mhogomchungu / zuluCrypt

zuluCrypt is a front end to cryptsetup and tcplay and it allows easy management of encrypted block devices
https://mhogomchungu.github.io/zuluCrypt

VeraCrypt volumes mounted with 777 permissions but their files are 666 #138

Closed ghost closed 4 years ago

ghost commented 4 years ago

I apologize since this is probably a stupid question, but I'm having trouble with permissions.

Title says it all. Basically, my VeraCrypt volumes mounted to /run/media/private/vtnpp/ with zuluCrypt-gui or zuluMount-gui have 777 permissions, but all their content has 666 permissions.

Which means I cannot execute scripts stored on them, for instance.

$ chmod +x script.sh doesn't work either, even with sudo. script.sh still has 666 permission.

As I was searching for a solution, I came across this part in the changelog:

version 4.6.2
-- feature added:users who are members of "zulumount-exec" group will have their volumes opened with "exec" mount option.
   This will allow them to be able to execute commands from the mount point. The default and recommended option is not mount with "noexec" option.

So I created zulumount-exec group and added myself to it:

$ sudo groupadd zulumount-exec
$ sudo gpasswd -a vtnpp zulumount-exec

Then I mounted a VeraCrypt volume again, but it doesn't make any difference: all files in my VeraCrypt volume still have 666 permissions.

$ ./script.sh

zsh: permission denied: ./script.sh

I don't have this issue with a LUKS1 container that I created with zuluCrypt-gui. The container is also mounted to /run/media/private/vtnpp/ and the chmod command works fine.

I also tried:

# chmod -R 777 /run/media/private/sdb/

to no avail.

A few relevant outputs:


$ stat /run/media/private/vtnpp/sdb

  File: /run/media/private/vtnpp/sdb
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: fe02h/65026d    Inode: 5           Links: 1
Access: (0777/drwxrwxrwx)  Uid: ( 1000/  vtnpp)   Gid: ( 1000/ UNKNOWN)
Access: 2019-12-20 16:18:31.073914200 +0100
Modify: 2019-12-20 16:18:31.073914200 +0100
Change: 2019-12-20 16:18:31.073914200 +0100
 Birth: -
$ stat /run/media/private/vtnpp/sdb/Linux/script.sh

  File: /run/media/private/vtnpp/sdb/Linux/script.sh
  Size: 7495            Blocks: 16         IO Block: 4096   regular file
Device: fe02h/65026d    Inode: 162316      Links: 1
Access: (0666/-rw-rw-rw-)  Uid: ( 1000/  vtnpp)   Gid: ( 1000/ UNKNOWN)
Access: 2019-12-27 13:20:32.111947500 +0100
Modify: 2019-12-27 13:20:22.000000000 +0100
Change: 2019-12-27 13:20:31.790423300 +0100
 Birth: -
$ ls /run/media/private/vtnpp/sdb/Linux/                   
drwxrwxrwx vtnpp 1000   4 KB Fri Dec 27 13:20:31 2019 ./               
drwxrwxrwx vtnpp 1000   4 KB Tue Dec 17 17:50:22 2019 ../              
.rw-rw-rw- vtnpp 1000 491 B  Fri Dec 27 13:03:08 2019 script.sh
$ chmod +x /run/media/private/vtnpp/sdb/Linux/script.sh
$ ls /run/media/private/vtnpp/sdb/Linux/                  
drwxrwxrwx vtnpp 1000   4 KB Fri Dec 27 13:20:31 2019 ./               
drwxrwxrwx vtnpp 1000   4 KB Tue Dec 17 17:50:22 2019 ../              
.rw-rw-rw- vtnpp 1000 491 B  Fri Dec 27 13:03:08 2019 script.sh

$ stat /run/media/private/vtnpp/LUKS1.bin

  File: /run/media/private/vtnpp/LUKS1.bin
  Size: 1024            Blocks: 2          IO Block: 1024   directory
Device: fe03h/65027d    Inode: 2           Links: 3
Access: (0777/drwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-12-27 16:18:31.000000000 +0100
Modify: 2019-12-27 16:18:29.000000000 +0100
Change: 2019-12-27 16:18:29.000000000 +0100
 Birth: -
$ stat /run/media/private/vtnpp/LUKS1.bin/script.sh

  File: /run/media/private/vtnpp/LUKS1.bin/script.sh
  Size: 491             Blocks: 2          IO Block: 1024   regular file
Device: fe03h/65027d    Inode: 17          Links: 1
Access: (0666/-rw-rw-rw-)  Uid: ( 1000/  vtnpp)   Gid: (  985/   users)
Access: 2019-12-27 16:28:15.000000000 +0100
$ ls /run/media/private/vtnpp/LUKS1.bin

drwxrwxrwx   root  root   1 KB Fri Dec 27 16:18:29 2019 ./                  
dr-x------ vtnpp users 100 B  Fri Dec 27 16:18:13 2019 ../                 
drwx------ vtnpp users   1 KB Fri Dec 27 15:23:40 2019 .Trash-1000/        
.rw-rw-rw- vtnpp users 3.6 MB Fri Dec 27 14:36:26 2019 test.7z
.rw-rw-rw- vtnpp users 491 B  Fri Dec 27 13:03:08 2019 script.sh       
$ chmod +x /run/media/private/vtnpp/LUKS1.bin/script.sh  
$ stat /run/media/private/marvin/ProtonMail.bin/test.sh

  File: /run/media/private/marvin/ProtonMail.bin/test.sh
  Size: 0               Blocks: 0          IO Block: 1024   regular empty file
Device: fe03h/65027d    Inode: 18          Links: 1
Access: (0755/-rwxr-xr-x)  Uid: ( 1000/  marvin)   Gid: (  985/   users)
Access: 2019-12-27 16:28:31.000000000 +0100
Modify: 2019-12-27 16:28:31.000000000 +0100
Change: 2019-12-27 16:28:45.000000000 +0100
 Birth: -
$ ls /run/media/private/vtnpp/LUKS1.bin

drwxrwxrwx   root  root   1 KB Fri Dec 27 16:18:29 2019 ./                  
dr-x------ vtnpp users 100 B  Fri Dec 27 16:18:13 2019 ../                 
drwx------ vtnpp users   1 KB Fri Dec 27 15:23:40 2019 .Trash-1000/        
.rw-rw-rw- vtnpp users 3.6 MB Fri Dec 27 14:36:26 2019 test.7z
.rwxrwxrwx vtnpp users 491 B  Fri Dec 27 13:03:08 2019 script.sh*   

What am I doing wrong?

mhogomchungu commented 4 years ago

What file system are you using?

ghost commented 4 years ago

VeraCrypt containers are formatted to ntfs (because I also need to access them on Windows)

LUKS1 container is formatted to ext4

mhogomchungu commented 4 years ago

  1. Create a text file at /etc/zuluCrypt/generic_fs_options
  2. In it, add ntfs fmask=0000
  3. Unlock the volume again and all files will now have 0777 permissions.

ghost commented 4 years ago

Thank you, it works!

I'm curious as to why this isn't the default behavior?

mhogomchungu commented 4 years ago

That line will change the default fmask option for all mounted ntfs file systems.

You can use different defaults for different mount points by doing the following:

  1. Create a text file at /etc/zuluCrypt/fs_options
  2. Add UUID=XYZ fmask=0000 where XYZ is the UUID of the file system. You can find out the UUIDs of file systems by running the "blkid" tool.

These two config files allow customization of mount options per file system and per mount point.

A list of options you can override is here: https://github.com/mhogomchungu/zuluCrypt/blob/34f4e283a10c9c4716346fa7cf1839aa90ab0720/zuluCrypt-cli/lib/mount_volume.c#L222

I'm curious as to why this isn't the default behavior?

Somebody said I should do it this way because "security", but their reasoning wasn't very convincing, so I won't try to explain it to you.
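The thread above boils down to two things: which override file wins for a given volume, and how an fmask/dmask value turns into the mode bits the mounted NTFS volume reports. The script below is an added example written for this page; it is not zuluCrypt's code. It follows the two line formats the maintainer describes (a `<fstype> <options>` line in generic_fs_options, a `UUID=<uuid> <options>` line in fs_options). Everything else is an assumption of this example: that a per-UUID entry takes precedence over the per-fstype entry, that `#` lines are comments, and that a missing mask means no bits are removed. The UUID and the file contents are constructed samples.

```python
"""Select the zuluCrypt mount-option override for a volume and compute the
file/directory modes a given fmask/dmask/umask produces.

Added example for this issue thread, not zuluCrypt's own code. The line
formats come from the thread; precedence, '#' comments and the "no mask
means mask 0" default are assumptions of this example.
"""
from __future__ import annotations

# Constructed sample config contents. The UUID is a placeholder, not a real volume.
GENERIC_FS_OPTIONS = """\
# <fstype> <mount options>   (assumed comment syntax)
ntfs fmask=0000
"""

FS_OPTIONS = """\
# UUID=<uuid> <mount options>   (assumed comment syntax)
UUID=0000-EXAMPLE-UUID fmask=0111,dmask=0000
"""


def parse_option_file(text: str) -> dict[str, str]:
    """Parse '<key> <options>' lines into {key: options}.

    Blank lines and lines starting with '#' are skipped (assumption).
    """
    table: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, opts = line.partition(" ")
        if key and opts.strip():
            table[key] = opts.strip()
    return table


def select_mount_options(fstype: str, uuid: str | None,
                         generic: dict[str, str],
                         per_volume: dict[str, str]) -> str | None:
    """Assumed precedence: per-UUID entry, then per-fstype entry, else None."""
    if uuid is not None and f"UUID={uuid}" in per_volume:
        return per_volume[f"UUID={uuid}"]
    return generic.get(fstype)


def parse_masks(options: str) -> dict[str, int]:
    """Pull fmask/dmask/umask (octal strings) out of a comma-separated option list."""
    masks: dict[str, int] = {}
    for opt in options.split(","):
        name, sep, value = opt.partition("=")
        if sep and name in ("fmask", "dmask", "umask"):
            masks[name] = int(value, 8)
    return masks


def effective_modes(options: str) -> tuple[int, int]:
    """Return (file_mode, dir_mode) for the mask options in `options`.

    Mask semantics: mode = 0o777 & ~mask. umask applies to both files and
    directories unless a more specific fmask/dmask is given. A mask that is
    absent counts as 0 here (assumption).
    """
    masks = parse_masks(options)
    umask = masks.get("umask", 0)
    fmask = masks.get("fmask", umask)
    dmask = masks.get("dmask", umask)
    return 0o777 & ~fmask, 0o777 & ~dmask


def mask_for_observed_mode(mode: int) -> int:
    """Inverse question: which mask yields an observed mode (0o666 -> 0o111)."""
    return 0o777 & ~mode


if __name__ == "__main__":
    generic = parse_option_file(GENERIC_FS_OPTIONS)
    per_volume = parse_option_file(FS_OPTIONS)
    for fstype, uuid in (("ntfs", "0000-EXAMPLE-UUID"), ("ntfs", "other"), ("ext4", None)):
        opts = select_mount_options(fstype, uuid, generic, per_volume)
        if opts is None:
            print(f"{fstype} {uuid}: no override")
        else:
            fmode, dmode = effective_modes(opts)
            print(f"{fstype} {uuid}: {opts} -> files {fmode:04o}, dirs {dmode:04o}")
    print(f"files seen as 0666 imply mask {mask_for_observed_mode(0o666):04o}")
```

Running it shows why the reporter's chmod had no effect: files reported as 0666 correspond to a mask of 0111, and on a mask-mounted NTFS volume the mode bits are synthesized from the mask at mount time rather than stored per file, so chmod cannot add the execute bit. Changing the override to fmask=0000 removes nothing and yields 0777, which is what the maintainer's fix does; fmask=0111 with dmask=0000 is the tighter variant that keeps directories traversable while leaving files non-executable.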