tmux-party/party.1

.\" party - share a tmux session with the people you already work with
.Dd April 30, 2026
.Dt PARTY 1
.Os
.Sh NAME
.Nm party
.Nd share a tmux session with the people you already work with
.Sh SYNOPSIS
.Nm
.Cm host
.Op Ar name
.Op Fl -group Ar group
.Nm
.Cm close
.Op Ar name
.Nm
.Cm join
.Op Ar name
.Op Fl -passive
.Nm
.Cm leave
.Nm
.Cm invite
.Ar user
.Op Fl r
.Nm
.Cm voice
.Ar user
.Nm
.Cm mute
.Ar user
.Nm
.Cm kick
.Ar user
.Nm
.Cm detach
.Ar user
.Nm
.Cm role
.Op Cm active | passive | switch
.Nm
.Cm list
.Nm
.Cm who
.Op Fl -short
.Nm
.Cm status
.Sh DESCRIPTION
.Nm
hosts a live
.Xr tmux 1
session for other users on the same UNIX host, or joins one
someone else is hosting, with the ergonomics of
.Ql screen -x
and none of the copy/paste friction.
Use it to pair-program, mentor, debug an outage together, or demo a
workflow live: same terminal, no screen-sharing software, no
intermediary servers.
.Pp
Each party runs on its own dedicated
.Xr tmux 1
server, distinct from the host's personal
.Xr tmux 1 .
This keeps
.Xr tmux 1
.Cm server-access
scoped: inviting someone to your party does not expose your other
sessions.
Two gates protect each party.
The
.Em filesystem gate
is universal across every supported platform: the per-party directory
is
.Xr chgrp 1 Ns 'd
to
.Ev TMUX_PARTY_GROUP
at mode 0750 so only group members can traverse into it; the socket
itself is
.Ql g+rw .
The
.Em auth gate
is
.Xr tmux 1
.Cm server-access :
a user who passes the FS gate but is not on the allowlist is rejected
at the protocol layer.
Both gates must pass.
.Pp
.Nm
is designed for small, mutually trusted groups: a hacklab, a tech
team, a circle of friends, not strangers across the internet.
The auth gate is authoritative; the FS gate is defense in depth.
.Sh SUBCOMMANDS
.Bl -tag -width Ds
.It Cm host Op Ar name Op Fl -group Ar group
Spawn a dedicated party
.Xr tmux 1
server.
With no
.Ar name ,
a random one is generated.
Only the host is on the allowlist; invite others explicitly with
.Cm invite .
Group precedence:
.Fl -group
flag >
.Ev TMUX_PARTY_GROUP
> the default
.Ql party .
.It Cm close Op Ar name
Tear down the party server and remove its per-party directory.
With no
.Ar name ,
closes the only party the caller hosts.
Host-only.
.It Cm join Op Ar name Op Fl -passive
Join a party.
With no
.Ar name
and exactly one party visible, auto-attaches; otherwise presents a
numbered picker.
By default joins in
.Em active
mode (your own session group with an independent window cursor).
.Fl -passive
attaches read-only to the host's session (mirrored view).
The read-only boundary is set at attach time and is not toggled by
later
.Cm role
changes.
.It Cm leave
Detach from the current party and clean up the per-guest session.
.It Cm invite Ar user Op Fl r
Add
.Ar user
to the allowlist as read/write.
.Fl r
or
.Fl -read-only
invites as a watcher.
Best-effort
.Xr write 1
ping is sent if available.
Host-only.
.It Cm voice Ar user
Promote
.Ar user
to read/write.
Alias:
.Cm rw .
Host-only.
.It Cm mute Ar user
Demote
.Ar user
to read-only.
Alias:
.Cm ro .
Host-only.
.It Cm kick Ar user
Revoke
.Ar user Ns 's
invite, disconnect their client, and kill their guest session.
Host-only.
