I am setting up a server where there are multiple developers working on multiple applications.
I have figured out how to give certain developers shared access to the necessary application directories using the setgid bit and default ACLs to give anyone in a group access.
Many of these applications run under a terminal while in development for easy access. When I work alone, I set up a user for an application and run screen as that user. This has the downside that every developer to use the screen session needs to know the password and it is harder to keep user and application accounts separate.
One way that could work is using screen multiuser features. They do not work out-of-the-box, however; screen complains about needing suid root. Does giving that have any downsides? I am pretty careful about using suid root anything. Maybe there is a reason why it isn’t the default?
Should I do it with screen or is there some other intelligent way of doing what I want?
Yes, you can do it with screen, which has multiuser support.
First, create a new session:
screen -d -m -S multisession
Attach to it:
screen -r multisession
Turn on multiuser support:
Ctrl-a and type (NOTE: Ctrl+a is needed just before each single command, i.e. twice here)
:multiuser on
:acladd USER ← use username of user you want to give access to your screen
Ctrl-a d and list the sessions:
$ screen -ls
There is a screen on:
4791.multisession (Multi, detached)
You now have a multiuser screen session. Give the name multisession to the acl’d user, so he can attach to it:
screen -x youruser/multisession
And that’s it.
The only drawback is that screen must run as suid root. But as far as I know that is the default, normal situation.
Another option is to do:
screen -S $screen_id -X multiuser on
screen -S $screen_id -X acladd authorized_user
Hope this helps.
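The non-interactive -X form from the answer above, scripted with the checks an administrator would want before sharing a session. This is an added example, not part of the original answer; SCREEN_BIN, DRY_RUN and the function names are assumptions of the sketch, and it prints the commands by default instead of running them.

```sh
#!/bin/sh
# Added example (not from the original answer). SCREEN_BIN and DRY_RUN are
# variables of this sketch, not screen options.
SCREEN_BIN="${SCREEN_BIN:-$(command -v screen || true)}"
DRY_RUN="${DRY_RUN:-1}"    # 1 = print the commands instead of running them

# Report the privilege bits on the screen binary; the page notes that
# multiuser mode wants it setuid root.
screen_priv_mode() {
    [ -e "$1" ] || { echo "missing"; return 1; }
    if [ -u "$1" ]; then echo "setuid"
    elif [ -g "$1" ]; then echo "setgid"
    else echo "none"; fi
}

# Plain names only: no empty string, no leading dash, no comma or space.
# acladd accepts a comma-separated list, so this keeps one account per call.
valid_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# Print the command in dry-run mode, otherwise execute it.
_run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# share_session SESSION USER...  enable multiuser, then add each user's ACL.
share_session() {
    valid_name "${1:-}" || { echo "bad session name" >&2; return 2; }
    session="$1"; shift
    for u in "$@"; do
        # Refuse typos and accounts that do not exist on this host.
        { valid_name "$u" && id -u "$u" >/dev/null 2>&1; } ||
            { echo "refusing user: $u" >&2; return 3; }
    done
    mode=$(screen_priv_mode "$SCREEN_BIN") || true
    [ "$mode" = setuid ] || echo "note: $SCREEN_BIN is '$mode', not setuid" >&2
    _run "$SCREEN_BIN" -S "$session" -X multiuser on || return 1
    for u in "$@"; do
        _run "$SCREEN_BIN" -S "$session" -X acladd "$u" || return 1
    done
}
```

Call it as share_session multisession alice bob, and set DRY_RUN=0 once the printed commands look right.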
I’ve determined that the reason why other people commenting on this question could not do multi-user even after following the steps in @Scyld de Fraud’s answer is because SELinux must be enabled (see https://phoenixnap.com/kb/enable-selinux-centos). Screen requires this for certain functionality, such as assigning the Access Control List (via the screen aclchg commands) permissions to limit or grant access to various users on multi-user displays, as well as for restarting zombie sessions.
It took me some time, but what I found is: Version of screen 4.06 has a bug. If you want to send a command over a shared screen session like this, it fails:
screen -S shared_session_name -X stuff "command \n"
Screen fails with an error:
Cannot opendir /run/screen/S-$USER: Permissions denied
After updating to the version screen 4.09 it works.