Permissions
udiskie requires permission for some polkit actions which are usually
granted when using a desktop environment. If your login session is not
properly activated you may need to customize your polkit settings. Create the
file /etc/polkit-1/rules.d/50-udiskie.rules
with the following contents:
// polkit rule for udiskie: members of the "storage" group are granted the
// udisks actions listed below without an authentication prompt.
//
// The rule decides on the action id and group membership only; it does not
// check subject.local or subject.active, and it applies to any program run by
// a group member, not just udiskie. Delete the entries you do not need, in
// particular the last group if devices are only handled from the local
// desktop session.
polkit.addRule(function(action, subject) {
    // Not in the group: return nothing, so this rule makes no decision and
    // polkit carries on with the remaining rules.
    if (!subject.isInGroup("storage")) {
        return;
    }

    var granted = polkit.Result.YES;

    // NOTE: every entry except the last one must end with a comma.
    var allowedActions = {
        // required for udisks1:
        "org.freedesktop.udisks.filesystem-mount": granted,
        "org.freedesktop.udisks.luks-unlock": granted,
        "org.freedesktop.udisks.drive-eject": granted,
        "org.freedesktop.udisks.drive-detach": granted,
        // required for udisks2:
        "org.freedesktop.udisks2.filesystem-mount": granted,
        "org.freedesktop.udisks2.encrypted-unlock": granted,
        "org.freedesktop.udisks2.eject-media": granted,
        "org.freedesktop.udisks2.power-off-drive": granted,
        // required for udisks2 if using udiskie from another seat (e.g. systemd):
        "org.freedesktop.udisks2.filesystem-mount-other-seat": granted,
        "org.freedesktop.udisks2.filesystem-unmount-others": granted,
        "org.freedesktop.udisks2.encrypted-unlock-other-seat": granted,
        "org.freedesktop.udisks2.eject-media-other-seat": granted,
        "org.freedesktop.udisks2.power-off-drive-other-seat": granted
    };

    // An action id that is not listed yields undefined, which likewise
    // leaves the decision to the remaining rules.
    return allowedActions[action.id];
});
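This configuration allows all members of the storage group to run udiskie. Note that the rule authorizes the listed udisks actions themselves, without a password prompt, so it applies to any program run by a member of that group, not only to udiskie.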
The XXX-other-seat class of permissions is required only for cases where a device is accessed from another login session; if you never do that, these entries can be left out. Such cases include, for example,
- running udiskie over SSH
- running udiskie as systemd service
- running udiskie in a cron job
- using a udev rule to unlock a device
Some systems still run on polkit's predecessor PolicyKit, which has a
different config format. For example, to authorize members of the storage
group to use udiskie for all cases, create the file
/etc/polkit-1/localauthority/50-local.d/10-udisks.pkla
with the following
content:
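# PolicyKit local authority (.pkla) rules for udiskie.
#
# Each section grants the listed udisks actions to members of the "storage"
# group. ResultAny=yes authorizes them without authentication for any session
# of a group member, local or not, active or not; ResultActive and
# ResultInactive are the narrower keys if that is more than you need.
#
# Action is a semicolon-separated list of action ids (see pklocalauthority(8));
# a comma-separated value is read as one single id and matches nothing.

# udisks1 actions
[udisks1]
Identity=unix-group:storage
Action=org.freedesktop.udisks.filesystem-mount;org.freedesktop.udisks.luks-unlock;org.freedesktop.udisks.drive-eject;org.freedesktop.udisks.drive-detach
ResultAny=yes

# udisks2 actions
[udisks2]
Identity=unix-group:storage
Action=org.freedesktop.udisks2.filesystem-mount;org.freedesktop.udisks2.encrypted-unlock;org.freedesktop.udisks2.eject-media;org.freedesktop.udisks2.power-off-drive
ResultAny=yes

# udisks2 actions used when the device is accessed from another login session
# (SSH, systemd service, cron job, udev rule). Leave this section out if you
# do not need that.
[udisks2-other-seat]
Identity=unix-group:storage
Action=org.freedesktop.udisks2.filesystem-mount-other-seat;org.freedesktop.udisks2.filesystem-unmount-others;org.freedesktop.udisks2.encrypted-unlock-other-seat;org.freedesktop.udisks2.eject-media-other-seat;org.freedesktop.udisks2.power-off-drive-other-seat
ResultAny=yes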