.It Cm detach Ar user
Disconnect
.Ar user Ns 's
client and kill their guest session, but keep them on the allowlist.
Host-only.
.It Cm role Op Cm active | passive | switch
Flip your clients between the guest session and the host session.
With no argument, prints the current role for each of your clients.
Session-level only: the read-only boundary set at attach time
.Po see
.Cm join Fl -passive
.Pc
is not toggled by role changes
.Po
.Xr tmux 1
.Cm switch-client
has no read-only flag
.Pc .
.It Cm list
List live parties on this host from the roster.
.It Cm who Op Fl -short
Show invited and attached users for the current party.
.Fl -short
emits a compact form suitable for a status-line widget.
.It Cm status
Show the caller's own state: hosting, attached, or idle.
.El
.Sh ENVIRONMENT
.Bl -tag -width "PARTY_SOCKET_DIR"
.It Ev TMUX_PARTY_GROUP
Shared system group used for socket access.
Default
.Ql party .
Override to reuse an existing group like
.Ql wheel ,
.Ql users ,
or
.Ql staff ,
or pass
.Fl -group Ar name
to
.Cm host .
.It Ev PARTY_SOCKET_DIR
Where each party's per-party private directory (and its socket and
roster) is created.
Default
.Pa /tmp .
.It Ev PARTY_TMUX
.Xr tmux 1
binary to use.
Default
.Ql tmux .
Override if
.Xr tmux 1
\(>= 3.3 lives at a non-standard path.
.El
.Sh FILES
.Bl -tag -width Ds
.It Pa ${PARTY_SOCKET_DIR}/party-${USER}:${NAME}.d/
Per-party private directory, mode 0750, group
.Ev TMUX_PARTY_GROUP .
.It Pa ${PARTY_SOCKET_DIR}/party-${USER}:${NAME}.d/sock
The
.Xr tmux 1
socket, mode
.Ql g+rw .
.It Pa ${PARTY_SOCKET_DIR}/party-${USER}:${NAME}.d/roster
Bookkeeping:
.Va HOST_USER ,
.Va PARTY_NAME ,
.Va SOCKET ,
.Va SERVER_PID ,
.Va GROUP ,
.Va CREATED .
Security-relevant fields are re-derived from the directory itself on
every read, not trusted from the file.
.It Pa ${PARTY_SOCKET_DIR}/party-${USER}:${NAME}.d/.party-notify
Auto-generated helper that fans
.Cm display-message
out to every attached client on join/leave.
.El
.Sh EXIT STATUS
.Bl -tag -width Ds
.It 0
Success.
.It 1
Operational failure (no such party, not a member of the group, socket
gone, ambiguous match, etc.).
.It 2
Usage error (unknown subcommand or flag, missing argument, invalid
party name).
.It 13
.Cm join :
caller is not on the allowlist for the named party.
.El
.Sh EXAMPLES
One-time setup, as root:
.Bd -literal -offset indent
groupadd party
usermod -aG party alice
usermod -aG party bob
.Ed
.Pp
Have alice and bob log out and back in so the new group takes effect.
.Pp
Host a party named
.Ql debug-the-deploy
and invite alice as a watcher and bob as a co-driver:
.Bd -literal -offset indent
$ party host debug-the-deploy
$ party invite alice -r
$ party invite bob
.Ed
.Pp
On bob's side, join the only running party on this host:
.Bd -literal -offset indent
$ party join
.Ed
.Pp
On alice's side, join read-only:
.Bd -literal -offset indent
$ party join debug-the-deploy --passive
.Ed
.Pp
Reuse an existing group instead of creating a new one:
.Bd -literal -offset indent
$ party host debug-the-deploy --group staff
.Ed
.Sh SECURITY
The OS group is the perimeter,
.Xr tmux 1 Ns 's
.Cm server-access
allowlist is the per-user filter.
