Cannot make directory ‘/var/run/screen/S-apache’: Permission denied

Permission denied when creating screen directory for non-root users

The error “Cannot make directory ‘/var/run/screen/S-apache’: Permission denied” typically means the screen session directory can’t be created under /var/run/screen/. This happens when screen lacks proper permissions or when security policies block the operation.

Verify screen installation and permissions

First, confirm screen is installed with correct permissions:

$ ls -la $(which screen)
-rwxr-sr-x 1 root screen 474288 Aug 28 18:59 /usr/bin/screen

The key detail is the s in the group permission field (r-s, where the group's x would normally be). This setgid bit makes screen run with the screen group's privileges, which is what lets it create session directories under /var/run/screen.

Check the /var/run/screen directory:

$ ls -la /var/run/ | grep screen
drwxrwxr-x 3 root screen 60 Aug 28 18:59 screen

It should be owned by root:screen with 775 permissions. If permissions are wrong, fix them:

$ sudo chmod 775 /var/run/screen
$ sudo chgrp screen /var/run/screen

If screen isn’t installed or permissions are mangled, reinstall it:

# CentOS/RHEL
$ sudo yum reinstall screen

# Debian/Ubuntu
$ sudo apt reinstall screen
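
The checks from this section, combined into one function that reports which precondition fails. This is an added example, not part of the original post; the function names `gid_of` and `check_screen_perms` are hypothetical, and the default paths are the ones shown in the listings above.

```shell
#!/bin/sh
# Added example (not from the original page): audit the permission
# preconditions described above. Paths are arguments so the function can be
# exercised on scratch files; the defaults match the page's listings.

# gid_of PATH -> numeric group id, taken from column 4 of `ls -ldn`
gid_of() { ls -ldn "$1" | awk '{print $4}'; }

# check_screen_perms [BINARY] [SOCKDIR]
# Prints one line per check; returns 0 if all pass, 1 on a permission
# problem, 2 if a path is missing.
check_screen_perms() {
    bin=${1:-/usr/bin/screen}
    dir=${2:-/var/run/screen}
    rc=0

    [ -f "$bin" ] || { echo "FAIL  $bin: not installed"; return 2; }
    [ -d "$dir" ] || { echo "FAIL  $dir: missing (tmpfs not populated?)"; return 2; }

    # 1. setgid bit: without it screen runs with the caller's own group.
    if [ -g "$bin" ]; then
        echo "ok    $bin: setgid bit set"
    else
        echo "FAIL  $bin: setgid bit missing"; rc=1
    fi

    # 2. The group screen acquires must be the group that owns the directory.
    if [ "$(gid_of "$bin")" = "$(gid_of "$dir")" ]; then
        echo "ok    binary and directory share gid $(gid_of "$dir")"
    else
        echo "FAIL  gid mismatch: binary $(gid_of "$bin"), directory $(gid_of "$dir")"; rc=1
    fi

    # 3. Mode string from ls: char 6 is group write, char 9 is other write.
    perms=$(ls -ldn "$dir" | awk '{print $1}')
    case $perms in
        ?????w*) echo "ok    $dir: group-writable ($perms)" ;;
        *)       echo "FAIL  $dir: not group-writable ($perms)"; rc=1 ;;
    esac
    case $perms in
        ????????w*) echo "FAIL  $dir: world-writable ($perms), page expects 775"; rc=1 ;;
    esac

    return $rc
}
```

Source the file and run `check_screen_perms` with no arguments on the affected host; a gid mismatch means the setgid bit is present but grants the wrong group.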

Check SELinux policies

On CentOS 7 and RHEL systems, SELinux often blocks screen operations. Check the audit log after attempting to use screen as the apache user:

$ sudo tail -f /var/log/audit/audit.log | grep -i screen

Look for denial messages. If you see SELinux blocks, check the specific denial:

$ sudo ausearch -m avc -ts recent | grep screen

Generate a policy module to allow the operation:

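# Without -a, audit2allow reads only the piped denials, not the whole audit log
$ sudo ausearch -m avc -ts recent -c screen | audit2allow -M screen_fix
# Review the generated rules in screen_fix.te before loading the module
$ sudo semodule -i screen_fix.pp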

For a quicker workaround, set the context on the screen directory with chcon. This label is temporary and is reset by restorecon or a filesystem relabel:

$ sudo chcon -R -t user_devpts_t /var/run/screen

Verify the fix

Test that the non-root user can now create screen sessions:

$ sudo -u apache screen -dmS test
$ sudo -u apache screen -list
There is a screen on:
    test    (Detached)
1 Socket in /var/run/screen/S-apache.

# Clean up
$ sudo -u apache screen -S test -X quit

Additional considerations

If you’re running apache under a different user (not the default apache), replace apache in the commands above with the actual username. The group permission issue is the most common cause: screen relies on the screen group to manage the runtime directory, and without proper setgid permissions, unprivileged users can’t create their session directories.

On modern systems with systemd, /var/run is mounted as a tmpfs that gets recreated on boot. If permissions reset after reboot, create a tmpfiles.d configuration:

$ sudo tee /etc/tmpfiles.d/screen.conf > /dev/null << EOF
d /var/run/screen 0775 root screen -
EOF

systemd-tmpfiles then recreates the directory with this owner, group and mode on every boot, so the permissions persist across reboots.
