X11 – Understanding /tmp/.X11-unix/

x11

I asked Google the same question and didn't like the results I got.

What is /tmp/.X11-unix/?

Best Answer

On my fairly up-to-date Arch laptop, /tmp/.X11-unix/ is a directory with one entry: X0, a Unix-domain socket.

The X11 server (usuall Xorg these days) communicates with clients like xterm, firefox, etc via some kind of reliable stream of bytes. A Unix domain socket is probably a bit more secure than a TCP socket open to the world, and probably a bit faster, as the kernel does it all, and does not have to rely on an ethernet or wireless card.

My X11 server shows up as:

bediger    294   293  0 Apr09 tty1     01:23:26 /usr/lib/xorg-server/Xorg -nolisten tcp :0 vt1 -auth /tmp/serverauth.aK3Lrv5hMV

The "-nolisten tcp" keeps it from opening TCP port 6000 for communications.

The command lsof -U can tell you what processes are using which Unix domain sockets. I see Xorg as connected to /tmp/.X11-unix/X0.

Related Solutions

X11 – What Process Created This X11 Window

Unless your X-server supports XResQueryClientIds from X-Resource v1.2 extension I know no easy way to reliably request process ID. There're other ways however.

If you just have a window in front of you and don't know its ID yet — it's easy to find it out. Just open a terminal next to the window in question, run xwininfo there and click on that window. xwininfo will show you the window-id.

So let's assume you know a window-id, e.g. 0x1600045, and want to find, what's the process owning it.

The easiest way to check who that window belongs to is to run XKillClient for it i.e.:

xkill -id 0x1600045

and see which process just died. But only if you don't mind killing it of course!

Another easy but unreliable way is to check its _NET_WM_PID and WM_CLIENT_MACHINE properties:

xprop -id 0x1600045

That's what tools like xlsclients and xrestop do.

Unfortunately this information may be incorrect not only because the process was evil and changed those, but also because it was buggy. For example after some firefox crash/restart I've seen orphaned windows (from flash plugin, I guess) with _NET_WM_PID pointing to a process, that died long time ago.

Alternative way is to run

xwininfo -root -tree

and check properties of parents of the window in question. That may also give you some hints about window origins.

But! While you may not find what process have created that window, there's still a way to find where that process have connected to X-server from. And that way is for real hackers. :)

The window-id 0x1600045 that you know with lower bits zeroed (i.e. 0x1600000) is a "client base". And all resource IDs, allocated for that client are "based" on it (0x1600001, 0x1600002, 0x1600003, etc). X-server stores information about its clients in clients[] array, and for each client its "base" is stored in clients[i]->clientAsMask variable. To find X-socket, corresponding to that client, you need to attach to X-server with gdb, walk over clients[] array, find client with that clientAsMask and print its socket descriptor, stored in ((OsCommPtr)(clients[i]->osPrivate))->fd.

There may be many X-clients connected, so in order to not check them all manually, let's use a gdb function:

define findclient
  set $ii = 0
  while ($ii < currentMaxClients)
    if (clients[$ii] != 0 && clients[$ii]->clientAsMask == $arg0 && clients[$ii]->osPrivate != 0)
      print ((OsCommPtr)(clients[$ii]->osPrivate))->fd
    end
    set $ii = $ii + 1
  end
end

When you find the socket, you can check, who's connected to it, and finally find the process.

WARNING: Do NOT attach gdb to X-server from INSIDE the X-server. gdb suspends the process it attaches to, so if you attach to it from inside X-session, you'll freeze your X-server and won't be able to interact with gdb. You must either switch to text terminal (Ctrl+Alt+F2) or connect to your machine over ssh.

Example:

Find the PID of your X-server:

$ ps ax | grep X
 1237 tty1     Ssl+  11:36 /usr/bin/X :0 vt1 -nr -nolisten tcp -auth /var/run/kdm/A:0-h6syCa

Window id is 0x1600045, so client base is 0x1600000. Attach to X-server and find client socket descriptor for that client base. You'll need debug information installed for X-server (-debuginfo package for rpm-distributions or -dbg package for deb's).

