As you may know, veracrypt is tightly coupled to sudo, which makes it difficult to work with containers on systems that use doas. When I try to mount, this happens:
user@host> veracrypt ~
/usr/include/c++/13.2.1/bits/stl_vector.h:1125: std::vector<_Tp, _Alloc>::reference std::vector<_Tp, _Alloc>::operator[](size_type) [with _Tp = char; _Alloc = std::allocator<char>; reference = char&; size_type = long unsigned int]: Assertion '__n < this->size()' failed.
user@host>
I would like to mount the container in veracrypt as before and work with files through the file manager. That is, I don’t want to open a terminal and mount something there...
Have any of the doas users succeeded in doing this? I managed to find this (https://www.pclinuxos.com/forum/index.php/topic,152803.msg1308781.html?PHPSESSID=13i1ebniqeqoc1t8tqi4j9u6jh#msg1308781) recommendation, but it doesn't work for me. After adding pkexec to the exec directive, a password entry window appears, but veracrypt does not start. I ran this command in the terminal and saw the help O_o?
user@host> pkexec veracrypt ~
Usage: veracrypt [--auto-mount <str>] [--backup-headers] [--background-task] [-C] [-c] [--create-keyfile] [--delete-token-keyfiles] [-d] [--display-password] [--encryption <str>] [--explore] [--export-token-keyfile] [--filesystem <str>] [-f] [--fs-options <str>] [--hash <str>] [-h] [--import-token-keyfiles] [-k <str>] [-l] [--list-token-keyfiles] [--list-securitytoken-keyfiles] [--list-emvtoken-keyfiles] [--load-preferences] [--mount] [-m <str>] [--new-hash <str>] [--new-keyfiles <str>] [--new-password <str>] [--new-pim <str>] [--non-interactive] [--stdin] [-p <str>] [--pim <str>] [--protect-hidden <str>] [--protection-hash <str>] [--protection-keyfiles <str>] [--protection-password <str>] [--protection-pim <str>] [--random-source <str>] [--restore-headers] [--save-preferences] [--quick] [--size <str>] [--slot <str>] [--test] [-t] [--token-lib <str>] [--token-pin <str>] [-v] [--version] [--volume-properties] [--volume-type <str>] [--no-size-check] [--legacy-password-maxlength] [--use-dummy-sudo-password] [Volume path] [Mount point]
--auto-mount=<str> Auto mount device-hosted/favorite volumes
--backup-headers Backup volume headers
--background-task Start Background Task
-C, --change Change password or keyfiles
-c, --create Create new volume
--create-keyfile Create new keyfile
--delete-token-keyfiles Delete security token keyfiles
-d, --dismount Dismount volume
--display-password Display password while typing
--encryption=<str> Encryption algorithm
--explore Open explorer window for mounted volume
--export-token-keyfile Export keyfile from token
--filesystem=<str> Filesystem type
-f, --force Force mount/dismount/overwrite
--fs-options=<str> Filesystem mount options
--hash=<str> Hash algorithm
-h, --help Display detailed command line help
--import-token-keyfiles Import keyfiles to security token
-k, --keyfiles=<str> Keyfiles
-l, --list List mounted volumes
--list-token-keyfiles List token keyfiles
--list-securitytoken-keyfiles List security token keyfiles
--list-emvtoken-keyfiles List EMV token keyfiles
--load-preferences Load user preferences
--mount Mount volume interactively
-m, --mount-options=<str> VeraCrypt volume mount options
--new-hash=<str> New hash algorithm
--new-keyfiles=<str> New keyfiles
--new-password=<str> New password
--new-pim=<str> New PIM
--non-interactive Do not interact with user
--stdin Read password from standard input
-p, --password=<str> Password
--pim=<str> PIM
--protect-hidden=<str> Protect hidden volume
--protection-hash=<str> Hash algorithm for protected hidden volume
--protection-keyfiles=<str> Keyfiles for protected hidden volume
--protection-password=<str> Password for protected hidden volume
--protection-pim=<str> PIM for protected hidden volume
--random-source=<str> Use file as source of random data
--restore-headers Restore volume headers
--save-preferences Save user preferences
--quick Enable quick format
--size=<str> Size in bytes
--slot=<str> Volume slot number
--test Test internal algorithms
-t, --text Use text user interface
--token-lib=<str> Security token library
--token-pin=<str> Security token PIN
-v, --verbose Enable verbose output
--version Display version information
--volume-properties Display volume properties
--volume-type=<str> Volume type
--no-size-check Disable check of container size against disk free space.
--legacy-password-maxlength Use legacy maximum password length (64 UTF-8 bytes)
--use-dummy-sudo-password Use dummy password in sudo to detect if it is already authenticated
[1] user@host>
Off-topic, but pkexec (polkit) is literally worse than sudo in terms of depending on weird libraries and the like.
You don't have access to a root shell or to cryptsetup in those systems?
Of course I have.
But as I already said, I want to mount containers through veracrypt itself, and not through the terminal or another way.
https://security.stackexchange.com/questions/194166/why-is-suid-disabled-for-shell-scripts-but-not-for-binaries
That approach might work if you can write something suitable (i.e. not a shell script) to do the mounting then make it setuid, although it has security issues so it's not really recommended now. There's probably a better way though! ;D
No I can not! 🤣
Would some kind of /etc/fstab entry help, using the noauto and user options?
https://askubuntu.com/questions/1100114/mount-share-cifs-folder-without-sudo
The exact entry and syntax would most likely require changing from that described above, and some relevant man pages studied for current flag meanings, besides this brief overview here:
https://wiki.archlinux.org/title/fstab
I repeat: I need to mount containers only through veracrypt itself and work with files only through the file manager.
Installing sudo or editing fstab is absolutely unacceptable.
You can run VC from the root shell, as root, it just lets you, I don't get the purpose of this question.
Is that file manager only running as a normal user? chown -R the path to the mount from the root shell to that user.
Listen, if you don't understand the purpose of the question, please refrain from answering. I don’t have the time or desire to describe why installing sudo, editing fstab, running vc or a file manager as root is impossible! I don't mean to be rude, but you're bringing me to this point.
Why is it impossible (or unacceptable?), you neither described it nor answered it? I have 3 file managers running as root at this moment.
If you prefer using doas instead of sudo why haven't you explained why you paradoxically tried with the much worse polkit?
What containers? If they're not of this distro why did you place this question under System initially?
Why did you not comment on the fact that you can both run VC as root directly and you can chown the mount to your normal user for its access?
If it has to go your way and your way only I again ask what is the purpose of this question?
You don't have time to write an OP which explains what you are trying to achieve very well.
You don't have time to expand further or explain why other solutions are 'impossible'.
You do have time to be rude?
Maybe you should make time to look at your priorities in life?
https://github.com/veracrypt/VeraCrypt/issues/887
https://github.com/veracrypt/VeraCrypt/issues/823
This seems to relate to 2 open unresolved issues on the VeraCrypt GitHub repo. Doas support requires a feature that Doas doesn't do and won't do. Either you need to go around the problem (i.e. reconsider some of the workarounds suggested here or on those issues, or use an alternative to doas or VeraCrypt) or through it, and write the support for polkit into VeraCrypt yourself - otherwise it's just a case of waiting for it to be added. I can appreciate your frustration but surely if there was an easy solution then the VeraCrypt developers would know about it. I can't think of much else to suggest - PAM perhaps, or a custom udev rule? Doubtful it would get you anywhere if Polkit hasn't. Besides setuid you can also have setcap attributes which are a bit more fine grained, to add to my first suggestion incidentally. Sorry I can't be of more help.