Martins Blog

Trying to explain complex things in simple terms

screen fails with “Cannot open your terminal ‘/dev/pts/x’ – please check.”

Posted by Martin Bach on January 16, 2010

A quick note on how to get around this problem. Background: many shops use individual operating system accounts for DBAs and keep the oracle password secret. Once connected, the user would sudo to oracle: “sudo su - oracle”, which is explicitly allowed. The auditors can then trace who did what and when; otherwise the logins to oracle would be almost completely anonymous.

Here’s a sample session output to demonstrate the problem:

login as: mbh
mbh@prodbox's password:
Last login: Thu Jan 14 12:11:12 2010 from desktop001

RHN kickstart on 2009-07-27

[mbh@prodbox ~]$ sudo su - oracle
[oracle@prodbox ~]$ screen
Cannot open your terminal '/dev/pts/4' - please check.

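This is slightly frustrating: starting the screen session with your own account works fine, but then no one can follow up and connect to your session. The terminal device still belongs to the account you logged in with, so after the switch to oracle, screen is not allowed to open it. The quick but insecure solution is as follows: after logging in as yourself, find out which tty you use: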

[oracle@prodbox ~]$ w | grep mbh
mbh    pts/4    desktop001 12:14    0.00s  0.05s  0.07s sshd: mbh

Then grant permission to your tty to the world:

[mbh@prodbox ~]$ chmod a+rw /dev/pts/4

Alternatively, add the oracle user to group tty, which owns all the ttys.

Now sudo to oracle and start your screen session:

[mbh@prodbox ~]$ sudo su - oracle
[oracle@prodbox ~]$ screen
[screen is terminating]

Also check the comment by Ariel for another solution. Anyway, check with your security team what method is most appropriate in your situation.
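
An added example, not part of the original post: a small shell audit that lists terminals under /dev/pts still readable or writable by everyone, which is what the chmod a+rw workaround above leaves behind, and resets them. It assumes GNU find; the function names and the 0620 default mode are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumes GNU find (-perm /mode, -printf). Function names are hypothetical.

# list_open_ttys [DIR]
# Print "MODE OWNER PATH" for each entry in DIR (default /dev/pts) whose
# mode grants read or write to "other", i.e. what "chmod a+rw" leaves behind.
list_open_ttys() {
    # -perm /0006 matches when the other-read or other-write bit is set.
    # ptmx is the pty multiplexer node, not anyone's login terminal: skip it.
    find "${1:-/dev/pts}" -mindepth 1 -maxdepth 1 ! -name ptmx \
        -perm /0006 -printf '%m %u %p\n' | sort -k3
}

# restore_open_ttys [DIR]
# Reset every flagged entry to 0620 (owner rw, group write). 0620 is
# assumed to be the host default; compare with a fresh login before using.
# Needs root (or ownership of the device) to change another user's tty.
restore_open_ttys() {
    find "${1:-/dev/pts}" -mindepth 1 -maxdepth 1 ! -name ptmx \
        -perm /0006 -exec chmod 620 {} +
}
```

Running list_open_ttys from a scheduled check and alerting on any output catches terminals that were opened up and never closed again.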

10 Responses to “screen fails with “Cannot open your terminal ‘/dev/pts/x’ – please check.””

  1. coskan said

    Shame on me, I never heard about screen command :(. It looks extremely useful. Thank you for mentioning the command Martin.

  2. […] 2-How to get around from “Cannot open your terminal ‘/dev/pts/” with screen command ? Martin Bach-screen fails with “Cannot open your terminal ‘/dev/pts/x’ – please check.” […]

  3. oracledba01 said

    Strikes me that if you don’t want your dbas to know the oracle password you have bigger issues than security. Am I the only one thinking that sudo is a poor substitute for trust? And if we’re saying to our colleagues you aren’t trustworthy then why did we hire them in the first place? There is no amount of controls, devices, or features that can protect us from people without integrity.

    • Martin said

      The bigger problem is called SAS 70 accreditation in this case. However I know many shops where direct access to the oracle (or root) account is prohibited for accountability.

  4. kR105 said

    Thanks! You saved my ass! :)

  5. My solution said

    sudo su -c "script -c \"screen -RD\" /dev/null" - oracle

  6. Ariel said

    > Then grant permission to your tty to the world:
    >
    > [mbh@prodbox ~]$ chmod a+rw /dev/pts/4

    VERY bad idea, by doing that you are allowing anybody in your “prodbox” to have your “mbh” privileges (hopefully you won’t ever do that if /dev/pts/XX is owned by root!!!)

    Rather just use the script/screen combination or in your screen session do:

    CTRL-a multiuser on
    CTRL-a addacl

    (more info: man screen)

  7. There is also another way with
    screen -d -m script.sh as well as an automated way with the tty command to get the tty the user is in.
    I’ve written a short article on the same problem, as I just stumbled on it a few days ago. You might check it here – http://www.pc-freak.net/blog/how-to-work-around-screen-cannot-open-your-terminal-devpts1-please-check/
