Home Articles/Blog mmmmsteckdosequincer

Use GNU screen to hide your login

A friend of mine showed me a cool trick to hide your login somewhat, using GNU screen. What I can tell from online searches, this doesn't look like to be that known... GNU screen has command line options -l and -ln (or command C-a L to toggle) to control the window's login behaviour. From the man page: 

-l and -ln
    turns login mode on or off (for  /etc/utmp  updating).   This  can
    also be defined through the "deflogin" .screenrc command.

C-a L       (login)       Toggle this  windows  login  slot.  Available
                          only  if  screen  is configured to update the
                          utmp database.

The benefits we get from this is, once turned off, we are still controlling screen, so we are logged-in, but there is no record anymore in the user accounting login records. So, lets see, starting screen and running who(1): 

$ who
dude            ttyv0    Jun 27 08:51
dude            pts/0    Jun 27 08:52 (:0)
dude            pts/1    Jun 27 08:52 (:0)
dude            pts/3    Jun 27 10:45 (:0)

Now after toggling login mode with C-a L: 

$ who
dude            ttyv0    Jun 27 08:51
dude            pts/0    Jun 27 08:52 (:0)
dude            pts/1    Jun 27 08:52 (:0)
Also, other commands like w(1) on FreeBSD behave similar. However, it's not all hidden, of course. The screen process shows up with ps(1), along with the user that runs it, and I'm sure there are more ways... e.g. on FreeBSD I can use getent(1) to get some idea of what's going on: 
$ getent utmpx active
[1435387900.738886 -- Sat Jun 27 08:51:40 2015] user process: id="74a6f9bdc43b89a6" pid="1631" user="dude" line="ttyv0" host=""
[1435387921.482140 -- Sat Jun 27 08:52:01 2015] user process: id="cdab068901338b19" pid="1976" user="dude" line="pts/0" host=":0"
[1435387922.927262 -- Sat Jun 27 08:52:02 2015] user process: id="0eb0980869dbcdaf" pid="2027" user="dude" line="pts/1" host=":0"
[1435394277.047666 -- Sat Jun 27 10:45:57 2015] user process: id="2f33000000000000" pid="1518" user="dude" line="pts/3" host=":0"

And after toggling, it still shows the same number of entries, with a slight suspicious difference: 

$ getent utmpx active
[1435387900.738886 -- Sat Jun 27 08:51:40 2015] user process: id="74a6f9bdc43b89a6" pid="1631" user="dude" line="ttyv0" host=""
[1435387921.482140 -- Sat Jun 27 08:52:01 2015] user process: id="cdab068901338b19" pid="1976" user="dude" line="pts/0" host=":0"
[1435387922.927262 -- Sat Jun 27 08:52:02 2015] user process: id="0eb0980869dbcdaf" pid="2027" user="dude" line="pts/1" host=":0"
[1435394277.047666 -- Sat Jun 27 10:45:57 2015] user process: id="2f33000000000000" pid="1518"

What I don't understand, though, is how this actually works. On FreeBSD I can achieve a similar effect using utxrm(8) by modifying the accounting database, directly. However, this is limited to root. At first I thought that screen has those permissions as it is by default installed with the setuid (or setgid on some distributions) bit set, which is necessary to make multiuser sharing work. However, a test shows that it still works after removing that bit...

Oh well, the answer is probably in what the manpage states, that this only works "if screen is configured to update the utmp database", which on all systems I touched seems to be the case.

Pretty neat... unfortunately, tmux doesn't have this feature. :(

2015-06-27 by 0xpebbles Permalink