How to Run Screen Session After Sudo to Another User: Terminal Permission Fix


3 views

When administering Linux systems, a common scenario occurs when you need to:

  1. SSH into a server with your personal account (e.g., bob@server)
  2. Elevate privileges to a service account (e.g., monitor)
  3. Launch a persistent screen session
# Typical failing workflow
ssh bob@server
sudo su - monitor
screen
# Error: Cannot open your terminal '/dev/pts/0' - please check.

The root cause lies in terminal device permissions. When you:

  • The original SSH connection allocates /dev/pts/[N] to your personal user
  • sudo changes your effective UID but doesn't transfer terminal ownership
  • screen attempts to access the terminal with the new UID's permissions

Option 1: Use sudo -i for Login Shell

ssh bob@server
sudo -i -u monitor
screen

This creates a proper login shell with correct environment variables and terminal permissions.

Option 2: Script Wrapper Approach

#!/bin/bash
# /usr/local/bin/monitor_screen
sudo -u monitor script -q -c "screen -DR" /dev/null

Then make executable and allow users to run:

chmod +x /usr/local/bin/monitor_screen
sudo visudo
# Add: bob ALL=(monitor) NOPASSWD: /usr/local/bin/monitor_screen

Option 3: Direct Terminal Permission Fix

For temporary cases where you must use sudo su:

ssh bob@server
sudo su - monitor
script /dev/null
screen

For teams needing regular access:

# /etc/sudoers.d/monitor
Cmnd_Alias SCREEN_CMD = /usr/bin/screen
%team ALL=(monitor) NOPASSWD: SCREEN_CMD

Then users can run:

sudo -u monitor screen -list

When implementing these solutions:

  • Prefer specific command permissions over broad sudo access
  • Use NOPASSWD judiciously only for non-sensitive operations
  • Consider creating separate screen wrappers for different privilege levels

When you sudo su to another user (like "monitor") and try to launch screen, you'll encounter:

Cannot open your terminal '/dev/pts/0' - please check.

This happens because:

  • The new user lacks read/write permissions on your original terminal device
  • screen needs direct terminal access to function properly
  • Sudo environments don't automatically transfer terminal permissions

Instead of sudo su, use:

sudo -i -u monitor
screen

This creates a proper login shell with correct terminal permissions.

If you must use sudo su, first make your terminal accessible:

sudo su - monitor
script /dev/null  # This preserves terminal access
screen

If you just need to attach to an existing screen session:

sudo -u monitor screen -x

Edit /etc/sudoers (via visudo):

Defaults:%monitor !requiretty
monitor ALL=(ALL) NOPASSWD: ALL

tmux handles this scenario more gracefully:

sudo -u monitor tmux new-session -s monitoring

Create a wrapper script (/usr/local/bin/monitor-screen):

#!/bin/bash
sudo -u monitor /usr/bin/screen -D -RR monitoring

Then set permissions:

chmod +x /usr/local/bin/monitor-screen
sudo visudo -f /etc/sudoers.d/monitor

Add to sudoers file:

%team ALL=(monitor) NOPASSWD: /usr/bin/screen