I've never used udisks/udisks2 before because I didn't really need it, but now I thought I'd see what the tool is capable of and give it a chance.
When it comes to mounting devices, I have two simple rules: 1) only root can do it; 2) in some cases only defined users can mount some specific devices. So I want to forbid all users (except root) from accessing all devices that people can possibly plug into a USB port. But devices can be distinguished by, for instance, a serial number (or something else). I have a USB drive, and I want it to be accessed and mounted by my regular user without being asked for a password each time I do so.

So far, I created two UDEV rules:

-------------------------------------
SUBSYSTEMS=="usb", \
  ENV{UDISKS_IGNORE}="1", \
  ENV{UDISKS_AUTO}="0", \
  ENV{UDISKS_SYSTEM}="1"

ATTRS{serial}=="some-serial-number", \
  ENV{UDISKS_IGNORE}="1", \
  ENV{UDISKS_AUTO}="0", \
  ENV{UDISKS_SYSTEM}="0"
-------------------------------------

The two rules do their job. Basically, the first rule marks all USB devices as internal/system, and the second rule allows only the specific device to be accessed by a regular user (later on in udisks). This, of course, allows all regular users (not just me) to mount the device, so it's not really what I want, but it's close enough to use it in this form.

I've seen that people use something similar to the following rule:

-----------------------------------------
/etc/polkit-1/localauthority/50-local.d/20-udisks2.pkla
-----------------------------------------
[Allow morfik to mount devices]
Identity=unix-user:morfik;
Action=org.freedesktop.udisks2.*;
ResultAny=no
ResultInactive=no
ResultActive=yes
-----------------------------------------

And this is a little bit better than the previous solution because it gives me the ability to specify users/groups, and only those parties can do some actions, like for instance mounting a device (the actions can be viewed via pkaction). The problem here is that I can't choose which devices should be accessed by the identity; I'm only able to set which actions are allowed.

In the polkit manual [1], there's an example that would do exactly what I want. I'm speaking about this:

----------------------------------------------------------------------
polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.freedesktop.udisks2.") == 0 &&
        action.lookup("drive.vendor") == "SEAGATE" &&
        action.lookup("drive.model") == "ST3300657SS" &&
        subject.isInGroup("engineers")) {
        return polkit.Result.YES;
    }
});
----------------------------------------------------------------------

I bet there's probably also something like:

action.lookup("drive.serial")

but I don't really know how to get those values yet.

Anyway, I don't think the above rule can be used with the polkit version that's currently in Debian, which is 0.105. That rule can be used when you deal with 0.106+, and 0.113 is available in the experimental branch, but unfortunately it can't be installed due to dependency problems. Is there a way to convert that rule somehow, or is this functionality specific to polkit 0.106+? Or maybe there is another way to achieve what I want?

--
Morfik

[1] https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html
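The post types the whitelisted serial into the udev rule by hand and does not say how it was obtained or checked. The script below is an added example, not part of the original message or of the udisks/polkit projects: it pulls ATTRS{serial} out of `udevadm info --attribute-walk` for a given block device, writes the two rules from the post with that serial, reloads udev, and then confirms through `udevadm info --query=property` that the ENV{UDISKS_SYSTEM} assignment actually landed on the device. The rules file name `/etc/udev/rules.d/99-local-udisks.rules` is a hypothetical choice, the `SAMPLE_*` strings are constructed udevadm output used only to exercise the parsing functions offline, and whether udisks2 forwards `ID_VENDOR`/`ID_MODEL`/`ID_SERIAL_SHORT` to polkit as the `drive.*` lookups the post asks about is an assumption this script does not rely on.

```shell
#!/bin/sh
# Added example, not the original poster's code. Generates and checks the
# two udev rules from the post for one USB stick identified by its serial.
# Run as root: ./usb-whitelist.sh /dev/sdb

# Hypothetical rules file name (any name in /etc/udev/rules.d works).
RULES_FILE="/etc/udev/rules.d/99-local-udisks.rules"

# Constructed sample of `udevadm info --attribute-walk --name=/dev/sdb`,
# trimmed to the lines that matter: the block device has no serial, the
# USB parent does.
SAMPLE_WALK=$(cat <<'EOF'
  looking at device '/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/host6/target6:0:0/6:0:0:0/block/sdb':
    KERNEL=="sdb"
    SUBSYSTEM=="block"
  looking at parent device '/devices/pci0000:00/0000:00:14.0/usb1/1-2':
    ATTRS{idVendor}=="0951"
    ATTRS{manufacturer}=="Kingston"
    ATTRS{serial}=="0123ABCD"
EOF
)

# Constructed sample of `udevadm info --query=property --name=/dev/sdb`
# after the rules have been applied: the ENV{...} assignments from the
# rule show up as plain KEY=VALUE properties.
SAMPLE_PROPS=$(cat <<'EOF'
DEVNAME=/dev/sdb
ID_VENDOR=Kingston
ID_MODEL=DataTraveler
ID_SERIAL_SHORT=0123ABCD
UDISKS_IGNORE=1
UDISKS_AUTO=0
UDISKS_SYSTEM=0
EOF
)

# Read an attribute walk on stdin and print the first ATTRS{serial} value.
# The walk lists the device first and then each parent, so the first hit
# is the nearest ancestor that carries a serial (the USB device itself).
usb_serial_from_walk() {
    sed -n 's/^[[:space:]]*ATTRS{serial}=="\([^"]*\)".*/\1/p' | head -n 1
}

# Read `udevadm info --query=property` output on stdin, print one property.
prop_value() {
    sed -n "s/^$1=//p" | head -n 1
}

# Emit the rule pair from the post for the given serial. Unquoted heredoc:
# $serial expands, "\\" becomes the line-continuation backslash udev expects.
udisks_rules_for_serial() {
    serial="$1"
    cat <<EOF
# Every USB device: hidden from udisks, never automounted, treated as system.
SUBSYSTEMS=="usb", \\
  ENV{UDISKS_IGNORE}="1", \\
  ENV{UDISKS_AUTO}="0", \\
  ENV{UDISKS_SYSTEM}="1"

# The one whitelisted stick: UDISKS_SYSTEM back to 0 so a regular user may mount it.
ATTRS{serial}=="$serial", \\
  ENV{UDISKS_IGNORE}="1", \\
  ENV{UDISKS_AUTO}="0", \\
  ENV{UDISKS_SYSTEM}="0"
EOF
}

main() {
    dev="$1"
    serial="$(udevadm info --attribute-walk --name="$dev" | usb_serial_from_walk)"
    if [ -z "$serial" ]; then
        echo "no ATTRS{serial} found in the parent chain of $dev" >&2
        return 1
    fi
    udisks_rules_for_serial "$serial" > "$RULES_FILE"
    udevadm control --reload
    udevadm trigger --action=change --name-match="$dev"
    # The check: after the trigger, the device must carry UDISKS_SYSTEM=0.
    flag="$(udevadm info --query=property --name="$dev" | prop_value UDISKS_SYSTEM)"
    echo "$dev serial=$serial UDISKS_SYSTEM=$flag"
    [ "$flag" = "0" ]
}

# Only touch the system when a device is named on the command line, so the
# file can also be sourced to reuse the parsing helpers.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run `udevadm test "$(udevadm info --query=path --name=/dev/sdb)"` if you want to see the rule evaluation without triggering a change event; it prints the same KEY=VALUE properties that `prop_value` reads. The remaining gap the post asks about (restricting by device and user at once on polkit 0.105) is not solved by this script: the pkla file can only name actions, so the device selection still lives entirely in udev.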