Skip to main content
Topic: Mount veracrypt without sudo (Read 565 times) previous topic - next topic
0 Members and 2 Guests are viewing this topic.

Mount veracrypt without sudo

As you may know, veracrypt is tightly coupled to sudo, which makes it difficult to work with containers on systems that use doas. When I try to mount this happens:

Code: [Select]
user@host> veracrypt                                                                                                                               ~
/usr/include/c++/13.2.1/bits/stl_vector.h:1125: std::vector<_Tp, _Alloc>::reference std::vector<_Tp, _Alloc>::operator[](size_type) [with _Tp = char; _Alloc = std::allocator<char>; reference = char&; size_type = long unsigned int]: Assertion '__n < this->size()' failed.
user@host>

I would like to mount the container in veracrypt as before and work with files through the file manager. That is, I don’t want to open a terminal and mount something there...

Have any of the doas users succeeded in doing this? I managed to find this recommendation, but it doesn't work for me. After adding pkexec to the exec directive, a password entry window appears, but veracrypt does not start. I run this command in the terminal and saw the help O_o?

Code: [Select]
user@host> pkexec veracrypt                                                                                                                        ~
Usage: veracrypt [--auto-mount <str>] [--backup-headers] [--background-task] [-C] [-c] [--create-keyfile] [--delete-token-keyfiles] [-d] [--display-password] [--encryption <str>] [--explore] [--export-token-keyfile] [--filesystem <str>] [-f] [--fs-options <str>] [--hash <str>] [-h] [--import-token-keyfiles] [-k <str>] [-l] [--list-token-keyfiles] [--list-securitytoken-keyfiles] [--list-emvtoken-keyfiles] [--load-preferences] [--mount] [-m <str>] [--new-hash <str>] [--new-keyfiles <str>] [--new-password <str>] [--new-pim <str>] [--non-interactive] [--stdin] [-p <str>] [--pim <str>] [--protect-hidden <str>] [--protection-hash <str>] [--protection-keyfiles <str>] [--protection-password <str>] [--protection-pim <str>] [--random-source <str>] [--restore-headers] [--save-preferences] [--quick] [--size <str>] [--slot <str>] [--test] [-t] [--token-lib <str>] [--token-pin <str>] [-v] [--version] [--volume-properties] [--volume-type <str>] [--no-size-check] [--legacy-password-maxlength] [--use-dummy-sudo-password] [Volume path] [Mount point]
  --auto-mount=<str>           	Auto mount device-hosted/favorite volumes
  --backup-headers             	Backup volume headers
  --background-task            	Start Background Task
  -C, --change                 	Change password or keyfiles
  -c, --create                 	Create new volume
  --create-keyfile             	Create new keyfile
  --delete-token-keyfiles      	Delete security token keyfiles
  -d, --dismount               	Dismount volume
  --display-password           	Display password while typing
  --encryption=<str>           	Encryption algorithm
  --explore                    	Open explorer window for mounted volume
  --export-token-keyfile       	Export keyfile from token
  --filesystem=<str>           	Filesystem type
  -f, --force                  	Force mount/dismount/overwrite
  --fs-options=<str>           	Filesystem mount options
  --hash=<str>                 	Hash algorithm
  -h, --help                   	Display detailed command line help
  --import-token-keyfiles      	Import keyfiles to security token
  -k, --keyfiles=<str>         	Keyfiles
  -l, --list                   	List mounted volumes
  --list-token-keyfiles        	List token keyfiles
  --list-securitytoken-keyfiles	List security token keyfiles
  --list-emvtoken-keyfiles     	List EMV token keyfiles
  --load-preferences           	Load user preferences
  --mount                      	Mount volume interactively
  -m, --mount-options=<str>    	VeraCrypt volume mount options
  --new-hash=<str>             	New hash algorithm
  --new-keyfiles=<str>         	New keyfiles
  --new-password=<str>         	New password
  --new-pim=<str>              	New PIM
  --non-interactive            	Do not interact with user
  --stdin                      	Read password from standard input
  -p, --password=<str>         	Password
  --pim=<str>                  	PIM
  --protect-hidden=<str>       	Protect hidden volume
  --protection-hash=<str>      	Hash algorithm for protected hidden volume
  --protection-keyfiles=<str>  	Keyfiles for protected hidden volume
  --protection-password=<str>  	Password for protected hidden volume
  --protection-pim=<str>       	PIM for protected hidden volume
  --random-source=<str>        	Use file as source of random data
  --restore-headers            	Restore volume headers
  --save-preferences           	Save user preferences
  --quick                      	Enable quick format
  --size=<str>                 	Size in bytes
  --slot=<str>                 	Volume slot number
  --test                       	Test internal algorithms
  -t, --text                   	Use text user interface
  --token-lib=<str>            	Security token library
  --token-pin=<str>            	Security token PIN
  -v, --verbose                	Enable verbose output
  --version                    	Display version information
  --volume-properties          	Display volume properties
  --volume-type=<str>          	Volume type
  --no-size-check              	Disable check of container size against disk free space.
  --legacy-password-maxlength  	Use legacy maximum password length (64 UTF-8 bytes)
  --use-dummy-sudo-password    	Use dummy password in sudo to detect if it is already authenticated
[1] user@host>                                             

