When working in multi-user Linux environments, sharing terminal sessions efficiently becomes crucial. The standard GNU Screen's multiuser mode requires explicit ACL permissions for each user, which becomes cumbersome when dealing with group-based access control.
# Traditional multiuser approach (per-user ACL)
screen -S shared_session
Ctrl+a :multiuser on
Ctrl+a :acladd user2
Ctrl+a :acladd user3
# ...and so on for each group member
To enable access for all users in a specific group without individually adding them, we need to combine Screen's ACL system with Linux filesystem permissions:
# 1. Create a dedicated group for screen sharing
sudo groupadd screen_users
sudo usermod -aG screen_users user1
sudo usermod -aG screen_users user2
# 2. Set group ownership on the screen socket
screen -S shared_session -d -m
chgrp screen_users /var/run/screen/S-user1/*
chmod g+rwx /var/run/screen/S-user1
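# 3. Verify permissions
ls -l /var/run/screen/S-user1/
# Should show group read/write permissions.
# screen expects its per-user socket directory to be mode 700, so also
# confirm that user1 can still run `screen -ls` after the chmod.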
For recurring use, add these settings to ~/.screenrc:
# Enable multiuser mode by default
multiuser on
# Default ACL permissions (read/write for group members);
# screen ACLs take user names, so list each member
acladd user2
# Use Ctrl-G as the command key instead of Ctrl-A
defescape ^Gg
Imagine a team debugging a production issue:
# Primary user (devops) starts session
screen -S production_debug -d -m
screen -r production_debug
# In screen session:
top # Show system metrics
vim /var/log/app/error.log
# Secondary team member joins (same group)
ssh user2@host
screen -ls devops/ # Lists devops's sessions, including the shared one
screen -x devops/production_debug # -x attaches to a session that is already attached
When implementing group-based screen sharing:
- Regularly audit group membership (getent group screen_users)
- Consider filesystem-level restrictions for sensitive sessions
- Use separate groups for different security levels
- Monitor active sessions with screen -list
GNU Screen supports multi-user functionality through ACLs (Access Control Lists). While the manual mentions individual user permissions, we'll explore group-based access control.
First, ensure these settings exist in /etc/screenrc or ~/.screenrc:
multiuser on
acladd root # Initial permission for configuration
Here's a practical solution using screen's built-in commands and Unix groups:
1. Create a dedicated group:
sudo groupadd screenusers
sudo usermod -aG screenusers user1
sudo usermod -aG screenusers user2
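2. Start the session and grant access to group members:
screen -d -m -S shared_session
# Access is granted per user through screen's multiuser mode and ACL commands
screen -S shared_session -X multiuser on
screen -S shared_session -X acladd user2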
Create /usr/local/bin/screen-group-share:
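#!/bin/bash
# Usage: screen-group-share SESSION GROUP
SESSION=${1:?usage: screen-group-share SESSION GROUP}
GROUP=${2:?usage: screen-group-share SESSION GROUP}
# Turn on multiuser mode for the session and keep root's access
screen -S "$SESSION" -X multiuser on
screen -S "$SESSION" -X acladd root
# Field 4 of the group entry is the comma-separated member list
for user in $(getent group "$GROUP" | cut -d: -f4 | tr ',' ' '); do
    screen -S "$SESSION" -X acladd "$user"
done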
Usage example:
screen-group-share shared_session screenusers
Add to ~/.screenrc to grant the group's members access automatically:
# screen ACLs name users, not Unix groups, so list the members
acladd user1,user2
Check who is attached and with which permissions (from inside the session):
Ctrl+a :displays
Common issues:
- Ensure all users have proper /dev/pts permissions
- Verify group membership with 'groups' command
- Check umask (0027) allows group access
1. Never run screen as root
2. Use dedicated groups for different access levels
3. Regularly audit ACLs with:
screen -list
ls -l /var/run/screen/
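The two audit steps above (group membership and socket directory permissions), as an added example that is not part of the original page. The function names are hypothetical, and it goes slightly beyond the text by also reporting users whose primary group is the shared group, which the member list returned by `getent group` does not include.

```bash
#!/bin/bash
# Added example; function names are hypothetical.

# group_members GROUP GROUP_DB PASSWD_DB
# Print every account in GROUP, one per line. GROUP_DB and PASSWD_DB are files
# in group(5)/passwd(5) format, e.g. saved `getent group` / `getent passwd`.
# Users whose primary GID is the group are included; field 4 of the group
# entry does not list them.
group_members() {
    local group="$1" group_db="$2" passwd_db="$3" gid
    gid=$(awk -F: -v g="$group" '$1 == g { print $3; exit }' "$group_db")
    [ -n "$gid" ] || return 1          # unknown group
    {
        awk -F: -v g="$group" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_db"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_db"
    } | sort -u
}

# loose_socket_dirs ROOT
# Print the S-<user> directories under ROOT (e.g. /var/run/screen) whose mode
# grants any group or other permission bit.
loose_socket_dirs() {
    local d
    for d in "$1"/S-*/; do
        [ -d "$d" ] || continue        # glob matched nothing
        d=${d%/}
        [ "$(ls -ld "$d" | cut -c5-10)" = "------" ] || printf '%s\n' "$d"
    done
}

# On a live host:
#   getent group > /tmp/group.db; getent passwd > /tmp/passwd.db
#   group_members screen_users /tmp/group.db /tmp/passwd.db
#   loose_socket_dirs /var/run/screen
```

Every name printed by group_members is an account that a group-driven acladd loop should be granting access to, so compare it against the intended team list.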