Bug 28001 - After upgrade to Mageia8 veracrypt doesn't work with sudo as before
Summary: After upgrade to Mageia8 veracrypt doesn't work with sudo as before
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Nicolas Lécureuil
QA Contact:
URL:
Whiteboard:
Keywords: IN_RELEASENOTES8
Depends on:
Blocks:
 
Reported: 2021-01-02 09:20 CET by Uli Selle
Modified: 2024-08-22 23:02 CEST (History)
4 users (show)

See Also:
Source RPM: veracrypt-1.24u7-7.mga8.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Uli Selle 2021-01-02 09:20:51 CET 
Description of problem:

- in Mageia7 in "/etc/sudoers/" there is a column:
  - %crypt ALL = NOPASSWD:/usr/bin/veracrypt

The effect was that users of the group "crypt" could use veracrypt without the need to use the root password. Veracrypt mounts the encrypted container to a defined mountpoint.

After upgrading mga7 to mga8b2 this column seems to have no effect any more, members of "crypt" have to know the root password to mount the container.

I dont know, if this is a bug. If it isn't im sorry...

Greetings,
U.Selle
Comment 1 Jani Välimaa 2021-01-02 12:56:21 CET 
I think since veracrypt-1.24u2 one have to use '--use-dummy-sudo-password' when starting veracypt to use the old behavior with sudo.

https://github.com/veracrypt/VeraCrypt/releases/tag/VeraCrypt_1.24-Update2

"Add CLI switch (--use-dummy-sudo-password) to force use of old sudo behavior of sending a dummy password"

Source RPM: sudo-1.9.4p2-1.mga8.src.rpm => veracrypt-1.24u7-3.mga8
Version: 8 => Cauldron

Comment 2 Jani Välimaa 2021-01-02 12:58:10 CET 
See also https://bbs.archlinux.org/viewtopic.php?pid=1906246#p1906246
Jani Välimaa 2021-01-02 13:14:03 CET

Summary: After Upgrade from Mageia7 to Mageia8 sudo has no effect as before => After upgrade to Mageia8 veracrypt doesn't work with sudo as before

Aurelien Oudelet 2021-01-02 18:45:04 CET

CC: (none) => ouaurelien
Keywords: (none) => FOR_ERRATA8

Comment 3 Lewis Smith 2021-01-02 21:36:35 CET 
Thanks Jani for your quick detective work.
This looks more like for Release Notes than Errata, since the product is behaving as it should. It is not a Mageia bug.

I am unclear whether the 'old' behaviour worked with *no* password for users of the group "crypt"; or whether it required the normal (= user) 'su' password.
Are we talking about a password still required, but not the same one?

Would this work in /etc/sudoers ?:
%crypt ALL = NOPASSWD:/usr/bin/veracrypt --use-dummy-sudo-password
@Uli : can you try that? It might get bounced as an invalid line. If it does work, then we might adjust the RPM accordingly.

CC: (none) => lewyssmith

Comment 4 Uli Selle 2021-01-03 03:54:08 CET 
Hello,

@ Lewis: tried it with:
%crypt ALL = NOPASSWD:/usr/bin/veracrypt --use-dummy-sudo-password

-> now veracrypt requires a password for mounting the encrypted volume
  - but neither the user password nor the superuser password is accepted!
  - so vc can't mount the volume

Went back to "%crypt ALL = NOPASSWD:/usr/bin/veracrypt"
and started vc in this way:

"veracrypt --use-dummy-sudo-password"

Now vc shows the old behaviour:
- it starts, i can choose the encrypted volume (with pw) and it is mounted from vc without requireing any additional password

Seems its a change in the behaviour of veracrypt...?
Comment 5 Lewis Smith 2021-01-04 21:44:42 CET 
Thank you for trying that.
> Seems its a change in the behaviour of veracrypt...?
Exactly, as Jani identified in comment 1 then 2.
To be in Release Notes.
Not sure whether we can close this.

Keywords: FOR_ERRATA8 => FOR_RELEASENOTES8

Aurelien Oudelet 2021-01-28 21:31:28 CET

Whiteboard: (none) => 8rc

Comment 6 Morgan Leijström 2021-02-10 23:12:20 CET 
Not sure what to write. Please describe.

