You are not logged in.
Hi,
I recently upgraded and have now nautlius 2.28.2-1 together with devicekit-disks 009-1 installed.
As usual mounting/unmounting USB disks in nautilus stopped working. I searched the wiki, forums, bugs and google to gather information about this topic, but you know ...
When I try to mount a disk (they all show up in nautilus) nautilus pops up an error declaring me "Not Authorized". After quite some reading I think nautilus now uses devicekit-disks to actually mount my USB disks, so I tried to mount it with devicekit-disks:
[resi@nomad ~]$ devkit-disks --mount /dev/sdc
Mount failed: Not Authorized
In older versions of nautilus I used to edit some files in /etc to grant myself permissions (PolicyKit.conf), but this does not work anymore.
I found a hint and edited /usr/share/polkit-1/actions/org.freedesktop.devicekit.disks.policy (this one is coming with devicekit-disks) and modified the default for the actions org.freedesktop.devicekit.disks.filesystem-mount action:
<allow_any>yes</allow_any>
Having done so I can now mount the USB disks using nautilus, devicekit-disks or palimpsest (suffering from the same "Not Authorized" problem). Unmounting has a little flaw though, it seems like nautilus tries to eject the medium when unmounting, but then again its "Not Authorized" to do so.
However, this is the only solution I could come up with. Since the file I modified will probably be replaced without notice during the next upgrade I fear I will have to go all the way again, not remembering anymore what I did to fix this (otoh, after writing this I probably will).
And since the values in org.freedesktop.devicekit.disks.policy are declared as defaults (and by the fact it lives under /usr) I assume there has to be a site configuration file somewhere in /etc.
Where should I but my customizations? I mean, whats the proper way to do so?
Thanks,
Christoph
P.S.: I like nautilus, it makes me unhappy to use thunar/pmount/whatever to mount my disks.
Offline
Haven't touch policy files for long. Did you add yourself into the "storage" group? Since in default devicekit-disks should allow users in "storage" group to mount disks automatically.
Archlinux x86_64 on Thinkpad T400
Intel X4500MHD / ATI HD3470 Graphics, 2G RAM, 160G HD
Offline
This actually worked. Thank you!
Offline
Now this is interesting. Does this mean we don't need HAL anymore?
Allan-Volunteer on the (topic being discussed) mailn lists. You never get the people who matters attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.
Offline
Now this is interesting. Does this mean we don't need HAL anymore?
The trend is to abandon HAL and leave its work to devicekit-disks/power and udev, but at present HAL is still needed and under code maintenance only. (However, I am not sure which parts of it are still functioning)
Archlinux x86_64 on Thinkpad T400
Intel X4500MHD / ATI HD3470 Graphics, 2G RAM, 160G HD
Offline
Haven't touch policy files for long. Did you add yourself into the "storage" group? Since in default devicekit-disks should allow users in "storage" group to mount disks automatically.
I think the group settings are ok. So there must be something else I miss.
[resi@nomad ~]$ groups
root wheel uucp video audio optical storage nobody users samba
EDIT: To test this I just created a user being member of all groups. Still not authorized ...
Last edited by resi (2009-12-16 18:42:46)
Offline
me again ... this whole *kit stuff seems so odd to me.
I finally read all the devicekit, then the policykit docs, Syu-ed and have now devicekit-disks 009-3 installed.
Using polkit-actions without arguments prints a list of registered actions (known to policykit). This list was pretty short:
[resi@nomad ~]$ polkit-action
org.freedesktop.policykit.read
org.freedesktop.policykit.revoke
org.freedesktop.policykit.grant
org.freedesktop.policykit.modify-defaults
PolicyKit considers all *.policy files under /usr/share/PolicyKit/policy/, only the policykit package installs its files (well, its one file) there.
devicekit-disks (and probably some other packages providing *.policy files) seems to forget about that. So I added a symlink:
[root@nomad policy]# ln -s /usr/share/polkit-1/actions/org.freedesktop.devicekit.disks.policy /usr/share/PolicyKit/policy/
Thats not enough, the file seems to be out of date. I had to replace all auth_admin_keep defaults with auth_admin_keep_session until the file validated.
