I asked Google the same question and didn't like the results I got.
What is /tmp/.X11-unix/?
Unless your X-server supports XResQueryClientIds from X-Resource v1.2 extension I know no easy way to reliably request process ID. There're other ways however.
If you just have a window in front of you and don't know its ID yet — it's easy to find it out. Just open a terminal next to the window in question, run xwininfo there and click on that window. xwininfo will show you the window-id.
So let's assume you know a window-id, e.g. 0x1600045, and want to find which process owns it.
The easiest way to check who that window belongs to is to run XKillClient for it i.e.:
xkill -id 0x1600045
and see which process just died. But only if you don't mind killing it of course!
Another easy but unreliable way is to check its _NET_WM_PID and WM_CLIENT_MACHINE properties:
xprop -id 0x1600045
That's what tools like xlsclients and xrestop do.
Unfortunately this information may be incorrect not only because the process was evil and changed those, but also because it was buggy. For example after some firefox crash/restart I've seen orphaned windows (from flash plugin, I guess) with _NET_WM_PID pointing to a process that died a long time ago.
Alternative way is to run
xwininfo -root -tree
and check properties of parents of the window in question. That may also give you some hints about window origins.
But! While you may not find what process has created that window, there's still a way to find where that process has connected to X-server from. And that way is for real hackers. :)
The window-id 0x1600045 that you know with lower bits zeroed (i.e. 0x1600000) is a "client base". And all resource IDs, allocated for that client are "based" on it (0x1600001, 0x1600002, 0x1600003, etc). X-server stores information about its clients in clients[] array, and for each client its "base" is stored in clients[i]->clientAsMask variable. To find X-socket, corresponding to that client, you need to attach to X-server with gdb, walk over clients[] array, find client with that clientAsMask and print its socket descriptor, stored in ((OsCommPtr)(clients[i]->osPrivate))->fd.
There may be many X-clients connected, so in order to not check them all manually, let's use a gdb function:
define findclient
  set $ii = 0
  while ($ii < currentMaxClients)
    if (clients[$ii] != 0 && clients[$ii]->clientAsMask == $arg0 && clients[$ii]->osPrivate != 0)
      print ((OsCommPtr)(clients[$ii]->osPrivate))->fd
    end
    set $ii = $ii + 1
  end
end
When you find the socket, you can check, who's connected to it, and finally find the process.
WARNING: Do NOT attach gdb to X-server from INSIDE the X-server. gdb suspends the process it attaches to, so if you attach to it from inside X-session, you'll freeze your X-server and won't be able to interact with gdb. You must either switch to text terminal (Ctrl+Alt+F2) or connect to your machine over ssh.
Find the PID of your X-server:
$ ps ax | grep X
1237 tty1 Ssl+ 11:36 /usr/bin/X :0 vt1 -nr -nolisten tcp -auth /var/run/kdm/A:0-h6syCa
Window id is 0x1600045, so client base is 0x1600000. Attach to X-server and find client socket descriptor for that client base. You'll need debug information installed for X-server (-debuginfo package for rpm-distributions or -dbg package for deb's).
$ sudo gdb
(gdb) define findclient
Type commands for definition of "findclient".
End with a line saying just "end".
> set $ii = 0
> while ($ii < currentMaxClients)
> if (clients[$ii] != 0 && clients[$ii]->clientAsMask == $arg0 && clients[$ii]->osPrivate != 0)
> print ((OsCommPtr)(clients[$ii]->osPrivate))->fd
> end
> set $ii = $ii + 1
> end
> end
(gdb) attach 1237
(gdb) findclient 0x1600000
$1 = 31
(gdb) detach
(gdb) quit
Now you know that client is connected to a server socket 31. Use lsof to find what that socket is:
$ sudo lsof -n | grep 1237 | grep 31
X 1237 root 31u unix 0xffff810008339340 8512422 socket
(here "X" is the process name, "1237" is its pid, "root" is the user it's running from, "31u" is a socket descriptor)
There you may see that the client is connected over TCP, then you can go to the machine it's connected from and check netstat -nap there to find the process. But most probably you'll see a unix socket there, as shown above, which means it's a local client.
To find a pair for that unix socket you can use the MvG's technique (you'll also need debug information for your kernel installed):
$ sudo gdb -c /proc/kcore
(gdb) print ((struct unix_sock*)0xffff810008339340)->peer
$1 = (struct sock *) 0xffff810008339600
(gdb) quit
Now that you know client socket, use lsof to find PID holding it:
$ sudo lsof -n | grep 0xffff810008339600
firefox 7725 username 146u unix 0xffff810008339600 8512421 socket
That's it. The process keeping that window is "firefox" with process-id 7725
2017 Edit: There are more options now as seen at Who's got the other end of this unix socketpair?. With Linux 3.3 or above and with lsof 4.89 or above, you can replace points 3 to 5 above with:
lsof +E -a -p 1237 -d 31
to find out who's at the other end of the socket on fd 31 of the X-server process with ID 1237.
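An added example, not part of the answer above: Python code that checks the self-reported _NET_WM_PID and WM_CLIENT_MACHINE values the answer calls unreliable, run over constructed xprop output. The 0x1FFFFF resource-id mask, the audit() helper with its heuristics, and the sample windows are assumptions for illustration.

```python
import re

# Assumption: typical Xorg resource-id-mask. The real value is sent in the
# connection setup reply and can differ between servers.
RESOURCE_ID_MASK = 0x1FFFFF

def client_base(window_id):
    """Zero the per-client resource bits, e.g. 0x1600045 -> 0x1600000."""
    return window_id & ~RESOURCE_ID_MASK

def parse_xprop(text):
    """Extract the two self-reported properties from `xprop -id` output."""
    pid = re.search(r"^_NET_WM_PID\(CARDINAL\) = (\d+)$", text, re.M)
    host = re.search(r'^WM_CLIENT_MACHINE\(STRING\) = "(.*)"$', text, re.M)
    return {"pid": int(pid.group(1)) if pid else None,
            "host": host.group(1) if host else None}

def audit(windows, live_pids, local_host):
    """Return {window_id: [reasons the PID claim cannot be trusted]}."""
    findings, pid_by_base = {}, {}
    for wid, text in sorted(windows.items()):
        props, reasons = parse_xprop(text), []
        if props["pid"] is None:
            reasons.append("no _NET_WM_PID set")
        elif props["host"] != local_host:
            reasons.append("WM_CLIENT_MACHINE missing or not this host")
        elif props["pid"] not in live_pids:
            reasons.append("PID not running (stale or forged)")
        if props["pid"] is not None:
            # Heuristic: windows sharing a client base come from one X
            # connection, so their PID claims should agree.
            first = pid_by_base.setdefault(client_base(wid), props["pid"])
            if first != props["pid"]:
                reasons.append("same X client claims different PIDs")
        if reasons:
            findings[wid] = reasons
    return findings

# Constructed sample input: xprop output for three windows.
SAMPLE = {
    0x1600045: '_NET_WM_PID(CARDINAL) = 7725\nWM_CLIENT_MACHINE(STRING) = "box"\n',
    0x1600102: '_NET_WM_PID(CARDINAL) = 4242\nWM_CLIENT_MACHINE(STRING) = "box"\n',
    0x2A00007: 'WM_NAME(STRING) = "untitled"\n',
}

if __name__ == "__main__":
    for wid, why in audit(SAMPLE, live_pids={7725}, local_host="box").items():
        print(hex(wid), why)
```

A window that passes these checks is still only self-reported; the socket-based lookup in the answer is what ties a client to a process.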
If you have an X server running and the DISPLAY environment variable is set to :0, that tells applications to connect to the X server using a unix domain socket which is generally to be found on Linux in /tmp/.X11-unix/X0 (though see below about the abstract namespace on recent Linux).
When you ssh to machine remotemachine, sshd on remotemachine sets DISPLAY to localhost:10 (for instance), which this time means that X connections are to be done over TCP to port 6010 of machine localhost. sshd on remotemachine listens for connections on there and forwards any incoming connection to the ssh client. The ssh client then tries to connect to /tmp/.X11-unix/X0 (on the local end, not the remote) to contact your X server.
Now, maybe you don't have an X server running (are you on Mac?) or maybe the unix domain socket is not to be found in /tmp/.X11-unix which would mean ssh hasn't been configured properly at compile time.
To figure out what the proper path is for the unix socket, you could try a strace -e connect xlogo (or the equivalent on your system) on your local machine to see what a normal X application does.
netstat -x | grep X may also give a clue.
For the record, on a Linux Debian wheezy machine here, Xorg listens on both /tmp/.X11-unix/X0 in the filesystem and /tmp/.X11-unix/X0 on the abstract namespace (generally written @/tmp/.X11-unix/X0). From strace, X11 applications seem to now use that abstract namespace by default, which explains why those still work if /tmp/.X11-unix is removed, while ssh doesn't use that abstract namespace.
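An added example, not part of the answer above: Python code that resolves a DISPLAY value to the endpoint the answer describes and checks a constructed /proc/net/unix excerpt for listeners in the filesystem and abstract namespaces. The function names and sample rows are assumptions; the client and ssh behaviour encoded in reachability() is the answer's observation, not a guarantee.

```python
import re

X_DIR = "/tmp/.X11-unix"  # socket directory named on this page

def resolve_display(display):
    """Map a DISPLAY value to the endpoint an X client will try."""
    m = re.fullmatch(r"([^:]*):(\d+)(?:\.\d+)?", display)
    if not m:
        raise ValueError(f"not a DISPLAY value: {display!r}")
    host, num = m.group(1), int(m.group(2))
    if host in ("", "unix"):
        return {"transport": "unix", "path": f"{X_DIR}/X{num}"}
    return {"transport": "tcp", "host": host, "port": 6000 + num}

def x_listeners(proc_net_unix):
    """Return {socket path: set of namespaces} for listening X sockets."""
    found = {}
    for line in proc_net_unix.splitlines()[1:]:  # skip header row
        cols = line.split()
        # Columns: Num RefCount Protocol Flags Type St Inode [Path]
        if len(cols) < 8 or not int(cols[3], 16) & 0x10000:  # not listening
            continue
        ns = "abstract" if cols[7].startswith("@") else "filesystem"
        path = cols[7].lstrip("@")
        if re.fullmatch(re.escape(X_DIR) + r"/X\d+", path):
            found.setdefault(path, set()).add(ns)
    return found

def reachability(display, proc_net_unix):
    """Who can reach the local server, per the behaviour described above."""
    ep = resolve_display(display)
    if ep["transport"] != "unix":
        return ep
    ns = x_listeners(proc_net_unix).get(ep["path"], set())
    return {**ep, "x_clients": bool(ns), "ssh_forwarding": "filesystem" in ns}

# Constructed /proc/net/unix excerpt: a server with only the abstract
# listener; the last row is a connected socket, not a listener.
SAMPLE = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 11820 @/tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 9001 /run/dbus/system_bus_socket
0000000000000000: 00000003 00000000 00000000 0001 03 8512422 /tmp/.X11-unix/X0
"""

if __name__ == "__main__":
    print(reachability(":0", SAMPLE))
    print(reachability("localhost:10", SAMPLE))
```

A filesystem listener in /proc/net/unix only shows that the server bound that name; whether the path still exists on disk needs a separate check.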
Best Answer
On my fairly up-to-date Arch laptop, /tmp/.X11-unix/ is a directory with one entry: X0, a Unix-domain socket.
The X11 server (usually Xorg these days) communicates with clients like xterm, firefox, etc via some kind of reliable stream of bytes. A Unix domain socket is probably a bit more secure than a TCP socket open to the world, and probably a bit faster, as the kernel does it all, and does not have to rely on an ethernet or wireless card.
My X11 server shows up as:
The "-nolisten tcp" keeps it from opening TCP port 6000 for communications.
The command lsof -U can tell you what processes are using which Unix domain sockets. I see Xorg as connected to /tmp/.X11-unix/X0.