3

I have VeraCrypt installed on a server and want to think about making it available to users on the server to make encrypted files in their home directories. What are the security vulnerabilities to think about?

For example, running VeraCrypt requires root permissions for it even to create a local file and I don't want users to be able to screw with a server system volume. I also don't want privilege escalations risks like those mentioned here.

Root permissions for VeraCrypt could be made available to users by adding the following to /etc/sudoers.tmp:

%veracrypt ALL=(root) NOPASSWD:/usr/bin/veracrypt

Can users use VeraCrypt without these privilege escalation risks and without being able to change the computer in any places other than their home directories?

Bruni
  • 10,542
BlandCorporation
  • 792

1 Answers1

0

Short answer: No

More elaborate answer: that depends on how much you trust your users and whether they act in good intention.

Allowing ordinary users to mount VeraCrypt volumes opens an array of attack vectors such as mounting maliciously crafted volumes.

For example please carefully review the following answer and comments:

https://security.stackexchange.com/questions/178610/is-it-secure-to-mount-veracrypt-without-sudo-password-in-this-way

If you trust your users you can allow them mounting volumes_

How can user mount an encrypted file container in VeraCrypt?

but please review the comments.

Pawel Debski
  • 2,704
  • 8
  • 28
  • 40