[blfs-support] Automounting

Dan McGhee beesnees at grm.net
Tue Dec 10 09:59:08 PST 2013

On 12/09/2013 04:55 PM, Dan McGhee wrote:
> On 12/09/2013 03:41 PM, David Brodie wrote:
>> On 09/12/13 21:28, Dan McGhee wrote:
>>> Thank you for this example. This is the syntax I don't understand. I
>>> don't speak Java. :-)
>> Ahem, java*script*...completely different. ;)
>>>> The polkit daemon usually has its own user and group.
>>> This is new! As I was checking my logs and where things are, the problem
>>> may be that polkitd didn't get installed. How that happened I'll never
>>> know. But I did find a configuration option in "./configure --help"
>>> -- "--with-polkitd-user=<user>". I wonder if this is what caused polkitd
>>> not to compile. We'll see. I suppose user should be root.
>> No, it should have its own non-root user/group - have another read of
>> the instructions in the book.
>> David
> It was a forest and trees thing again. I had created the polkitd user
> and group. I just didn't remember.
> There is incomplete success to report. I relied on "whereis" to find
> polkitd--I know better--but I did find it where it was supposed to be in
> /usr/lib/polkit-1. I changed ownership and groupship of it to polkitd
> and also did the "chown" changes root:messagebus for the dbus daemon. I
> now have the icons for the various partitions on my hard drive and for
> my usb drive when I insert it. However, when I click on the icons, I get
> the message "Failed to mount <Partition Name>, Not authorized to perform
> operation."
> I deviated slightly from the polkit rule and used my group name instead
> of "users." I thought that for troubleshooting it might be easier. Now
> it's just something really simple, as was the other stuff. Is it
> necessary to create the group "users" or is this a sudo thing?
> Thanks for the help thus far, David.
> Dan
I've done some reading, learning (I hope) and "playing." I'm still not 
successful in automounting these drives even though the appropriate 
icons appear. Pole cat, er polkit, apparently is operating OK because 
when I try to run gparted as an unprivileged user, I get the message 
"Only root can run gparted." Also when I select "Shutdown" or "Reboot" 
in my session, I get asked for my password. The only thing that's amiss 
is this automounting stuff.

First off, it's not a sudo thing. I learned that polkit operates 
independently of sudo and sudo independently of polkit.

Here's the appropriate section of 

> <action id="org.freedesktop.udisks2.filesystem-mount-system">
> <description>Mount a filesystem on a system device</description>
> <defaults>
> <allow_any>auth_admin</allow_any>
> <allow_inactive>auth_admin</allow_inactive>
> <allow_active>auth_admin_keep</allow_active>
> </defaults>
> </action>

I learned, reading in the Arch Wiki, that ">auth_admin<" means that 
authentication as an administrative user is required. This is the 
polkit rule that David suggested yesterday.

> /etc/polkit-1/rules.d/10-udisks2.rules:
> /* Allow members of group users to do anything with udisks2! */
> polkit.addRule(function(action, subject) {
>       if (action.id.indexOf("org.freedesktop.udisks2.") == 0 &&
> subject.isInGroup("users")) {
>           return polkit.Result.YES;
>       }
> });

I wrote that rule, but instead of creating the "users" group, I just 
changed that to "dan," my group. It was after trying this and it not 
completely working that I read about "auth_admin" and learned that the 
admin policy rule was in /etc/polkit-1/rules.d/50-default.rules. I 
copied this to 40-admin.rules, because the file said not to edit it 
because it gets changed, which contains:

> polkit.addAdminRule(function(action, subject) {
> return ["unix-group:dan"];
> });

The original file contained "unix-group:wheel."

I still couldn't get the drives to mount. I don't know if this last 
"admin" rule satisfied the "auth_admin" or not. So all until now is 
"Question 1."

"Question 2" involves a possible conflict in polkit policies. I don't 
know enough to be able to answer this one myself. But in digging around 
I found /usr/share/polkit-1/actions/org.freedesktop.udisks.policy also. 
It contains a similar line to the one for udisks2, but with a possible 
glaring exception:

> <action id="org.freedesktop.udisks.filesystem-mount">
> <description>Mount a device</description>
> <defaults>
> <allow_any>no</allow_any>
> <allow_inactive>no</allow_inactive>
> <allow_active>yes</allow_active>
> </defaults>
> </action>

I think the "<allow_active>yes</allow_active>" means that as long as I am 
logged into a tty, which I am, I should be able to mount filesystems 
without authentication. But the udisks2 policy used "auth_adm" which 
is obviously different. So, "Question 2" becomes, is this a conflict 
that requires resolution somehow?

And, lastly, Question 3. I use the Package Users Management System. 
Files get installed with the ownership and group of the name of the 
particular user. In my case, I use <package name>-<version>. In this 
case the polkit files are owned by user polkit-0.112 and are in a group 
by the same name. Until yesterday there was only one exception to what I 
do and that was 'xorg' which must be root:root and SUID. Yesterday I 
learned that polkitd must be "polkitd:polkitd" with the "sticky bit" set 
for the group. Other than these two applications, all the other ones 
that I have run fine as they are. The only thing I must do is be 
judicious in setting the sticky bit for those applications which need it.

If my management system is causing this problem, I can fix it. First, 
however, I need to discover that this is the problem. Would someone who 
uses polkit check the ownership and permission of /usr/share/polkit-1/* 
and let me know what they are? It's possible that they must be 
"polkitd:polkitd," but before I run 'chown -R' I'd like to get some info.

I think that I've learned to defeat the whole system by editing the 
policy files by replacing "auth_admin" with "yes" in the areas that are 
causing me problems. But, since the use of polkit is dictated by what I 
want to do, I want to learn to use the system rather than defeat it.

I'm sorry that this post is so long. Thanks to those who have borne with 
it so far. I sure hope someone has the info to help me get this thing 
off the ground.
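
How the rule quoted in the message and the implicit defaults of the two quoted <action> blocks combine, as an added example that is not part of the original post and not polkit's own code. The `polkit` stub, `DEFAULTS`, `makeSubject` and `authorize` are hypothetical names, and the evaluation order is a simplified model of what polkitd does so the rule can be exercised offline under Node.

```javascript
// Stand-in for the `polkit` object that polkitd hands to rules files
// (an assumption for offline testing; the real daemon supplies its own).
const polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin",
            AUTH_ADMIN_KEEP: "auth_admin_keep", NOT_HANDLED: null },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
};

// Implicit defaults copied from the two <action> blocks quoted in the post.
const DEFAULTS = {
  "org.freedesktop.udisks2.filesystem-mount-system":
    { any: "auth_admin", inactive: "auth_admin", active: "auth_admin_keep" },
  "org.freedesktop.udisks.filesystem-mount":
    { any: "no", inactive: "no", active: "yes" },
};

// Constructed subject: groups, local and active are sample values.
function makeSubject(groups, local, active) {
  return { local, active, isInGroup: (g) => groups.includes(g) };
}

// The rule from the post, with the "not handled" case made explicit.
polkit.addRule(function (action, subject) {
  if (action.id.indexOf("org.freedesktop.udisks2.") == 0 &&
      subject.isInGroup("users")) {
    return polkit.Result.YES;
  }
  return polkit.Result.NOT_HANDLED;
});

// Rules run in order and the first one that returns a result decides.
// If none does, the action's implicit default for the session type applies.
function authorize(actionId, subject) {
  for (const rule of polkit._rules) {
    const r = rule({ id: actionId }, subject);
    if (r) return { result: r, decidedBy: "rule" };
  }
  const d = DEFAULTS[actionId];
  const key = subject.local ? (subject.active ? "active" : "inactive") : "any";
  return { result: d[key], decidedBy: "policy default" };
}

// Sample run: a local, active user who is in group "dan" but not "users".
console.log(authorize("org.freedesktop.udisks2.filesystem-mount-system",
                      makeSubject(["dan"], true, true)));
```

The udisks and udisks2 actions have different ids, so the rule's prefix test matches only the udisks2 one and each action keeps its own defaults.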