Thomas Gläßle edited this page Jul 24, 2023 · 11 revisions

udiskie requires permission for some polkit actions, which are usually granted when using a desktop environment. If your login session is not properly activated, you may need to customize your polkit settings.

The following example grants all members of the storage group the permissions needed to use all udiskie functions (you could of course choose any other group). To do so, create the file /etc/polkit-1/rules.d/50-udiskie.rules with permissions 644 and the following contents:

polkit.addRule(function(action, subject) {
  var YES = polkit.Result.YES;
  var permission = {
    // required for udisks1:
    "org.freedesktop.udisks.filesystem-mount": YES,
    "org.freedesktop.udisks.luks-unlock": YES,
    "org.freedesktop.udisks.drive-eject": YES,
    "org.freedesktop.udisks.drive-detach": YES,
    // required for udisks2:
    "org.freedesktop.udisks2.filesystem-mount": YES,
    "org.freedesktop.udisks2.encrypted-unlock": YES,
    "org.freedesktop.udisks2.eject-media": YES,
    "org.freedesktop.udisks2.power-off-drive": YES,
    // required for udisks2 if using udiskie from another seat (e.g. systemd):
    "org.freedesktop.udisks2.filesystem-mount-other-seat": YES,
    "org.freedesktop.udisks2.filesystem-unmount-others": YES,
    "org.freedesktop.udisks2.encrypted-unlock-other-seat": YES,
    "org.freedesktop.udisks2.encrypted-unlock-system": YES,
    "org.freedesktop.udisks2.eject-media-other-seat": YES,
    "org.freedesktop.udisks2.power-off-drive-other-seat": YES
  };
  if (subject.isInGroup("storage")) {
    return permission[action.id];
  }
});

The XXX-other-seat class of permissions is required for cases where a device is accessed from another login session. This includes, for example,

  • running udiskie over SSH
  • running udiskie as a systemd service
  • running udiskie in a cron job
  • using a udev rule to unlock a device

In order to handle internal devices or devices that are mentioned in your /etc/fstab, you have to further add permissions of the form org.freedesktop.udisks2.XXX-system or org.freedesktop.udisks2.XXX-fstab. For more information, see the documentation of UDisks2 permissions.
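Before installing a rule like the one above, it helps to see exactly which requests it answers and which it leaves to polkit's defaults. The following is an added example, not part of udiskie or polkit: it runs under Node.js with a simplified stand-in for the `polkit` object, and `loadRules`, `decide`, `matrix` and the shortened `SAMPLE_RULE` are names assumed for this illustration.

```javascript
// Added example: minimal stand-in for polkit's rule environment (not polkit's own code).
const Result = { YES: "yes", NO: "no", AUTH_SELF: "auth_self", AUTH_ADMIN: "auth_admin" };

// Load rule source text and return the functions it registers via polkit.addRule().
function loadRules(source) {
  const rules = [];
  const polkit = { Result, addRule: (fn) => rules.push(fn) };
  new Function("polkit", source)(polkit);
  return rules;
}

// Return the first decision made by any rule, or null when no rule handles the
// request (polkit then falls back to the action's default policy).
function decide(rules, actionId, groups) {
  const action = { id: actionId };
  const subject = { isInGroup: (g) => groups.includes(g) };
  for (const rule of rules) {
    const result = rule(action, subject);
    if (result) return result;
  }
  return null;
}

// Constructed sample: the rule from this page, shortened to three actions.
const SAMPLE_RULE = `
polkit.addRule(function(action, subject) {
  var YES = polkit.Result.YES;
  var permission = {
    "org.freedesktop.udisks2.filesystem-mount": YES,
    "org.freedesktop.udisks2.encrypted-unlock": YES,
    "org.freedesktop.udisks2.filesystem-mount-other-seat": YES
  };
  if (subject.isInGroup("storage")) {
    return permission[action.id];
  }
});`;

// Build a decision matrix: one row per action, one column per group set.
function matrix(source, actionIds, groupSets) {
  const rules = loadRules(source);
  return actionIds.map((id) => [id, ...groupSets.map((gs) => decide(rules, id, gs))]);
}

const rows = matrix(SAMPLE_RULE,
  ["org.freedesktop.udisks2.filesystem-mount",
   "org.freedesktop.udisks2.filesystem-mount-other-seat",
   "org.freedesktop.udisks2.filesystem-mount-system"],
  [["storage"], ["users"]]);
for (const [id, member, other] of rows) {
  console.log(id.padEnd(52), "storage:", member, "| users:", other);
}
```

A `null` entry means the rule made no decision: users outside the storage group and actions missing from the table (here the `-system` variant) stay subject to the default policy.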

PolicyKit

Some systems still run on polkit's predecessor PolicyKit, which has a different config format. For example, to authorize members of the storage group to use udiskie for all cases, create the file /etc/polkit-1/localauthority/50-local.d/10-udisks.pkla with the following content:

[udisks1]
Identity=unix-group:storage
Action=org.freedesktop.udisks.filesystem-mount;org.freedesktop.udisks.luks-unlock;org.freedesktop.udisks.drive-eject;org.freedesktop.udisks.drive-detach
ResultAny=yes

[udisks2]
Identity=unix-group:storage
Action=org.freedesktop.udisks2.filesystem-mount;org.freedesktop.udisks2.filesystem-mount-system;org.freedesktop.udisks2.encrypted-unlock;org.freedesktop.udisks2.eject-media;org.freedesktop.udisks2.power-off-drive
ResultAny=yes

[udisks2-other-seat]
Identity=unix-group:storage
Action=org.freedesktop.udisks2.filesystem-mount-other-seat;org.freedesktop.udisks2.filesystem-unmount-others;org.freedesktop.udisks2.encrypted-unlock-other-seat;org.freedesktop.udisks2.eject-media-other-seat;org.freedesktop.udisks2.power-off-drive-other-seat
ResultAny=yes