FS#35357 - [udisks2] support mounting for users in storage group

Attached to Project: Arch Linux
Opened by Felipe Contreras (felipec) - Sunday, 19 May 2013, 01:13 GMT
Last edited by Jan de Groot (JGC) - Tuesday, 21 May 2013, 23:02 GMT
Task Type Feature Request
Category Packages: Extra
Status Closed
Assigned To Ionut Biru (wonder)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

By default users are forced to eternally type the root password each time they want to mount a local partition, even when they are in the 'storage' group, which is meant *precisely* to avoid this; if the storage group doesn't allow users in this group to mount partitions, then what does it do?

Fortunately the developers of polkit allowed distributions to configure sane defaults, so this does the trick:

cat > /etc/polkit-1/rules.d/10-udisks2.rules <<EOF
// override for storage group users
polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.freedesktop.udisks2.") == 0 &&
        subject.isInGroup("storage")) {
        return polkit.Result.YES;
    }
});
EOF

Currently each and every user is forced to do this, even though we know it's the right thing to do, and we know it's a sane default.

It's described in the wiki page:
https://wiki.archlinux.org/index.php/PolicyKit

It's described on other wiki pages:
https://wiki.archlinux.org/index.php/Enlightenment

It's described in forums:
http://bbs.archbang.org/viewtopic.php?id=2720

And in descendant distributions:
http://wiki.manjaro.org/index.php/Access_Partitions_Without_Entering_a_Password

Let's not fool ourselves into thinking that upstream wants us to ship without vendor configurations; they provide a minimal configuration and expect distributions to provide sane defaults depending on their needs.

We do have a standard 'storage' group, so let's use it by adding the aforementioned configuration.

Closed by Jan de Groot (JGC)
Tuesday, 21 May 2013, 23:02 GMT
Reason for closing: Won't implement
Comment by Felipe Contreras (felipec) - Sunday, 19 May 2013, 05:45 GMT
Here's the file with the rule.
Comment by Matthias Dienstbier (fs4000) - Sunday, 19 May 2013, 10:18 GMT
This rule allows users in the storage group to do pretty much everything with your hard disks. This is almost equivalent to giving them root privileges.

If you want your users to be able to mount filesystems on system disks then you can add them to /etc/fstab. The gnome-disk-utility has a nice GUI for doing this.

I'm against adding such a rule. Even if it is limited to mounting.
Comment by Ionut Biru (wonder) - Sunday, 19 May 2013, 10:35 GMT
I'm against touching upstream rules. If the default rules do not suit you well, you are free to overwrite them in /etc/udev/
Comment by Felipe Contreras (felipec) - Monday, 20 May 2013, 09:15 GMT
  • Field changed: Percent Complete (100% → 0%)
There are no "upstream rules", the rules are left for distributions entirely.

If the 'storage' group can't mount a partition, what's the purpose of such group?

No, it's not the same as giving them root privileges, they can only do operations with udisks2, nothing more. udisks2 is meant to operate on storage devices, which is exactly what the 'storage' group is for.

gnome-disk-utility will *ask* for the root password, essentially ignoring the fact that the user is in the 'storage' group.

For all intents and purposes it's as if the 'storage' group didn't exist at all.
Comment by Ionut Biru (wonder) - Monday, 20 May 2013, 09:26 GMT
I don't mind being asked for root or any admin password. If you add your luser into the wheel group, polkit asks for the luser password instead of root's.

I maintain my decision. The current implementation works for desktop usage. If you are not happy with it, you are free to change the behavior in your system.
Comment by Felipe Contreras (felipec) - Tuesday, 21 May 2013, 22:58 GMT
  • Field changed: Percent Complete (100% → 0%)
So let me get this straight: you won't allow discussion, and you won't answer perfectly reasonable questions? Is that right Mr. despot?
Comment by Jan de Groot (JGC) - Tuesday, 21 May 2013, 23:00 GMT
The storage group is something ancient left over from before ACLs and policykit/polkit came in.
The default rules allow users to mount removable devices. Fixed disks are only mountable if you enter the root password. If you want users to mount a fixed disk partition, you should configure it that way.
Your polkit rule allows pretty much every udisks operation for users in the storage group. Regular users who are members of the storage group could even format your fixed disk partitions with that.

Looking at other operating systems, I don't see any implementation that allows disk management to users who are in some magic group which is not "Administrators" or, in the case of Linux, "root".
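
The scope question argued in the comments above can be checked mechanically. The following is an added example, not part of the original task or of Arch's packaging: a small Node.js harness that lists which of a sample of udisks2 action IDs a rule answers with polkit.Result.YES. The makePolkit stub is an assumed stand-in for polkit's rule engine, and mountOnlyRule is a hypothetical narrower variant of the proposed rule.

```javascript
// Stand-in for polkit's rule engine (assumption: first rule to return a value wins).
function makePolkit() {
  const rules = [];
  return {
    Result: { YES: "yes" },
    addRule(fn) { rules.push(fn); },
    check: (id, groups) => {
      const subject = { isInGroup: (g) => groups.includes(g) };
      // No rule answered: the packaged default policy decides.
      return rules.map((r) => r({ id }, subject)).find(Boolean) || "packaged-default";
    },
  };
}

// The rule proposed in the task: any udisks2 action for the storage group.
function broadRule(polkit) {
  polkit.addRule(function (action, subject) {
    if (action.id.indexOf("org.freedesktop.udisks2.") == 0 &&
        subject.isInGroup("storage")) {
      return polkit.Result.YES;
    }
  });
}

// Hypothetical narrower variant: only mounting filesystems on system devices.
function mountOnlyRule(polkit) {
  polkit.addRule(function (action, subject) {
    if (action.id == "org.freedesktop.udisks2.filesystem-mount-system" &&
        subject.isInGroup("storage")) {
      return polkit.Result.YES;
    }
  });
}

// Sample of udisks2 action IDs; the set installed depends on the udisks2 version.
const ACTIONS = [
  "org.freedesktop.udisks2.filesystem-mount-system",
  "org.freedesktop.udisks2.encrypted-unlock-system",
  "org.freedesktop.udisks2.modify-device-system", // formatting, partitioning
  "org.freedesktop.udisks2.ata-secure-erase",
];

// Action IDs from the sample that a rule answers with YES for these groups.
function granted(installRule, groups) {
  const pk = makePolkit();
  installRule(pk);
  return ACTIONS.filter((id) => pk.check(id, groups) === pk.Result.YES);
}

console.log("broad:", granted(broadRule, ["storage"]));
console.log("mount-only:", granted(mountOnlyRule, ["storage"]));
```

On a real system, pkaction lists the installed action IDs, and that list is the one to audit a rule against.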
