KDE Device Notifer ignores nouser in /etc/fstab

Paul Novak k9jenius at gmail.com
Wed Feb 11 08:12:30 PST 2015 

I'm trying to figure out what I think is a problem
that can be seen by using the KDE device notifier.
I've tried it on 4 distributions (PCLinuxOS,
Suse, Kubuntu, and Mint) with identical results.

I have an extra partition on my hard drive 
LABEL-ed ROOT3.  I intentionally have the
"nouser" attribute set in /etc/fstab so that 
a non-root user cannot mount or unmount this 
filesystem.  I have an entry for it in /etc/fstab 
that look like this:

LABEL=ROOT3	/mnt/ROOT3	ext4 noauto,nouser,ro 	1 2

As a normal (non-root) user, in a terminal, if I
run "mount /mnt/ROOT3", it (correctly) fails with 
the message:

    mount: only root can mount LABEL=HOME3 on /mnt/HOME3

This is the behavior I desire: that only "root" can mount
LABEL=ROOT3, but any user can mount LABEL=HOME3.  I have
verified that root and run the mount command (I don't have
some cryptic typo in /etc/fstab).

But running KDE as a normal (non-root) user, if I click on the
device manager and configure it to look at all devices,
not just removable, find the ROOT3 storage volume, and click
on the "little belt" icon, the ROOT3 filesystem will 
mount read-only.  In other words, "nouser" does not seem 
to have any effect when I'm using the device manager as non-root.

I wrote a bug report against KDE/device manager (344009), but
they closed it saying the device manager calls udisk which
calls polkit, and it's an issue with polkit in some manner 
(configuration or bug), not a problem with with KDE.    
They did seem to imply it was a problem, but not definitely,
and certainly not theirs.  

What I would like to happen is that when a non-root user
running KDE opens the device manager and clicks on ROOT3,
either the user is prompted for the root password, or
the command is denied with an error.   I certainly don't 
want non-root users to be able to mount ROOT3, but I do 
want them to able to mount the other filesystems I have 
in /etc/fstab that are not tagged "nouser" without having 
to enter any password.

I tried finding some useful documentation about polkit, the
best being on the Arch Linux website, but I couldn't really
make sense of it.  But given that at least 4 large distributions
share the same issue, I'm not even convinced that the behavior
I'm seeing is not some intended feature somehow...

Can anything be done to get the behavior I'm looking for?
 
xr200

More information about the polkit-devel mailing list