Home / ubuntu / Questions / 930724
Accepted
Pawel Debski
Asked: 2017-07-01 06:46:17 +0800 CST

How can user mount an encrypted file container in VeraCrypt?

  • 772

I have a number of external media with VeraCrypt encrypted file containers and I would like the users to mount and use them without giving root privileges to the users.

However at the moment VeraCrypt's always asking for user/admin password apparently sudo-ing mount operation:

VeraCrypt fails to mount pdebski not in sodoers

How can a user, who's not in the sudoers file mount an .hc file?

permissions

4 Answers

  1. Warning: Only use @Pawel Debski solution if agree the following:

    • Any user or hacker getting access to an user account in veracryptusers group can run any commands as root, by downloading a prepared container file containing malicious code running as root.

    So using that solution you might consider to use a special user profile for veracrypt. As a result, sodo is easier to use.

    Steps to test the security problem:

    1. Create a container file (ext2-4)
    2. Copy or create a binary file (e.g. whoami)
    3. Change binary owner to root
    4. Add setuid to the binary
    5. Call the binary with a non-root-user account

    The binary will run with root privilege.

    Hint: I added this solution as the warning at Pawel Debski is inconspicuously. The risk is much greater than the benefit as long as the system has an internet connection.

    • 5

  2. You can allow other users to run sudo to access only certain programs. For instance, I allow user www-data to run /sbin/ipset to ban users who try to hack in to my web server. I admit this was on a raspberry pi running a modified version of debian.

    I created a file in folder /etc/sudoers.d The contents of the file were

    www-data ALL=(ALL) NOPASSWD: /sbin/ipset
    • 0
  3. Best Answer

    I did it. The solution's adapted from here: https://wiki.archlinux.org/index.php/TrueCrypt#Mount_volumes_as_a_normal_user and from my other question regarding modern sudoers config: adding local content in /etc/sudoers.d/ instead of directly modifying sodoers file via visudo

    1. Create a new group called say veracryptusers and give it the necessary permissions to use VeraCrypt without root password. Any user that belongs to that group will be able to use VeraCrypt.

    Note: this dramatically increases attack surface for user rights elevation, so be sure to add only trusted users to this group.

    # groupadd veracryptusers
    1. Now let's give this group sudo permissions limited to VeraCrypt:
    $ sudo visudo -f /etc/sudoers.d/veracrypt
  GNU nano 2.5.3        File: /etc/sudoers.d/veracrypt.tmp                      

# Users in the veracryptusers group are allowed to run veracrypt as root.
%veracryptusers ALL=(root) NOPASSWD:/usr/bin/veracrypt

    Also please make sure that veracrypt and /usr/bin have the proper permissions and are NOT writable by groups nor others:

    $ ls -al /usr/bin/vera*
-rwxr-xr-x 1 root root 6341016 paź 17  2016 /usr/bin/veracrypt
$ ls -ald /usr/bin
drwxr-xr-x 2 root root 69632 lip 25 10:09 /usr/bin

    Otherwise a malicious user may replace the executable and gain total root right at his wish.

    Now reboot (or relogin) to have groups membership revaluated and voilà - you can mount and unmount your favourite volumes.

    Please also be sure to review privilege escalation loophole described at the link below and before adding users to the group consider whether you can trust them

    • -1

  4. What about this? Am I wrong or right or what?

    Just simply create a user for veracrypt and add it in /etc/sudoers.d

    • -1