And hurray:
[resi@nomad ~]$ polkit-action
org.freedesktop.policykit.read
org.freedesktop.policykit.revoke
org.freedesktop.policykit.grant
org.freedesktop.policykit.modify-defaults
org.freedesktop.devicekit.disks.filesystem-mount
org.freedesktop.devicekit.disks.filesystem-mount-system-internal
org.freedesktop.devicekit.disks.filesystem-check
org.freedesktop.devicekit.disks.filesystem-check-system-internal
org.freedesktop.devicekit.disks.filesystem-unmount-others
org.freedesktop.devicekit.disks.filesystem-lsof
org.freedesktop.devicekit.disks.filesystem-lsof-system-internal
org.freedesktop.devicekit.disks.drive-eject
org.freedesktop.devicekit.disks.drive-detach
org.freedesktop.devicekit.disks.change
org.freedesktop.devicekit.disks.change-system-internal
org.freedesktop.devicekit.disks.drive-ata-smart-refresh
org.freedesktop.devicekit.disks.drive-ata-smart-selftest
org.freedesktop.devicekit.disks.drive-ata-smart-retrieve-historical-data
org.freedesktop.devicekit.disks.luks-unlock
org.freedesktop.devicekit.disks.luks-lock-others
org.freedesktop.devicekit.disks.linux-md
org.freedesktop.devicekit.disks.cancel-job-others
org.freedesktop.devicekit.disks.inhibit-polling
org.freedesktop.devicekit.disks.drive-set-spindown
polkit-auth shows my authorizations, thus:
[resi@nomad ~]$ polkit-auth | grep mount
org.freedesktop.devicekit.disks.filesystem-mount
org.freedesktop.devicekit.disks.filesystem-mount-system-internal
org.freedesktop.devicekit.disks.filesystem-unmount-others
It seems to me that I am authorized for all actions listed above, I guess thats because this user is in both the wheel and root groups.
However, when I try to actually mount something nothing has changed.
[resi@nomad ~]$ devkit-disks --mount /dev/sdc
Mount failed: Not Authorized
Since policykit is now properly configured I can use polkit-action or polkit-gnome-authorization to modify the default values in the way polkit expects me to (not tampering with with the *.policy files).
[resi@nomad ~]$ polkit-action --action org.freedesktop.devicekit.disks.filesystem-mount
action_id: org.freedesktop.devicekit.disks.filesystem-mount
description: Mount a device
message: Authentication is required to mount the device
default_any: yes (factory default: no)
default_inactive: yes (factory default: no)
default_active: yes
But even now mounting fails because I'm not authorized.
Back to the start, if I change the factory defaults in org.freedesktop.devicekit.disks.policy mounting succeeds.
I think there might be 2 bugs involved here:
1.) missing links to policy files in /usr/share/PolicyKit/policy/
2.) policykit fails to consider overrides for factory defaults
What do you think?
Offline
Using polkit-actions without arguments prints a list of registered actions (known to policykit). This list was pretty short:
[resi@nomad ~]$ polkit-action org.freedesktop.policykit.read org.freedesktop.policykit.revoke org.freedesktop.policykit.grant org.freedesktop.policykit.modify-defaults
I have that too, but automounting works. The reason is that there are 2 policykit versions atm, PolicyKit and policykit-1. PolicyKit is being phased out. Try doing pkaction and you should see a much much longer list. If I were you I'd stop messing around with policykit, revert all the changes you've made and reinstall both of them. Then maybe automounting will work. Personally I've never had to configure anything at all and automounting just works.