$ sudo gdb
(gdb) define findclient
Type commands for definition of "findclient".
End with a line saying just "end".
>  set $ii = 0
>  while ($ii < currentMaxClients)
 >   if (clients[$ii] != 0 && clients[$ii]->clientAsMask == $arg0 && clients[$ii]->osPrivate != 0)
  >     print ((OsCommPtr)(clients[$ii]->osPrivate))->fd
  >     end
 >   set $ii = $ii + 1
 >   end
>  end
(gdb) attach 1237
(gdb) findclient 0x1600000
$1 = 31
(gdb) detach
(gdb) quit

Now you know that client is connected to a server socket 31. Use lsof to find what that socket is:
```
$ sudo lsof -n | grep 1237 | grep 31
X        1237    root   31u   unix 0xffff810008339340       8512422 socket
```
(here "X" is the process name, "1237" is its pid, "root" is the user it's running from, "31u" is a socket descriptor)

There you may see that the client is connected over TCP, then you can go to the machine it's connected from and check netstat -nap there to find the process. But most probably you'll see a unix socket there, as shown above, which means it's a local client.

To find a pair for that unix socket you can use the MvG's technique (you'll also need debug information for your kernel installed):

$ sudo gdb -c /proc/kcore
(gdb) print ((struct unix_sock*)0xffff810008339340)->peer
$1 = (struct sock *) 0xffff810008339600
(gdb) quit

Now that you know client socket, use lsof to find PID holding it:

$ sudo lsof -n | grep 0xffff810008339600
firefox  7725  username  146u   unix 0xffff810008339600       8512421 socket

That's it. The process keeping that window is "firefox" with process-id 7725

2017 Edit: There are more options now as seen at Who's got the other end of this unix socketpair?. With Linux 3.3 or above and with lsof 4.89 or above, you can replace points 3 to 5 above with:

lsof +E -a -p 1237 -d 31

to find out who's at the other end of the socket on fd 31 of the X-server process with ID 1237.

SSH X11 – Fix ‘connect /tmp/.X11-unix/X0: No Such File or Directory’ Error

If you have a X server running and the DISPLAY environment variable is set to :0, that tells applications to connect to the X server using a unix domain socket which is generally to be found on Linux in /tmp/.X11-unix/X0 (though see below about the abstract namespace on recent Linux).

When you ssh to machine remotemachine, sshd on remotemachine sets DISPLAY to localhost:10 (for instance), which this time means that X connections are do be done over TCP to port 6010 of machine localhost. sshd on remotemachine listens for connections on there and forwards any incoming connection to the ssh client. The ssh client then tries to connect to /tmp/.X11-unix/X0 (on the local end, not the remote) to contact your X server.

Now, maybe you don't have a X server running (are you on Mac?) or maybe the unix domain socket is not to be found in /tmp/.X11-unix which would mean ssh hasn't been configured properly at compile time.

To figure out what the proper path is for the unix socket, you could try a strace -e connect xlogo (or the equivalent on your system) on your local machine to see what a normal X application does.

netstat -x | grep X may also give a clue.

For the record, on a Linux Debian wheezy machine here, Xorg listens on both /tmp/.X11-unix/X0 in the filesystem and /tmp/.X11-unix/X0 on the abstract namespace (generally written @/tmp/.X11-unix/X0). From strace, X11 applications seem to now use that abstract namespace by default, which explains why those still work if /tmp/.X11-unix is removed, while ssh doesn't use that abstract namespace.

Best Answer

Related Solutions

X11 – What Process Created This X11 Window

Example:

SSH X11 – Fix ‘connect /tmp/.X11-unix/X0: No Such File or Directory’ Error

Related Question