Skip to content

Permissions

William Vigolo da Silva edited this page Aug 25, 2017 · 5 revisions

udiskie requires permission for some polkit actions which are usually granted when using a desktop environment. If your login session is not properly activated you may need to customize your polkit settings. Create the file /etc/polkit-1/rules.d/50-udiskie.rules with permissions 644, and with the following contents:

polkit.addRule(function(action, subject) {
  var YES = polkit.Result.YES;
  // NOTE: there must be a comma at the end of each line except for the last:
  var permission = {
    // required for udisks1:
    "org.freedesktop.udisks.filesystem-mount": YES,
    "org.freedesktop.udisks.luks-unlock": YES,
    "org.freedesktop.udisks.drive-eject": YES,
    "org.freedesktop.udisks.drive-detach": YES,
    // required for udisks2:
    "org.freedesktop.udisks2.filesystem-mount": YES,
    "org.freedesktop.udisks2.encrypted-unlock": YES,
    "org.freedesktop.udisks2.eject-media": YES,
    "org.freedesktop.udisks2.power-off-drive": YES,
    // required for udisks2 if using udiskie from another seat (e.g. systemd):
    "org.freedesktop.udisks2.filesystem-mount-other-seat": YES,
    "org.freedesktop.udisks2.filesystem-unmount-others": YES,
    "org.freedesktop.udisks2.encrypted-unlock-other-seat": YES,
    "org.freedesktop.udisks2.eject-media-other-seat": YES,
    "org.freedesktop.udisks2.power-off-drive-other-seat": YES
  };
  if (subject.isInGroup("storage")) {
    return permission[action.id];
  }
});

This configuration allows all members of the storage group to run udiskie.

The XXX-other-seat class of permissions is required for cases where a device is accessed from another login session. This includes, for example,

  • running udiskie over SSH
  • running udiskie as systemd service
  • running udiskie in a cron job
  • using a udev rule to unlock a device

In order to handle internal devices or devices that are mentioned in your /etc/fstab, you have to further add permissions of the form org.freedesktop.udisks2.XXX-system or org.freedesktop.udisks2.XXX-fstab. For more information, see the documentation of UDisks2 permissions.

PolicyKit

Some systems still run on polkit's predecessor PolicyKit, which has a different config format. For example, to authorize members of the storage group to use udiskie for all cases, create the file /etc/polkit-1/localauthority/50-local.d/10-udisks.pkla with the following content:

[udisks1]
Identity=unix-group:storage
Action=org.freedesktop.udisks.filesystem-mount;org.freedesktop.udisks.luks-unlock;org.freedesktop.udisks.drive-eject;org.freedesktop.udisks.drive-detach
ResultAny=yes

[udisks2]
Identity=unix-group:storage
Action=org.freedesktop.udisks2.filesystem-mount;org.freedesktop.udisks2.encrypted-unlock;org.freedesktop.udisks2.eject-media;org.freedesktop.udisks2.power-off-drive
ResultAny=yes

[udisks2-other-seat]
Identity=unix-group:storage
Action=org.freedesktop.udisks2.filesystem-mount-other-seat;org.freedesktop.udisks2.filesystem-unmount-others;org.freedesktop.udisks2.encrypted-unlock-other-seat;org.freedesktop.udisks2.eject-media-other-seat;org.freedesktop.udisks2.power-off-drive-other-seat
ResultAny=yes
You can’t perform that action at this time.