"You can watch for your administrator to install the latest kernel with watch uname -r" - From the watch man page
Offline
I have that too, but automounting works. The reason is that there are 2 policykit versions atm, PolicyKit and policykit-1. PolicyKit is being phased out. Try doing pkaction and you should see a much much longer list. If I were you I'd stop messing around with policykit, revert all the changes you've made and reinstall both of them. Then maybe automounting will work. Personally I've never had to configure anything at all and automounting just works.
What is the exact difference between PolicyKit and PolKit? The descriptions of the two packages are the same, I got quite confused with this.
I don't recommend to edit policies manually either, since all these files may be overwritten during upgrades.
Archlinux x86_64 on Thinkpad T400
Intel X4500MHD / ATI HD3470 Graphics, 2G RAM, 160G HD
Offline
polkit is a newer version of policykit that isn't api compatible with the old one, but some programs haven't been rewritten to use it yet so both of them are installed, under different names so they don't conflict. the old policykit will eventually go away though. and yeah, in general try not to edit anything under /usr
"You can watch for your administrator to install the latest kernel with watch uname -r" - From the watch man page
Offline
I have that too, but automounting works. The reason is that there are 2 policykit versions atm, PolicyKit and policykit-1. PolicyKit is being phased out. Try doing pkaction and you should see a much much longer list. If I were you I'd stop messing around with policykit, revert all the changes you've made and reinstall both of them. Then maybe automounting will work. Personally I've never had to configure anything at all and automounting just works.
Ahhh, I didn't know about the 2 versions.
Of course I don't like messing around in /usr, so I removed the policykit stuff and reinstalled polkit.
I'm still not authorized to mount anything, but at least pkcheck confirms this ;-).
[resi@nomad ~]$ pkcheck --action-id org.freedesktop.devicekit.disks.filesystem-mount --process $BASHPID
Not authorized.
I need to learn how to configure polkit configuration now.
Offline
Of course I don't like messing around in /usr, so I removed the policykit stuff and reinstalled polkit.
Ok, good. I think you can put stuff under /etc/polkit-1 and it overrides the stuff in /usr/share but I'm not sure tbh.
I'm still not authorized to mount anything, but at least pkcheck confirms this ;-).
[resi@nomad ~]$ pkcheck --action-id org.freedesktop.devicekit.disks.filesystem-mount --process $BASHPID Not authorized.
I need to learn how to configure polkit configuration now.
ok yeah i tried that and i am authorized. my /usr/share/polkit-1/actions/org.freedesktop.devicekit.disks.policy shows this:
<action id="org.freedesktop.devicekit.disks.filesystem-mount">
<description>Mount a device</description>
<description xml:lang="da">Montér en enhed</description>
<message>Authentication is required to mount the device</message>
<message xml:lang="da">Autorisering er påkrævet for at montere et fil system</message>
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
</action>
I might poke around for a bit and see what that stuff means
Edit: ok, looks like /etc/polkit-1 is completely unrelated. However, a workaround to your original problem would be to change allow_any to "yes" for the following actions:
org.freedesktop.devicekit.disks.filesystem-mount
org.freedesktop.devicekit.disks.filesystem-unmount-others
org.freedesktop.devicekit.disks.drive-eject
org.freedesktop.devicekit.disks.drive-detach
you should probably play around and bit and change as few of those as possible. then add this (the missing / is intentional) to /etc/pacman.conf:
NoUpgrade = usr/share/polkit-1/actions/org.freedesktop.devicekit.disks.policy
Edit 2: but before you do that, try this (the output is there for comparison, see if you have active = TRUE and is-local = TRUE):
$ ck-list-sessions
Session2:
unix-user = '1000'
realname = 'Pirate Jonno'
seat = 'Seat1'
session-type = ''
active = TRUE
x11-display = ':0'
x11-display-device = '/dev/tty7'
display-device = ''
remote-host-name = ''
is-local = TRUE
on-since = '2009-12-17T00:41:14.708048Z'
login-session-id = '4294967295'
Last edited by PirateJonno (2009-12-17 10:32:52)
"You can watch for your administrator to install the latest kernel with watch uname -r" - From the watch man page
Offline
How did you log into your desktop? I am wondering if it's something related to the ConsoleKit? This authentication problem is really annoying, since we are almost automatically granted these permissions in default.
