
I'm trying to allow a user to connect to the screens that the root user has. When another user does "screen -ls", it shows "No Sockets found in /var/run/screen/S-USERNAMEHERE".

In addition to this, is it possible to restrict users to individual screens? For example, I don't want user1 to attach to screen1, but I want them to be able to attach to screen2.

Thanks, Toby.

Toby Mellor
  • To list accessible screens belonging to another user use `screen -ls username/`. – kasperd Sep 05 '15 at 22:09
  • Great to know! This comes up with "Must run suid root for multiuser support.", which I've googled. I've enabled multiuser with "Ctrl-a :multiuser on" and "Ctrl-a :acladd USERHERE" but when I type screen -ls USERHERE/ nothing shows up still. Thanks for the help. – Toby Mellor Sep 05 '15 at 22:25
  • I have only been using it to let root connect to a non-root screen. That may explain why I didn't need to make it suid. But I only used that on Debian, so I don't know if there might be any difference between Ubuntu and Debian. – kasperd Sep 06 '15 at 07:40
  • @kasperd Usually Ubuntu and Debian are quite similar. Have you got any suggestions for a non-root connecting to a root screen? Thanks! – Toby Mellor Sep 06 '15 at 12:14
  • I would first become root through any of the usual means and then attach to the screen. Changing `screen` to be suid if it wasn't already means you would be opening a possible attack vector for an intruder to gain root privileges. – kasperd Sep 06 '15 at 13:02

1 Answer

As far as I know you can tell screen to share with one user at a time.

In order for this to work, you must have SELinux enabled and screen must run as suid root - both of which are the defa

Host

1. Create session

First, create a new screen session:

$ screen -d -m -S session_name

Attach to it:

$ screen -r session_name

2. Turn on multiuser support

From within screen, type Ctrl+a and type:

:multiuser on

Or from outside the screen session, type:

$ screen -S session_name -X multiuser on

3. Give access to a user

From within screen, type Ctrl+a and type:

:acladd guest_username # the username to share your screen with

Or from outside a screen session, type:

$ screen -S session_name -X acladd guest_username

You could run this line programmatically to give access to a list of users.

4. Share session information

You can share your username <host_username> and the screen session name <session_name> with the guest so they can connect.

Hitting Ctrl+a d lets you leave the session without closing screen.

Guest

Armed with the access, the screen session name and the host username, the guest can connect to the screen session:

screen -x host_username/session_name

The guest should now have access to the host's screen session.
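The steps above as a small POSIX shell script, added here as an example and not part of the original answer. It adds the preflight check the comments hint at: `multiuser on` only works when the `screen` binary is setuid root, so the script verifies that before touching a session, and it optionally restricts the guest to read-only with `aclchg`, which goes one step beyond the answer's `acladd`. The function names (`is_suid_root`, `preflight`, `share_session`) and the `READONLY` third argument are this example's own choices.

```shell
#!/bin/sh
# Added example, not the answerer's code: wraps the answer's steps in a
# script with a preflight check for the "Must run suid root for multiuser
# support." message quoted in the comments. Function names and the
# optional read-only argument are assumptions of this example.
set -u

# Return 0 only if FILE has the setuid bit AND is owned by root.
# Multiuser mode needs both: a setuid binary owned by a normal user
# gains nothing, and a root-owned binary without the bit cannot share.
is_suid_root() {
    f=$1
    [ -u "$f" ] || return 1
    find "$f" -prune -user root -print 2>/dev/null | grep -q .
}

# Locate the screen binary and report whether multiuser sharing can work.
preflight() {
    bin=$(command -v screen 2>/dev/null) || { echo "screen not installed" >&2; return 1; }
    if is_suid_root "$bin"; then
        echo "ok: $bin is setuid root"
    else
        echo "warning: $bin is not setuid root; 'multiuser on' will fail with" >&2
        echo "         'Must run suid root for multiuser support.'" >&2
        return 1
    fi
}

# Create a detached session SESSION, enable multiuser and grant GUEST
# access (the answer's steps 1-3). With a third argument of 1 the guest
# is made read-only on every window via: aclchg GUEST -w "#"
share_session() {
    session=$1; guest=$2; readonly_flag=${3:-0}
    preflight || return 1
    screen -d -m -S "$session"
    screen -S "$session" -X multiuser on
    screen -S "$session" -X acladd "$guest"
    if [ "$readonly_flag" = 1 ]; then
        screen -S "$session" -X aclchg "$guest" -w "#"
    fi
    # Step 4: this is what the host hands to the guest.
    echo "guest attaches with: screen -x $(id -un)/$session"
}

# Usage: sh share.sh --share session_name guest_username [1]
case "${1-}" in
    --share) share_session "$2" "$3" "${4:-0}" ;;
esac
```

The preflight check is the defender's side of kasperd's caveat: if `screen` is not already setuid root on the host, the script refuses rather than suggesting you make it so, and the read-only ACL keeps a shared session from becoming a way for the guest to type as the host.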