Multi-User Screen

Have you ever been jamming away on a Unix host’s command line and wished you could share your session with others? Perhaps you could do so to show someone else something you found on the system? Maybe you want that someone to type a password for you? Or perhaps you need to share the experience of going through some prompts and how to answer them? Recently there have been a myriad of technologies that can share windows and even whole desktops, but those programs are not always handy or appropriate.

Fortunately, the GNU Screen program can share that command line session of yours with other users with accounts on the same Unix host. Screen comes with a multi-user mode that allows them to connect to it. Each user can be granted permissions to each window to view, interact, or issue other commands to Screen. Here is a .screenrc file I have used to implement three groups of users: read-only users that can view all windows, read-write users that can also type in all windows, and an administrative user (the account that runs screen in my case) that retains all permissions within Screen.

multiuser on

aclchg READERS +r-wx "#"
aclchg READERS -rwx "?"
aclchg READERS +x colon,license,windows,next,prev,select,other,detach,suspend,redisplay,lastmsg,windowlist,help,stuff

aclchg WRITERS +rw-x "#"
aclchg WRITERS -rwx "?"
aclchg WRITERS +x colon,license,windows,next,prev,select,other,detach,suspend,redisplay,lastmsg,windowlist,help,stuff

aclgrp watcher1 READERS
aclgrp watcher2 READERS
aclgrp trusted1 WRITERS
aclgrp trusted2 WRITERS

aclumask "*"-rwx cosine+rwx READERS+r-wx WRITERS+rw-x "?"-rwx "??"-rwx

In this example, the administrative user is cosine. The read-only users watcher1 and watcher2 are in the READERS group. Likewise, the read-write users trusted1 and trusted2 are in the WRITERS group. Users are placed in groups with the aclgrp command.

The other commands to set this up can be understood with a careful read of Screen’s man page. The short of it is that for READERS we give read access but no write or execute (+r-wx) for all windows (#), then we do not allow any access (-rwx) to any Screen commands (?). Next we do enable access (+x) to a reasonable set of Screen commands necessary for navigation and comfortable viewing—otherwise Screen would not allow the user to change windows, exit his session, or use a few other commands Screen users take for granted. The aclumask command provides a similar level of coverage to windows that are yet to be created. The WRITERS group is given similar permissions, except users in that group are also allowed to write (i.e. type things) into all windows.

If we wanted to create an ADMINS group that had full control of screen (able to create new windows and execute arbitrary screen commands), we could do so by replacing the aclumask command with another that replaces the mention of the cosine user with an ADMINS group, adding a pair of aclchg commands to grant this group access to everything, and then adding some users to the group:

aclchg ADMINS +rwx "#"
aclchg ADMINS +rwx "?"

aclgrp cosine ADMINS
aclgrp admin1 ADMINS
aclgrp admin2 ADMINS

aclumask "*"-rwx ADMINS+rwx READERS+r-wx WRITERS+rw-x "?"-rwx "??"-rwx

If you begin experimenting with these “acl” commands in Screen, do make sure you test your configurations before using them. Screen did not make these commands particularly user-friendly, and they do not always behave how you might think they do. They feel like they were bolted onto the program as an afterthought, and if you have been reading my blog for very long you know how I feel about that. I would not use Screen’s multi-user mode for any high-security application.
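
One way to review such a file before testing it in a live session is to tabulate what it declares. The following Python script is an added example, not from the original post and not part of Screen; the function names (parse_bits, summarize, can_type) are this example's own. It assumes that named entries in an aclchg list are commands, it keeps one user per group from the configuration above, and it reports only what the file declares, so it does not show the session owner's implicit rights or what Screen actually enforces.

```python
import re
from collections import defaultdict
from shlex import split
# The READERS/WRITERS .screenrc from the text above (one user per group kept).
CMDS = "colon,license,windows,next,prev,select,other,detach,suspend,redisplay,lastmsg,windowlist,help,stuff"
SCREENRC = f'''multiuser on
aclchg READERS +r-wx "#"
aclchg READERS -rwx "?"
aclchg READERS +x {CMDS}
aclchg WRITERS +rw-x "#"
aclchg WRITERS -rwx "?"
aclchg WRITERS +x {CMDS}
aclgrp watcher1 READERS
aclgrp trusted1 WRITERS
aclumask "*"-rwx cosine+rwx READERS+r-wx WRITERS+rw-x "?"-rwx "??"-rwx'''

def parse_bits(spec):
    """Split permbits such as '+rw-x' into (granted, revoked) sets."""
    return tuple(set("".join(re.findall(sign + r"([rwx]*)", spec))) for sign in (r"\+", "-"))

def summarize(text):
    """Return (acl, groups): what the file declares, not what Screen enforces."""
    acl = defaultdict(lambda: {"windows": set(), "commands": set(), "umask": set()})
    groups = defaultdict(list)
    for cmd, *args in (split(line) for line in text.splitlines() if line.strip()):
        if cmd == "aclgrp":
            groups[args[0]].append(args[1])
        elif cmd == "aclchg":  # aclchg usernames permbits list
            granted, revoked = parse_bits(args[1])
            for name in args[0].split(","):
                cmds = acl[name]["commands"]
                for target in args[2].split(","):
                    if target == "#":  # all windows
                        acl[name]["windows"] = (acl[name]["windows"] | granted) - revoked
                    elif "x" in granted:  # a command name, or "?" for all commands
                        cmds.add(target)
                    elif "x" in revoked:
                        cmds.difference_update(set(cmds) if target == "?" else {target})
        elif cmd == "aclumask":  # tokens look like users+bits or users-bits
            for token in args:
                names, spec = re.fullmatch(r"(.*?)([+-][rwx+-]*)", token).groups()
                for name in names.split(","):
                    acl[name]["umask"] = (acl[name]["umask"] | parse_bits(spec)[0]) - parse_bits(spec)[1]
    return dict(acl), dict(groups)

def can_type(acl, groups):
    """Names holding 'w' on all windows, directly or through a group."""
    direct = {n for n, e in acl.items() if "w" in e["windows"]}
    return sorted(direct | {u for u, gs in groups.items() if direct & set(gs)})
```

Calling summarize(SCREENRC) and then can_type(acl, groups) on the embedded configuration lists WRITERS and trusted1 as the names that may type into existing windows; the "umask" entries show what each name is declared to get on windows created later.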
