It's both a historical and security restriction.
Historically, most drives weren't removable. So it made sense to restrict mounting to people who had legitimate physical access, and they would likely have access to the root account. The fstab entries allow administrators to delegate mounting to other users for removable drives.
From a security point of view, there are three major problems with allowing arbitrary users to mount arbitrary block devices or filesystem images at arbitrary locations.
- Mounting to a non-owned location shadows the files at that location. For example: mount a filesystem of your choice on
/etc
, with an /etc/shadow
containing a root password that you know. This is fixed by allowing a user to mount a filesystem only on a directory that he owns.
- Filesystem drivers have often not been tested as thoroughly with malformed filesystem. A buggy filesystem driver could allow a user supplying a malformed filesystem to inject code into the kernel.
- Mounting a filesystem can allow the mounter to cause some files to appear that he would not otherwise have permission to create. Setuid executable and device files are the most obvious examples, and they are fixed by the
nosuid
and nodev
options which are implied by having user
in /etc/fstab
.
So far enforcing user
when mount
is not called by root is enough. But more generally being able to create a file owned by another user is problematic: the content of that file risks being attributed by the purported owner instead of the mounter. A casual attribute-preserving copy by root to a different filesystem would produce a file owned by the declared-but-uninvolved owner. Some programs check that a request to use a file is legitimate by checking that the file is owned by a particular user, and this would no longer be safe (the program must also check that the directories on the access path are owned by that user; if arbitrary mounting was allowed, they would also have to check that none of these directories are a mount point where the mount was created neither by root nor by the desired user).
For practical purposes, it is possible nowadays to mount a filesystem without being root, through FUSE. FUSE drivers run as the mounting user so there is no risk of privilege escalation by exploiting a bug in kernel code. FUSE filesystems can only expose files that the user has the permission to create, which solves the last issue above.
If you use TC GUI, you should set some favorite volumes -- you can read more about it here. It's simple. First you have to mount your volumes one by one and specify mount points:
Then you just add them to favorites:
The more you add, the bigger will be the list of favorite volumes:
Next time you want to mount them, you just have to use Favorites
menu:
Or if you want to use a terminal, just type the following line:
$ truecrypt --auto-mount=favorites
It will mount all the favorite volumes you have on the list.
If you want to do it as a normal user, you can add that user to truecrypt
group:
# groupadd truecrypt
# adduser user truecrypt
and set an appropriate entry in sudo config file:
# Users in the truecrypt group are allowed to run TrueCrypt as root.
%truecrypt ALL=(root) NOPASSWD:/usr/bin/truecrypt
You should consider using LUKS instead. It's a way easier to configure every aspect of encrypted volumes.
Best Answer
I would suggest you attempt adding your mounts to your fstab. It can be found at
/etc/fstab
on most systems.fstab will allow you to restrict who has access and who can mount which devices to which mount points. The option you are looking for will most likely be
uid
. You can determine a user's UID by examining/etc/passwd
. Typically, you will be using uid 1000 as the first user created on the system.This example shows how I mount a remote filesystem locally using sshfs. I have restricted it so that only my user is allowed to do such a thing. There are additional options in this sshfs example that you will most likely not need, but I think if you take a look it might clear things up.
further reading
Mount TrueCrypt volumes as a normal user
tl;dr
Set up uid and even guid in your fstab to restrict access to certain users. This will restrict mounting/unmounting as well as file access if set up correctly. Also, investigate whether or not you are utilizing FUSE, as that can cause additional conflict.