Installations that run more than one window system may need to use the xinit(1) utility instead of xdm. However, xinit is to be considered a tool for building startup scripts and is not intended for use by end users. Site administrators are strongly urged to use xdm, or build other interfaces for novice users.
The X server may also be started directly by the user, though this method is usually reserved for testing and is not recommended for normal operation. On some platforms, the user must have special permission to start the X server, often because access to certain devices (e.g. /dev/mouse) is restricted.
When the X server starts up, it typically takes over the display. If you are running on a workstation whose console is the display, you may not be able to log into the console while the server is running.
Many servers also have device-specific command line options. See the manual pages for the individual servers for more details.
The syntax of the security policy file is as follows. Notation: "*" means zero or more occurrences of the preceding element, and "+" means one or more occurrences. To interpret <foo/bar>, ignore the text after the /; it is used to distinguish between instances of <foo> in the next section.
<policy file> ::= <version line> <other line>* <version line> ::= <string/v> '\n' <other line > ::= <comment> | <access rule> | <site policy> | <blank line> <comment> ::= # <not newline>* '\n' <blank line> ::= <space> '\n' <site policy> ::= sitepolicy <string/sp> '\n' <access rule> ::= property <property/ar> <window> <perms> '\n' <property> ::= <string> <window> ::= any | root | <required property> <required property> ::= <property/rp> | <property with value> <property with value> ::= <property/rpv> = <string/rv> <perms> ::= [ <operation> | <action> | <space> ]* <operation> ::= r | w | d <action> ::= a | i | e <string> ::= <dbl quoted string> | <single quoted string> | <unqouted string> <dbl quoted string> ::= <space> " <not dqoute>* " <space> <single quoted string> ::= <space> ' <not squote>* ' <space> <unquoted string> ::= <space> <not space>+ <space> <space> ::= [ ' ' | '\t' ]* Character sets: <not newline> ::= any character except '\n' <not dqoute> ::= any character except " <not squote> ::= any character except ' <not space> ::= any character except those in <space>
The semantics associated with the above syntax are as follows.
<version line>, the first line in the file, specifies the file format version. If the server does not recognize the version <string/v>, it ignores the rest of the file. The version string for the file format described here is "version-1" .
Once past the <version line>, lines that do not match the above syntax are ignored.
<comment> lines are ignored.
<sitepolicy> lines are currently ignored. They are intended to specify the site policies used by the XC-QUERY-SECURITY-1 authorization method.
<access rule> lines specify how the server should react to untrusted client requests that affect the X Window property named <property/ar>. The rest of this section describes the interpretation of an <access rule>.
For an <access rule> to apply to a given instance of <property/ar>, <property/ar> must be on a window that is in the set of windows specified by <window>. If <window> is any, the rule applies to <property/ar> on any window. If <window> is root, the rule applies to <property/ar> only on root windows.
If <window> is <required property>, the following apply. If <required property> is a <property/rp>, the rule applies when the window also has that <property/rp>, regardless of its value. If <required property> is a <property with value>, <property/rpv> must also have the value specified by <string/rv>. In this case, the property must have type STRING and format 8, and should contain one or more null-terminated strings. If any of the strings match <string/rv>, the rule applies.
The definition of string matching is simple case-sensitive string comparison with one elaboration: the occurence of the character '*' in <string/rv> is a wildcard meaning "any string." A <string/rv> can contain multiple wildcards anywhere in the string. For example, "x*" matches strings that begin with x, "*x" matches strings that end with x, "*x*" matches strings containing x, and "x*y*" matches strings that start with x and subsequently contain y.
There may be multiple <access rule> lines for a given <property/ar>. The rules are tested in the order that they appear in the file. The first rule that applies is used.
<perms> specify operations that untrusted clients may attempt, and the actions that the server should take in response to those operations.
<operation> can be r (read), w (write), or d (delete). The following table shows how X Protocol property requests map to these operations in The Open Group server implementation.
GetProperty r, or r and d if delete = True ChangeProperty w RotateProperties r and w DeleteProperty d ListProperties none, untrusted clients can always list all properties
<action> can be a (allow), i (ignore), or e (error). Allow means execute the request as if it had been issued by a trusted client. Ignore means treat the request as a no-op. In the case of GetProperty, ignore means return an empty property value if the property exists, regardless of its actual value. Error means do not execute the request and return a BadAtom error with the atom set to the property name. Error is the default action for all properties, including those not listed in the security policy file.
An <action> applies to all <operation>s that follow it, until the next <action> is encountered. Thus, irwad means ignore read and write, allow delete.
GetProperty and RotateProperties may do multiple operations (r and d, or r and w). If different actions apply to the operations, the most severe action is applied to the whole request; there is no partial request execution. The severity ordering is: allow < ignore < error. Thus, if the <perms> for a property are ired (ignore read, error delete), and an untrusted client attempts GetProperty on that property with delete = True, an error is returned, but the property value is not. Similarly, if any of the properties in a RotateProperties do not allow both read and write, an error is returned without changing any property values.
