I won the struggle against hal and policykit

kjon · 2009-02-10 14:57:18

Mwhahaha... 'me so happy'...

Well, the point is I manage in certain way to restore the old behavior of hal using policykit, that is to 'force' hal to do *what I say* and nothing else than that. I restored the functionality of having power and storage groups to shutdown/reboot and mount/umount using a policykit trick that I'm going to explain now.

(1) Create /etc/Policykit/Policykit.conf as follows

<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
<config version="0.1">

       <match user="$storage_users">
               <match action="org.freedesktop.hal.storage.*">
                       <return result="yes"/>
               </match>
               <match action="hal-storage-mount-fixed-extra-options">
                       <return result="yes" />
               </match>
               <match action="hal-storage-mount-removable-extra-options">
                       <return result="yes" />
               </match>
       </match>

    <match user="$power_users">
        <match action="org.freedesktop.hal.power-management.shutdown">
            <return result="yes"/>
        </match>
        <match action="org.freedesktop.hal.power-management.reboot">
            <return result="yes"/>
        </match>
    </match>

</config>

(2) Create /etc/rc.d/polkitparser and chmod +x it

#!/bin/bash

# general config
. /etc/rc.conf
. /etc/rc.d/functions

        stat_busy "Parsing groups for policykit handling"
    export storage_users=$(cat /etc/group | grep -i storage | cut -d ':' -f 4 | sed 's/,/|/')
    export power_users=$(cat /etc/group | grep -i power | cut -d ':' -f 4 | sed 's/,/|/')
    stat_done
exit 0

(3) Add polkitparser to your DAEMONS list on rc.conf *before* hal.

(4) Enjoy!

I hope it helps.

P.S. For slim users: **its very important** to add

session        optional    ck_connector.so

to /etc/pam/login and modify .xinitrc to start your X session with

exec ck-launch-session YOUR-WM

p.s. Hell, my fault: /etc/pam/login -> /etc/pam.d/login (sorry )

Edit 2: Please double check the change I made on the header of PolicyKit.conf. There was a weird token that, when copied, generated an invalid file. Please copy this new file. For checking your configuration use polkit-config-file-validate

Last edited by kjon (2009-02-13 17:50:15)

kjon · 2009-02-10 15:13:10

It seems I was the only one who had policykit issues.. TT_TT boooo

hutch · 2009-02-10 16:11:37

i also have this kind of problems, i waas almost crying yesterday night ;(

I'll try your solution this eveneng

hrobeers · 2009-02-10 16:34:09

Thanks! this works for me, I had the same problem.

My girlfriend didn't like the pmount command

fwojciec · 2009-02-10 17:07:35

Why do you need the script? Isn't editing /etc/pam.d/login and adding ck-launch-session to ~/.xinitrc enough? That's all I had to do on all my systems to have everything working correctly.

kgas · 2009-02-10 18:25:20

Thanks kjon. After the hal upgrade I think mostly lxde/slim users got this issue (I am having gnome in another hard disk and no problem faced). I could not even mount my USB with fat32 fs. But the wiki is there to help and I got this issue resolved from the guidelines given in the wiki.
The point I want to mention is upgrade fails when already hal policy is there in /usr/share/Policykit/policy.After moving the files upgrade went smooth.Like pacman why this did not put the files with .new or so in the directory?

arch_nemesis · 2009-02-10 19:26:50

So, as someone who is newly experiencing usb drive mounting issues, but did not until very recently have any problems, are the contents of this thread a fix for something that is broken, or an additional configuration step that is now required due to an updated hal?

I'll give it a shot later either way, I'm just curious.

kjon · 2009-02-10 20:12:08

@fwojciec

I posted this approach due to **it didn't work for me**, that's all. I modified .xinitrc as you explained, but I couldn't mount anything.

p0ft · 2009-02-10 22:30:39

Well I've had the same problems and was going completely nuts until I saw your post. I didn't need to use your script, tho (but followed the other steps). It's funny cause people are able to handle this problem in different ways.

I've edited the PolicyKit configuration file then added the ck connector to pam.d and ck session to my .xinitrc. Tried the later first, but only when I edited the PolicyKit.conf file it worked.

Now I'm able to automount my pocketpc as a non-root user. \o/

Thanks

methuselah · 2009-02-11 01:30:33

fwojciec wrote:

Why do you need the script? Isn't editing /etc/pam.d/login and adding ck-launch-session to ~/.xinitrc enough? That's all I had to do on all my systems to have everything working correctly.

I found a different thread that fixed both my xfce4/slim shutdown and reboot problems as well as the mounting issue with the PolicyKit.conf edit..... was this the correct way to fix everything?

Or should I undo all of that and then add ck-launch-session to ~/.xinitrc and run the "exec ck-launch-session YOUR-WM"?

