KDE Device Notifier mounts nouser filesystems
Paul Novak
k9jenius at gmail.com
Fri Feb 13 13:19:53 PST 2015
Thank you again for your help, it is sincerely appreciated.
>> This file sets default policy. There could be other settings that
>> change it. E.g. I have in /etc/polkit-1/rules.d/90-default-privs.rules
>> check /etc/polkit-1/rules.d and /usr/share/polkit-1/rules.d
In PCLinuxOS, there is no /etc/polkit-1/rules.d or
/usr/share/polkit-1/rules.d directory; I don't know why,
I am not a developer or packager, just a user.
However, I snooped around and did find this file:
/etc/polkit-1/localauthority/50-local.d/10-storage-group-mount-override.pkla
which has this contents:
##### BEGIN
[storage group mount override]
Identity=unix-group:polkituser
Action=org.freedesktop.udisks2.*
ResultAny=yes
ResultInactive=yes
ResultActive=yes
##### END
As you speculated, I believed this file is somehow overriding
the default policies in:
/usr/share/polkit-1/actions/org.freedesktop.udisks2.policy
So I went back and changed
/usr/share/polkit-1/actions/org.freedesktop.udisks2.policy
in the <action id="org.freedesktop.udisks2.filesystem-mount-system">
section, and changed
<allow_active>yes</allow_active>
to <allow_active>auth_admin</allow_active>
Additionally, I removed
/etc/polkit-1/localauthority/50-local.d/10-storage-group-mount-override.pkla
I probably could have just deleted the ResultActive=yes line...
I rebooted, and just as you speculated, now when using the KDE device
manager
to mount ROOT3, I am prompted for the root password, and then the filesystem
mounts. However, even though the box titled "Remember authorization" is
selected, if I unmount ROOT3, and then use the KDE device notifier to
mount it again, I am again asked for the root password again.
Even if I could figure out why I am repeatedly asked for the root password,
more important to me is that that I have another entry in my
/etc/fstab that looks like this (also showing original ROOT3 line):
LABEL=HOME3 /mnt/HOME3 ext4 noauto,user,ro 1 2
LABEL=ROOT3 /mnt/ROOT3 ext4 noauto,nouser,ro 1 2
I do want any user to be able to mount HOME3 (user is set);
I do not want any user to able to mount ROOT3 (nouser is set);
I read up some more, and learned about the x-udisks-auth
option in /etc/fstab. I changed my ROOT3 entry in /etc/fstab
to this:
LABEL=ROOT3 /mnt/ROOT3 ext4 noauto,nouser,ro,x-udisks-auth 1 2
and putzed around with the policy file again
In summary, I have:
-- removed
/etc/polkit-1/localauthority/50-local.d/10-storage-group-mount-override.pkla
-- in /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy,
inside the <action id="org.freedesktop.udisks2.filesystem-fstab">
block, I changed
<allow_active>yes</allow_active>
to <allow_active>auth_admin</allow_active>
(The prior changes I made to this file were undone; only this one
line number 259 is different from the official PCLinuxOS release.
-- added x-udisks-auth to the ROOT3 entry in /etc/fstab
Right now, with these 3 changes, any regular user can mount
or unmount HOME3 (without root password), but that regular
user is prompted for the root password to mount or unmount
ROOT3. That's exactly the behavior I want. I'm not yet sure
what I may have unintentionally broken (for example, I have
not yet plugged in a portable USB drive), but I'm pretty happy
right now regardless.
Questions:
1. Is udisk supposed to ignore the "nouser" option in /etc/fstab and
do whatever polkit tell it to?
2. It looks to me like whenever a filesystem has "nouser" set
in /etc/fstab, "x-udisks-auth" should also be set since
"/bin/mount" does not know about "x-udisks-auth", and
"udisksctl mount" seems to ignore "nouser".
Additionally, "<allow_active>auth_admin</allow_active>" must be
set in inside the <action id="org.freedesktop.udisks2.filesystem-fstab">
section to get consistent results between running "mount" or
"udiskctl mount"
Is that correct?
Again, a big thank you.
Paul.
*
On Fri, Feb 13, 2015 at 11:51 AM, Andrei Borzenkov <arvidjaar at gmail.com>
wrote:
> В Fri, 13 Feb 2015 10:24:39 -0600
> Paul Novak <k9jenius at gmail.com> пишет:
>
> >
> > >> System devices require authentication for
> > >> org.freedesktop.udisks2.filesystem-mount-system action; other devices
> -
> > >> for org.freedesktop.udisks2.filesystem-mount. Check whether polkit
> > >> grants you it:
> >
> > Running as non-root user,
> >
> > pkcheck -a org.freedesktop.udisks2.filesystem-mount-system -p $$
> >
> > returns no visible output, so running
> >
> > echo $?
> >
> > returns 0
> >
> > I believe this means that polkit is granting permission to me (non-root
> > user)
> >
>
> Correct.
>
> >
> > I went to the
> >
> > <action id="org.freedesktop.udisks2.filesystem-mount-system">
> >
> > section, and changed
> >
> > <allow_active>yes</allow_active>
> > to <allow_active>auth_admin</allow_active>
> >
> > towards the end of the section.
> >
> > I rebooted (I wasn't sure if I needed to but I just wanted to be sure).
> > I (non-root) could still mount ROOT3 using the KDE device notifier
> > and running "udisksctl mount -b /dev/sda1" on the command line.
> >
>
> This file sets default policy. There could be other settings that
> change it. E.g. I have in /etc/polkit-1/rules.d/90-default-privs.rules
>
> 'org.freedesktop.udisks2.filesystem-mount-system':
> [ 'auth_admin', 'auth_admin', 'auth_admin_keep' ],
>
> check /etc/polkit-1/rules.d and /usr/share/polkit-1/rules.d
>
> You can also simply create additional file to override these settings.
