5

I'm using Debian jessie/stable (8.4).

When I try to mount an external USB drive using udiskie-mount from inside a cron job, I get an error as follows below. Using udiskie-mount directly from the command line works fine.

```
+ udiskie-mount -o umask=0022 /dev/disk/by-uuid/4E1AEA7B1AEA6007 --verbose
DEBUG [2016-04-19 23:00:01,762] udiskie.config: Failed to read config file: [Errno 2] No such file or directory: '/home/faheem/.config/udiskie/config.yml'
DEBUG [2016-04-19 23:00:01,764] udiskie.config: Failed to read config file: [Errno 2] No such file or directory: '/home/faheem/.config/udiskie/config.json'
Unable to init server: Could not connect: Connection refused
Unable to init server: Could not connect: Connection refused
DEBUG [2016-04-19 23:00:02,020] udiskie.config: IgnoreDevice(match={'is_block': False}, value=True) created
DEBUG [2016-04-19 23:00:02,021] udiskie.config: IgnoreDevice(match={'is_external': False}, value=True) created
DEBUG [2016-04-19 23:00:02,021] udiskie.config: IgnoreDevice(match={'is_ignored': True}, value=True) created
DEBUG [2016-04-19 23:00:02,021] udiskie.udisks2: found device owning "/dev/disk/by-uuid/4E1AEA7B1AEA6007": "/org/freedesktop/UDisks2/block_devices/sde1"
DEBUG [2016-04-19 23:00:02,021] udiskie.mount: mounting /org/freedesktop/UDisks2/block_devices/sde1 with {'options': ['umask=0022'], 'fstype': 'ntfs'}
ERROR [2016-04-19 23:00:02,027] udiskie.mount: failed to mount /org/freedesktop/UDisks2/block_devices/sde1:
GDBus.Error:org.freedesktop.UDisks2.Error.NotAuthorizedCanObtain: Not authorized to perform operation
```

I asked the udiskie maintainer about this, in https://github.com/coldfix/udiskie/issues/102, see https://github.com/coldfix/udiskie/issues/102#issuecomment-211908721

He said I should add permissions to polkit, so I added /etc/polkit-1/rules.d/50-udiskie.rules per the script in https://github.com/coldfix/udiskie/wiki/Permissions, as follows:

```js
polkit.addRule(function(action, subject) {
  var YES = polkit.Result.YES;
  // NOTE: there must be a comma at the end of each line except for the last:
  var permission = {
    // // required for udisks1:
    // "org.freedesktop.udisks.filesystem-mount": YES,
    // "org.freedesktop.udisks.luks-unlock": YES,
    // "org.freedesktop.udisks.drive-eject": YES,
    // "org.freedesktop.udisks.drive-detach": YES,
    // // required for udisks2:
    // "org.freedesktop.udisks2.filesystem-mount": YES,
    // "org.freedesktop.udisks2.encrypted-unlock": YES,
    // "org.freedesktop.udisks2.eject-media": YES,
    // "org.freedesktop.udisks2.power-off-drive": YES,
    // required for udisks2 if using udiskie from another seat (e.g. systemd):
    "org.freedesktop.udisks2.filesystem-mount-other-seat": YES,
    "org.freedesktop.udisks2.filesystem-unmount-others": YES,
    "org.freedesktop.udisks2.encrypted-unlock-other-seat": YES,
    "org.freedesktop.udisks2.eject-media-other-seat": YES,
    "org.freedesktop.udisks2.power-off-drive-other-seat": YES
  };
  if (subject.isInGroup("backup")) {
    return permission[action.id];
  }
});
```

I commented out everything except the "using udiskie from another seat" part, per the maintainer's comments.

I restarted using

```
# systemctl restart polkitd
```

But the mounting still doesn't work.

From a big picture perspective, I don't really understand why mounting directly from the command line is treated differently from a cron job. Can someone enlighten me?

@derobert kindly informed me that the version of PolicyKit in Debian jessie doesn't recognise Javascript syntax, which may explain why this is not working. So presumably I need a version in a different syntax.

UPDATE: Per the instructions at the bottom of https://github.com/coldfix/udiskie/wiki/Permissions (section "PolicyKit") I created the file /etc/polkit-1/localauthority/50-local.d/10-udiskie.pkla with the contents:

```ini
[udiskie]
Identity=unix-group:backup
Action=org.freedesktop.udisks2.filesystem-mount-other-seat;org.freedesktop.udisks2.filesystem-unmount-others;org.freedesktop.udisks2.encrypted-unlock-other-seat;org.freedesktop.udisks2.eject-media-other-seat;org.freedesktop.udisks2.power-off-drive-other-seat
ResultAny=yes
```

but still no luck. This is apparently the old, non-JS version of the syntax, which works with Jessie.

The section "Debugging a problem: Polkit" suggests adding the stanza

```js
polkit.addRule(function(action, subject) {
  var prefix = "org.freedesktop.udisks";
  if (action.id.slice(0, prefix.length) == prefix)
    polkit.log(action.id);
});
```

to the file /etc/polkit-1/rules.d/10-udisks.rules. Does anyone happen to know what the correct syntax and filename would be for the "old" syntax? I'd just be guessing here.

Faheem Mitha
  • @jasonwryan The mounting and unmounting happens in the context of a backup. First I mount the USB drive, do the backup, then unmount it. – Faheem Mitha Apr 22 '16 at 02:00
  • It's plugged in the whole time. I don't think manually plugging in the drive is an option in the context of an automated, unattended process. – Faheem Mitha Apr 22 '16 at 02:02
  • I'm using `udiskie-mount` to mount it from my backup script. Regular mount doesn't work. It has that annoying issue with `ntfs-3g` that you might have run across. – Faheem Mitha Apr 22 '16 at 07:56

1 Answer

5

After a fair amount of hair-pulling, I finally decided to use wildcards, in the interest of preserving my sanity, as suggested by https://github.com/coldfix/udiskie/wiki/Ubuntu-Debian-installation-guide.

I created the file /etc/polkit-1/localauthority/50-local.d/10-udiskie.pkla with the contents:

```ini
[udisks]
Identity=unix-group:plugdev
Action=org.freedesktop.udisks.*
ResultAny=yes
[udisks2]
Identity=unix-group:plugdev
Action=org.freedesktop.udisks2.*
ResultAny=yes
```

With the script

```bash
#!/bin/bash
set -ex
udiskie-mount -o umask=0022 /dev/disk/by-uuid/4E1AEA7B1AEA6007 --verbose
udiskie-umount /dev/disk/by-uuid/4E1AEA7B1AEA6007 --verbose
```

I get the following output:

```
+ udiskie-mount -o umask=0022 /dev/disk/by-uuid/4E1AEA7B1AEA6007 --verbose
DEBUG [2016-04-21 15:29:01,634] udiskie.config: Failed to read config file: [Errno 2] No such file or directory: '/home/faheem/.config/udiskie/config.yml'
DEBUG [2016-04-21 15:29:01,637] udiskie.config: Failed to read config file: [Errno 2] No such file or directory: '/home/faheem/.config/udiskie/config.json'
Unable to init server: Could not connect: Connection refused
Unable to init server: Could not connect: Connection refused
DEBUG [2016-04-21 15:29:01,862] udiskie.config: IgnoreDevice(match={'is_block': False}, value=True) created
DEBUG [2016-04-21 15:29:01,862] udiskie.config: IgnoreDevice(match={'is_external': False}, value=True) created
DEBUG [2016-04-21 15:29:01,862] udiskie.config: IgnoreDevice(match={'is_ignored': True}, value=True) created
DEBUG [2016-04-21 15:29:01,866] udiskie.udisks2: found device owning "/dev/disk/by-uuid/4E1AEA7B1AEA6007": "/org/freedesktop/UDisks2/block_devices/sde1"
DEBUG [2016-04-21 15:29:01,866] udiskie.mount: mounting /org/freedesktop/UDisks2/block_devices/sde1 with {'fstype': 'ntfs', 'options': ['umask=0022']}
DEBUG [2016-04-21 15:29:03,354] udiskie.udisks2: +++ device_mounted: /org/freedesktop/UDisks2/block_devices/sde1
DEBUG [2016-04-21 15:29:03,354] udiskie.udisks2: +++ device_changed: /org/freedesktop/UDisks2/block_devices/sde1
INFO [2016-04-21 15:29:03,354] udiskie.mount: mounted /org/freedesktop/UDisks2/block_devices/sde1 on /media/faheem/My Passport
+ udiskie-umount /dev/disk/by-uuid/4E1AEA7B1AEA6007 --verbose
DEBUG [2016-04-21 15:29:03,490] udiskie.config: Failed to read config file: [Errno 2] No such file or directory: '/home/faheem/.config/udiskie/config.yml'
DEBUG [2016-04-21 15:29:03,492] udiskie.config: Failed to read config file: [Errno 2] No such file or directory: '/home/faheem/.config/udiskie/config.json'
DEBUG [2016-04-21 15:29:03,679] udiskie.config: IgnoreDevice(match={'is_block': False}, value=True) created
DEBUG [2016-04-21 15:29:03,679] udiskie.config: IgnoreDevice(match={'is_external': False}, value=True) created
DEBUG [2016-04-21 15:29:03,679] udiskie.config: IgnoreDevice(match={'is_ignored': True}, value=True) created
DEBUG [2016-04-21 15:29:03,681] udiskie.udisks2: found device owning "/dev/disk/by-uuid/4E1AEA7B1AEA6007": "/org/freedesktop/UDisks2/block_devices/sde1"
DEBUG [2016-04-21 15:29:03,681] udiskie.mount: unmounting /org/freedesktop/UDisks2/block_devices/sde1
DEBUG [2016-04-21 15:29:03,691] udiskie.udisks2: +++ device_changed: /org/freedesktop/UDisks2/block_devices/sde1
DEBUG [2016-04-21 15:29:03,712] udiskie.udisks2: +++ device_unmounted: /org/freedesktop/UDisks2/block_devices/sde1
INFO [2016-04-21 15:29:03,712] udiskie.mount: unmounted /org/freedesktop/UDisks2/block_devices/sde1
```

NOTES AND COMMENTS:

1) Policykit or Polkit, whatever it is, is a giant pain.

2) The syntax used after version 105 is Javascript - nobody knows why. The syntax used for version 105 or earlier is as shown above. The version in Jessie is 105. See e.g. https://lists.debian.org/debian-user/2016/01/msg00209.html and http://blog.gmane.org/gmane.comp.freedesktop.policykit/month=20150901

3) pkaction gives a list of all registered actions. With the script above in place, the udisks2 actions listed are:

```
org.freedesktop.udisks2.ata-check-power
org.freedesktop.udisks2.ata-secure-erase
org.freedesktop.udisks2.ata-smart-enable-disable
org.freedesktop.udisks2.ata-smart-selftest
org.freedesktop.udisks2.ata-smart-simulate
org.freedesktop.udisks2.ata-smart-update
org.freedesktop.udisks2.ata-standby
org.freedesktop.udisks2.ata-standby-other-seat
org.freedesktop.udisks2.ata-standby-system
org.freedesktop.udisks2.cancel-job
org.freedesktop.udisks2.cancel-job-other-user
org.freedesktop.udisks2.eject-media
org.freedesktop.udisks2.eject-media-other-seat
org.freedesktop.udisks2.eject-media-system
org.freedesktop.udisks2.encrypted-change-passphrase
org.freedesktop.udisks2.encrypted-change-passphrase-system
org.freedesktop.udisks2.encrypted-lock-others
org.freedesktop.udisks2.encrypted-unlock
org.freedesktop.udisks2.encrypted-unlock-crypttab
org.freedesktop.udisks2.encrypted-unlock-other-seat
org.freedesktop.udisks2.encrypted-unlock-system
org.freedesktop.udisks2.filesystem-fstab
org.freedesktop.udisks2.filesystem-mount
org.freedesktop.udisks2.filesystem-mount-other-seat
org.freedesktop.udisks2.filesystem-mount-system
org.freedesktop.udisks2.filesystem-unmount-others
org.freedesktop.udisks2.loop-delete-others
org.freedesktop.udisks2.loop-modify-others
org.freedesktop.udisks2.loop-setup
org.freedesktop.udisks2.manage-md-raid
org.freedesktop.udisks2.manage-swapspace
org.freedesktop.udisks2.modify-device
org.freedesktop.udisks2.modify-device-other-seat
org.freedesktop.udisks2.modify-device-system
org.freedesktop.udisks2.modify-drive-settings
org.freedesktop.udisks2.modify-system-configuration
org.freedesktop.udisks2.open-device
org.freedesktop.udisks2.open-device-system
org.freedesktop.udisks2.power-off-drive
org.freedesktop.udisks2.power-off-drive-other-seat
org.freedesktop.udisks2.power-off-drive-system
org.freedesktop.udisks2.read-system-configuration-secrets
org.freedesktop.udisks2.rescan
```

There is also a list at Udisks polkit actions.

I could entertain myself by trying to reduce this list while still allowing udiskie to mount and unmount in a cron job. The question is, is this worth the trouble? And do these restrictions really provide any additional security?

4) I'm still getting the following. This is apparently a warning - it does not seem to be stopping anything from working.

```
Unable to init server: Could not connect: Connection refused
```

UPDATE: After some discussion with Thomas G. (as he put it, "Great that it worked. However, it might not be the best idea to allow every udisks action."), I changed this to

```ini
[udisks2]
Identity=unix-user:faheem
Action=org.freedesktop.udisks2.filesystem-mount-other-seat;org.freedesktop.udisks2.filesystem-mount
ResultAny=yes
```

which still seems to work.

Followups: discussion of a possible patch to the Debian udiskie package.

Faheem Mitha
  • Doesn't work for me, is there any update to this? – Philipp Ludwig Apr 15 '19 at 08:33
  • @PhilippLudwig Something more detailed than "doesn't work for me" would be useful. What errors are you seeing? What actual code/script did you use, and where did you put it? And I suggest adding to an existing issue. Do you use Debian? You could also email me directly. I don't have time to do anything with this today, but I may be able to take a look tomorrow. – Faheem Mitha Apr 15 '19 at 08:39
  • I just copied the 10-udiskie.pkla file you provided but still got permission denied on debian stretch. In the end, this file worked: https://gist.github.com/kafene/5b4aa4ebbd9229fa2e73 – Philipp Ludwig Apr 15 '19 at 10:34
  • Which ubuntu version were you using? I still get `GDBus.Error:org.freedesktop.UDisks2.Error.NotAuthorizedCanObtain: Not authorized to perform operation` after changing the polkit actions, pkla files. – Jason Liu Mar 09 '20 at 23:49
  • I found out the `chrome-remote-desktop` prevented UDisks2 from working for me. This solution works for me: https://askubuntu.com/questions/580329/mount-flashdrive-not-authorized-to-perform-operation/1207432#1207432 – Jason Liu Mar 10 '20 at 00:31
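
Added example, not part of the original question or answer: a small audit script that expands the `Action=` globs of a `.pkla` entry against registered action names, to compare what the wildcard file and the narrowed file from the answer each grant. It assumes Python's `fnmatch` is a close enough stand-in for polkit's glob matching, counts only an unconditional `yes` result, and uses a constructed subset of the `pkaction` list shown above; `granted` is a hypothetical helper name.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample: a subset of the udisks2 actions pkaction listed on this page.
REGISTERED = [
    "org.freedesktop.udisks2.ata-secure-erase",
    "org.freedesktop.udisks2.encrypted-unlock-other-seat",
    "org.freedesktop.udisks2.filesystem-mount",
    "org.freedesktop.udisks2.filesystem-mount-other-seat",
    "org.freedesktop.udisks2.filesystem-unmount-others",
    "org.freedesktop.udisks2.modify-device",
    "org.freedesktop.udisks2.read-system-configuration-secrets",
]

WILDCARD_PKLA = """\
[udisks2]
Identity=unix-group:plugdev
Action=org.freedesktop.udisks2.*
ResultAny=yes
"""

NARROW_PKLA = """\
[udisks2]
Identity=unix-user:faheem
Action=org.freedesktop.udisks2.filesystem-mount-other-seat;org.freedesktop.udisks2.filesystem-mount
ResultAny=yes
"""

def granted(pkla_text, registered=REGISTERED):
    """Map each identity to the registered actions its entries answer 'yes' for."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: ResultAny, not resultany
    cp.read_string(pkla_text)
    result = {}
    for section in cp.sections():
        entry = cp[section]
        results = [entry.get(k, "") for k in ("ResultAny", "ResultInactive", "ResultActive")]
        if "yes" not in results:  # skip entries that deny or require authentication
            continue
        globs = [g for g in entry.get("Action", "").split(";") if g]
        hits = {a for a in registered if any(fnmatchcase(a, g) for g in globs)}
        for ident in filter(None, entry.get("Identity", "").split(";")):
            result.setdefault(ident, set()).update(hits)
    return {ident: sorted(acts) for ident, acts in result.items()}

if __name__ == "__main__":
    for name, text in (("wildcard", WILDCARD_PKLA), ("narrow", NARROW_PKLA)):
        for ident, acts in granted(text).items():
            print(f"{name}: {ident} -> {len(acts)} actions: {acts}")
```

On a real system, feed it the output of `pkaction` and the contents of the files under /etc/polkit-1/localauthority/ instead of the embedded samples.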