Read-only Guest tmux Sessions
For a while now, I’ve wanted a way for people to watch how I work and let me know how I could improve both my techniques and my code. I mostly work in Emacs so being inside of a terminal works fine.
At Precog we use tmux for pairing sessions. It works really well, but I wanted to make it read-only for guests.
I created a guest user on the VPS that brianmckenna.org is now hosted on. The guest user is chrooted to /srv/chroot/guest via the SSH config:
Match User guest
ForceCommand nologin
ChrootDirectory /srv/chroot/guest
X11Forwarding no
AllowTcpForwarding no
The chroot has hardlinks back to system binaries (symlinks can’t get out of the jail). I had to hardlink /bin/bash, its libraries (found via ldd) and my custom tmux (more on that below).
The guest user’s shell points to /usr/bin/login:
guest:x:1001:1001::/home/guest:/usr/bin/login
Which contains:
#!/bin/bash
exec /usr/local/bin/tmux -S /var/lib/tmux-sessions/guest attach -r
The /var/lib/tmux-sessions directory has group write/execute permission for admin, so that my account can create the socket. I then have to run a script to allow guest to have write permission:
#!/bin/sh
exec chmod o+w /srv/chroot/guest/var/lib/tmux-sessions/guest
Sadly, I have to run that script each time I recreate the session - tmux loves to reset the permissions.
One thing about tmux is that read-only users can still resize the window for everyone. I had to patch tmux to disable that:
diff --git a/resize.c b/resize.c
index 5c365df..dab4508 100644
--- a/resize.c
+++ b/resize.c
@@ -58,7 +58,7 @@ recalculate_sizes(void)
ssx = ssy = UINT_MAX;
for (j = 0; j < ARRAY_LENGTH(&clients); j++) {
c = ARRAY_ITEM(&clients, j);
- if (c == NULL || c->flags & CLIENT_SUSPENDED)
+ if (c == NULL || c->flags & (CLIENT_SUSPENDED | CLIENT_READONLY))
continue;
if (c->session == s) {
if (c->tty.sx < ssx)
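Review bot: at the changed test `if (c == NULL || c->flags & (CLIENT_SUSPENDED | CLIENT_READONLY))`, a session whose only attached clients are read-only or suspended now has every client skipped, so ssx and ssy keep their initial UINT_MAX; please confirm the code after this loop handles that case, since it is not visible in this hunk. A short comment saying read-only clients are deliberately excluded from sizing would help, and explicit parentheses around the `&` expression would make its mix with `||` easier to read.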
If a guest’s window is too small, the stdout stream will write over itself when things change. Largely things look fine, but every now and then things can look a bit strange.
I also had to change /etc/ssh/sshd_config to accept empty passwords:
PermitEmptyPasswords yes
And then PAM for SSH in /etc/pam.d/sshd:
auth [success=1 default=ignore] pam_unix.so nullok
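PermitEmptyPasswords is one of the keywords sshd_config accepts inside a Match block, so the empty-password login can be limited to guest instead of applying to every account. The check below is an added example, not part of the original post: the function name and both sample configs are constructed for illustration, and it verifies that scoping along with the restrictions from the Match block shown earlier.

```shell
#!/bin/sh
# Added example, not from the original post. Reads an sshd_config on stdin and
# prints one finding per line for the guest setup; no output means no findings.
# $1 is the account name (defaults to "guest").
audit_guest_sshd() {
    awk -v user="${1:-guest}" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        { key = tolower($1); val = tolower($2) } # sshd keywords are case-insensitive
        key == "match" {
            # Each Match line starts a new block that runs to the next Match or EOF.
            in_match = 1
            in_guest = (NF == 3 && val == "user" && $3 == user)
            if (in_guest) seen = 1
            next
        }
        # Before the first Match line a keyword is global and covers every account.
        !in_match && key == "permitemptypasswords" && val == "yes" {
            print "global: PermitEmptyPasswords yes applies to every account"
        }
        in_guest { opt[key] = val }
        END {
            if (!seen) { print "guest: no Match User " user " block"; exit }
            if (!("forcecommand" in opt))          print "guest: ForceCommand missing"
            if (!("chrootdirectory" in opt))       print "guest: ChrootDirectory missing"
            if (opt["x11forwarding"] != "no")      print "guest: X11Forwarding is not no"
            if (opt["allowtcpforwarding"] != "no") print "guest: AllowTcpForwarding is not no"
        }
    '
}

# Constructed sample: the Match block from the post with the empty-password
# switch at top level (an assumption; the post does not say where it went).
SAMPLE_GLOBAL='PermitEmptyPasswords yes
Match User guest
ForceCommand nologin
ChrootDirectory /srv/chroot/guest
X11Forwarding no
AllowTcpForwarding no'

# Constructed sample: same settings with the switch scoped to the guest block.
SAMPLE_SCOPED='Match User guest
PermitEmptyPasswords yes
ForceCommand nologin
ChrootDirectory /srv/chroot/guest
X11Forwarding no
AllowTcpForwarding no'

printf '%s\n' "$SAMPLE_GLOBAL" | audit_guest_sshd
printf '%s\n' "$SAMPLE_SCOPED" | audit_guest_sshd
```

Run it against a real file with `audit_guest_sshd < /etc/ssh/sshd_config`; it reads a single file and does not follow Include directives.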
So now users can run ssh guest@brianmckenna.org and have a read-only view of my guest tmux session, if I have it running. I’m hoping to be able to work on quite a few of my projects and let people spy on me.
If you have any security concerns, please send me an email at brian@brianmckenna.org.