At the moment my ~/.xinitrc is:

exec startxfce4

and my PolicyKit.conf is:

<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->

<!DOCTYPE pkconfig PUBLIC "-//freedesktop//DTD PolicyKit Configuration 1.0//EN"
"http://hal.freedesktop.org/releases/PolicyKit/1.0/config.dtd">

<!-- See the manual page PolicyKit.conf(5) for file format -->

<config version="0.1">
 <match user="seventy3"> <!-- replace with your login or delete the line if you want to allow all users to manipulate devices (keep security issues in mind though) -->
               <match action="org.freedesktop.hal.storage.*">
                       <return result="yes"/>
               </match>
               <match action="hal-storage-mount-fixed-extra-options"> <!-- for internal devices mounted with extra options like a wished mount point -->
                       <return result="yes" />
               </match>
               <match action="hal-storage-mount-removable-extra-options"> <!-- for external devices mounted with extra options like a wished mount point -->
                       <return result="yes" />
               </match>
       </match>  <!-- don't forget to delete this line if you deleted the first one -->
               <match action="org.freedesktop.hal.power-management.shutdown">
                       <return result="yes"/>
               </match>
               <match action="org.freedesktop.hal.power-management.reboot">
                       <return result="yes"/>
       </match>
</config>

..... and everything works again after both edits to my PolicyKit.conf.

Last edited by methuselah (2009-02-11 01:32:04)

peart · 2009-02-11 02:47:17

Methuselah,

I believe your current config is working for the wrong reasons. ConsoleKit will give you access to (some) restricted privileges if you have a ConsoleKit session. But since you don't have one (the absence of ck-launch-session), you had to add a rule that basically says "give absolutely everybody the right to shut down." The use of ck-launch-session is both easier and cleaner.

Apparently, getting a ConsoleKit session doesn't automatically give you access to removable storage, though. Those rights have to be explicitely given. So, I think it would be best to remove the power-management stuff from PolicyKit.conf, and add ck-launch-session to your .xinitrc.

methuselah · 2009-02-11 04:29:17

peart wrote:

Methuselah,
I believe your current config is working for the wrong reasons. ConsoleKit will give you access to (some) restricted privileges if you have a ConsoleKit session. But since you don't have one (the absence of ck-launch-session), you had to add a rule that basically says "give absolutely everybody the right to shut down." The use of ck-launch-session is both easier and cleaner.
Apparently, getting a ConsoleKit session doesn't automatically give you access to removable storage, though. Those rights have to be explicitely given. So, I think it would be best to remove the power-management stuff from PolicyKit.conf, and add ck-launch-session to your .xinitrc.

Thank you. I will redo it the correct way. Thanks again for the info.

EDIT: All I did was add that part to /etc/pam.d/login and change my ~/.xinitrc to match. Everything works good. (didn't work when removing the PolicyKit power-management parts.)

Last edited by methuselah (2009-02-11 04:59:07)

psyodin · 2009-02-12 01:07:39

The point I want to mention is upgrade fails when already hal policy is there in /usr/share/Policykit/policy.After moving the files upgrade went smooth.Like pacman why this did not put the files with .new or so in the directory?

where do you move those files to?

i did everything as suggested in the original post but still same problem:

 org.freedesktop.hal.storage.mount-removable no <-- (action, result).

this happens with flash and external HD's that had worked before

i DO have the files listed by kgas in /usr/share/Policykit/policy , perhaps i need to fix that?

/etc/Policykit/Policykit.conf :

<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->

<!DOCTYPE pkconfig PUBLIC "-//freedesktop//DTD PolicyKit Configuration 1.0//EN"
"http://hal.freedesktop.org/releases/PolicyKit/1.0/config.dtd">
<config version="0.1">

       <match user="$storage_users">
               <match action="org.freedesktop.hal.storage.*">
                       <return result="yes"/>
               </match>
               <match action="hal-storage-mount-fixed-extra-options">
                       <return result="yes" />
               </match>
               <match action="hal-storage-mount-removable-extra-options">
                       <return result="yes" />
               </match>
       </match>

    <match user="$power_users">
        <match action="org.freedesktop.hal.power-management.shutdown">
            <return result="yes"/>
        </match>
        <match action="org.freedesktop.hal.power-management.reboot">
            <return result="yes"/>
        </match>
    </match>

</config>

/etc/rc.d/polkitparser: (which i did chmod +x)

#!/bin/bash

# general config
. /etc/rc.conf
. /etc/rc.d/functions

        stat_busy "Parsing groups for policykit handling"
    export storage_users=$(cat /etc/group | grep -i storage | cut -d ':' -f 4 | sed 's/,/|/')
    export power_users=$(cat /etc/group | grep -i power | cut -d ':' -f 4 | sed 's/,/|/')
    stat_done
exit 0

/etc/pam.d/login: (i use slim)( i didnt see etc/pam/login only etc/pam.d/login)

