<div dir="ltr"><div>Thank you for your very helpful & informative reply.<br><br>>> Live DVDs could intentionally loosen permission checks. <br>>> After all you are supposed to be the sole user and cannot <br>>> interfere with anything.<br><br>I had not thought of that. Nonetheless, I have verified <br>the problem exists on a clean install of 64 bit PCLinuxOS <br>KDE. All of the commands below are run on that system.<br><br>Synaptic reports this:<br><br> udisks2 version 2.1.3-2pclos2014<br> polkit version 0.103-2pclos2013 <br><br>I think polkit is version 1 because files are located in<br>/usr/share/polkit-1 (see below). I'm assuming udisks<br>is version 2 based on the name.<br><br><br>Here's my entry in /etc/fstab:<br><br>LABEL=ROOT3 /mnt/ROOT3 ext4 noauto,nouser,ro 1 2<br><br><br><br>>> use "udisksctl info -b /dev/sdXN" to check whether partition is<br>>> considered system or not:<br><br>LABEL=ROOT3 is on /dev/sda1, so <br><br>"udisksctl info -b /dev/sda1" reports below (run as non-root), <br>full output, not just the HintSystem in case there's something <br>else useful there. 
(note it does see the "noauto,nouser,ro" <br>settings, but note later in the output ReadOnly is false, <br>just pointing it out, don't know if "ro" and "ReadOnly" are<br>related).<br><br><br>##### BEGIN OUTPUT<br>/org/freedesktop/UDisks2/block_devices/sda1:<br> org.freedesktop.UDisks2.Block:<br> Configuration: [('fstab', {'fsname': <b'LABEL=ROOT3'>, 'dir': <b'/mnt/ROOT3'>, 'type': <b'ext4'>, 'opts': <b'noauto,nouser,ro'>, 'freq': <1>, 'passno': <2>})]<br> CryptoBackingDevice: '/'<br> Device: /dev/sda1<br> DeviceNumber: 2049<br> Drive: '/org/freedesktop/UDisks2/drives/Hitachi_HTS545032B9A300_100425PBNC001YKAPV0R'<br> HintAuto: false<br> HintIconName: <br> HintIgnore: false<br> HintName: <br> HintPartitionable: true<br> HintSymbolicIconName: <br> HintSystem: true<br> Id: by-id-ata-Hitachi_HTS545032B9A300_100425PBNC001YKAPV0R-part1<br> IdLabel: ROOT3<br> IdType: ext4<br> IdUUID: 3140959a-7709-4cfa-a1bf-5424167d1a4c<br> IdUsage: filesystem<br> IdVersion: 1.0<br> MDRaid: '/'<br> MDRaidMember: '/'<br> PreferredDevice: /dev/sda1<br> ReadOnly: false<br> Size: 16106127360<br> Symlinks: /dev/block/8:1<br> /dev/disk/by-id/ata-Hitachi_HTS545032B9A300_100425PBNC001YKAPV0R-part1<br> /dev/disk/by-id/scsi-SATA_Hitachi_HTS5450100425PBNC001YKAPV0R-part1<br> /dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0-part1<br> /dev/disk/by-uuid/3140959a-7709-4cfa-a1bf-5424167d1a4c<br> /dev/disk/by-label/ROOT3<br> /dev/disk/by-id/wwn-0x5000cca5edef2434-part1<br> /dev/disk/by-id/edd-int13_dev80-part1<br> org.freedesktop.UDisks2.Filesystem:<br> MountPoints: <br> org.freedesktop.UDisks2.Partition:<br> Flags: 0<br> IsContained: false<br> IsContainer: false<br> Name: <br> Number: 1<br> Offset: 1048576<br> Size: 16106127360<br> Table: '/org/freedesktop/UDisks2/block_devices/sda'<br> Type: 0x83<br> UUID: <br><br><br>##### END OUTPUT<br><br>HintSystem is set to "true"<br><br><br>>> System devices require authentication for<br>>> org.freedesktop.udisks2.filesystem-mount-system action; other devices 
-<br>>> for org.freedesktop.udisks2.filesystem-mount. Check whether polkit<br>>> grants you it:<br><br>Running as non-root user,<br><br> pkcheck -a org.freedesktop.udisks2.filesystem-mount-system -p $$<br><br>returns no visible output, so running<br><br> echo $?<br><br>returns 0<br><br>I believe this means that polkit is granting permission to me (non-root user)<br><br>>> udisksctl mount -b /dev/sdXN<br><br>Running as non-root user,<br><br> udisksctl mount -b /dev/sda1 <br> Mounted /dev/sda1 at /mnt/ROOT3.<br><br>/usr/share/polkit-1/actions/org.freedesktop.udisks2.policy<br>is very big (2500+ lines). Because of that, I don't want to <br>include it directly in this reply, so I have provided it <br>as an attachment (I hope that's OK).<br><br>I thought maybe I needed to modify:<br><br> /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy<br><br>I went to the <br><br> <action id="org.freedesktop.udisks2.filesystem-mount-system"> <br><br>section, and changed <br><br> <allow_active>yes</allow_active><br>to <allow_active>auth_admin</allow_active><br><br>towards the end of the section.<br><br>I rebooted (I wasn't sure if I needed to but I just wanted to be sure).<br>I (non-root) could still mount ROOT3 using the KDE device notifier<br>and running "udisksctl mount -b /dev/sda1" on the command line.<br><br>Thinking maybe I misunderstood whether the device was of type system or not, <br>I went back to "org.freedesktop.udisks2.filesystem-mount-system" <br>and changed all occurrences (in all sections of the file) of<br><br> <allow_active>yes</allow_active><br> to <allow_active>auth_admin</allow_active><br><br>rebooted (didn't know if that was needed), and I (non-root) can still<br>mount ROOT3 using the device notifier or calling udisksctl on the <br>command line.<br><br>Questions:<br><br>- is udisks supposed to ignore the "nouser" setting in /etc/fstab <br></div> and just go by whatever polkit tells it?<br><div><br>- do I need to reboot after changing <br> 
/usr/share/polkit-1/actions/org.freedesktop.udisks2.policy<br><br>- even if ROOT3 were not set to "nouser", why am I (non-root)<br>allowed to mount ROOT3 using udisksctl even after I set every<br>occurrence of <allow_active> to auth_admin?<br><br>Paul.<br>* <br><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Feb 13, 2015 at 12:24 AM, Andrei Borzenkov <span dir="ltr"><<a href="mailto:arvidjaar@gmail.com" target="_blank">arvidjaar@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Thu, 12 Feb 2015 11:59:40 -0600<br>
Paul Novak <<a href="mailto:k9jenius@gmail.com">k9jenius@gmail.com</a>> writes:<br>
<span class=""><br>
> I'm trying to track down what I think is a bug that<br>
> can be seen using the KDE device notifier (although<br>
> according to the KDE folks, the problem is either in<br>
> udisk or polkit (either a bug or misconfiguration).<br>
><br>
> I'm just a user; I'm not a developer.<br>
><br>
> Before I write a bug report, I'm asking for confirmation<br>
> that what I'm seeing is in fact a bug and not expected/<br>
> desired behavior.<br>
><br>
> I have verified this issue running LiveDVDs of<br>
> Kubuntu, Mint, and PCLinuxOS. I used LiveDVDs<br>
> to eliminate any possibility of the problem<br>
> being related to my personal computer.<br>
><br>
<br>
</span>Live DVDs could intentionally loosen permission checks. After all you<br>
are supposed to be the sole user and cannot interfere with anything.<br>
<span class=""><br>
> I have many partitions on my primary hard drive that<br>
> are not normally mounted. One of them (for example)<br>
> is LABEL-ed ROOT3 and I have an entry in /etc/fstab<br>
> that looks like this:<br>
><br>
> LABEL=ROOT3 /mnt/ROOT3 ext4 noauto,nouser,ro 1 2<br>
><br>
> I don't want non-root users to be able to mount or unmount<br>
> that partition, so I have set the "nouser" attribute.<br>
><br>
> In a (non-root) terminal, if I run<br>
><br>
> mount /mnt/ROOT3<br>
><br>
> I will (correctly) get this error:<br>
><br>
> mount: only root can mount LABEL=ROOT3 on /mnt/ROOT3<br>
><br>
> However, if I (non-root user) click on the KDE Device Notifier and<br>
> configure it to look at all devices (not just removable),<br>
> then find the ROOT3 partition, and then click on the "little belt"<br>
> icon to the right of the ROOT3, the Device Notifier does mount<br>
> the filesystem read-only. Because the filesystem is mounted<br>
> read-only, I know the Device Notifier (or the tools it calls)<br>
> is reading /etc/fstab. But I also know that "nouser" is<br>
> apparently being ignored.<br>
><br>
> I filed a bug report against the KDE Device Notifier, but they closed<br>
> it saying the device notifier calls udisks which calls polkit when<br>
> dealing with mounts, so the problem was either a bug or a<br>
> misconfiguration of polkit or udisk.<br>
><br>
<br>
</span>use "udiskctl info -b /dev/sdXN" to check whether partition is<br>
considered system or not:<br>
<br>
bor@opensuse:~> udisksctl info -b /dev/sda1<br>
/org/freedesktop/UDisks2/block_devices/sda1:<br>
org.freedesktop.UDisks2.Block:<br>
Configuration: [('fstab', {'fsname': <b'/dev/sda1'>, 'dir': <b'/boot'>, 'type': <b'ext2'>, 'opts': <b'defaults'>, 'freq': <1>, 'passno': <2>})]<br>
...<br>
HintSystem: true<br>
<br>
System devices require authentication for<br>
org.freedesktop.udisks2.filesystem-mount-system action; other devices -<br>
for org.freedesktop.udisks2.filesystem-mount. Check whether polkit<br>
grants you it:<br>
<br>
bor@opensuse:~> pkcheck -a org.freedesktop.udisks2.filesystem-mount-system -p $$<br>
polkit\56retains_authorization_after_challenge=1<br>
Authorization requires authentication and -u wasn't passed.<br>
<br>
So here polkit will require explicit authentication for system<br>
devices. As opposed to<br>
<br>
bor@opensuse:~> pkcheck -a org.freedesktop.udisks2.filesystem-mount -p $$<br>
bor@opensuse:~/src/udisks> echo $?<br>
0<br>
<br>
Finally, try to mount explicitly from the command line<br>
<br>
udisksctl mount -b /dev/sdXN<br>
<br>
Note that it also depends on whether you have udisks or udisks2 and<br>
polkit or polkit2 ... but you get the idea?<br>
<span class=""><br>
> I don't want to write a needless bug report if in fact<br>
> this behavior is not a bug. Could someone please<br>
> let me know if this is expected behavior ("ro" is used,<br>
> but "nouser" seems to be ignored)?<br>
><br>
> Yesterday I posted a similar message to the polkit-devel<br>
> mailing list, but I haven't heard anything from anyone<br>
> there.<br>
><br>
> Thanks.<br>
><br>
> Paul.<br>
><br>
</span>> _______________________________________________<br>
> devkit-devel mailing list<br>
> <a href="mailto:devkit-devel@lists.freedesktop.org">devkit-devel@lists.freedesktop.org</a><br>
> <a href="http://lists.freedesktop.org/mailman/listinfo/devkit-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/devkit-devel</a><br>
<br>
</blockquote></div><br></div>
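As an added illustration of the checks traded in this thread (reading HintSystem and the fstab options out of "udisksctl info -b" output, mapping HintSystem to the filesystem-mount or filesystem-mount-system action, and reading that action's allow_active default from a .policy file), here is a small Python audit helper. It is not udisks or polkit code; the udisksctl text and the policy XML embedded in it are constructed samples modelled on the thread, not the real 2500-line policy file.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample modelled on the udisksctl output quoted in the thread.
UDISKSCTL_INFO = """/org/freedesktop/UDisks2/block_devices/sda1:
  org.freedesktop.UDisks2.Block:
    Configuration: [('fstab', {'fsname': <b'LABEL=ROOT3'>, 'dir': <b'/mnt/ROOT3'>, 'type': <b'ext4'>, 'opts': <b'noauto,nouser,ro'>, 'freq': <1>, 'passno': <2>})]
    Device: /dev/sda1
    HintSystem: true
    ReadOnly: false
"""
# Constructed excerpt in the shape of a polkit .policy file, not the real 2500-line one.
POLICY_XML = """<policyconfig>
  <action id="org.freedesktop.udisks2.filesystem-mount">
    <defaults><allow_any>auth_admin</allow_any><allow_inactive>auth_admin</allow_inactive><allow_active>yes</allow_active></defaults>
  </action>
  <action id="org.freedesktop.udisks2.filesystem-mount-system">
    <defaults><allow_any>auth_admin</allow_any><allow_inactive>auth_admin</allow_inactive><allow_active>auth_admin</allow_active></defaults>
  </action>
</policyconfig>"""

def parse_info(text):
    """Extract the udisksctl properties that matter for the mount decision."""
    props = {}
    for key in ("Device", "HintSystem", "ReadOnly"):
        m = re.search(r"^\s*%s:\s*(\S+)" % key, text, re.M)
        props[key] = m.group(1) if m else None
    m = re.search(r"'opts':\s*<b'([^']*)'>", text)  # fstab options as udisks saw them
    props["fstab_opts"] = set(m.group(1).split(",")) if m else set()
    return props

def mount_action(props):
    """HintSystem=true selects the -system action, as Andrei's reply explains."""
    base = "org.freedesktop.udisks2.filesystem-mount"
    return base + "-system" if props.get("HintSystem") == "true" else base

def implicit_active_default(policy_xml, action_id):
    """<allow_active> for one action id: the implicit default only, local rules win."""
    for action in ET.fromstring(policy_xml).iter("action"):
        if action.get("id") == action_id:
            return action.findtext("defaults/allow_active")

def audit(info_text=UDISKSCTL_INFO, policy_xml=POLICY_XML):
    """Summarise what udisks2 sees and which polkit default would apply to a mount."""
    props = parse_info(info_text)
    action = mount_action(props)
    return {"device": props["Device"], "action": action,
            "allow_active": implicit_active_default(policy_xml, action),
            "fstab_nouser": "nouser" in props["fstab_opts"], "fstab_ro": "ro" in props["fstab_opts"],
            "udisks_readonly": props["ReadOnly"] == "true"}
```

The allow_active value is only polkit's implicit default; site-local authority configuration overrides it, so pkcheck remains the authoritative check of what is actually granted.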