Is it possible for a sysadmin to eavesdrop on his/her users’ terminals

administrationio-redirection

When logged in to a machine, I can find out each user's pseudo-terminal device(s) from the output of w. Being a sysadmin, is it possible for me to eavesdrop on this terminal without the user being aware? In other words, I would like to see everything being done on this terminal as output on my own terminal.

Please note the following:

  • This is not for a practical use case of monitoring user activities: I'm aware there are system auditing tools for that. I'm just curious if it can be done.
  • I'm aware of this question and it doesn't seem to cover what I'm asking about as all the solutions suggested there are either invasive (the user would be aware of what I'm doing) or produce too much noise (the strace solution). The one solution that comes close is the one that suggests using gdb. But this only lets me see stdout of the other terminal.

What I have tried

I tried this from my terminal:

tee /dev/pts/user_pts </dev/pts/user_pts

This allows me to see each character the user types in the other pseudo-terminal as they type it. The problem is, every few characters, it would "skip": it would show one rogue character on one terminal device but not the other. It also prevents the execution of any commands from the user's pseudo terminal device. I'm not really sure why this is happening and whether there's a way to improve it.

What I would like to see

USER TERMINAL        |    MY TERMINAL
$ echo "Test"        |    # slick_command_here
Test                 |    echo "Test"
$                    |    Test

Best Answer

It's the fd to the master side of the pseudo-terminal in the terminal emulator that you want to monitor if you want to see what's displayed on it. That master fd is what simulates the wire that goes to a real terminal. What xterm writes on it is the characters generated from the key you press. What it reads from it is what it displays.

For instance, on Linux:

$ lsof -ac xterm /dev/ptmx
COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
xterm   15173 chazelas    4u   CHR    5,2      0t0 2131 /dev/ptmx

And then run for instance:

stty -echo -opost
strace -e read -e read=4 -p15173 2>&1 | stdbuf -o0 sh -c '
  grep "^ |" | cut -b11-60 | tr -d " " | xxd -r -p'

Of course, it works better if you run that in a terminal of same type and size as the one you're trying to monitor. You can get the size with:

stty size < /dev/pts/that-terminal

That dumps what is read by xterm from the master side of the terminal, so what is displayed there, including the local echo of what is being typed.

The -e read=4 above is for strace to output a hexdump of what xterm reads on its fd 4. The rest of the command is to convert that to the actual characters. I tried peekfd -n -8 15173 4 but for some reason that only gave what was being written.

We're using -opost to disable any post-processing in our monitoring terminal, so that everything xxd writes to the slave side makes it unchanged to our master side, so that our monitoring xterm gets the same thing as the monitored one. -echo is so that if the application in the monitored terminal sends an escape sequence that requests an answer from the terminal (such as those that request the cursor position or the terminal type or window title), that will make its way to our monitoring xterm and our xterm will reply as well. We don't want a local echo of that.

You could also monitor what is being typed by tracing the write system calls to that same fd (replace read with write above). Note that upon pressing Enter, the terminal emulator sends a CR character, not LF. Also, since we're tracing on the master side, if the user types a<Backspace>b, we'll see all 3 keystrokes even if the terminal device is in canonical mode.

As to why yours doesn't work:

tee /dev/pts/user_pts </dev/pts/user_pts

Reading from the terminal device is reading the user input, and writing to it is to display it to the user.

You're telling tee to read from the terminal device. So what it reads (the user input) won't be read by the application(s) running in the terminal (and vis versa, tee and that application will fight for the terminal input). Writing to the terminal device, is for display there, it is not for putting it back there as input. When you do

echo test

(with echo's stdout being the terminal), it is not the same thing as if you had typed test.

There is an ioctl (TIOCSTI) to put characters back as input, but even that would not really work because you could put it back after the application as already read some more, so it would change the order the application is reading input, and any way, that would mean you would read it over and over again.

Related Question