be more restrictive	than necessary,	but demonstrates
       # the <required property> facility, and is also an attempt to
       # say "top level	windows	only."
       property	WM_CLASS	     WM_NAME   ar

       # These next three let xlsclients work untrusted.  Think	carefully
       # before	including these; giving	away the client	machine	name and command
       # may be	exposing too much.
       property	WM_STATE	     WM_NAME   ar
       property	WM_CLIENT_MACHINE    WM_NAME   ar
       property	WM_COMMAND	     WM_NAME   ar

       # To let	untrusted clients use the standard colormaps created by
       # xstdcmap, include these lines.
       property	RGB_DEFAULT_MAP	     root      ar
       property	RGB_BEST_MAP	     root      ar
       property	RGB_RED_MAP	     root      ar
       property	RGB_GREEN_MAP	     root      ar
       property	RGB_BLUE_MAP	     root      ar
       property	RGB_GRAY_MAP	     root      ar

       # To let	untrusted clients use the color	management database created
       # by xcmsdb, include these lines.
       property	XDCCC_LINEAR_RGB_CORRECTION    rootar
       property	XDCCC_LINEAR_RGB_MATRICES      rootar
       property	XDCCC_GRAY_SCREENWHITEPOINT    rootar
       property	XDCCC_GRAY_CORRECTION	       rootar

       # To let	untrusted clients use the overlay visuals that many vendors
       # support, include this line.
       property	SERVER_OVERLAY_VISUALS	       rootar

       # Dumb examples to show other capabilities.

       # oddball property names	and explicit specification of error conditions
       property	"property with spaces"	       'property with "'aw er ed

       # Allow deletion	of Woo-Hoo if window also has property OhBoy with value
       # ending	in "son".  Reads and writes will cause an error.
       property	Woo-Hoo		     OhBoy = "*son"ad

       The X server supports client connections	via a platform-dependent  sub-
       set  of the following transport types: TCPIP, Unix Domain sockets, DEC-
       net, and	several	varieties of SVR4 local	connections.  See the  DISPLAY
       NAMES  section  of  the	X(7) manual page to learn how to specify which
       transport type clients should try to use.

       The X server implements a platform-dependent subset  of	the  following
       authorization  protocols: MIT-MAGIC-COOKIE-1, XDM-AUTHORIZATION-1, SUN-
       DES-1, and MIT-KERBEROS-5.  See the Xsecurity(7)	manual page for	infor-
       mation on the operation of these	protocols.

       Authorization  data  required  by  the above protocols is passed	to the
       server in a private file	named with  the	 -auth	command	 line  option.
       Each  time  the	server is about	to accept the first connection after a
       reset (or when the server is starting), it reads	this  file.   If  this
       file contains any authorization records,	the local host is not automat-
       ically allowed access to	the server, and	only clients which send	one of
       the authorization records contained in the file in the connection setup
       information will	be allowed access.  See	the  Xau  manual  page	for  a
       description  of the binary format of this file.	See xauth(1) for main-
       tenance of this file, and distribution of its contents to remote	hosts.

       The  X  server  also uses a host-based access control list for deciding
       whether or not to accept	 connections  from  clients  on	 a  particular
       machine.	  If no	other authorization mechanism is being used, this list
       initially consists of the host on which the server is running  as  well
       as  any	machines listed	in the file /etc/Xn.hosts, where n is the dis-
       play number of the server.  Each	line of	the file should	contain	either
       an  Internet  hostname  (e.g. or a DECnet hostname in
       double colon format (e.g. hydra::).  There  should  be  no  leading  or
       trailing	spaces on any lines.  For example:


       Users  can  add	or  remove  hosts from this list and enable or disable
       access control using the	xhost command from the	same  machine  as  the

       If  the	X  FireWall  Proxy  (xfwp) is being used without a sitepolicy,
       host-based authorization	must be	turned on for clients to  be  able  to
       connect to the X	server via the xfwp.  If xfwp is run without a config-
       uration file and	thus no	sitepolicy is defined, if xfwp is using	 an  X
       server  where xhost + has been run to turn off host-based authorization
       checks, when a client tries to connect to this X	server via xfwp, the X
       server  will  deny  the	connection.   See xfwp(1) for more information
       about this proxy.

