October 23rd, 2007
Multi-User Screen
Have you ever been jamming away on a Unix host’s command line and wished you could share your session with others? Perhaps you could do so to show someone else something you found on the system? Maybe you want that someone to type a password for you? Or perhaps you need to share the experience of going through some prompts and how to answer them? Recently there have been a myriad of technologies that can share windows and even whole desktops, but those programs are not always handy or appropriate.
Fortunately, the GNU Screen program can share that command line session of yours with other users with accounts on the same Unix host. Screen comes with a multi-user mode that allows them to connect to it. Each user can be granted permissions to each window to view, interact, or issue other commands to Screen. Here is a .screenrc file I have used to implement three groups of users: read-only users that can view all windows, read-write users that can also type in all windows, and an administrative user (the account that runs screen in my case) that retains all permissions within Screen.
multiuser on
aclchg READERS +r-wx "#"
aclchg READERS -rwx "?"
aclchg READERS +x colon,license,windows,next,prev,select,other,detach,suspend,redisplay,lastmsg,windowlist,help,stuff
aclchg WRITERS +rw-x "#"
aclchg WRITERS -rwx "?"
aclchg WRITERS +x colon,license,windows,next,prev,select,other,detach,suspend,redisplay,lastmsg,windowlist,help,stuff
aclgrp watcher1 READERS
aclgrp watcher2 READERS
aclgrp trusted1 WRITERS
aclgrp trusted2 WRITERS
aclumask "*"-rwx cosine+rwx READERS+r-wx WRITERS+rw-x "?"-rwx "??"-rwx
In this example, the administrative user is cosine. The read-only users watcher1 and watcher2 are in the READERS group. Likewise, the read-write users trusted1 and trusted2 are in the WRITERS group. Users are placed in groups with the aclgrp command.
The other commands to set this up can be understood with a careful read of Screen’s man page. The short of it is that for READERS we give read access but no write or execute (+r-wx) for all windows (#), then we do not allow any access (-rwx) to any Screen commands. Next we do enable access (+x) to a reasonable set of Screen commands necessary for navigation and comfortable viewing; otherwise Screen would not allow the user to change windows, exit his session, or use a few other commands Screen users take for granted. The aclumask command provides a similar level of coverage to windows that are yet to be created. The WRITERS group is given similar permissions, except users in that group are also allowed to write (i.e. type things) into all windows.
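As an added example (not part of the original post and not Screen's own code), this Python sketch reads the READERS and WRITERS rules from the .screenrc above and answers whether a given account may run a given Screen command, which is a quick way to review a configuration before trusting it. It assumes a simplified model: later aclchg lines override earlier ones bit by bit, every list entry other than "#" and "?" is a command name, group members fall back to their group leader's rights, and aclumask is ignored. The function names are hypothetical.

```python
import shlex

# Constructed sample: the READERS/WRITERS rules from the .screenrc above.
NAV = ("colon,license,windows,next,prev,select,other,detach,suspend,"
       "redisplay,lastmsg,windowlist,help,stuff")
SCREENRC = f'''multiuser on
aclchg READERS +r-wx "#"
aclchg READERS -rwx "?"
aclchg READERS +x {NAV}
aclchg WRITERS +rw-x "#"
aclchg WRITERS -rwx "?"
aclchg WRITERS +x {NAV}
aclgrp watcher1 READERS
aclgrp trusted1 WRITERS
'''

def apply_bits(current, spec):
    """Apply a permbits string such as '+rw-x' to a copy of a set of bits."""
    bits, add = set(current), True
    for ch in spec:
        if ch in "+-":
            add = ch == "+"
        else:
            (bits.add if add else bits.discard)(ch)
    return bits

def audit(text):
    """Simplified model (an assumption, not Screen's own logic): acl[name] maps
    '#', '?' and command names to permission bits; groups[user] = leader."""
    acl, groups = {}, {}
    for line in text.splitlines():
        words = shlex.split(line)
        if not words or words[0].startswith("#"):
            continue  # blank line or screenrc comment
        if words[0] == "aclgrp" and len(words) == 3:
            groups[words[1]] = words[2]
        elif words[0] == "aclchg" and len(words) == 4:
            for name in words[1].split(","):
                e = acl.setdefault(name, {"#": set(), "?": set()})
                for target in words[3].split(","):
                    keys = [k for k in e if k != "#"] if target == "?" else [target]
                    for k in keys:  # "?" rewrites the default and every command
                        e[k] = apply_bits(e.get(k, e["?"]), words[2])
    return acl, groups

def can_run(acl, groups, user, command):
    """True if the user, or failing that the group leader, holds 'x' on command."""
    names = (user, groups.get(user))
    return any("x" in acl[n].get(command, acl[n]["?"]) for n in names if n in acl)
```

Under this model, can_run(acl, groups, "watcher1", "next") is true, while the same call for a command outside the navigation list, such as screen (which opens a new window), is false.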
If we wanted to create an ADMINS group that had full control of screen (able to create new windows and execute arbitrary screen commands), we could do so by replacing the aclumask command with another that replaces the mention of the cosine user with an ADMINS group, adding a pair of aclchg commands to grant this group access to everything, and then adding some users to the group:
aclchg ADMINS +rwx "#"
aclchg ADMINS +rwx "?"
aclgrp cosine ADMINS
aclgrp admin1 ADMINS
aclgrp admin2 ADMINS
aclumask "*"-rwx ADMINS+rwx READERS+r-wx WRITERS+rw-x "?"-rwx "??"-rwx
If you begin experimenting with these “acl” commands in Screen, do make sure you test your configurations before using them. Screen did not make these commands particularly user-friendly, and they do not always behave how you might think they do. They feel like they were bolted onto the program as an afterthought, and if you have been reading my blog for very long you know how I feel about that. I would not use Screen’s multi-user mode for any high-security application.