Hi,

I have a setup where the first time my user logs in I am asked for the password, after which the openlucks partition is mounted and available for things like my email. This means that the end user will actually be calling the "cryptsetup luksOpen" command line. Currently this is impossible to do nicely, since you need to be root to call that line :(

I've investigated methods to do this and I came up with 2 answers; the first is to make cryptsetup suid root, so the user can do this. But I don't like that very much, as any user can now also format partitions due to that functionality also being available from the same command line.

The second idea is thus something I want to suggest here. Could you split out the cryptsetup command so the 'luksOpen' functionality becomes available as a separate command, preferably one that a normal user can run? Possibly with suid-0, so the user is at least not able to reformat any partitions without proper credentials ;)

Thanks!

--
Thomas Zander
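The narrower command requested in the message above could take the form of a small wrapper that accepts only a fixed `luksOpen` invocation. This is an added example, not code from the message or from the cryptsetup project; the wrapper name `luksopen-only`, the `/sbin/cryptsetup` path, the `/dev/sdb1` allowlist entry and the setuid-root installation are assumptions.

```c
/* Added example: a wrapper that can only run "cryptsetup luksOpen". */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumptions: where cryptsetup lives and which device users may open. */
#define CRYPTSETUP "/sbin/cryptsetup"
static const char *const ALLOWED_DEVICES[] = { "/dev/sdb1" /* constructed */ };

/* Mapping names: 1-32 chars from [A-Za-z0-9_-], never starting with '-',
 * so a "name" can neither be parsed as an option nor contain a path. */
static int valid_name(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 32 || s[0] == '-') return 0;
    return strspn(s, "abcdefghijklmnopqrstuvwxyz"
                     "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-") == n;
}

/* Exact string match only: no prefixes, symlink tricks or "..". */
static int allowed_device(const char *s) {
    size_t i;
    for (i = 0; i < sizeof ALLOWED_DEVICES / sizeof ALLOWED_DEVICES[0]; i++)
        if (strcmp(s, ALLOWED_DEVICES[i]) == 0) return 1;
    return 0;
}

/* Fills out[5] with a fixed luksOpen command line; returns 0 or -1. */
int build_open_argv(const char *device, const char *name, const char *out[5]) {
    if (!device || !name || !allowed_device(device) || !valid_name(name))
        return -1;
    out[0] = CRYPTSETUP; out[1] = "luksOpen";
    out[2] = device;     out[3] = name;       out[4] = NULL;
    return 0;
}

int main(int argc, char **argv) {
    const char *cmd[5];
    char *const empty_env[] = { NULL };   /* drop the caller's environment */
    if (argc != 3 || build_open_argv(argv[1], argv[2], cmd) != 0) {
        fprintf(stderr, "usage: luksopen-only <allowed-device> <name>\n");
        return 2;
    }
    /* Only succeeds when installed setuid root (assumption). */
    if (setuid(0) != 0) { perror("setuid"); return 1; }
    execve(CRYPTSETUP, (char *const *)cmd, empty_env);
    perror("execve");
    return 1;
}
```

Because the subcommand is hard-coded and both arguments are validated before the exec, a caller cannot reach the formatting functionality through this binary; cryptsetup itself still prompts for the passphrase.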