To Root or Not to Root?

Depending on how system security was configured when you installed Linux on your system (or how you configured it afterward, e.g., with Bastille Linux), you may be accustomed to performing certain filesystem-related tasks only as root. That makes sense on most multiuser systems because traditionally, ordinary users don't need to be able, for example, to format filesystems or create new volumes.

However, BestCrypt is designed to be used not only by root but also by rank-and-file users. (After all, root isn't the only one with sensitive data.) Furthermore, conventional wisdom tells us to avoid using root privileges for routine, nonadministrative activities. Mounting and using encrypted volumes that protect your word-processing documents doesn't and shouldn't constitute an administrative function.

BestCrypt itself, as installed by default, can be run by ordinary users. But BestCrypt depends on your system's native mkfs tools to format new containers. Therefore, any user who needs to create BestCrypt containers will need execute privileges on /sbin/mkfs, /sbin/mkfs.msdos, et al. If you're the only user on your system (e.g., it's a laptop system) there's nothing wrong with these files being world-executable; in fact, they may already be world-executable. If you don't want all local users to be able to make filesystems, make those binaries group-executable and add selected users to the group that owns them; you may even want to create a special group for this purpose.
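The group-based restriction described above can be audited and applied with a short script. This is an added example, not part of the original article or of BestCrypt; the group name mkfsusers, the user alice and both function names are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example: restrict the mkfs helpers to one group instead of leaving
# them world-executable. "mkfsusers" and "alice" are hypothetical names.

# List the mkfs binaries in DIR that any local user can execute.
world_exec_mkfs() {
    find "$1" -maxdepth 1 -type f -name 'mkfs*' -perm -001 | sort
}

# Hand the mkfs binaries in DIR to GROUP: owner rwx, group r-x, others none.
restrict_mkfs() {
    dir=$1
    group=$2
    for f in "$dir"/mkfs*; do
        [ -L "$f" ] && continue      # leave symlinks alone; chmod would hit the target
        [ -f "$f" ] || continue      # skip when the glob matched nothing
        chgrp "$group" "$f" && chmod 750 "$f" || return 1
    done
}

# Typical use as root (left commented out so the file can be sourced safely):
#   groupadd mkfsusers
#   usermod -aG mkfsusers alice      # repeat for each user who creates containers
#   world_exec_mkfs /sbin            # audit: what is world-executable now?
#   restrict_mkfs /sbin mkfsusers
#   world_exec_mkfs /sbin            # audit again: should print nothing
```

Where a mkfs.* name is a symlink to another formatter binary, that target needs the same ownership and mode, since the script skips symlinks.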

Actually mounting containers is handled directly by BestCrypt; it doesn't matter what /sbin/mount's permissions are. Users may only mount BestCrypt volumes on mountpoints that they own, so you don't need to worry about unprivileged users mounting their personal data vaults over /bin. By the way, BestCrypt explicitly supports the creation of encrypted home directories; for instructions see www.jetico.com/linux.htm#tricks.