Closed GoogleCodeExporter closed 9 years ago
It is not so easy unfortunately.
The suid bit is not a solution; it is too dangerous and in principle allows very
nasty operations. The code is not written to allow suid and I think there are
better approaches.
The requirement for a user to map their own devices is in principle blocked by these
things:
- device-mapper subsystem support (it requires root to operate). There were
ideas to implement "user private" devices but they never reached upstream.
- LUKS requires temporary dmcrypt devices when working with keyslots (thus
limited by the previous item even in header operations). I have already implemented an
alternative approach (in git, not yet in a release), so manipulating the LUKS header
on a device will require only user access to the device (similar to the Truecrypt format
support).
So the only operations which require root are activation/deactivation and suspend.
There are some alternatives which use suid (see the cryptmount project) but I do
not think this is the proper way.
Usually distros use udisks2 or a similar daemon to mount LUKS for the user and I
think it works pretty reliably.
I would prefer that the device-mapper subsystem allows "user" devices (see also
Issue#208); then you can just map your device (all checks will be based on
device access rights by default).
So sorry, I am not going to support the suid bit in cryptsetup.
Original comment by gmazyl...@gmail.com on 8 Jun 2014 at 4:05
Original issue reported on code.google.com by f.wa...@googlemail.com on 4 Jun 2014 at 1:50