<div dir="ltr">Thank you again for your help, it is sincerely appreciated. >> This file sets default policy. There could be other settings that >> change it. E.g. I have in /etc/polkit-1/rules.d/90-default-privs.rules >> check /etc/polkit-1/rules.d and /usr/share/polkit-1/rules.d In PCLinuxOS, there is no /etc/polkit-1/rules.d or /usr/share/polkit-1/rules.d directory; I don't know why, I am not a developer or packager, just a user. However, I snooped around and did find this file: /etc/polkit-1/localauthority/50-local.d/10-storage-group-mount-override.pkla which has this contents: ##### BEGIN [storage group mount override] Identity=unix-group:polkituser Action=org.freedesktop.udisks2.* ResultAny=yes ResultInactive=yes ResultActive=yes ##### END As you speculated, I believed this file is somehow overriding the default policies in: /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy So I went back and changed /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy in the <action id="org.freedesktop.udisks2.filesystem-mount-system"> section, and changed <allow_active>yes</allow_active> to <allow_active>auth_admin</allow_active> Additionally, I removed /etc/polkit-1/localauthority/50-local.d/10-storage-group-mount-override.pkla I probably could have just deleted the ResultActive=yes line... I rebooted, and just as you speculated, now when using the KDE device manager to mount ROOT3, I am prompted for the root password, and then the filesystem mounts. However, even though the box titled "Remember authorization" is selected, if I unmount ROOT3, and then use the KDE device notifier to mount it again, I am again asked for the root password again. Even if I could figure out why I am repeatedly asked for the root password, more important to me is that that I have another entry in my /etc/fstab that looks like this (also showing original ROOT3 line): LABEL=HOME3 /mnt/HOME3 ext4 noauto,user,ro 1 2 LABEL=ROOT3 /mnt/ROOT3 ext4 noauto,nouser,ro 1 2 I do want any user to be able to mount HOME3 (user is set); I do not want any user to able to mount ROOT3 (nouser is set); I read up some more, and learned about the x-udisks-auth option in /etc/fstab. I changed my ROOT3 entry in /etc/fstab to this: LABEL=ROOT3 /mnt/ROOT3 ext4 noauto,nouser,ro,x-udisks-auth 1 2 and putzed around with the policy file again In summary, I have: -- removed /etc/polkit-1/localauthority/50-local.d/10-storage-group-mount-override.pkla -- in /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy, inside the <action id="org.freedesktop.udisks2.filesystem-fstab"> block, I changed <allow_active>yes</allow_active> to <allow_active>auth_admin</allow_active> (The prior changes I made to this file were undone; only this one line number 259 is different from the official PCLinuxOS release. -- added x-udisks-auth to the ROOT3 entry in /etc/fstab Right now, with these 3 changes, any regular user can mount or unmount HOME3 (without root password), but that regular user is prompted for the root password to mount or unmount ROOT3. That's exactly the behavior I want. I'm not yet sure what I may have unintentionally broken (for example, I have not yet plugged in a portable USB drive), but I'm pretty happy right now regardless. Questions: 1. Is udisk supposed to ignore the "nouser" option in /etc/fstab and do whatever polkit tell it to? 2. It looks to me like whenever a filesystem has "nouser" set in /etc/fstab, "x-udisks-auth" should also be set since "/bin/mount" does not know about "x-udisks-auth", and "udisksctl mount" seems to ignore "nouser". Additionally, "<allow_active>auth_admin</allow_active>" must be set in inside the <action id="org.freedesktop.udisks2.filesystem-fstab"> section to get consistent results between running "mount" or "udiskctl mount" Is that correct? Again, a big thank you. Paul. * </div><div class="gmail_extra"> <div class="gmail_quote">On Fri, Feb 13, 2015 at 11:51 AM, Andrei Borzenkov <<a href="mailto:arvidjaar@gmail.com" target="_blank">arvidjaar@gmail.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">В Fri, 13 Feb 2015 10:24:39 -0600 Paul Novak <<a href="mailto:k9jenius@gmail.com">k9jenius@gmail.com</a>> пишет: > > >> System devices require authentication for > >> org.freedesktop.udisks2.filesystem-mount-system action; other devices - > >> for org.freedesktop.udisks2.filesystem-mount. Check whether polkit > >> grants you it: > > Running as non-root user, > > pkcheck -a org.freedesktop.udisks2.filesystem-mount-system -p $$ > > returns no visible output, so running > > echo $? > > returns 0 > > I believe this means that polkit is granting permission to me (non-root > user) > Correct. > > I went to the > > <action id="org.freedesktop.udisks2.filesystem-mount-system"> > > section, and changed > > <allow_active>yes</allow_active> > to <allow_active>auth_admin</allow_active> > > towards the end of the section. > > I rebooted (I wasn't sure if I needed to but I just wanted to be sure). > I (non-root) could still mount ROOT3 using the KDE device notifier > and running "udisksctl mount -b /dev/sda1" on the command line. > This file sets default policy. There could be other settings that change it. E.g. I have in /etc/polkit-1/rules.d/90-default-privs.rules 