For now i put a link to this bug at

https://wiki.mageia.org/en/Mageia_8_Release_Notes#Veracrypt

Whiteboard: 8rc => (none)
CC: (none) => fri
Keywords: FOR_RELEASENOTES8 => 8rc1, IN_RELEASENOTES8

Comment 7 Lewis Smith 2021-02-11 19:29:21 CET 
VERACRYPT
After upgrade to Mageia8 veracrypt does not work with sudo as before.
Since veracrypt-1.24u2 one has to use '--use-dummy-sudo-password' when starting veracypt to get the old behaviour with sudo.
 https://github.com/veracrypt/VeraCrypt/releases/tag/VeraCrypt_1.24-Update2
"Add CLI switch (--use-dummy-sudo-password) to force use of old sudo behavior of sending a dummy password"
See also https://bbs.archlinux.org/viewtopic.php?pid=1906246#p1906246
[and reference this bug 28001]
Comment 8 Morgan Leijström 2021-02-11 19:53:34 CET 
Thanks. I shortened it a bit as the Release notes page is huge already. Solution stated, and details are in the links for the interested.

https://wiki.mageia.org/en/Mageia_8_Release_Notes#VeraCrypt
Comment 9 Lewis Smith 2021-02-11 19:55:02 CET 
Thanks.
Comment 10 John L. ten Wolde 2021-03-10 08:39:51 CET 
In my opinion, an elegant solution (completely hidden from the end user) is to simply change the 'Exec=' line within veracrypt.desktop to:

  ┌────
  │ Exec=/usr/bin/veracrypt --use-dummy-sudo-password
  └────

This works perfectly for me when starting veracrypt via KRunner.

Of course users running from the command line will still need to be (made) aware of the new switch...

CC: (none) => johnltw

Comment 11 Lewis Smith 2021-03-10 20:40:08 CET 
From comment 1:
> use '--use-dummy-sudo-password' when starting veracypt to use the
> old behavior with sudo.
Agreeing to some extent with the previous comment (nicely presented), the problem with building this in is that is provides the *old* behaviour of veracrypt, a deviation from standard veracrypt usage as it is now.
This is a dicey thing to do: we might be pressed to hide (where possible) all software evolutions yielding a behavioural change. And, of course, new users would then find it not conforming with the current 'book'.
Users must ultimately live with such changes. Progress - as often bad as good.
Comment 12 Morgan Leijström 2021-03-10 20:58:32 CET 
Well expressed, Lewis :)
Comment 13 Aurelien Oudelet 2021-03-21 17:59:08 CET 
(In reply to Lewis Smith from comment #11)
> From comment 1:
> > use '--use-dummy-sudo-password' when starting veracypt to use the
> > old behavior with sudo.
> Agreeing to some extent with the previous comment (nicely presented), the
> problem with building this in is that is provides the *old* behaviour of
> veracrypt, a deviation from standard veracrypt usage as it is now.
> This is a dicey thing to do: we might be pressed to hide (where possible)
> all software evolutions yielding a behavioural change. And, of course, new
> users would then find it not conforming with the current 'book'.
> Users must ultimately live with such changes. Progress - as often bad as
> good.

So closing WONTFIX?

Assigning to package maintainer who can say this.

Assignee: bugsquad => mageia
Version: Cauldron => 8
Source RPM: veracrypt-1.24u7-3.mga8 => veracrypt-1.24u7-7.mga8.src.rpm

Comment 14 Marja Van Waes 2024-08-22 23:02:22 CEST 
We stopped supporting Mageia 8 almost 8 months ago 
https://blog.mageia.org/en/2023/12/30/mageia-8-end-of-life/

That means we also stopped fixing Mageia 8 bugs and that this bug report needs to be closed, regardless of whether it was fixed for Mageia 8 or not.

If this particular bug did not get fixed for Mageia 8, then we do regret that.

If this issue is still present in Mageia 9 or cauldron, then please reopen this report, write a comment and adjust the "Version:" field.

If you are not yet a member of one or our teams, then please consider becoming one. https://wiki.mageia.org/en/Contributing
Mageia is a community project, meaning that we, the users, make Mageia together.

The more active contributors we have, the more bug reports will get fixed.
Besides, being active in a team can be very rewarding. It was and is certainly rewarding to me :-D

Resolution: (none) => OLD
Status: NEW => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.