OpenDoas with Veracrypt?

I use doas instead of sudo. And I use a symbolic link to bind sudo to doas to try to subside any issues with programs trying to use sudo. I tried to make and mount a veracrypt volume but got this:

Failed to obtain administrator privileges: sudo: invalid option -- 'S'
usage: doas [-Lns] [-C config] [-u user] command [args]

Is there some way to get around this? How could I force veracrypt to use doas?

Any help is appreciated,
Thank you.

What is the S option for sudo supposed to do?
Have you looked at the man page?

1 Like

-S , --stdin
Write the prompt to the standard error and read the password from the standard input instead of using the terminal device.

I believe there is an equivalent argument in opendoas for -n

-n Non interactive mode, fail if the matching rule doesn’t have the nopass option.

Edit: Never mind, -n doesn’t work, as it requires the nopass option in doas.conf, which allows a user to escalate without a password.

So is this an official veracrypt setup script that you are running, which is giving the password to sudo via the -S flag?
Can you see why it is doing this?

My guess is that OpenBSD developers, when making doas, decided that the -S method of authentication was too insecure and refused to implement it; I have no source that this is actually the case, however.

1 Like

It’s a bummer that all those tools depend on sudo and its flags.

You can do something trivial and stupid as I do for my yay doas wrapper that had also sudo flags.

Just shift the flag out.
https://git.sr.ht/~freed00m/dotfiles/tree/master/item/.local/bin/yay-doas-wrapper

If you name this script sudo in $PATH, it will call your doas with dropped flags.

It can be done in some smart way, I just never cared and had to do it quickly.

2 Likes

I tried this and Veracrypt gave the same error but for -p

-p prompt, --prompt=prompt
Use a custom password prompt with optional escape sequences. The following percent (‘%’) escape sequences are supported by the sudoers policy

So I don’t think this is going to be easily solved with just a wrapper for doas. I have gone to the SourceForge page for Veracrypt and made a feature request for opendoas support, but I haven’t gotten a response on the post as of yet. Should I make a submission on the GitHub too?

The thing is I knew yay was putting the flags in order, so I echoed the stuff that the program (in your case veracrypt) is calling with sudo, then I observe the flags and modify the output.

And you have modified the script, since I’ve been shifting a different flag than “-p”?

There is also a possibility veracrypt is not calling “sudo” but “/usr/bin/sudo”, so it’s not even looking in your $PATH for “sudo”.

1 Like

I know this, but I still got sudo working in the way you are suggesting. I made the wrapper you mentioned and copied it to /usr/bin/sudo and echoed out -S, but then it said -p is also being used. I could just echo that out too. But I can’t imagine Veracrypt is going to be too happy with all of those custom responses and stuff just missing from what it was expecting. I asked for a feature request but haven’t gotten a response yet so I’m just kind of waiting. I might even try to make the change myself if need be.
I might still attempt to use the wrapper for all of the options veracrypt uses though just to be sure.
Thank you

Question: why not just read through and modify the script you’re calling? As long as you branch from main you can just manually update it too.

1 Like

Are you referring to the Doas wrapper mentioned or Veracrypt itself? I am attempting to create and mount a veracrypt virtual volume.

Sorry, for a second there I was under the impression that you were using an intermediate script to call veracrypt.

In this case, yes, the wrapper would be the only way to do things, but that’s not as simple as modifying the script making a call to sudo itself.

1 Like

You are right. After removing all of the sudo flags in the wrapper, it doesn’t appear to work. Authentication appears to fail every time, despite putting in the right password. This could come down to the method that Veracrypt is trying to use to authenticate with what it thinks is sudo, by just depositing directly into stdin, which is what the -S flag was for. So somehow something else is getting in? Or this method is just straight up failing with doas? I’m unsure.
But direct modification of Veracrypt may be required.
I am just going to use sudo for this specific time considering I don’t plan on accessing the documents in recent time. But this is definitely going to keep me from using Veracrypt as often as I would like to.

1 Like
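The flag-dropping wrapper discussed in this thread, as an added example (not code from any poster or from the linked yay-doas-wrapper): it drops `-S` and `-p prompt`, including the prompt's value, keeps the options shown in the doas usage line above, and refuses anything else instead of silently ignoring it. The `DOAS_BIN` variable is a hypothetical override for inspecting the result. It only addresses the "invalid option" errors: the doas usage line offers no stdin-password mode, so a caller that feeds the password on stdin can still fail to authenticate, as the last post reports.

```shell
#!/bin/sh
# Added example: translate sudo-style arguments into doas-style ones.
# DOAS_BIN is a hypothetical override used to inspect the translated argv.

sudo_shim() {
    remaining=$#   # arguments not yet examined (they sit at the front of "$@")
    opts_done=0    # set once "--" or the command word has been seen
    while [ "$remaining" -gt 0 ]; do
        arg=$1; shift; remaining=$((remaining - 1))
        if [ "$opts_done" -eq 1 ]; then
            set -- "$@" "$arg"     # the command and its own arguments: untouched
            continue
        fi
        case $arg in
            -S|--stdin) ;;         # sudo-only, no doas equivalent: drop
            -p|--prompt)           # sudo-only and takes a value: drop both
                if [ "$remaining" -gt 0 ]; then
                    shift; remaining=$((remaining - 1))
                fi ;;
            -p?*|--prompt=*) ;;    # same option with the value attached
            -u)                    # doas also has -u user: keep flag and value
                [ "$remaining" -gt 0 ] || {
                    echo "sudo shim: -u needs a user" >&2; return 2; }
                set -- "$@" "$arg" "$1"; shift; remaining=$((remaining - 1)) ;;
            -n|-s)                 # present in the doas usage line: keep
                set -- "$@" "$arg" ;;
            --)                    # end of options
                opts_done=1; set -- "$@" "$arg" ;;
            -*)                    # unknown to doas: fail loudly, do not guess
                echo "sudo shim: unsupported sudo option: $arg" >&2; return 2 ;;
            *)                     # first non-option word is the command
                opts_done=1; set -- "$@" "$arg" ;;
        esac
    done
    "${DOAS_BIN:-doas}" "$@"
}

# Act as the wrapper only when installed under the name "sudo".
case ${0##*/} in
    sudo) sudo_shim "$@"; exit $? ;;
esac
```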