Adding permissions for udiskie-mount to policykit

Faheem Mitha faheem at faheem.info
Wed Apr 20 16:59:48 UTC 2016


Hi,

I have a question about giving permissions for udiskie-mount to run
inside a cron file. This apparently involves policykit.

I'm using Debian jessie/stable (8.4). I have

     pkaction --version
     pkaction version 0.105

When I try to mount an external USB drive using udiskie-mount from
inside a cron job, I get an error as follows below. Using
udiskie-mount directly from the command line works fine.

     + udiskie-mount -o umask=0022 /dev/disk/by-uuid/4E1AEA7B1AEA6007 --verbose
     DEBUG [2016-04-19 23:00:01,762] udiskie.config: Failed to read config file: [Errno 2] No such file or directory: '/home/faheem/.config/udiskie/config.yml'
     DEBUG [2016-04-19 23:00:01,764] udiskie.config: Failed to read config file: [Errno 2] No such file or directory: '/home/faheem/.config/udiskie/config.json'
     Unable to init server: Could not connect: Connection refused
     Unable to init server: Could not connect: Connection refused
     DEBUG [2016-04-19 23:00:02,020] udiskie.config: IgnoreDevice(match={'is_block': False}, value=True) created
     DEBUG [2016-04-19 23:00:02,021] udiskie.config: IgnoreDevice(match={'is_external': False}, value=True) created
     DEBUG [2016-04-19 23:00:02,021] udiskie.config: IgnoreDevice(match={'is_ignored': True}, value=True) created
     DEBUG [2016-04-19 23:00:02,021] udiskie.udisks2: found device owning "/dev/disk/by-uuid/4E1AEA7B1AEA6007": "/org/freedesktop/UDisks2/block_devices/sde1"
     DEBUG [2016-04-19 23:00:02,021] udiskie.mount: mounting /org/freedesktop/UDisks2/block_devices/sde1 with {'options': ['umask=0022'], 'fstype': 'ntfs'}
     ERROR [2016-04-19 23:00:02,027] udiskie.mount: failed to mount /org/freedesktop/UDisks2/block_devices/sde1:
     GDBus.Error:org.freedesktop.UDisks2.Error.NotAuthorizedCanObtain: Not authorized to perform operation

I followed up with a question at unix.stackexchange.com
(https://unix.stackexchange.com/q/277606/4671) which summarizes the
current status of this issue. I've copied the current contents of that
question below. Some guidance on how to fix this issue would be
appreciated.

                                                  Regards, Faheem Mitha

######################################################################

I asked the udiskie maintainer about this, in
https://github.com/coldfix/udiskie/issues/102, see
https://github.com/coldfix/udiskie/issues/102#issuecomment-211908721

He said I should add permissions to polkit, so I added
/etc/polkit-1/rules.d/50-udiskie.rules per the script in
https://github.com/coldfix/udiskie/wiki/Permissions, as follows:

     polkit.addRule(function(action, subject) {
       var YES = polkit.Result.YES;
       // NOTE: there must be a comma at the end of each line except for the last:
       var permission = {
         // // required for udisks1:
         // "org.freedesktop.udisks.filesystem-mount": YES,
         // "org.freedesktop.udisks.luks-unlock": YES,
         // "org.freedesktop.udisks.drive-eject": YES,
         // "org.freedesktop.udisks.drive-detach": YES,
         // // required for udisks2:
         // "org.freedesktop.udisks2.filesystem-mount": YES,
         // "org.freedesktop.udisks2.encrypted-unlock": YES,
         // "org.freedesktop.udisks2.eject-media": YES,
         // "org.freedesktop.udisks2.power-off-drive": YES,
         // required for udisks2 if using udiskie from another seat (e.g. systemd):
         "org.freedesktop.udisks2.filesystem-mount-other-seat": YES,
         "org.freedesktop.udisks2.filesystem-unmount-others": YES,
         "org.freedesktop.udisks2.encrypted-unlock-other-seat": YES,
         "org.freedesktop.udisks2.eject-media-other-seat": YES,
         "org.freedesktop.udisks2.power-off-drive-other-seat": YES
       };
       if (subject.isInGroup("backup")) {
         return permission[action.id];
       }
     });

I restarted using

     # systemctl restart polkitd

But the mounting still doesn't work.

From a big picture perspective, I don't really understand why mounting
directly from the command line is treated differently from a cron
job. Can someone enlighten me?

@derobert kindly informed me that the version of PolicyKit in Debian
jessie doesn't recognise Javascript syntax, which may explain why this
is not working. So presumably I need a version in a different syntax.

UPDATE: Per the instructions at the bottom of
https://github.com/coldfix/udiskie/wiki/Permissions (section
"PolicyKit") I created the file
/etc/polkit-1/localauthority/50-local.d/10-udiskie.pkla with the
contents:

     [udiskie]
     Identity=unix-group:backup
     Action=org.freedesktop.udisks2.filesystem-mount-other-seat;org.freedesktop.udisks2.filesystem-unmount-others;org.freedesktop.udisks2.encrypted-unlock-other-seat;org.freedesktop.udisks2.eject-media-other-seat;org.freedesktop.udisks2.power-off-drive-other-seat
     ResultAny=yes

but still no luck. This is apparently the old, non-JS version of the
syntax, which works with Jessie.

The section Debugging a problem: Polkit suggests adding the stanza

     polkit.addRule(function(action, subject) {
       var prefix = "org.freedesktop.udisks";
       if (action.id.slice(0, prefix.length) == prefix)
         polkit.log(action.id);
     });

to the file /etc/polkit-1/rules.d/10-udisks.rules.

Does anyone happen to know what the correct syntax and filename would
be for the "old" syntax? I'd just be guessing here.


More information about the polkit-devel mailing list
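
Added example, not part of the original message and not polkit's own code: a small checker for the pre-JavaScript .pkla format used by polkit 0.105, with key names and result values as documented in pklocalauthority(8). The helper names parse_pkla and lookup and the session labels are hypothetical; the lookup rule (ResultAny for a subject outside any local session such as a cron job, last matching entry wins) is a simplified model of the local authority backend.

```python
import configparser
from fnmatch import fnmatchcase

# Allowed values per pklocalauthority(8).
RESULTS = {"yes", "no", "auth_self", "auth_self_keep", "auth_admin", "auth_admin_keep"}
ID_KINDS = ("unix-user:", "unix-group:", "unix-netgroup:")

# Sample input: the stanza quoted in the message above.
SAMPLE = """\
[udiskie]
Identity=unix-group:backup
Action=org.freedesktop.udisks2.filesystem-mount-other-seat;org.freedesktop.udisks2.filesystem-unmount-others;org.freedesktop.udisks2.encrypted-unlock-other-seat;org.freedesktop.udisks2.eject-media-other-seat;org.freedesktop.udisks2.power-off-drive-other-seat
ResultAny=yes
"""

def parse_pkla(text):
    """Return (entries, problems) for the text of one .pkla file."""
    cp = configparser.RawConfigParser(delimiters=("=",), comment_prefixes=("#",), strict=False)
    cp.optionxform = str  # key names are case-sensitive
    cp.read_string(text)
    entries, problems = [], []
    for name in cp.sections():
        sec = dict(cp[name])
        ids = [i for i in sec.get("Identity", "").split(";") if i]
        acts = [a for a in sec.get("Action", "").split(";") if a]
        res = {k: sec[k] for k in ("ResultAny", "ResultInactive", "ResultActive") if k in sec}
        if not ids or not acts or not res:
            problems.append(f"[{name}] needs Identity, Action and at least one Result* key")
        problems += [f"[{name}] bad identity {i!r}" for i in ids if not i.startswith(ID_KINDS)]
        problems += [f"[{name}] bad {k}={v!r}" for k, v in res.items() if v not in RESULTS]
        entries.append((ids, acts, res))
    return entries, problems

def lookup(entries, identities, action_id, session="none"):
    """Override for a subject, or None if the action's .policy defaults apply."""
    # 'active'/'inactive' mean a local session; anything else (cron, remote) uses ResultAny.
    key = {"active": "ResultActive", "inactive": "ResultInactive"}.get(session, "ResultAny")
    result = None
    for ids, acts, res in entries:
        if (any(fnmatchcase(s, p) for s in identities for p in ids)
                and any(fnmatchcase(action_id, p) for p in acts) and key in res):
            result = res[key]  # later matching entries override earlier ones
    return result

if __name__ == "__main__":
    entries, problems = parse_pkla(SAMPLE)
    print(problems, lookup(entries, ["unix-group:backup"],
                           "org.freedesktop.udisks2.filesystem-mount-other-seat"))
```

The stanza parses cleanly and yields yes for the listed other-seat actions, but returns None for org.freedesktop.udisks2.filesystem-mount, which the file does not list. On a live system, pkcheck --action-id ID --process PID reports what polkitd actually decides for a given process.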