{"id":6,"date":"2011-01-10T03:05:11","date_gmt":"2011-01-10T03:05:11","guid":{"rendered":"https:\/\/kristau.net\/blog\/?p=6"},"modified":"2011-01-10T03:05:11","modified_gmt":"2011-01-10T03:05:11","slug":"sharing-a-screen-session-with-another-administrator-on-a-linux-system","status":"publish","type":"post","link":"https:\/\/kristau.net\/blog\/6\/","title":{"rendered":"Sharing a screen session with another administrator on a Linux system"},"content":{"rendered":"<h1>Background<\/h1>\n<p>If you aren\u2019t familiar with <a href=\"http:\/\/www.gnu.org\/software\/screen\/\"><span class=\"caps\">GNU<\/span> screen<\/a>, you really should stop right now and <a href=\"http:\/\/www.gnu.org\/software\/screen\/manual\/screen.html\">familiarize yourself with it.<\/a> This is a very powerful utility which allows you to run terminal based programs on a system, disconnect from that session and re-connect later from the same or a different location. You can also start multiple terminals within a given screen session. Whenever I ssh into a system, I almost always launch screen first. If my ssh session gets disconnected unexpectedly, I can simply re-connect and pick up where I left off by re-attaching to the screen session.<\/p>\n<h1>The Problem<\/h1>\n<p>I was recently working with a client on a process that was going to take quite some time to complete. The command we were running would give a progress indicator, so we could monitor the progress off and on over time. I assumed, since we both had the ability to utilize <a href=\"http:\/\/en.wikipedia.org\/wiki\/Sudo\">sudo<\/a> to change user privileges that he would be able to <strong>sudo su \u2013 myusername<\/strong> followed by <strong>screen -r<\/strong> to take over the screen session I had started which contained this command. When he tried this, however, he was greeted with the following error:<\/p>\n<pre>Cannot open your terminal '\/dev\/pts\/1' - please check.\n<\/pre>\n<h1>The Solution<\/h1>\n<p>Searching around on Google comes up with a couple of different solutions. One of these solutions suggests that the second user should change the permissions on his tty to allow everyone access to it. While this works, it is definitely a Bad Idea for security as any user on the system could then snoop that tty.<\/p>\n<p>The other solution suggests that the second user should issue <strong>script \/dev\/null<\/strong> after escalating themselves to the first user\u2019s account. This works and does not appear to have the same security implications as the method above because everyone retains access to their own tty\u2019s.<\/p>\n<h1>But Why Does This Work?<\/h1>\n<p>What I found was that none of the posts I ran across which presented the second, preferred solution explained why this works. They merely said, \u201cuse this method,\u201d and left it at that. Being naturally curious, and harboring a concern as to whether this also opened up a tty to others\u2019 snooping, I had to investigate.<\/p>\n<h2>Prerequisites<\/h2>\n<p>Of course, this all assumes that at least the second user has the ability to <strong>sudo su \u2013 <\/strong> and escalate their privileges. That is all. Let\u2019s move on.<\/p>\n<h2>Stepping Through The Process<\/h2>\n<p>Here\u2019s how I went about discovering what exactly <strong>script \/dev\/null<\/strong> does and why it allows the second user to access what appeared to be an inaccessible tty.<\/p>\n<p>First, <strong>usera<\/strong> logs in via ssh, checks which tty was assigned, checks the permissions on that tty and launches screen:<\/p>\n<pre>usera@localhost ~ $ ssh usera@remotehost\nusera@remotehost ~ $ tty\n\/dev\/pts\/1\nusera@remotehost ~ $ ls -l \/dev\/pts\/1\ncrw--w---- 1 usera tty 136, 1 2011-01-09 20:14 \/dev\/pts\/1\nusera@remotehost ~ $ screen\n<\/pre>\n<p>As you can see, <strong>usera<\/strong> has RW permissions, group members have W permissions and others have no access at all to this tty. Next, <strong>userb<\/strong> logs in to the same system via ssh, checks which tty was assigned and checks the permissions on that tty:<\/p>\n<pre>userb@localhost ~ $ ssh userb@remotehost\nuserb@remotehost ~ $ tty\n\/dev\/pts\/2\nuserb@remotehost ~ $ ls -l \/dev\/pts\/2\ncrw--w---- 1 userb tty 136, 2 2011-01-09 20:20 \/dev\/pts\/2\n<\/pre>\n<p>Again, the same permissions are present on the tty assigned to <strong>userb<\/strong>. So neither user can snoop on the other\u2019s tty at this point. Here\u2019s where it gets interesting, though. Let\u2019s have <strong>userb<\/strong> escalate to <strong>usera<\/strong> and check the tty assignment and permissions again:<\/p>\n<pre>userb@remotehost ~ $ sudo su - usera\n[sudo] password for userb:\nusera@remotehost ~ $ tty\n\/dev\/pts\/2\nusera@remotehost ~ $ ls -l \/dev\/pts\/2\ncrw--w---- 1 userb tty 136, 2 2011-01-09 20:20 \/dev\/pts\/2\n<\/pre>\n<p>This is where I had my \u201caha moment.\u201d Although <strong>userb<\/strong> has changed to <strong>usera<\/strong>, the same tty (with the same permissions) is in use. Therefore, all commands issued are now under <strong>usera<\/strong> but any command which tries to manipulate the tty (like screen does) will fail because the tty remains under control of <strong>userb<\/strong>.<\/p>\n<p>So now let\u2019s take a look at what <strong>script \/dev\/null<\/strong> does to the tty:<\/p>\n<pre>usera@remotehost ~ $ script \/dev\/null\nScript started, file is \/dev\/null\nusera@remotehost ~ $ tty\n\/dev\/pts\/3\nusera@remotehost ~ $ ls -l \/dev\/pts\/3\ncrw--w---- 1 usera tty 136, 3 2011-01-09 20:36 \/dev\/pts\/3\n<\/pre>\n<p>Ahh, we now have a <em>new<\/em> tty assigned to this user. Therefore, when <strong>screen -r<\/strong> is issued, the currently assigned tty, <strong>\/dev\/pts\/3<\/strong> is accessible to <strong>usera<\/strong> and the command succeeds! Also note that this new tty has the same permissions as the original <strong>usera<\/strong> tty, so it should be just as secure from snooping.<\/p>\n<h1>Conclusion<\/h1>\n<p>If you need to share a screen session with another (admin-rights holding) user, then the <strong>script \/dev\/null<\/strong> method is much preferred over mucking around with tty permissions. It appears that the <strong>script \/dev\/null<\/strong> method is just as secure as the original user\u2019s tty because the permissions on the new tty are exactly the same.<\/p>\n<p>On a more general note, be aware that solutions you find on the Internet might work, but they may not always be the best solution for the task at hand. Be sure you understand the implications of what you are doing instead of blindly copying and pasting commands you found on someone\u2019s blog. If you are not sure what a particular solution does, I encourage you to test as I did (on a non-production system, of course) to make sure you understand it before you put it to use.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Background If you aren\u2019t familiar with GNU screen, you really should stop right now and familiarize yourself with it. This is a very powerful utility which allows you to run terminal based programs on a system, disconnect from that session and re-connect later from the same or a different location. You can also start multiple [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":144,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12,7],"tags":[90,244,171,184,187],"class_list":["post-6","post","type-post","status-publish","format-standard","hentry","category-linux","category-technology","tag-gnu-screen","tag-linux","tag-script","tag-ssh","tag-sudo"],"_links":{"self":[{"href":"https:\/\/kristau.net\/blog\/wp-json\/wp\/v2\/posts\/6","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kristau.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kristau.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kristau.net\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kristau.net\/blog\/wp-json\/wp\/v2\/comments?post=6"}],"version-history":[{"count":0,"href":"https:\/\/kristau.net\/blog\/wp-json\/wp\/v2\/posts\/6\/revisions"}],"wp:attachment":[{"href":"https:\/\/kristau.net\/blog\/wp-json\/wp\/v2\/media?parent=6"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kristau.net\/blog\/wp-json\/wp\/v2\/categories?post=6"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kristau.net\/blog\/wp-json\/wp\/v2\/tags?post=6"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}