Re: Mount veracrypt without sudo

Reply #1
Offtopic but pkexec(polkit) is literally worse than sudo in terms of depending on weird libraries and the like.

You don't have access to a root shell or to cryptsetup in those systems?

Re: Mount veracrypt without sudo

Reply #2
Of course have.
But as I already said, I want to mount containers through veracrypt itself, and not through the terminal or another way.

Re: Mount veracrypt without sudo

Reply #4
No I can not! 🤣

Re: Mount veracrypt without sudo

Reply #5
Would some kind of  /etc/fstab entry help, using the noauto and user options?
https://askubuntu.com/questions/1100114/mount-share-cifs-folder-without-sudo
The exact entry and syntax would most likely require changing from that described above, and some relevant man pages studied for current flag meanings, besides this brief overview here:
https://wiki.archlinux.org/title/fstab

Re: Mount veracrypt without sudo

Reply #6
I repeat: I need to mount containers only through veracrypt itself and work with files only through the file manager.

Installing sudo or editing fstab is absolutely unacceptable.

Re: Mount veracrypt without sudo

Reply #7
You can run VC from the root shell, as root, it just lets you, i don't get the purpose of this question.

Is that file manager only running as a normal user? chown -r the path to the mount from the root shell to that user.

Re: Mount veracrypt without sudo

Reply #8
Listen, if you don't understand the purpose of the question, please refrain from answering. I don’t have the time or desire to describe why installing sudo, editing fstab, running vc or a file manager as root is impossible! I don't mean to be rude, but you're bringing me to this point.

Re: Mount veracrypt without sudo

Reply #9
Why is it impossible (or unacceptable?), you neither described it nor answered it? I have 3 file managers running as root at this moment.
If you prefer using doas instead of sudo why haven't you explained why you paradoxically tried with the much worse polkit?
What containers? If they're not of this distro why did you place this question under System initially?
Why did you not comment on the fact that you can both run VC as root directly and you can chown the mount to your normal user for it's access?

If it has to go your way and your way only I again ask what is the purpose of this question?

Re: Mount veracrypt without sudo

Reply #10
Quote from: doheka – on
Listen, if you don't understand the purpose of the question, please refrain from answering. I don’t have the time or desire to describe why installing sudo, editing fstab, running vc or a file manager as root is impossible! I don't mean to be rude, but you're bringing me to this point.
You don't have time to to write an OP which explains what you are trying to to achieve very well.
You don't have time to expand further or explain why other solutions are 'impossible'.
You do have time to be rude ?
Maybe you should make time to look at your priorities in life?

Re: Mount veracrypt without sudo

Reply #11
https://github.com/veracrypt/VeraCrypt/issues/887
https://github.com/veracrypt/VeraCrypt/issues/823

This seems to relate to 2 open unresolved issues on the VeraCrypt github repo. Doas support requires a feature that Doas doesn't do and won't do. Either you need to go around the problem (i.e. reconsider some of the workarounds suggested here or on those issues, or use an alternative to doas or VeraCrypt) or through it, and write the support for polkit into VeraCrypt yourself - otherwise it's just a case of waiting for it to be added. I can appreciate your frustration but surely if there was an easy solution then the VeraCrypt developers would know about it. I can't think of much else to suggest - PAM perhaps, or a custom udev rule? Doubtful it would get you anywhere if Polkit hasn't. Besides setuid you can also have setcap attributes which are a bit more fine grained, to add to my first suggestion incidentally. Sorry I can't be of more help.