Unix: add doas elevation support

Prefer sudo when available and fall back to doas on Unix. Run doas authentication through a PTY while keeping service communication on stdin/stdout pipes, and use a no-fork service mode for the doas path.

Keep doas authentication terminal descriptors close-on-exec and close the slave descriptor after attaching it as the controlling terminal. Preserve startup diagnostics through stderr until service synchronization completes, then redirect no-fork service stderr away from the closed parent pipe.

Use noninteractive privilege-helper auth checks for both sudo and doas so cached, nopass, or persisted sessions do not need an unnecessary VeraCrypt password prompt. Keep the PTY password path for doas when authentication is required.

Use a shared Unix DOAS_USER helper for FUSE and mount ownership, backed by getpwnam_r and guarded so non-OpenBSD platforms only trust it for VeraCrypt's internal doas no-fork service path. Detach asynchronous child-reaper threads to avoid leaking joinable pthread handles.
This commit is contained in:
Mounir IDRASSI
2026-06-21 18:09:09 +09:00
parent 26adb5e882
commit 47786ddce8
8 changed files with 623 additions and 131 deletions
+1 -27
View File
@@ -21,14 +21,12 @@
#ifdef TC_LINUX
#include <sys/utsname.h>
#endif
#ifdef TC_OPENBSD
#include <pwd.h>
#endif
#include <stdio.h>
#include <unistd.h>
#include "Platform/FileStream.h"
#include "Platform/MemoryStream.h"
#include "Platform/SystemLog.h"
#include "Core/Unix/UnixUser.h"
#include "Driver/Fuse/FuseService.h"
#include "Volume/VolumePasswordCache.h"
@@ -43,26 +41,6 @@ namespace VeraCrypt
static bool SamePath (const string& path1, const string& path2);
#endif
#ifdef TC_OPENBSD
static bool GetDoasUserIds (uid_t *uid, gid_t *gid)
{
const char *env = getenv ("DOAS_USER");
if (!env || !env[0])
return false;
struct passwd *pw = getpwnam (env);
if (!pw)
return false;
if (uid)
*uid = pw->pw_uid;
if (gid)
*gid = pw->pw_gid;
return true;
}
#endif
// Struct to hold terminal emulator information
struct TerminalInfo {
const char* name;
@@ -657,11 +635,9 @@ namespace VeraCrypt
catch (...) { }
}
#ifdef TC_OPENBSD
gid_t doasGid;
if (GetDoasUserIds (nullptr, &doasGid))
return doasGid;
#endif
return getgid();
}
@@ -679,11 +655,9 @@ namespace VeraCrypt
catch (...) { }
}
#ifdef TC_OPENBSD
uid_t doasUid;
if (GetDoasUserIds (&doasUid, nullptr))
return doasUid;
#endif
return getuid();
}