freebsd bug veracrypt not able to create a basic file container volume #1446

Open
justanotherscript opened this issue Nov 23, 2024 · 11 comments

justanotherscript commented Nov 23, 2024

Expected behavior

Changes between 1.26.7 and 1.26.14, not all but to describe the error (25 August 2024):
FreeBSD:
Fix privilege escalation prompts not showing up (GH #1349)
Support automatic detection and mounting of ext2/3/4, exFAT, NTFS filesystems (GH #1350)
Use correct Disk Utility location when "check filesystem" is ran (GH #1273)

Observed behavior

Privilege escalation prompts are appearing, for example when trying to create a basic file container volume, but after typing in the correct sudo password, "Not enough data available" appears as an error.

Steps to reproduce

creating a new veracrypt basic/ standard file container volume

Screenshots

Your Environment

[Screenshots: 1-13, 14_sudo_promt, 15_final_error_despite_correct_password]

Please tell us more about your environment

VeraCrypt version: veracrypt-1.26.15 (freebsd package)

Operating system and version: FreeBSD-14.1-RELEASE

System type: 64-bit amd64


tarastella commented Nov 24, 2024

I wonder if I am experiencing the same issue from a different angle.
I'm running under FreeBSD 14.1 with veracrypt 1.26.15 installed from ports.

If I run veracrypt as a user, both GUI or text interface, and
I try to mount a volume (with the correct volume and sudo passwords), I receive the message:
"Error: Not enough data available".

As an example, the command line is:
veracrypt --text --load-preferences --mount /home/user/volume.dsk /home/user/Documents/volume/ '--pim=0' '--keyfiles=' '--protect-hidden=no' '--slot=1'

If I run the above command with sudo, that works perfectly, ex:
sudo veracrypt --text --load-preferences --mount /home/user/volume.dsk /home/user/Documents/volume/ '--pim=0' '--keyfiles=' '--protect-hidden=no' '--slot=1'

Veracrypt, under the hood, invokes sudo to process the actual mount command.

I used truss and the command that fails seems to be:
sudo -S -p /usr/local/bin/veracrypt --core-service

truss trace here

With the following problem:
effective uid is not 0, is /usr/local/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

I use ZFS, but the filesystem has setuid attribute activated by default

$ zfs get setuid zroot/usr
NAME       PROPERTY  VALUE   SOURCE
zroot/usr  setuid    on      default

And that is also confirmed by the fact I can run sudo in other contexts without problems.
Thanks a million!

@justanotherscript can you check with truss if you have the same problem please?

P.S. Not sure mine is actually a veracrypt bug, but I can't understand what I am doing wrong.

@justanotherscript
Author

@tarastella thanks for the idea. I tried the same as described above, this time with the veracrypt GUI port. And there the exact error is being shown, except this time it doesn't even ask me for a sudo password like before, but just shows me the error "Not enough data available". Just to make it clear: before you answered I installed veracrypt with "pkg install veracrypt" and now I also tried it with "cd /usr/ports/security/veracrypt/ && make install clean". I will also provide, as above, the screenshots of the behavior of the port package.

[Screenshots: 1-10, 10_with_error, 11_info]

@justanotherscript
Author

I know FreeBSD might not be the biggest priority, but maybe you can take a look at it when you get a chance. Thank you in advance @idrassi

@tarastella

Out of curiosity @justanotherscript, can you run through the process with sudo (if you haven't already)?
Open a terminal, do "sudo veracrypt", and check if you have the same error message.
Thanks


justanotherscript commented Nov 26, 2024

When I ran the package the whole time as root, the error doesn't occur (but the thing here is that the package seems to be a more recent version than the ports version, at least in this case). In the most recent version the error should have been fixed to escalate the privileges without the need to start it from the beginning with sudo.

The screenshots are from the prebuilt binary package:
[Screenshots: veracrypt_starting_as_root(pkg), error_not_appearing_run_as_root (https://github.com/user-attachments/assets/85b41816-f6c6-48d7-9281-1a6a576d5b0e), info]


tarastella commented Nov 27, 2024

As we're in the realm of curiosity, and to understand if my issue is the same as yours, can you please run this command as a user please?

truss -s 1024 -f -o vera.out veracrypt

and reproduce the error. Then attach here the vera.out.
I wonder if you have the same problem when veracrypt under the hood calls sudo.
Thanks


justanotherscript commented Nov 27, 2024


tarastella commented Dec 2, 2024

Hey @justanotherscript! Thanks for sharing.

I have limited capabilities when it comes to programming, but looking at your trace, I have the feeling we share the same privilege elevation issue:

 1105: write(2,"effective uid is not 0, is /usr/local/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?",139) = 139 (0x8b)
 1106: read(0,": effective uid is not 0, is /usr/local/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?",32768) = 141 (0x8d)

I've also tried to read the source code of Veracrypt, and, with my limited knowledge, I am not totally sure that this is purely related to Veracrypt itself. It seems that the sudo suid bit is somehow ignored. In my case, I'm sure that the suid bit is working, and the filesystem has suid allowed.

I've also tried to post a message in the FreeBSD forum, but nothing so far.
Honestly, I have no other means to triage this any further.

[edit] I forgot to mention that I might have tracked it down to this call of line 416:

if (request.RequiresElevation())

const char *args[] = { "sudo", "-S", "-p", "", appPath.c_str(), TC_CORE_SERVICE_CMDLINE_OPTION, nullptr };

@tarastella

I might need to apologise.
I found out in this post:
https://superuser.com/questions/1578875/why-does-sudo-fail-with-strace

that strace is calling a variant of exec() that does not honour the suid for security reasons.
I've done some experiments with truss, and it might follow the same pattern.

So, what I wrote so far, i.e., receiving the message "effective uid is not 0" from the elevation of VeraCrypt might be due to me using truss itself, and it might be unrelated to the actual issue that returns "Not enough data."

I tried to help, but I might have steered the conversation in the wrong direction.
I still stand by the issue I described in my first comment.

At this point, I'm happy to follow any direction to help troubleshoot this.
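
Added example, not part of the thread and not VeraCrypt or sudo code: a /bin/sh triage helper that separates the three causes discussed above for sudo's "effective uid is not 0" message (a run under truss/strace, a nosuid mount, a sudo binary that is not setuid root). The function names, the `traced` argument and the sample `mount` output are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample of FreeBSD `mount` output; pass real `mount` output in practice.
SAMPLE_MOUNTS='zroot/ROOT/default on / (zfs, local, noatime, nfsv4acls)
zroot/usr on /usr (zfs, local, noatime, nfsv4acls)
zroot/usr/home on /usr/home (zfs, local, noatime, nosuid, nfsv4acls)'

# True if $1 has the setuid bit set and is owned by uid 0.
is_setuid_root() {
    [ -u "$1" ] || return 1
    [ "$(ls -ldn "$1" | awk '{print $3}')" = "0" ]
}

# Reads `mount` output on stdin; true if the longest mount point that is a
# path prefix of $1 lists the nosuid option.
on_nosuid_mount() {
    awk -v p="$1" '
    {
        i = index($0, " on "); j = index($0, " (")
        if (!i || j <= i) next
        mp = substr($0, i + 4, j - i - 4); opts = substr($0, j + 2)
        # Match only on a path-component boundary (/usr/home vs /usr/homework).
        if (mp == "/" || p == mp || index(p, mp "/") == 1)
            if (length(mp) > best) {
                best = length(mp)
                ns = (opts ~ /(^|[ ,])nosuid([,)]|$)/)
            }
    }
    END { exit(ns ? 0 : 1) }'
}

# $1 = path to sudo, $2 = mount output, $3 = "traced" if the failing run was
# started under truss/strace. Prints the first cause that applies.
diagnose() {
    if [ "$3" = "traced" ]; then
        echo "tracer: setuid is not honoured under a tracer; retest without truss"
    elif printf '%s\n' "$2" | on_nosuid_mount "$1"; then
        echo "nosuid: the file system holding $1 is mounted nosuid"
    elif ! is_setuid_root "$1"; then
        echo "mode: $1 is not a setuid-root binary"
    else
        echo "ok: setuid-root binary on a suid-capable mount"
    fi
}

# Demo on the constructed sample, for a run that was started under truss.
diagnose /usr/local/bin/sudo "$SAMPLE_MOUNTS" traced
```

On a real system, call it as `diagnose /usr/local/bin/sudo "$(mount)" untraced` to check the binary and its file system without a tracer attached.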

@justanotherscript
Author

Don't worry too much; you have already helped a lot and tried to find the cause. When the time comes, core developers will certainly address the issue. In any case, thank you for your time and effort.
