Encrypted File Systems, Part 5

As described earlier, I’ve been trying to come up with a way to make the automatically-mounted TrueCrypt-encrypted home directory, on my Ubuntu Linux machine, also automatically unmount when I log off. I’ve finally done so, and I’ve learned some fascinating things about Linux in the process.

The first problem that I ran into was figuring out when the user was trying to log out. There’s a script that’s supposed to be called automatically on logout, ~/.bash_logout (some other distributions apparently use ~/.logout instead), so I tried sticking a truecrypt -d command in that file. It was called when I logged off of a text-mode terminal, but it gave me the usual “Running with effective user id 0 (set-euid root) is not supported” error — you have to use sudo, or be logged in as root, in order to run it for anything. Since I didn’t want to enter my password just to log out, I started looking for ways around this.

The answer turned out to be fairly simple: modifying the sudoers file with the visudo command. I added this line to the end:

headgeek ALL=PASSWD:ALL, NOPASSWD:/usr/bin/truecrypt

Note that it has to go at the end of the file, because in case of conflicts (like having the headgeek account as part of the administrator group, but having a second line that applied only to it), sudo uses the last matching item listed.

(You can find more information on hacking the sudo command on this page.)
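One detail worth checking in that line: `NOPASSWD:/usr/bin/truecrypt` with no arguments lets any truecrypt invocation through without a password, while the logout script only ever needs the dismount. sudoers matches arguments listed after a command exactly, so the passwordless part can be narrowed to that one call. This is an added example, not a line from the post; `headgeek` and the `/home/headgeek` mount point are the post's own, and the rule still belongs at the end of the file for the last-match reason given above.

```sudoers
# Added example (not the post's own line): same grant as before, but the
# passwordless entry names the exact dismount command instead of any
# truecrypt invocation. Edit with visudo; keep this as the last line.
headgeek ALL=PASSWD:ALL, NOPASSWD:/usr/bin/truecrypt -d /home/headgeek
```

After saving, `sudo -l` run as headgeek lists what the rule actually grants, which is the quickest way to confirm that only the dismount is passwordless.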

Once that was added, anytime I tried to run sudo truecrypt, it allowed it without asking me for my password. Cool — one problem down. 🙂

Now the encrypted drive was automatically unmounted when I logged off. Great! Except… it only worked when I logged out of a text-mode shell, not when I logged out of GNOME. I spend the vast majority of my time in GNOME, and that’s where I primarily wanted it to work from. But there’s apparently no script run when you log off of GNOME, and no way to log off of it via a script either. Back to the drawing board.

After contemplating several methods of doing this (including having a script run by cron every minute, watching for when I had logged out… I discarded that one because it was inefficient, but it probably would have worked), here’s what I settled on.

I picked up the Boot-Up Manager package (“bum”), which gave me an easy-to-use graphical way to disable the automatic boot into the GNOME GUI. Then I made a little script, ~/.bash_login, containing the following code (explanation below):

    ucount=`who | grep -c -w "^$USER"`    # how many sessions does this user have right now?
    if [ "$ucount" = 1 ]; then
        echo 'Primary shell, starting GUI in five seconds (control+c to cancel)'
        sleep 5s
        startx                            # returns when the GNOME session ends
        sudo truecrypt -d /home/$USER     # dismount the encrypted home (passwordless via sudoers)
        logout
    else
        echo 'Secondary shell, not starting GUI.'
    fi

(Sorry for the formatting, it’s properly indented here but my blog software squashes it all over to the left side.)

The first line is slightly complex. It runs a who command (which shows what users are logged into the system at the moment), piping the output to the grep program. grep is asked to count (-c) the number of lines containing the user’s login name ($USER) as a whole word (-w) at the beginning of the line (the ‘^’ symbol). Since those two commands are inside backquotes, the shell takes the output of the grep command (which, since we asked for a count, is simply a number) and assigns it to the variable ucount.

After that, things are fairly self-explanatory. If there’s only one of me logged on, then of course this copy has to be it; it gives me five seconds to abort it (using the sleep program), then goes into the GUI with the startx command. When I log out of GNOME, it continues the script where it left off, unmounting the TrueCrypt drive before logging out. If who says that there’s more than one of me (which can happen if I switch to a different terminal with Control+Alt+F2 or some such while I’m still logged into the GUI), it doesn’t bother with any of that, instead just allowing me to go about my business.
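The same gate, written as an added example rather than the post's own ~/.bash_login, so the session-counting step can be exercised offline against constructed who output, and with an EXIT trap so the dismount still happens if startx fails or is interrupted instead of returning normally. Assumptions: the post's sudoers rule for /usr/bin/truecrypt is in place, the counting uses an exact first-field match in awk in place of `grep -c -w "^$USER"` (same result, and it always prints a number), and the `SAMPLE_WHO` text is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the blog post's own ~/.bash_login: the "am I the only
# session?" gate split into functions, an EXIT trap that guarantees the
# dismount, and a constructed who(1) sample so the logic runs offline.

# Count login sessions for user $1 in who(1)-style output read from stdin.
# The first field of each who line is the user name, so an exact field match
# replaces the post's grep -w "^$USER"; always prints a number (0 if none).
count_sessions() {
    awk -v u="$1" '$1 == u { n++ } END { print n + 0 }'
}

# Decide what a login shell should do for user $1: "gui" when this is the
# user's only session, "shell" otherwise. Reads who-style output from stdin.
session_mode() {
    if [ "$(count_sessions "$1")" -eq 1 ]; then
        echo gui
    else
        echo shell
    fi
}

# Dismount the TrueCrypt-encrypted home (the command the sudoers rule allows).
dismount_home() {
    sudo truecrypt -d "/home/$USER"
}

# Start the GUI for the current user and make sure the dismount runs when the
# login shell exits, however startx ended. Never called at top level here.
start_gui() {
    trap dismount_home EXIT     # runs at logout even if startx failed or was interrupted
    echo 'Primary shell, starting GUI in five seconds (control+c to cancel)'
    sleep 5
    startx                      # returns when the GNOME session ends
}

# What ~/.bash_login would call (not executed here): gate on the live `who`.
# `logout` triggers the EXIT trap above, so the volume is dismounted first.
login_hook() {
    case "$(who | session_mode "$USER")" in
        gui) start_gui; logout ;;
        *)   echo 'Secondary shell, not starting GUI.' ;;
    esac
}

# Constructed who(1) output for the offline demonstration: headgeek has a
# console login plus a terminal inside the X session; guest has one session.
SAMPLE_WHO='headgeek tty1         2007-05-12 09:00
headgeek pts/0        2007-05-12 09:05 (:0.0)
guest    tty2         2007-05-12 09:10'

# Demonstration on the constructed sample (the real hook pipes `who` instead).
printf '%s\n' "$SAMPLE_WHO" | count_sessions headgeek   # prints 2
printf '%s\n' "$SAMPLE_WHO" | session_mode guest        # prints gui
```

The trap is the part the original script lacks: with the dismount placed after startx as a plain statement, a startx that exits non-zero still reaches it, but a Ctrl-C during the five-second wait or anything that exits the login shell early does not, whereas an EXIT trap runs in every one of those cases.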

It all works. 🙂 However, be advised that there is a price: when you use startx to get into the GUI, GNOME doesn’t give you the option to shut down or restart; you can ONLY log out. It’s easy enough to shut down (via shutdown 0) or restart (via shutdown -r 0) the system instead of using logout if that’s what you desire. There may be some other subtle differences in it as well, though I haven’t spotted any yet.

Of course, since I’m the only user on this system, I don’t particularly need that extra security — if I log out of the GUI, it’s usually because I’m shutting the system down or rebooting it. I simply wanted to figure out how to do it in case I ever do need to give someone else that I don’t fully trust access to the system (kids, anyone?), and because I’ve seen other people request it before with no answer.

While the TrueCrypt portion of this thread is (probably) finished, this may not be the last Encrypted File System entry here. While I like TrueCrypt a lot, I hear that it has to be upgraded separately after each major kernel update, which sounds like a major pain in the tail. dm-crypt sounds like a decent contender (once I poke at it for a while to make sure it’s equally trustworthy), and as it’s built on an integrated part of the kernel itself, presumably it wouldn’t need to be separately upgraded. If/when I experiment with it, I’ll write anything interesting that I find here.

4 Comments

  1. Interesting. Glad you found a way to do it. sudoers is a pretty useful file, especially under Ubuntu where hacking it is even more often useful.

    Users of sudo (writing here for the benefit of the lurkers) should know that the “sudoers” manpage has a lot of EBNF stuff in the beginning. Although it has a long and intriguing introduction to this notation, this is only designed to keep the riff-raff out. Ordinary mortals should type /EXAMPLES, hit return, and read some fairly self-explanatory examples of /etc/sudoers usage. (This is a good idea in many such manpages, sudoers being an extreme example.)

    One should always use the visudo command to edit, to lock the file. If you don’t like the default editor under Ubuntu or other Debian derivatives, use update-alternatives –config editor. (Others should change some environment variable, either EDITOR or VISUAL I think. Since I like vi, I never do.)

  2. WordPress turns two dashes together into an em-dash (a longer dash). To avoid that, use the <code> and </code> tags around any command-line stuff.
