How can user mount an encrypted file container in VeraCrypt?

permissions mount sudo users veracrypt
12,635

Solution 1

I did it. The solution's adapted from here: https://wiki.archlinux.org/index.php/TrueCrypt#Mount_volumes_as_a_normal_user and from my other question regarding modern sudoers config: adding local content in /etc/sudoers.d/ instead of directly modifying sodoers file via visudo

  1. Create a new group called say veracryptusers and give it the necessary permissions to use VeraCrypt without root password. Any user that belongs to that group will be able to use VeraCrypt.

Note: this dramatically increases attack surface for user rights elevation, so be sure to add only trusted users to this group.

# groupadd veracryptusers
  1. Now let's give this group sudo permissions limited to VeraCrypt:
$ sudo visudo -f /etc/sudoers.d/veracrypt
  GNU nano 2.5.3        File: /etc/sudoers.d/veracrypt.tmp                      

# Users in the veracryptusers group are allowed to run veracrypt as root.
%veracryptusers ALL=(root) NOPASSWD:/usr/bin/veracrypt

Also please make sure that veracrypt and /usr/bin have the proper permissions and are NOT writable by groups nor others:

$ ls -al /usr/bin/vera*
-rwxr-xr-x 1 root root 6341016 paź 17  2016 /usr/bin/veracrypt
$ ls -ald /usr/bin
drwxr-xr-x 2 root root 69632 lip 25 10:09 /usr/bin

Otherwise a malicious user may replace the executable and gain total root right at his wish.

Now reboot (or relogin) to have groups membership revaluated and voilà - you can mount and unmount your favourite volumes.

Please also be sure to review privilege escalation loophole described at the link below and before adding users to the group consider whether you can trust them

Solution 2

Warning: Only use @Pawel Debski solution if agree the following:

  • Any user or hacker getting access to an user account in veracryptusers group can run any commands as root, by downloading a prepared container file containing malicious code running as root.

So using that solution you might consider to use a special user profile for veracrypt. As a result, sodo is easier to use.

Steps to test the security problem:

  1. Create a container file (ext2-4)
  2. Copy or create a binary file (e.g. whoami)
  3. Change binary owner to root
  4. Add setuid to the binary
  5. Call the binary with a non-root-user account

The binary will run with root privilege.

Hint: I added this solution as the warning at Pawel Debski is inconspicuously. The risk is much greater than the benefit as long as the system has an internet connection.

Share:
12,635

Related videos on Youtube

Pawel Debski
Author by

Pawel Debski

Salesforce, Cornerstone on Demand, GxP Validation, TIBCO, WebMethods, SAP, Java, Microsoft.Net C#, SQL, Oracle, Informatica, Business Objects, IT Outsourcing To join us: cv ! econsulting @ pl To contract us: salesteam ! econsulting @ pl

Updated on September 18, 2022

Comments

  • Pawel Debski
    Pawel Debski over 1 year

    I have a number of external media with VeraCrypt encrypted file containers and I would like the users to mount and use them without giving root privileges to the users.

    However at the moment VeraCrypt's always asking for user/admin password apparently sudo-ing mount operation:

    VeraCrypt fails to mount pdebski not in sodoers

    How can a user, who's not in the sudoers file mount an .hc file?

  • Tom K.
    Tom K. about 6 years
  • forest
    forest about 6 years
    This answer is incorrect and will lead to trivial privilege escalation. As I answered in the link @TomK. provided, this solution provides no protection and will be giving anyone in the veracryptusers group full root access. Do not do this.
  • Pawel Debski
    Pawel Debski almost 6 years
    It is a very good idea to add this as an answer. Tx.
  • Pawel Debski
    Pawel Debski almost 5 years
    Russel, read carefully priviledge escalation descriptions from other answers. Your solution does not address the problem and there is no way to avoid the loophole. Both answers are applicable to personal system or when you're working with trusted users.
  • Pawel Debski
    Pawel Debski about 3 years
    It is not if you trust the users. If you had a malicious user or a system would be somehow exposed, for example accessible to anyone in a lobby, obviously you'd not use the solution proposed. If you had a knife you can make a sandwich or you can cut yourself. It is up to you.
  • Zanna
    Zanna almost 3 years
    If you want people to answer you as to whether this is a good plan, I suggest posting it as a question instead of as an answer (I'd tell you in this comment if I knew, but unfortunately I don't)

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Allow chown command to www-data user
Sudo is not asking for password on Ubuntu 16.04
How to add my user account to admin group (13.10 desktop)
How to add flags and/or arguments to a command in the 'sudoers' file
sudo mkdir creates directory as nobody nogroup on mounted directory, then chown not permitted
How to access drives that are mounted by other users?
What is "root" and how can I become it?
How do I allow a user to only run the apt-get update command with sudo?
Suddenly can't run sudo
sshfs is mounting filesystems as another user