>
> >
> > - is udisks supposed to ignore the "nouser" setting in /etc/fstab
> > and just go by whatever polkit tell it?
> >
> > - do I need to reboot after changing
> > /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy
> >
>
> You need to restart polkit daemon
>
> > - even if ROOT3 were not set to "nouser", why am I (non-root)
> > allowed to mount ROOT3 using udisksctl even after I set every
> > occurance of <allow_active> to auth_admin?
> >
> > Paul.
> > *
> >
> >
> > On Fri, Feb 13, 2015 at 12:24 AM, Andrei Borzenkov <arvidjaar at gmail.com>
> > wrote:
> >
> > > В Thu, 12 Feb 2015 11:59:40 -0600
> > > Paul Novak <k9jenius at gmail.com> пишет:
> > >
> > > > I'm trying to track down what I think is a bug that
> > > > can be seen using the KDE device notifier (although
> > > > according to the KDE folks, the problem in either in
> > > > udisk or polkit (either a bug or misconfiguration).
> > > >
> > > > I'm just a user; I'm not a developer.
> > > >
> > > > Before I write a bug report, I'm asking for confirmation
> > > > that what I'm seeing is in fact a bug and not expected/
> > > > desired behavior.
> > > >
> > > > I have verified this issue running LiveDVDs of
> > > > Kubuntu, Mint, and PCLinuxOS. I used LiveDVDs
> > > > to eliminate any possibility of the problem
> > > > being related to my personal computer.
> > > >
> > >
> > > Live DVDs could intentionally loosen permission checks. After all you
> > > are supposed to be the sole user and cannot interfere with anything.
> > >
> > > > I have many partitions on my primary hard drive that
> > > > are not normally mounted. One of them (for example)
> > > > is LABEL-ed ROOT3 and I have an entry in /etc/fstab
> > > > that looks like this:
> > > >
> > > > LABEL=ROOT3 /mnt/ROOT3 ext4 noauto,nouser,ro 1 2
> > > >
> > > > I don't want non-root users to be able to mount or unmount
> > > > that partition, so I have set the "nouser" attribute.
> > > >
> > > > In a (non-root) terminal, if I run
> > > >
> > > > mount /mnt/ROOT3
> > > >
> > > > I will (correctly) get this error:
> > > >
> > > > mount: only root can mount LABEL=ROOT3 on /mnt/ROOT3
> > > >
> > > > However, if I (non-root user) click on the KDE Device Notifier and
> > > > configure it to look at all devices (not just removable),
> > > > then find the ROOT3 partition, and then click on the "little belt"
> > > > icon to the right of the ROOT3, the Device Notifier does mount
> > > > the filesystem read-only. Because the filestem is mounted
> > > > read-only, I know the Device Notifier (or the tools it calls)
> > > > is reading /etc/fstab. But I also know that "nouser" is
> > > > apparently being ignored.
> > > >
> > > > I filed a bug report again the KDE Device Notifier, but they closed
> > > > it saying the device notifier calls udisk with calls polkit when
> > > > dealing with mounts, so the problem was either a bug or a
> > > > misconfiguration of polkit or udisk.
> > > >
> > >
> > > use "udiskctl info -b /dev/sdXN" to check whether partition is
> > > considered system or not:
> > >
> > > bor at opensuse:~> udisksctl info -b /dev/sda1
> > > /org/freedesktop/UDisks2/block_devices/sda1:
> > > org.freedesktop.UDisks2.Block:
> > > Configuration: [('fstab', {'fsname': <b'/dev/sda1'>,
> > > 'dir': <b'/boot'>, 'type': <b'ext2'>, 'opts': <b'defaults'>, 'freq':
> <1>,
> > > 'passno': <2>})]
> > > ...
> > > HintSystem: true
> > >
> > > System devices require authentication for
> > > org.freedesktop.udisks2.filesystem-mount-system action; other devices -
> > > for org.freedesktop.udisks2.filesystem-mount. Check whether polkit
> > > grants you it:
> > >
> > > bor at opensuse:~> pkcheck -a
> > > org.freedesktop.udisks2.filesystem-mount-system -p $$
> > > polkit\56retains_authorization_after_challenge=1
> > > Authorization requires authentication and -u wasn't passed.
> > >
> > > So here poilkit will require explicit authentication for system
> > > devices. As opposed to
> > >
> > > bor at opensuse:~> pkcheck -a org.freedesktop.udisks2.filesystem-mount
> -p $$
> > > bor at opensuse:~/src/udisks> echo $?
> > > 0
> > >
> > > Finally try explicitly mount from command line
> > >
> > > udisksctl mount -b /dev/sdXN
> > >
> > > Note that it also depends on whether you have udisks or udisks2 and
> > > polkit or polkit2 ... but you got an idea?
> > >
> > > > I don't want to write a needless bug report if in fact
> > > > this is behavior is not a bug. Could someone please
> > > > let me know if this is expected behavior ("ro" is used,
> > > > but "nouser" seems to be ignored)?
> > > >
> > > > Yesterday I posted a similar message to the polkit-devel
> > > > mailing list, but I haven't heard anything from anyone
> > > > there.
> > > >
> > > > Thanks.
> > > >
> > > > Paul.
> > > >
> > > > _______________________________________________
> > > > devkit-devel mailing list
> > > > devkit-devel at lists.freedesktop.org
> > > > http://lists.freedesktop.org/mailman/listinfo/devkit-devel
> > >
> > >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/devkit-devel/attachments/20150213/cf4c060d/attachment.html>
More information about the devkit-devel
mailing list