Hope this helps: https://bugs.launchpad.net/ubuntu/+sour … bug/478274
Archlinux x86_64 on Thinkpad T400
Intel X4500MHD / ATI HD3470 Graphics, 2G RAM, 160G HD
Offline
Thanks PirateJonno, I appreciate your help there.
My policy file looks the same.
Only if I change <allow_any> to "yes" I get authorization.
I'm still a bit unsure about the meaning of <allow_any>, <allow_inactive> and <allow_active>, but I'm aware these relate to sessions directly on the host or remote logins.
Most of the time I'm using ssh or vnc, so that might be the reason I need to set <allow_any>.
However, now that I feel so close to a solution I'd prefer to not change the policy file but use some local configuration overrides. I just don't have enough time right now to play around with this, got to do similar but still completly unrelated work ;-)
Offline
No problem. I too have similar but unrelated work, this is my way of procrastinating about it . Well anyway, i think allow_any just means anyone is allowed to do it without authorization, whereas allow_(in)active seems to relate to consolekit sessions but im not 100% sure yet (see leeyee's post). in one of the man pages i read it said something about an active session being one thats on a display, whereas inactive is on a different tty or has been fast-user-switched out of or something. anyway i think the ck-list-sessions output would be helpful
"You can watch for your administrator to install the latest kernel with watch uname -r" - From the watch man page
Offline
After reading leeyees post I tried again with ck sessions. I almost forgot about that in my ssh logins. So here we go:
[resi@nomad ~]$ ck-launch-session
[resi@nomad ~]$ ck-list-sessions
Session7:
unix-user = '1000'
realname = 'Christoph Rissner'
seat = 'Seat1'
session-type = ''
active = FALSE
x11-display = ''
x11-display-device = ''
display-device = '/dev/pts/0'
remote-host-name = ''
is-local = TRUE
on-since = '2009-12-17T11:12:37.181697Z'
login-session-id = '4294967295'
/dev/pts/0 is the correct terminal, but now I see that the session is marked inactive. A quick pkcheck confirms this, I can now leave allow_any = no but only need allow_inactive.
How do I activate a console kit session? I assumed ck-lauch-session in an interactive shell would be enough, but thats obviously not true.
So everything seems to be fine, I just was awfully misguided on my way.
Offline
active = FALSE
yup, thought so. no idea how you activate a session but i'd suggest you read the launchpad link, seems like people there had your exact problem. also check daemon.log for consolekit messages.
P.S. was that the only session listed? because gdm should create one automatically
Edit: oh wait you're in ssh? well its probably a good idea to test it locally when you have the time
Last edited by PirateJonno (2009-12-17 11:07:01)
"You can watch for your administrator to install the latest kernel with watch uname -r" - From the watch man page
Offline
There were actually 2 sessions, the ssh and another one running in Xvnc (using ck-launch-session .... to start my WM). Both are marked inactive.
After reading --debug info from console-kit-daemon I found this one:
Dec 17 12:40:05 nomad console-kit-daemon[14664]: DEBUG: Debugging enabled
Dec 17 12:40:05 nomad console-kit-daemon[14664]: WARNING: Failed to acquire org.freedesktop.ConsoleKit
Dec 17 12:40:05 nomad console-kit-daemon[14664]: WARNING: Could not acquire name; bailing out
(which reminds my to fix my ntp lookup).
leading me there:
http://www.linux-archive.org/ubuntu-use … n-log.html
Somebody mentions consolekit still depends on policykit, so I reinstalled it and console-kit-daemon starts up without warnings.
