-
Notifications
You must be signed in to change notification settings - Fork 53
Permissions
udiskie requires permission for some polkit_ actions which are usually
granted when using a desktop environment. If your login session is not
properly activated you may need to customize your polkit settings. Create the
file /etc/polkit-1/rules.d/50-udiskie.rules with permissions 644, and with the following contents:
.. code-block:: javascript
polkit.addRule(function(action, subject) {
var YES = polkit.Result.YES;
var permission = {
// required for udisks1:
"org.freedesktop.udisks.filesystem-mount": YES,
"org.freedesktop.udisks.luks-unlock": YES,
"org.freedesktop.udisks.drive-eject": YES,
"org.freedesktop.udisks.drive-detach": YES,
// required for udisks2:
"org.freedesktop.udisks2.filesystem-mount": YES,
"org.freedesktop.udisks2.encrypted-unlock": YES,
"org.freedesktop.udisks2.eject-media": YES,
"org.freedesktop.udisks2.power-off-drive": YES,
// required for udisks2 if using udiskie from another seat (e.g. systemd):
"org.freedesktop.udisks2.filesystem-mount-other-seat": YES,
"org.freedesktop.udisks2.filesystem-unmount-others": YES,
"org.freedesktop.udisks2.encrypted-unlock-other-seat": YES,
"org.freedesktop.udisks2.encrypted-unlock-system": YES,
"org.freedesktop.udisks2.eject-media-other-seat": YES,
"org.freedesktop.udisks2.power-off-drive-other-seat": YES
};
if (subject.isInGroup("storage")) {
return permission[action.id];
}
});
This configuration allows all members of the storage group to run udiskie.
The XXX-other-seat class of permissions is required for cases where a device is accessed from another login session. This includes, for example,
- running udiskie over SSH
- running udiskie as systemd service
- running udiskie in a cron job
- using a udev rule to unlock a device
In order to handle internal devices or devices that are mentioned in your
/etc/fstab, you have to further add permissions of the form
org.freedesktop.udisks2.XXX-system or
org.freedesktop.udisks2.XXX-fstab. For more information, see the
documentation of UDisks2 permissions_.
.. _polkit: http://www.freedesktop.org/wiki/Software/polkit/ .. _UDisks2 permissions: https://udisks.freedesktop.org/docs/latest/udisks-polkit-actions.html
PolicyKit
Some systems still run on polkit's predecessor PolicyKit_, which has a
different config format. For example, to authorize members of the *storage*
group to use udiskie for all cases, create the file
``/etc/polkit-1/localauthority/50-local.d/10-udisks.pkla`` with the following
content:
.. code-block:: cfg
[udisks1]
Identity=unix-group:storage
Action=org.freedesktop.udisks.filesystem-mount;org.freedesktop.udisks.luks-unlock;org.freedesktop.udisks.drive-eject;org.freedesktop.udisks.drive-detach
ResultAny=yes
[udisks2]
Identity=unix-group:storage
Action=org.freedesktop.udisks2.filesystem-mount;org.freedesktop.udisks2.filesystem-mount-system;org.freedesktop.udisks2.encrypted-unlock;org.freedesktop.udisks2.eject-media;org.freedesktop.udisks2.power-off-drive
ResultAny=yes
[udisks2-other-seat]
Identity=unix-group:storage
Action=org.freedesktop.udisks2.filesystem-mount-other-seat;org.freedesktop.udisks2.filesystem-unmount-others;org.freedesktop.udisks2.encrypted-unlock-other-seat;org.freedesktop.udisks2.eject-media-other-seat;org.freedesktop.udisks2.power-off-drive-other-seat
ResultAny=yes
.. _PolicyKit: http://www.freedesktop.org/wiki/Software/PolicyKit/