Here is an example security policy file.
version-1 # Allow reading of application resources, but not writing. property RESOURCE_MANAGER root ar iw property SCREEN_RESOURCES root ar iw # Ignore attempts to use cut buffers. Giving errors causes apps to crash, # and allowing access may give away too much information. property CUT_BUFFER0 root irw property CUT_BUFFER1 root irw property CUT_BUFFER2 root irw property CUT_BUFFER3 root irw property CUT_BUFFER4 root irw property CUT_BUFFER5 root irw property CUT_BUFFER6 root irw property CUT_BUFFER7 root irw # If you are using Motif, you probably want these. property _MOTIF_DEFAULT_BINDINGS root ar iw property _MOTIF_DRAG_WINDOW root ar iw property _MOTIF_DRAG_TARGETS any ar iw property _MOTIF_DRAG_ATOMS any ar iw property _MOTIF_DRAG_ATOM_PAIRS any ar iw # The next two rules let xwininfo -tree work when untrusted. property WM_NAME any ar # Allow read of WM_CLASS, but only for windows with WM_NAME. # This might be more restrictive than necessary, but demonstrates # the <required property> facility, and is also an attempt to # say "top level windows only." property WM_CLASS WM_NAME ar # These next three let xlsclients work untrusted. Think carefully # before including these; giving away the client machine name and command # may be exposing too much. property WM_STATE WM_NAME ar property WM_CLIENT_MACHINE WM_NAME ar property WM_COMMAND WM_NAME ar # To let untrusted clients use the standard colormaps created by # xstdcmap, include these lines. property RGB_DEFAULT_MAP root ar property RGB_BEST_MAP root ar property RGB_RED_MAP root ar property RGB_GREEN_MAP root ar property RGB_BLUE_MAP root ar property RGB_GRAY_MAP root ar # To let untrusted clients use the color management database created # by xcmsdb, include these lines. property XDCCC_LINEAR_RGB_CORRECTION root ar property XDCCC_LINEAR_RGB_MATRICES root ar property XDCCC_GRAY_SCREENWHITEPOINT root ar property XDCCC_GRAY_CORRECTION root ar # To let untrusted clients use the overlay visuals that many vendors # support, include this line. property SERVER_OVERLAY_VISUALS root ar # Dumb examples to show other capabilities. # oddball property names and explicit specification of error conditions property "property with spaces" 'property with "' aw er ed # Allow deletion of Woo-Hoo if window also has property OhBoy with value # ending in "son". Reads and writes will cause an error. property Woo-Hoo OhBoy = "*son" ad
Authorization data required by the above protocols is passed to the server in a private file named with the -auth command line option. Each time the server is about to accept the first connection after a reset (or when the server is starting), it reads this file. If this file contains any authorization records, the local host is not automatically allowed access to the server, and only clients which send one of the authorization records contained in the file in the connection setup information will be allowed access. See the Xau manual page for a description of the binary format of this file. See xauth(1) for maintenance of this file, and distribution of its contents to remote hosts.
The X server also uses a host-based access control list for deciding whether or not to accept connections from clients on a particular machine. If no other authorization mechanism is being used, this list initially consists of the host on which the server is running as well as any machines listed in the file /etc/Xn.hosts, where n is the display number of the server. Each line of the file should contain either an Internet hostname (e.g. expo.lcs.mit.edu) or a DECnet hostname in double colon format (e.g. hydra::). There should be no leading or trailing spaces on any lines. For example:
joesworkstation corporate.company.com star:: bigcpu::
Users can add or remove hosts from this list and enable or disable access control using the xhost command from the same machine as the server.
If the X FireWall Proxy (xfwp) is being used without a sitepolicy, host-based authorization must be turned on for clients to be able to connect to the X server via the xfwp. If xfwp is run without a configuration file and thus no sitepolicy is defined, if xfwp is using an X server where xhost + has been run to turn off host-based authorization checks, when a client tries to connect to this X server via xfwp, the X server will deny the connection. See xfwp(1) for more information about this proxy.
The X protocol intrinsically does not have any notion of window operation permissions or place any restrictions on what a client can do; if a program can connect to a display, it has full run of the screen. X servers that support the SECURITY extension fare better because clients can be designated untrusted via the authorization they use to connect; see the xauth(1) manual page for details. Restrictions are imposed on untrusted clients that curtail the mischief they can do. See the SECURITY extension specification for a complete list of these restrictions.
Sites that have better authentication and authorization systems might wish to make use of the hooks in the libraries and the server to provide additional security models.
The default font path is "<XRoot>/lib/X11/fonts/misc/, <XRoot>/lib/X11/fonts/Speedo/, <XRoot>/lib/X11/fonts/Type1/, <XRoot>/lib/X11/fonts/75dpi/, <XRoot>/lib/X11/fonts/100dpi/" . where <XRoot> refers to the root of the X11 install tree.
The font path can be set with the -fp option or by xset(1) after the server has started.
Note: <XRoot> refers to the root of the X11 install tree.
Protocols: X Window System Protocol, The X Font Service Protocol, X Display Manager Control Protocol
Fonts: bdftopcf(1) , mkfontdir(1) , xfs(1) , xlsfonts(1) , xfontsel(1) , xfd(1) , X Logical Font Description Conventions
Security: Xsecurity(1) , xauth(1) , Xau(1) , xdm(1) , xhost(1) , xfwp(1) Security Extension Specification
Starting the server: xdm(1) , xinit(1)
Controlling the server once started: xset(1) , xsetroot(1) , xhost(1)
Server-specific man pages: Xdec(1) , XmacII(1) , Xsun(1) , Xnest(1) , Xvfb(1) , XF86_Accel(1) , XF86_SVGA(1) , XFree86(1)
Server internal documentation: Definition of the Porting Layer for the X v11 Sample Server
Table of Contents