When logged in to a machine, I can find out each user's pseudo-terminal device(s) from the output of w
. Being a sysadmin, is it possible for me to eavesdrop on this terminal without the user being aware? In other words, I would like to see everything being done on this terminal as output on my own terminal.
Please note the following:
- This is not for a practical use case of monitoring user activities: I'm aware there are system auditing tools for that. I'm just curious if it can be done.
- I'm aware of this question and it doesn't seem to cover what I'm asking about as all the solutions suggested there are either invasive (the user would be aware of what I'm doing) or produce too much noise (the
strace
solution). The one solution that comes close is the one that suggests usinggdb
. But this only lets me see stdout of the other terminal.
What I have tried
I tried this from my terminal:
tee /dev/pts/user_pts </dev/pts/user_pts
This allows me to see each character the user types in the other pseudo-terminal as they type it. The problem is, every few characters, it would "skip": it would show one rogue character on one terminal device but not the other. It also prevents the execution of any commands from the user's pseudo terminal device. I'm not really sure why this is happening and whether there's a way to improve it.
What I would like to see
USER TERMINAL | MY TERMINAL
$ echo "Test" | # slick_command_here
Test | echo "Test"
$ | Test
Best Answer
It's the fd to the master side of the pseudo-terminal in the terminal emulator that you want to monitor if you want to see what's displayed on it. That master fd is what simulates the wire that goes to a real terminal. What
xterm
writes on it is the characters generated from the key you press. What it reads from it is what it displays.For instance, on Linux:
And then run for instance:
Of course, it works better if you run that in a terminal of same type and size as the one you're trying to monitor. You can get the size with:
That dumps what is read by
xterm
from the master side of the terminal, so what is displayed there, including the localecho
of what is being typed.The
-e read=4
above is forstrace
to output a hexdump of whatxterm
reads on its fd 4. The rest of the command is to convert that to the actual characters. I triedpeekfd -n -8 15173 4
but for some reason that only gave what was being written.We're using
-opost
to disable any post-processing in our monitoring terminal, so that everythingxxd
writes to the slave side makes it unchanged to our master side, so that our monitoringxterm
gets the same thing as the monitored one.-echo
is so that if the application in the monitored terminal sends an escape sequence that requests an answer from the terminal (such as those that request the cursor position or the terminal type or window title), that will make its way to our monitoringxterm
and ourxterm
will reply as well. We don't want a local echo of that.You could also monitor what is being typed by tracing the
write
system calls to that same fd (replaceread
withwrite
above). Note that upon pressing Enter, the terminal emulator sends a CR character, not LF. Also, since we're tracing on the master side, if the user typesa<Backspace>b
, we'll see all 3 keystrokes even if the terminal device is in canonical mode.As to why yours doesn't work:
Reading from the terminal device is reading the user input, and writing to it is to display it to the user.
You're telling
tee
to read from the terminal device. So what it reads (the user input) won't beread
by the application(s) running in the terminal (and vis versa,tee
and thatapplication
will fight for the terminal input). Writing to the terminal device, is for display there, it is not for putting it back there as input. When you do(with
echo
's stdout being the terminal), it is not the same thing as if you had typedtest
.There is an
ioctl
(TIOCSTI
) to put characters back as input, but even that would not really work because you could put it back after the application as already read some more, so it would change the order the application is reading input, and any way, that would mean you would read it over and over again.