#%PAM-1.0
auth        required    pam_securetty.so
auth        requisite    pam_nologin.so
auth        required    pam_unix.so nullok
auth        required    pam_tally.so onerr=succeed file=/var/log/faillog
# use this to lockout accounts for 10 minutes after 3 failed attempts
#auth        required    pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog
account        required    pam_access.so
account        required    pam_time.so
account        required    pam_unix.so
#password    required    pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password    required    pam_unix.so md5 shadow use_authtok
session        required    pam_unix.so
session        required    pam_env.so
session        required    pam_motd.so
session        required    pam_limits.so
session        optional    pam_mail.so dir=/var/spool/mail standard
session        optional    pam_lastlog.so
session         optional        ck_connector.so

,xinitrc:

#!/bin/sh

#
# ~/.xinitrc
#
# Executed by startx (run your window manager from here)
#



exec ck-launch-session openbox-session

thanks for any help

jacko · 2009-02-12 01:29:50

session optional ck_connector.so

This has to be wrong, it's called pam_ck_connector.so Just use locate and double check for yourself.

are you replacing $storage_user and $power_user with your login username? echo $storage_user gives me no result and as such automounting stops working.

I really hope linux fixes these issues the correct way, this is the biggest hack yet I have had to use to get something so simple to work.

Last edited by jacko (2009-02-12 01:38:46)

kjon · 2009-02-12 16:33:25

guys, $storage_user and $power_user will never give you any result. Those variables get erased due to the 'destruction' of the environment. (It's like running sudo and creating an environment variable, when you escape from it, the environment does the same --unless you tell sudo explicitly to keep this new environment--). If you want to experiment a little bit, 'cat /etc/groups' and run my script. You'll see what happens. (remember to echo $storage_user and $power_user)

Now, about my /etc/rc.d/polkitparser, that tiny script scans /etc/groups and replaces the 'commas' by 'pipes' to be recognized by /etc/policykit/PolicyKit.conf. That file can't understand groups yet, so that's why /etc/groups get parsed in order to get every user from very specific groups. In this case, power and storage. Obviously, this solution won't work on you if you aren't member of those groups. The scope of this solution is to recover the KISS fashion of the power and storage groups.

I've used this solution on a computer lab, where there are more than 500 users (and 40 machines for all of them), so it would be quite unpractical to place every single user in the syntax 'user1|user2|....|user500' for each policykit.conf on the diferent machines.

Last edited by kjon (2009-02-12 16:47:12)

kjon · 2009-02-12 16:37:27

@psyodin

I just created /etc/PolicyKit/PolicyKit.conf and my script. Nothing else. I rebooted my pc (or, if you prefer, on a root shell, run my script and restart dbus an hal --on the same script, to preserve the environment variables--) and problem solved.

@ALL

If you have doubts, please email me. I've a little bit away from forums due to long nights of heavy work (Being a lab admin is driving me nuts...).

Last edited by kjon (2009-02-12 16:39:11)

ras0ir · 2009-02-13 15:00:12

I got everything working with only these modifications: (no scripts, daemons etc.)

my PolicyKit.conf

<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->

<!DOCTYPE pkconfig PUBLIC "-//freedesktop//DTD PolicyKit Configuration 1.0//EN"
"http://hal.freedesktop.org/releases/PolicyKit/1.0/config.dtd">

<!-- See the manual page PolicyKit.conf(5) for file format -->

<config version="0.1">
     <define_admin_auth group="wheel"/>
</config>

I've added this line to the /etc/pam.d/login (this is needed for SLiM):

session     optional     ck_connector.so

And finally, added this line to the ~/.xinitrc:

exec ck-launch-session startxfce4

as you see in PolicyKit.conf, i defined admin group as wheel, so i've added my user to the "wheel" group. Everything works using this way!

kjon · 2009-02-13 18:05:18

Yeah, that's right, you're giving the heaven's (and hell's) powers to the wheel group. However it's a security risk for me. I don't want to have too much powerful groups on my computer.

However, it's up to you

IceHand · 2009-02-13 18:15:01

Thank you for the instructions
Just a quick note:

kjon wrote:

(1) Create /etc/Policykit/Policykit.conf as follows

It should be: "/etc/PolicyKit/PolicyKit.conf"

ras0ir · 2009-02-14 00:35:54

kjon wrote:

Yeah, that's right, you're giving the heaven's (and hell's) powers to the wheel group. However it's a security risk for me. I don't want to have too much powerful groups on my computer.
However, it's up to you

Yeah, you're right, so i've replaced

<define_admin_auth group="wheel"/>

line with this one:

<define_admin_auth user="ras0ir"/>

and it worked too .

ap_ · 2009-02-14 13:38:11

Thank you kjon! I was going nuts with my desktop PC not mounting usb HDD, since the instructions in the wiki didn't work. Now works perfectly!