Both are universal across the supported platforms (Linux, FreeBSD,
NetBSD, OpenBSD, illumos, Solaris, macOS), so the mechanism is one
liner:
.Xr chgrp 1
+
.Xr chmod 1 .
No ACL syscalls are invoked.
.Pp
Trust is anchored in unforgeable primitives:
.Xr mkdir 2
and
.Xr bind 2
set the owner to the calling effective UID, and
.Xr chown 1
requires root.
A group member who plants a forged directory cannot fake its
ownership, cannot redirect the socket path, and cannot forge a socket
elsewhere.
.Pp
.Nm
is designed for small, mutually trusted groups: a hacklab, a tech
team, a circle of friends, not strangers across the internet.
It assumes you already know and trust the people you are adding to
the group; it does not try to be a public access-control system.
.Sh CAVEATS
On filesystems with NFSv4-style inherited ACLs (macOS HFS+/APFS,
FreeBSD/illumos ZFS), an ACE on
.Ev PARTY_SOCKET_DIR
can override the mode bits
.Nm
sets, widening access (e.g.\& an inherited
.Ql everyone@:rx
survives our
.Ql chmod 0750 )
or narrowing it (e.g.\& a
.Ql deny everyone:
blocks group members our
.Xr chgrp 1
tried to admit).
The script does not invoke
.Xr getfacl 1
or
.Xr getextattr 8
to verify effective access; re-introducing per-platform ACL plumbing
would unwind the simplification this design commits to.
The FS gate is therefore best-effort on those filesystems; the
auth gate
.Po
.Xr tmux 1
.Cm server-access
.Pc
remains authoritative regardless.
The default
.Ev PARTY_SOCKET_DIR Ns = Ns Pa /tmp
rarely has ACL trouble in practice; if you deploy on a custom dir
with restrictive inherited ACLs, expect to handle traversal at the
ACL layer for your intended group members.
Strangers stay out via
.Cm server-access
either way.
.Pp
.Cm server-access
decides who may
.Em attach ,
not who can see that a party
.Em exists .
Hiding a party's existence, meaning the host, its name, group, and
creation time recorded in the
.Pa roster ,
falls to the FS gate, not the auth gate: on an ACL-shadowed dir where the
mode bits do not hold, a non-member may read that metadata even though
.Cm server-access
still blocks the join.
The
.Cm list
subcommand re-checks group membership before printing, as defense in
depth, but treat discovery as confidential only insofar as the filesystem
enforces it.
.Pp
An active
.Cm join
lands you in your own
.Ql __party_guest_<you>
session on the shared server.
Any write-capable invitee can create sessions there, including one named
for someone else; if they pre-create yours, your next active
.Cm join
attaches to it.
This is inside the trust boundary by design, not a defended one;
invitees are people you already trust.
If you do not trust an invitee that far, invite them read-only
.Pq Fl r ,
which cannot create sessions, or not at all.
.Pp
.Nm
requires
.Xr tmux 1
\(>= 3.3 for
.Cm server-access .
Older
.Xr tmux 1
versions are refused at host time rather than degrading to the FS
gate alone.
.Pp
The
.Cm role
subcommand can flip a client between the guest session and the host
session, but it cannot change the read-only state of an attached
client;
.Xr tmux 1
.Cm switch-client
has no equivalent of
.Cm attach Fl r .
The watcher boundary is set at
.Cm join Fl -passive
time and is fixed for the life of that client.
.Sh SEE ALSO
.Xr tmux 1 ,
.Xr screen 1 ,
.Xr write 1 ,
.Xr chgrp 1 ,
.Xr chmod 1
.Sh HISTORY
.Nm
was written for the UNIX Social Club
.Pq Lk https://club.unix.rocks/ ,
inspired by many years of collective working sessions using
.Ql screen -x
across collectives.
.Sh AUTHORS
.Nm
was written by
.An veg
and
.An kol3rby .
See the
.Pa party
script header for additional credits.
Issues and contributions welcome!