[SOLVED] How to use veracrypt without needing root?

A Traveller · 06-08-2019, 01:47 PM

Hi all.

Please see the link below for info on what I wish to achieve.

https://www.pclinuxos.com/forum/inde...,149247.0.html

One of the bits of advice given in reply to the above post was "If you want to use veracrypt, then investigate how to set up sudo for it to allow it to run from your normal account."

I consequently searched the web and found the following post, which seemed relevant, so I followed the instructions and replaced the word 'truecrypt' with 'veracrypt, i.e. the following code.

# chmod 4755 /usr/bin/veracrypt

After doing this, now veracrypt won't even load from the normal terminal. It gives me the following error.

(process:13268): Gtk-WARNING **: 19:31:12.868: This process is currently running setuid or setgid.
This is not a supported use of GTK+. You must create a helper
program instead. For further details, see:

http://www.gtk.org/setuid.html

Refusing to initialize GTK+.

I then tried to fix this by searching the web again and using the following code, but I am still getting the same error.

chmod u+s /usr/bin/veracrypt

Does anyone know how I can get it back to how it was and if so, what the correct way is of achieving what I am looking for?

Any help would be most appreciated as I have NO idea what I'm doing!

Thanks.

MensaWater · 06-10-2019, 12:00 PM

You got the same error after chmod because you were doing essentially the same thing. You can set permissions with octal values (e.g. 4755) or by specifying user/group/other and special bit (e.g. u+s).

You're trying to run a GUI version of veracrypt using setuid/setgid and GTK+ tells you it doesn't allow that.

You could add your program to sudoers (see visudo command) for specific user (e.g. your own login) then run the program with "sudo /usr/bin/veracrypt". That tells it to run as the root user which is not exactly the same as putting the setuid/setgid bit on veracrypt itself. You might run into other issues with DISPLAY and XAUTHORITY if they were set by your login.

Alternatively it appears you can do non-GUI version of veracrypt. Try doing "unset DISPLAY" and see if you get the same error when running veracrypt.

In general putting setuid/setgid on programs is a bad idea. It should be done very seldom. It is better to run things as non-root users if they allow it or if not to run them via sudo which at least requires the password to be re-entered and only gives access to the commands desired.

I haven't used veracrypt myself so can't offer much other assistance.

A Traveller · 06-12-2019, 01:51 PM

Thanks for your reply, MensaWater.

I have searched for info on your suggestion of 'unset display' and still don't understand what it does exactly. I don't want to risk my computer not working altogether as I don't have the knowledge to fix things if they go wrong, which as you can see is my current situation.

So I take it there is no recommended method to have full access to files through a program that can only be opened by entering the administrator/root password, whether Veracrypt or anything else. I tried changing the permissions in 'Properties' to 'nobody' and 'no group' and also my log in username, but that, nor 'root' allows the files to be cut and paste elsewhere.

MensaWater · 06-12-2019, 02:10 PM

Quote:

Originally Posted by A Traveller

I have searched for info on your suggestion of 'unset display' and still don't understand what it does exactly.

1) unset DISPLAY (NOT "unset display" - Linux is case sensitive).

2) The DISPLAY variable is used by X-Windows (GUI) applications to tell them where to show the GUI. You can see its current value by typing "echo $DISPLAY". Many applications check to see if you're capable of GUI by examining the setting of DISPLAY variable. If it is not set the applications usually assume you can only do character/text based work on your terminal and won't try to run the GUI.

Typing "unset DISPLAY" in your current terminal removes the value that was "set" (if any). It only "unsets" it for the current terminal session so has no impact on global setup or other terminal sessions that might be running.

You can get it "set" again simply by logging out and logging back in. The initial "set" of display might be in a system profile (global or local to the user) or might be generated by how you attached to the terminal (e.g. in PuTTY if one enables X-11 forwarding it sets DISPLAY by default but if not it doesn't set that.)

Alternatively you can do something like the following to save the original DISPLAY variable, unset it then add it back:
export OLDDISPLAY=$DISPLAY
unset DISPLAY
Run your commands for vercrypt
export DISPLAY=$OLDDISPLAY

Note that in general it is a bad idea to hard code the DISPLAY variable in a system profile because it would override any dynamic setting such as that done by X-11 forwarding. Despite that many users do it to this day and have issues because of it.

My read of veracrypt overview suggests it has both a GUI (GTK+ based) version and a character/text version hence my suggestion to "unset DISPLAY" then rerunning the command to see if it gives you the character/text version instead of the error.

A Traveller · 06-16-2019, 08:04 AM

Thanks for the reply, MensaWater.

Re-installing the software made things go back to the way they were.

I think I understand the permissions issue better now (not fully, however) by endless experimenting!

Thanks for the help.