
Right, the attack would be something like:

    # On a machine where you have root, do the following in a Truecrypt volume:
    for maj in {0..4096}; do
      for min in {0..1048576}; do
        mknod block-${maj}.${min} b $maj $min
        mknod char-${maj}.${min} c $maj $min
      done
    done
    chmod a+rwx {block,char}-*
All devices which represent a block device (namely, hard drives and similar media) have some (major, minor) value. There are currently[1] 4096 values for the major number and 1048576 for the minor number, so we can just create all of them (or you could just create the first 256, since it's very rare for the number to go above that).

And now when you mount the volume on a machine (without needing root, because that's what TrueCrypt allows you to do), the mounted filesystem contains every possible block and character device with read/write permissions for every user on the system. Therefore, one of the block devices (you can check by doing an ls in /dev) will correspond to the root filesystem, and the user can now read or write to it directly.

By adding "nodev", the kernel will not permit any user to access character or block device inodes on the filesystem (even if you would normally have permissions).

[1]: https://elixir.bootlin.com/linux/v5.4.3/source/include/linux...
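A defender-side check for the mount option the comment describes, as an added example that is not part of the original comment: it reads lines in /proc/mounts format and lists every real filesystem that was mounted without nodev. The sample mount lines, device names and mount points below are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit mounts for the "nodev" option.
# Reads /proc/mounts-format lines on stdin and prints "<mountpoint> <fstype>"
# for each filesystem mounted without nodev. The root filesystem and kernel
# pseudo filesystems (which are root-managed and expected to carry device
# nodes, or cannot hold user-created inodes) are skipped.
audit_nodev() {
  awk '
    BEGIN {
      skip["devtmpfs"] = 1; skip["devpts"] = 1; skip["proc"] = 1
      skip["sysfs"] = 1;    skip["cgroup"] = 1; skip["cgroup2"] = 1
      skip["securityfs"] = 1; skip["pstore"] = 1; skip["bpf"] = 1
    }
    {
      mnt = $2; fstype = $3; opts = $4
      if (mnt == "/" || (fstype in skip)) next
      # mount options are a comma-separated list; look for an exact "nodev"
      n = split(opts, o, ",")
      has = 0
      for (i = 1; i <= n; i++) if (o[i] == "nodev") has = 1
      if (!has) print mnt, fstype
    }
  '
}

# Constructed sample in /proc/mounts format (not captured from a real host).
# Two user-mounted volumes lack nodev: the USB stick and alice's container.
sample_mounts() {
  cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
tmpfs /run tmpfs rw,nosuid,nodev,size=1G 0 0
/dev/sdb1 /media/usb vfat rw,nosuid,uid=1000 0 0
/dev/mapper/truecrypt1 /home/alice/tc ext4 rw,nosuid 0 0
/dev/mapper/truecrypt2 /home/bob/tc ext4 rw,nosuid,nodev 0 0
EOF
}

# Usage on a live host: audit_nodev < /proc/mounts
# Against the constructed sample:
sample_mounts | audit_nodev
```

On a live system any line this prints for a mount a non-root user controls is worth a second look, since it is exactly the condition the comment's device-node trick relies on.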