The session is still marked inactive, maybe thats due to the ssh login. Also the vnc session is inactive.
I will try this from a local console when I'm at home, also using the display manager login (I use entrance).
Thanks for helping me so far, I feel even closer to a solution than ever :-)
Offline
oh ok, i have no idea how consolekit works from ssh or xvnc so better do local just in case yeah. good idea to reinstall policykit
haha ok, sorry i just assumed you were using gdm since it had gnome in the title. in that case it may be an issue with entrance (no idea why though). anyway im off to bed now
"You can watch for your administrator to install the latest kernel with watch uname -r" - From the watch man page
Offline
Yesterday evening I tried this stuff on a local console and using gdm to login. Guess what, it just worked.
So after all, I learned a lot about console-, pol(icy)- and devicekit. Although I was sceptic about the yet-another-permission-managment-stuff when I first read about it, I now think this will turn out really nice.
What remains for me is to learn about consolekit settings.
- Whats the special thing gdm does and entrance doesn't?
- How do I activate sessions in ssh/vnc? Why are these session inactive and local (instead of active and remote, if the difference matters)?
- Ad vnc: Can I fire up my favorite WM (e17 for what its worth) and make the ck session active? Or do I need a gnome-session?
- How can I grant (specific) actions to some users/groups?
I don't know yet when I will have time again to further play with this, but I will post my findings then.
Thanks a lot for helping me there.
Offline
oh ok, thats good to know. i second the *kit stuff, its a nice solution, just needs some ironing out really.
not too sure what entrance isn't doing but ill have a look at the consolekit source to see what active means. been meaning to patch it so my system wont shut down when mythtv is running, anyway.
to grant specific actions to users/groups check out 'man pklocalauthority'
"You can watch for your administrator to install the latest kernel with watch uname -r" - From the watch man page
Offline
to grant specific actions to users/groups check out 'man pklocalauthority'
Well I did that, but I will do again since it didn't work out in the first attempt :-)
Offline
well i haven't actually tried it, but give it a go anyway i guess. anyway i think i just found a bug in the consolekit code where the "idle-hint" property is listed as "active". maybe that is getting set to false somehow and it rolls over? ill just report this then keep looking
edit: ok so i found in this file: http://cgit.freedesktop.org/ConsoleKit/ … /ck-seat.c a command that may let you activate your session anywhere (on line 276):
dbus-send --system --dest=org.freedesktop.ConsoleKit --type=method_call --print-reply --reply-timeout=2000 /org/freedesktop/ConsoleKit/Seat1 org.freedesktop.ConsoleKit.Seat.ActivateSession objpath:/org/freedesktop/ConsoleKit/Session2
Last edited by PirateJonno (2009-12-18 11:19:00)
"You can watch for your administrator to install the latest kernel with watch uname -r" - From the watch man page
Offline
Good idea, but its not working:
Session5:
unix-user = '1000'
realname = 'Christoph Rissner'
seat = 'Seat1'
session-type = ''
active = FALSE
x11-display = ''
x11-display-device = ''
display-device = '/dev/pts/0'
remote-host-name = ''
is-local = TRUE
on-since = '2009-12-18T12:59:42.342058Z'
login-session-id = '4294967295'
[resi@nomad ~]$ tty
/dev/pts/0
[resi@nomad ~]$ dbus-send --system --dest=org.freedesktop.ConsoleKit --type=method_call --print-reply --reply-timeout=2000 /org/freedesktop/ConsoleKit/Seat1 org.freedesktop.ConsoleKit.Seat.ActivateSession objpath:/org/freedesktop/ConsoleKit/Session5
Error org.freedesktop.DBus.GLib.UnmappedError.CkSeatError.Code0: Unable to activate session
Offline
maybe try it as root? anyway its a pretty ugly command, there must be a way to get it active in the first place...
"You can watch for your administrator to install the latest kernel with watch uname -r" - From the watch man page
Offline