Permissions
udiskie requires permission for some polkit actions which are usually granted when using a desktop environment. If your login session is not properly activated you may need to customize your polkit settings.
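The following example grants the permissions needed for all udiskie
functions to every member of the storage group (you could of course
choose any other group). The rule returns YES, so these actions are
authorized without an authentication prompt; keep the group limited to
accounts you trust with them. To set this up, create the file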
/etc/polkit-1/rules.d/50-udiskie.rules
with permissions 644
and the
following contents:
// Polkit rule for udiskie: authorizes members of the "storage" group for the
// UDisks actions listed below. Group membership is the only condition checked;
// nothing here looks at subject.local or subject.active, so the grant applies
// to remote and inactive sessions as well (which is what the other-seat
// actions are for). Treat membership in the group as a privilege.
//
// `var` and a plain function expression are kept on purpose: rule files are
// evaluated by polkit's embedded JavaScript engine, which may not accept
// newer syntax (assumption, verify against the installed polkit version).
polkit.addRule(function(action, subject) {
    // Result.YES means "authorized, no authentication prompt".
    var allow = polkit.Result.YES;
    var grantedActions = {};

    // udisks1 actions
    grantedActions["org.freedesktop.udisks.filesystem-mount"] = allow;
    grantedActions["org.freedesktop.udisks.luks-unlock"] = allow;
    grantedActions["org.freedesktop.udisks.drive-eject"] = allow;
    grantedActions["org.freedesktop.udisks.drive-detach"] = allow;

    // udisks2 actions
    grantedActions["org.freedesktop.udisks2.filesystem-mount"] = allow;
    grantedActions["org.freedesktop.udisks2.encrypted-unlock"] = allow;
    grantedActions["org.freedesktop.udisks2.eject-media"] = allow;
    grantedActions["org.freedesktop.udisks2.power-off-drive"] = allow;

    // udisks2 actions needed when udiskie runs from another seat
    // (e.g. started by systemd). Drop this group if udiskie is only used
    // from the local desktop session. Note that filesystem-unmount-others
    // concerns filesystems mounted by other users and encrypted-unlock-system
    // concerns devices UDisks classifies as system devices.
    grantedActions["org.freedesktop.udisks2.filesystem-mount-other-seat"] = allow;
    grantedActions["org.freedesktop.udisks2.filesystem-unmount-others"] = allow;
    grantedActions["org.freedesktop.udisks2.encrypted-unlock-other-seat"] = allow;
    grantedActions["org.freedesktop.udisks2.encrypted-unlock-system"] = allow;
    grantedActions["org.freedesktop.udisks2.eject-media-other-seat"] = allow;
    grantedActions["org.freedesktop.udisks2.power-off-drive-other-seat"] = allow;

    // Subjects outside the group get no answer from this rule; returning
    // undefined lets polkit continue with later rules and the action's
    // own defaults.
    if (!subject.isInGroup("storage")) {
        return undefined;
    }

    // Listed action: YES. Any other action id: undefined (not handled here).
    return grantedActions[action.id];
});
The XXX-other-seat class of permissions is required for cases where a device is accessed from another login session. This includes, for example,
- running udiskie over SSH
- running udiskie as systemd service
- running udiskie in a cron job
- using a udev rule to unlock a device
In order to handle internal devices or devices that are mentioned in your
/etc/fstab
, you have to further add permissions of the form
org.freedesktop.udisks2.XXX-system
or
org.freedesktop.udisks2.XXX-fstab
. For more information, see the
documentation of UDisks2 permissions.
Some systems still run on polkit's predecessor PolicyKit, which has a
different config format. For example, to authorize members of the storage
group to use udiskie for all cases, create the file
/etc/polkit-1/localauthority/50-local.d/10-udisks.pkla
with the following
content:
[udisks1]
Identity=unix-group:storage
Action=org.freedesktop.udisks.filesystem-mount;org.freedesktop.udisks.luks-unlock;org.freedesktop.udisks.drive-eject;org.freedesktop.udisks.drive-detach
ResultAny=yes
[udisks2]
Identity=unix-group:storage
Action=org.freedesktop.udisks2.filesystem-mount;org.freedesktop.udisks2.filesystem-mount-system;org.freedesktop.udisks2.encrypted-unlock;org.freedesktop.udisks2.eject-media;org.freedesktop.udisks2.power-off-drive
ResultAny=yes
[udisks2-other-seat]
Identity=unix-group:storage
Action=org.freedesktop.udisks2.filesystem-mount-other-seat;org.freedesktop.udisks2.filesystem-unmount-others;org.freedesktop.udisks2.encrypted-unlock-other-seat;org.freedesktop.udisks2.eject-media-other-seat;org.freedesktop.udisks2.power-off-drive-other-seat
ResultAny=yes