       The X protocol intrinsically does not have any notion of	window	opera-
       tion  permissions or place any restrictions on what a client can	do; if
       a program can connect to	a display, it has full run of the  screen.   X
       servers that support the	SECURITY extension fare	better because clients
       can be designated untrusted via the authorization they use to  connect;
       see  the	xauth(1) manual	page for details.  Restrictions	are imposed on
       untrusted clients that curtail the mischief they	can do.	 See the SECU-
       RITY extension specification for	a complete list	of these restrictions.

       Sites that have better authentication and authorization	systems	 might
       wish  to	 make use of the hooks in the libraries	and the	server to pro-
       vide additional security	models.

       The X server attaches special meaning to	the following signals:

       SIGHUP  This signal causes the server to	 close	all  existing  connec-
	       tions,  free  all  resources,  and restore all defaults.	 It is
	       sent by the display  manager  whenever  the  main  user's  main
	       application (usually an xterm or	window manager)	exits to force
	       the server to clean up and prepare for the next user.

       SIGTERM This signal causes the server to	exit cleanly.

       SIGUSR1 This signal is used quite differently from either of the	above.
	       When  the  server  starts, it checks to see if it has inherited
	       SIGUSR1 as SIG_IGN instead of the usual SIG_DFL.	 In this case,
	       the  server  sends a SIGUSR1 to its parent process after	it has
	       set up the various connection schemes.  Xdm uses	 this  feature
	       to recognize when connecting to the server is possible.

       The  X  server  can  obtain  fonts  from	 directories  and/or from font
       servers.	 The list of directories and font servers the  X  server  uses
       when trying to open a font is controlled	by the font path.

       The    default	 font	 path	 is    /usr/X11R6/lib/X11/fonts/misc/,
       /usr/X11R6/lib/X11/fonts/Speedo/,      /usr/X11R6/lib/X11/fonts/Type1/,
       /usr/X11R6/lib/X11/fonts/75dpi/,	/usr/X11R6/lib/X11/fonts/100dpi/" .

       The  font  path	can be set with	the -fp	option or by xset(1) after the
       server has started.

       /etc/Xn.hosts		     Initial access control list  for  display
				     number n

				     Bitmap font directories

				     Outline font directories

       /usr/X11R6/lib/X11/rgb.txt    Color database

       /tmp/.X11-unix/Xn	     Unix domain socket	for display number n

       /tmp/rcXn		     Kerberos  5 replay	cache for display num-
				     ber n

       /usr/adm/Xnmsgs		     Error log file for	display	 number	 n  if
				     run from init(8)

				     Default  error  log file if the server is
				     run from xdm(1)

       General information: X(7)

       Protocols: X Window System Protocol, The	X  Font	 Service  Protocol,  X
       Display Manager Control Protocol

       Fonts:  bdftopcf(1),  mkfontdir(1),  xfs(1),  xlsfonts(1), xfontsel(1),
       xfd(1), X Logical Font Description Conventions

       Security: Xsecurity(7), xauth(1),  Xau(1),  xdm(1),  xhost(1),  xfwp(1)
       Security	Extension Specification

       Starting	the server: xdm(1), xinit(1)

       Controlling the server once started: xset(1), xsetroot(1), xhost(1)

       Server-specific	man  pages:  Xdec(1),  XmacII(1),  Xsun(1),  Xnest(1),
       Xvfb(1),	XFree86(1), XDarwin(1).

       Server internal documentation: Definition of the	Porting	Layer for  the
       X v11 Sample Server

       The  sample server was originally written by Susan Angebranndt, Raymond
       Drewry, Philip Karlton, and Todd	Newman,	from Digital Equipment	Corpo-
       ration,	with support from a large cast.	 It has	since been extensively
       rewritten by Keith Packard and Bob Scheifler, from MIT.	 Dave  Wiggins
       took over post-R5 and made substantial improvements.

X Version 11			  Release 6.6			    XSERVER(1)


Want to link to this manual page? Use this URL:

home | help