Funnily enough, I didn't have any problems with my laptop.

Last edited by ap_ (2009-02-14 13:38:31)

man in black · 2009-02-14 19:00:33

ras0ir wrote:

<define_admin_auth user="ras0ir"/>
and it worked too .

Yes, it worked like a charm!

kjon · 2009-02-15 22:09:25

I guess a different approach might be parsing wheel from /etc/groups and add those users to define_admin_auth using the same technique shown on polkitparser.
Again, is up to you

man in black · 2009-02-17 03:07:50

This is the way I did it. The result: CDs and DVDs automounts in Nautilus and my NTFS and HFSplus partitions mounts with a single click in the sidebar, but they don't automount at login. And a regular user can now reboot and shutdown - just the way I want it! Hey, I'm a lazy guy

First,

sudo gpasswd -a username storage

In /etc/PolicyKit/PolicyKit.conf

<config version="0.1">
<match action="org.freedesktop.hal.storage.mount-removable">
<return result="yes" />
</match>
<match action="org.freedesktop.hal.storage.eject-removable">
<return result="yes" />
</match>
<match action="org.freedesktop.hal.storage.mount-fixed">
<return result="yes"/>
</match>
<match action="hal-storage-mount-fixed-extra-options">
<return result="yes"/>
</match>
<match action="hal-storage-mount-removable-extra-options">
<return result="yes"/>
</match>
</config>

Create the file /etc/hal/fdi/policy/disable-automount.fdi

<device>
   <match key="storage.hotpluggable" bool="false">
     <match key="storage.removable" bool="false">
       <merge key="storage.automount_enabled_hint" type="bool">false</merge>
     </match>
   </match>
</device>

Add this line in /etc/pam.d/login

session            optional   pam_ck_connector.so

Add this in /etc/dbus-1/system.d/hal.conf

<policy group="storage">
   <allow send_interface="org.freedesktop.Hal.Device.Volume"/>
   <allow send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>
</policy>

And finally, in ~ .xinitrc:

exec ck-launch-session your-WM

It seems to work just fine, but the automounted partitions is owned root:root.

Have someone got a clue how to automount users:username?

EDIT: I figured it out!

In Gnome, fire up gconf-editor

Go to system>storage>default_options>ntfs-3g>mount_options

Edit the options so it will work for your needs.

Last edited by man in black (2009-02-17 17:56:03)

R00KIE · 2009-02-17 12:33:47

Don't you want sed 'y/,/|/' instead?
sed 's/,/|/' really isn't doing the trick for me (tried it in the terminal), it replaced the first comma but not the second one as in
user1,user2,user3 -> user1|user2,user3
sed 'y/,/|/' seems to replace everything correctly.

Arch Linux

#1 2009-02-10 14:57:18

I won the struggle against hal and policykit

#2 2009-02-10 15:13:10

Re: I won the struggle against hal and policykit

#3 2009-02-10 16:11:37

Re: I won the struggle against hal and policykit

#4 2009-02-10 16:34:09

Re: I won the struggle against hal and policykit

#5 2009-02-10 17:07:35

Re: I won the struggle against hal and policykit

#6 2009-02-10 18:25:20

Re: I won the struggle against hal and policykit

#7 2009-02-10 19:26:50

Re: I won the struggle against hal and policykit

#8 2009-02-10 20:12:08

Re: I won the struggle against hal and policykit

#9 2009-02-10 22:30:39

Re: I won the struggle against hal and policykit

#10 2009-02-11 01:30:33

Re: I won the struggle against hal and policykit

#11 2009-02-11 02:47:17

Re: I won the struggle against hal and policykit

#12 2009-02-11 04:29:17

Re: I won the struggle against hal and policykit

#13 2009-02-12 01:07:39

Re: I won the struggle against hal and policykit

#14 2009-02-12 01:29:50

Re: I won the struggle against hal and policykit

#15 2009-02-12 16:33:25

Re: I won the struggle against hal and policykit

#16 2009-02-12 16:37:27

Re: I won the struggle against hal and policykit

#17 2009-02-13 15:00:12

Re: I won the struggle against hal and policykit

#18 2009-02-13 18:05:18

Re: I won the struggle against hal and policykit

#19 2009-02-13 18:15:01

Re: I won the struggle against hal and policykit

#20 2009-02-14 00:35:54

Re: I won the struggle against hal and policykit

#21 2009-02-14 13:38:11

Re: I won the struggle against hal and policykit

#22 2009-02-14 19:00:33

Re: I won the struggle against hal and policykit

#23 2009-02-15 22:09:25

Re: I won the struggle against hal and policykit

#24 2009-02-17 03:07:50

Re: I won the struggle against hal and policykit

#25 2009-02-17 12:33:47

Re: I won the struggle against hal and policykit

Board footer