A user provided volume/device should always be mounted with "nosuid,nodev" options,some people will add "noexec" into the mix but i find it not to be very useful.
Most "sane" mount front ends will also not mount any arbitrary file system on these user provided volumes/devices.They will only mount file systems they explicitly allow and file systems that are already known by the system ie file systems whose modules are already loaded.This is done to prevent misuse of mount to load kernel modules that are not already loaded.
The problem is with what options were used with mount command and TrueCrypt uses bad options.Here,TrueCrypt is used not for its encryption feature,but for its bad mount command usage.Any other tool with the same bad usage will do in carrying out the exploit.
So perhaps TrueCrypt in linux has a serious security issue should be changed to read Linux has a serious security issue
Doesn't sound particular to TrueCrypt.
I remember fielding a support call from a customer running Coherent on the Commodore Z8000 system who fabricated a floppy with pretty much the same properties--used a user-space program to create a floppy with setuid and then mounted it.
There are "standard practices" when it comes to usage of the mount tool and TrueCrypt does not follow them and its inability to follow them is what leads to this privilege escalation.
Another "standard practice" TrueCrypt is not following is its creation of the mount point with 0777 permissions at "/media",a directory that is world readable.A "standard practice" is to have mount points at "/run/media/$USER" or "/media/$USER" or anywhere else where only the owner of the mount point has access to it.This is another security issue that need to be addressed.
Everywhere I look to see how to use TrueCrypt on Linux, I see it being used as just another encrypted block device. This strongly indicates that any policy issues that you're bringing up aren't the fault of TrueCrypt, but rather are issues with whatever mount scripts you're using.
Can you point me to some documentation that would give me cause to believe otherwise?
What steps are involved when mounting a TrueCrypt volume?
This is what happens when you mount a TrueCrypt volume using their GUI application in linux.
1. A TrueCrypt volume is unlocked by TrueCrypt.
2. The unlocked volume is mounted by TrueCrypt.
The mounting "script" in this case is TrueCrypt and hence it is TrueCrypt's fault.
If you unlock the volume using TrueCrypt and then mount the unlocked volume using udisks,then it would be udisks' fault.
If you unlock the volume using TrueCrypt and then mount the volume yourself,then it will be your fault.
The fault is in the person who is doing the mounting and in TrueCrypt's GUI application case,TrueCrypt is the one who is doing the mounting and hence its TrueCrypt's fault.
How are you using TrueCrypt GUI if TrueCrypt is not the part that does the mounting?
I am not aware of any documentations but i am aware of discussions around "best practices" when it comes to usage of the mount command.
> The mounting "script" in this case is TrueCrypt and hence it is TrueCrypt's fault.
I was completely unaware of the existence of a TrueCrypt GUI. I understood TrueCrypt to be the block device encryption software that filled the same role as LUKS.
So, you should refine your claim. Rather than saying "TrueCrypt mounts things insecurely." say "There are helper scripts distributed with TrueCrypt that mount things insecurely. They should be fixed.".
> I am aware of discussions around "best practices" when it comes to usage of the mount command.
The thing about Best Practices is that they don't work in all circumstances. If the volume mounting scripts packaged with TrueCrypt get updated, any defaults should be configurable, as there exist folks who need suid binaries in their TC volumes, as well as folks who don't like mounting things in /run . :)
A user provided volume/device should always be mounted with "nosuid,nodev" options,some people will add "noexec" into the mix but i find it not to be very useful.
Most "sane" mount front ends will also not mount any arbitrary file system on these user provided volumes/devices.They will only mount file systems they explicitly allow and file systems that are already known by the system ie file systems whose modules are already loaded.This is done to prevent misuse of mount to load kernel modules that are not already loaded.
The problem is with what options were used with mount command and TrueCrypt uses bad options.Here,TrueCrypt is used not for its encryption feature,but for its bad mount command usage.Any other tool with the same bad usage will do in carrying out the exploit.