KDE Device Notifier mounts nouser filesystems
Andrei Borzenkov
arvidjaar at gmail.com
Fri Feb 13 09:51:37 PST 2015
On Fri, 13 Feb 2015 10:24:39 -0600
Paul Novak <k9jenius at gmail.com> writes:
>
> >> System devices require authentication for
> >> org.freedesktop.udisks2.filesystem-mount-system action; other devices -
> >> for org.freedesktop.udisks2.filesystem-mount. Check whether polkit
> >> grants you it:
>
> Running as non-root user,
>
> pkcheck -a org.freedesktop.udisks2.filesystem-mount-system -p $$
>
> returns no visible output, so running
>
> echo $?
>
> returns 0
>
> I believe this means that polkit is granting permission to me (non-root
> user)
>
Correct.
>
> I went to the
>
> <action id="org.freedesktop.udisks2.filesystem-mount-system">
>
> section, and changed
>
> <allow_active>yes</allow_active>
> to <allow_active>auth_admin</allow_active>
>
> towards the end of the section.
>
> I rebooted (I wasn't sure if I needed to but I just wanted to be sure).
> I (non-root) could still mount ROOT3 using the KDE device notifier
> and running "udisksctl mount -b /dev/sda1" on the command line.
>
This file sets the default policy. There could be other settings that
change it. E.g. I have in /etc/polkit-1/rules.d/90-default-privs.rules:
'org.freedesktop.udisks2.filesystem-mount-system':
[ 'auth_admin', 'auth_admin', 'auth_admin_keep' ],
Check /etc/polkit-1/rules.d and /usr/share/polkit-1/rules.d.
You can also simply create an additional file to override these settings.
>
> - is udisks supposed to ignore the "nouser" setting in /etc/fstab
> and just go by whatever polkit tell it?
>
> - do I need to reboot after changing
> /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy
>
You need to restart the polkit daemon.
> - even if ROOT3 were not set to "nouser", why am I (non-root)
> allowed to mount ROOT3 using udisksctl even after I set every
> occurrence of <allow_active> to auth_admin?
>
> Paul.
>
>
> On Fri, Feb 13, 2015 at 12:24 AM, Andrei Borzenkov <arvidjaar at gmail.com>
> wrote:
>
> > On Thu, 12 Feb 2015 11:59:40 -0600
> > Paul Novak <k9jenius at gmail.com> writes:
> >
> > > I'm trying to track down what I think is a bug that
> > > can be seen using the KDE device notifier (although
> > > according to the KDE folks, the problem is either in
> > > udisks or polkit (either a bug or misconfiguration).
> > >
> > > I'm just a user; I'm not a developer.
> > >
> > > Before I write a bug report, I'm asking for confirmation
> > > that what I'm seeing is in fact a bug and not expected/
> > > desired behavior.
> > >
> > > I have verified this issue running LiveDVDs of
> > > Kubuntu, Mint, and PCLinuxOS. I used LiveDVDs
> > > to eliminate any possibility of the problem
> > > being related to my personal computer.
> > >
> >
> > Live DVDs could intentionally loosen permission checks. After all, you
> > are supposed to be the sole user and cannot interfere with anything.
> >
> > > I have many partitions on my primary hard drive that
> > > are not normally mounted. One of them (for example)
> > > is LABEL-ed ROOT3 and I have an entry in /etc/fstab
> > > that looks like this:
> > >
> > > LABEL=ROOT3 /mnt/ROOT3 ext4 noauto,nouser,ro 1 2
> > >
> > > I don't want non-root users to be able to mount or unmount
> > > that partition, so I have set the "nouser" attribute.
> > >
> > > In a (non-root) terminal, if I run
> > >
> > > mount /mnt/ROOT3
> > >
> > > I will (correctly) get this error:
> > >
> > > mount: only root can mount LABEL=ROOT3 on /mnt/ROOT3
> > >
> > > However, if I (non-root user) click on the KDE Device Notifier and
> > > configure it to look at all devices (not just removable),
> > > then find the ROOT3 partition, and then click on the "little belt"
> > > icon to the right of the ROOT3, the Device Notifier does mount
> > > the filesystem read-only. Because the filesystem is mounted
> > > read-only, I know the Device Notifier (or the tools it calls)
> > > is reading /etc/fstab. But I also know that "nouser" is
> > > apparently being ignored.
> > >
> > > I filed a bug report against the KDE Device Notifier, but they closed
> > > it saying the device notifier calls udisks, which calls polkit when
> > > dealing with mounts, so the problem was either a bug or a
> > > misconfiguration of polkit or udisks.
> > >
> >
> > Use "udisksctl info -b /dev/sdXN" to check whether the partition is
> > considered a system device or not:
> >
> > bor at opensuse:~> udisksctl info -b /dev/sda1
> > /org/freedesktop/UDisks2/block_devices/sda1:
> > org.freedesktop.UDisks2.Block:
> > Configuration: [('fstab', {'fsname': <b'/dev/sda1'>,
> > 'dir': <b'/boot'>, 'type': <b'ext2'>, 'opts': <b'defaults'>, 'freq': <1>,
> > 'passno': <2>})]
> > ...
> > HintSystem: true
> >
> > System devices require authentication for
> > org.freedesktop.udisks2.filesystem-mount-system action; other devices -
> > for org.freedesktop.udisks2.filesystem-mount. Check whether polkit
> > grants you it:
> >
> > bor at opensuse:~> pkcheck -a
> > org.freedesktop.udisks2.filesystem-mount-system -p $$
> > polkit\56retains_authorization_after_challenge=1
> > Authorization requires authentication and -u wasn't passed.
> >
> > So here polkit will require explicit authentication for system
> > devices. As opposed to
> >
> > bor at opensuse:~> pkcheck -a org.freedesktop.udisks2.filesystem-mount -p $$
> > bor at opensuse:~/src/udisks> echo $?
> > 0
> >
> > Finally, try to mount explicitly from the command line:
> >
> > udisksctl mount -b /dev/sdXN
> >
> > Note that it also depends on whether you have udisks or udisks2 and
> > polkit or polkit2 ... but you get the idea?
> >
> > > I don't want to write a needless bug report if in fact
> > > this behavior is not a bug. Could someone please
> > > let me know if this is expected behavior ("ro" is used,
> > > but "nouser" seems to be ignored)?
> > >
> > > Yesterday I posted a similar message to the polkit-devel
> > > mailing list, but I haven't heard anything from anyone
> > > there.
> > >
> > > Thanks.
> > >
> > > Paul.
> > >
> > > _______________________________________________
> > > devkit-devel mailing list
> > > devkit-devel at lists.freedesktop.org
> > > http://lists.freedesktop.org/mailman/listinfo/devkit-devel
> >
> >
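As an added example (not code from this thread or from udisks/polkit), here is the kind of override rules file Andrei suggests creating under /etc/polkit-1/rules.d, which forces admin authentication for the filesystem-mount-system action that applies to HintSystem devices. It is preceded by a small constructed stand-in for polkitd's rule runner so the rule can be exercised offline; the file name and the group/user values are assumptions.

```javascript
// Added example, not from the thread: a polkit JavaScript rule (polkit >= 0.106)
// that forces admin authentication for udisks2 "system" mounts, plus a
// constructed stand-in for the runtime polkitd provides to rules files.

// polkitd calls each addRule() callback in file-name order and takes the
// first non-null result; null falls through to <defaults> in the .policy
// file (allow_active etc.). This shim mimics only that much.
const polkit = {
  Result: { NO: "no", YES: "yes", AUTH_ADMIN: "auth_admin",
            AUTH_ADMIN_KEEP: "auth_admin_keep", NOT_HANDLED: null },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
  checkAuthorization(action, subject) {
    for (const rule of this.rules) {
      const result = rule(action, subject);
      if (result !== null && result !== undefined) return result;
    }
    return null; // no rule decided: the .policy defaults apply
  },
};

// ---- contents of /etc/polkit-1/rules.d/10-udisks2-system-mount.rules ----
// (constructed name; lower-numbered files run before 90-default-privs.rules)
polkit.addRule(function (action, subject) {
  if (action.id === "org.freedesktop.udisks2.filesystem-mount-system") {
    // Devices udisks reports with HintSystem: true (e.g. fixed partitions
    // listed in /etc/fstab) always need an admin password, even from an
    // active local session.
    return polkit.Result.AUTH_ADMIN;
  }
  // Everything else, including ...filesystem-mount for removable media,
  // is left to the .policy defaults.
  return polkit.Result.NOT_HANDLED;
});

// Build action/subject objects in the shape polkit hands to rules and ask
// the shim what the rule decides. User name and session state are inputs.
function decide(actionId, user, active) {
  return polkit.checkAuthorization(
    { id: actionId },
    { user, local: true, active, isInGroup: () => false });
}

// Which udisks2 action applies depends on the device's HintSystem flag,
// as shown by "udisksctl info -b /dev/sdXN".
function actionForDevice(hintSystem) {
  return hintSystem
    ? "org.freedesktop.udisks2.filesystem-mount-system"
    : "org.freedesktop.udisks2.filesystem-mount";
}
```

After installing such a file, restart polkitd and re-run `pkcheck -a org.freedesktop.udisks2.filesystem-mount-system -p $$`; it should now report that authorization requires authentication.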