'org.freedesktop.udisks2.filesystem-mount-system': [ 'auth_admin', 'auth_admin', 'auth_admin_keep' ], check /etc/polkit-1/rules.d and /usr/share/polkit-1/rules.d You can also simply create additional file to override these settings. > > - is udisks supposed to ignore the "nouser" setting in /etc/fstab > and just go by whatever polkit tell it? > > - do I need to reboot after changing > /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy > You need to restart polkit daemon <div class="HOEnZb"><div class="h5"> > - even if ROOT3 were not set to "nouser", why am I (non-root) > allowed to mount ROOT3 using udisksctl even after I set every > occurance of <allow_active> to auth_admin? > > Paul. > * > > > On Fri, Feb 13, 2015 at 12:24 AM, Andrei Borzenkov <<a href="mailto:arvidjaar@gmail.com">arvidjaar@gmail.com</a>> > wrote: > > > В Thu, 12 Feb 2015 11:59:40 -0600 > > Paul Novak <<a href="mailto:k9jenius@gmail.com">k9jenius@gmail.com</a>> пишет: > > > > > I'm trying to track down what I think is a bug that > > > can be seen using the KDE device notifier (although > > > according to the KDE folks, the problem in either in > > > udisk or polkit (either a bug or misconfiguration). > > > > > > I'm just a user; I'm not a developer. > > > > > > Before I write a bug report, I'm asking for confirmation > > > that what I'm seeing is in fact a bug and not expected/ > > > desired behavior. > > > > > > I have verified this issue running LiveDVDs of > > > Kubuntu, Mint, and PCLinuxOS. I used LiveDVDs > > > to eliminate any possibility of the problem > > > being related to my personal computer. > > > > > > > Live DVDs could intentionally loosen permission checks. After all you > > are supposed to be the sole user and cannot interfere with anything. > > > > > I have many partitions on my primary hard drive that > > > are not normally mounted. One of them (for example) > > > is LABEL-ed ROOT3 and I have an entry in /etc/fstab > > > that looks like this: > > > > > > LABEL=ROOT3 /mnt/ROOT3 ext4 noauto,nouser,ro 1 2 > > > > > > I don't want non-root users to be able to mount or unmount > > > that partition, so I have set the "nouser" attribute. > > > > > > In a (non-root) terminal, if I run > > > > > > mount /mnt/ROOT3 > > > > > > I will (correctly) get this error: > > > > > > mount: only root can mount LABEL=ROOT3 on /mnt/ROOT3 > > > > > > However, if I (non-root user) click on the KDE Device Notifier and > > > configure it to look at all devices (not just removable), > > > then find the ROOT3 partition, and then click on the "little belt" > > > icon to the right of the ROOT3, the Device Notifier does mount > > > the filesystem read-only. Because the filestem is mounted > > > read-only, I know the Device Notifier (or the tools it calls) > > > is reading /etc/fstab. But I also know that "nouser" is > > > apparently being ignored. > > > > > > I filed a bug report again the KDE Device Notifier, but they closed > > > it saying the device notifier calls udisk with calls polkit when > > > dealing with mounts, so the problem was either a bug or a > > > misconfiguration of polkit or udisk. > > > > > > > use "udiskctl info -b /dev/sdXN" to check whether partition is > > considered system or not: > > > > bor@opensuse:~> udisksctl info -b /dev/sda1 > > /org/freedesktop/UDisks2/block_devices/sda1: > > org.freedesktop.UDisks2.Block: > > Configuration: [('fstab', {'fsname': <b'/dev/sda1'>, > > 'dir': <b'/boot'>, 'type': <b'ext2'>, 'opts': <b'defaults'>, 'freq': <1>, > > 'passno': <2>})] > > ... > > HintSystem: true > > > > System devices require authentication for > > org.freedesktop.udisks2.filesystem-mount-system action; other devices - > > for org.freedesktop.udisks2.filesystem-mount. Check whether polkit > > grants you it: > > > > bor@opensuse:~> pkcheck -a > > org.freedesktop.udisks2.filesystem-mount-system -p $$ > > polkit\56retains_authorization_after_challenge=1 > > Authorization requires authentication and -u wasn't passed. > > > > So here poilkit will require explicit authentication for system > > devices. As opposed to > > > > bor@opensuse:~> pkcheck -a org.freedesktop.udisks2.filesystem-mount -p $$ > > bor@opensuse:~/src/udisks> echo $? > > 0 > > > > Finally try explicitly mount from command line > > > > udisksctl mount -b /dev/sdXN > > > > Note that it also depends on whether you have udisks or udisks2 and > > polkit or polkit2 ... but you got an idea? > > > > > I don't want to write a needless bug report if in fact > > > this is behavior is not a bug. Could someone please > > > let me know if this is expected behavior ("ro" is used, > > > but "nouser" seems to be ignored)? > > > > > > Yesterday I posted a similar message to the polkit-devel > > > mailing list, but I haven't heard anything from anyone > > > there. > > > > > > Thanks. > > > > > > Paul. > > > > > > _______________________________________________ > > > devkit-devel mailing list > > > <a href="mailto:devkit-devel@lists.freedesktop.org">devkit-devel@lists.freedesktop.org</a> > > > <a href="http://lists.freedesktop.org/mailman/listinfo/devkit-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/devkit-devel</a> > > > > </div></div></blockquote></div> </div>