34

I am setting up a server where there are multiple developers working on multiple applications.

I have figured out how to give certain developers shared access to the necessary application directories using the setgid bit and default ACLs to give anyone in a group access.

Many of these applications run under a terminal while in development for easy access. When I work alone, I set up a user for an application and run screen as that user. This has the downside that every developer to use the screen session needs to know the password and it is harder to keep user and application accounts separate.

One way that could work is using screen's multiuser features. They do not work out of the box, however; screen complains about needing suid root. Does giving that have any downsides? I am pretty careful about using suid root anything. Maybe there is a reason why it isn't the default?

Should I do it with screen or is there some other intelligent way of doing what I want?

varesa

3 Answers

52

Yes, you can do it with screen which has multiuser support.

First, create a new session:

screen -d -m -S multisession

Attach to it:

screen -r multisession

Turn on multiuser support:

Press Ctrl-a and type (NOTE: Ctrl+a is needed just before each single command, i.e. twice here)

:multiuser on
:acladd USER ← use username of user you want to give access to your screen

Now, Ctrl-a d and list the sessions:

$ screen -ls
There is a screen on:
    4791.multisession   (Multi, detached)

You now have a multiuser screen session. Give the name multisession to the acl'd user, so he can attach to it:

screen -x youruser/multisession

And that's it.

The only drawback is that screen must run as suid root. But as far as I know, that is the default, normal situation.

Another option is to do `screen -S $screen_id -X multiuser on`, `screen -S $screen_id -X acladd authorized_user`

Hope this helps.

Lubo
Scyld de Fraud
  • 1
    This is what I tried, up to where screen complains about needing `suid root`. I figured out I'd ask if this was the preferred way of doing things before adding root permissions to programs that do not have them by default – varesa Oct 23 '14 at 21:36
  • Strange. My `screen` is `suid` root. – Scyld de Fraud Oct 23 '14 at 21:38
  • I think that might be a distro-dependent thing. I tried on CentOS 6 or 7 (need to check) – varesa Oct 23 '14 at 22:02
  • For what it's worth, `screen` is also not `suid root` on Ubuntu 16.04. – icedwater Jan 17 '18 at 05:12
  • 8
    `screen -S $screen_id -X multiuser on`, `screen -S $screen_id -X acladd authorized_user` instead of control-a commands would be a good addition to the answer – ribamar Mar 15 '18 at 15:29
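
Added example (not from any answer or comment on this page): a POSIX sh helper that reports whether a given screen binary is setuid root, which the multiuser steps above depend on, and prints the `-X multiuser on` / `-X acladd` commands for a list of users after validating the names. The function names and the `alice`/`bob` accounts are hypothetical, and `/usr/bin/screen` is an assumed fallback path.

```shell
#!/bin/sh
# Added example: helper names and the alice/bob accounts are hypothetical.

# Classify a screen binary: missing | not-setuid | setuid-root | setuid-other
screen_setuid_state() {
    bin=$1
    [ -f "$bin" ] || { echo missing; return 0; }
    [ -u "$bin" ] || { echo not-setuid; return 0; }
    # -L follows a symlinked binary; -n prints the numeric owner in field 3
    owner=$(ls -lnL -- "$bin" | awk '{print $3}')
    if [ "$owner" = 0 ]; then echo setuid-root; else echo setuid-other; fi
}

# Accept only plain account/session names, so a name can never smuggle
# extra options or screen commands into the -S / -X arguments.
valid_name() {
    case $1 in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the commands that share SESSION with each USER, one per line,
# so they can be reviewed before being run by the session owner.
acl_commands() {
    session=$1; shift
    valid_name "$session" || { echo "bad session name" >&2; return 1; }
    for u in "$@"; do
        valid_name "$u" || { echo "bad user name: $u" >&2; return 1; }
    done
    echo "screen -S $session -X multiuser on"
    for u in "$@"; do
        echo "screen -S $session -X acladd $u"
    done
}

# Report on the installed binary (falls back to an assumed default path).
state=$(screen_setuid_state "$(command -v screen || echo /usr/bin/screen)")
echo "screen binary: $state"
# Example: acl_commands multisession alice bob
```

A `not-setuid` result matches the CentOS and Ubuntu 16.04 observations in the comments above; the script only reports the state and does not change file modes.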
2

I've determined that the reason why other people commenting on this question could not do multi-user even after following the steps in @Scyld de Fraud's answer is because SELinux must be enabled (see https://phoenixnap.com/kb/enable-selinux-centos). Screen requires this for certain functionality, such as assigning the Access Control List (via the screen acladd & aclchg commands) permissions to limit or grant access to various users on multi-user displays, as well as for restarting zombie sessions.

Russ Thils
0

Original post - this answer to How to execute a command inside a screen session:

It took me some time, but what I found is: version 4.06 of screen has a bug. If you want to send a command over a shared screen session like this, it fails:

screen -S shared_session_name -X stuff "command \n"

Screen fails with an error:

Cannot opendir /run/screen/S-$USER: Permissions denied

After updating to screen version 4.09, it works.

Greenonline