[SOLVED] Why can't I do certain things as user with polkit-gnome?

twilight0 · 2012-03-17 10:52:15

Hi everyone,

I re-installed Arch from scratch a week ago and I am still trying to get things optimized.

So I have GNOME 3 along with GDM and the polkit-gnome package as well. The polkit agent is autostarted according to gnome-session-properties, but when I do this:

ps -ef | grep polkit-gnome

root 2304 2299 0 12:24 pts/0 00:00:00 grep polkit-gnome

Polkit agent doesn't seem to autostart. However I can power-off, reboot, mount/unmount usb sticks as user, but can't edit connections with network-manager and can't mount my e-SATA external hard disk as user

I added my user in the network group and I can now edit connections as user, but is this a safe practice? If it safe and supposed to be like that, I 'll edit the wiki because I didn't find any relative information about it.

I also found that I had to add a polkit rule in another topic, but that didn't work:

nano /etc/polkit-1/localauthority/50-local.d/org.freedesktop.NetworkManager.pkla

[nm-applet]
Identity=unix-group:network
Action=org.freedesktop.NetworkManager.*
ResultAny=yes
ResultInactive=no
ResultActive=yes

Well, actually it did after I added my user to the network group.

As for the e-SATA thing, do I have to add some special udev rule?

Last edited by twilight0 (2012-03-19 19:29:19)

Strike0 · 2012-03-17 12:39:35

Great thread! Don't have an esata, but will contribute as I see fit later of course. How about adding the user to the storage group?

As for the safe practise with "network" group, I would say it depends much on individual usage patterns (who uses the PC, in which foreign networks, do you need a governed network policy, etc.) but also on whether networkmanager configuraton prohibits storing login credentials un-hashed. A further useful quirk may include prohibiting overwriting of resolv.conf in some cases to route via known DNS. But many more may be useful depending on the case: one resource on it.

twilight0 · 2012-03-17 13:15:47

Yes, I forgot to say that my user is also in the storage group.

AFAIK Linux treats e-SATA disks the same way normal SATA does, so perhaps I need some special udev/polkit rule?

I have only one user sitting on my laptop, that's me, so no need for special permissions regarding something. I don't care about resolv.conf, when I have dnsmasq running I configure it to use resolv.conf.custom.

wonder · 2012-03-17 13:47:52

imo, you did NOT specify what you cannot do. second, you did not specify if you use gnome-shell or fallback mode. Just after you specify something, i could aswer your questions.

and NO, you are NOT supposed to edit pkla or add your user to useless groups like storage, everything works out of the box.

Last edited by wonder (2012-03-17 13:48:12)

Strike0 · 2012-03-17 14:43:41

I understand you may want to safeguard user's polkit tinkering with what should work out-the-box.

Nonetheless, your comment is fairly unconstructive IMHO. I guess you just over-read OP stating that mounting an eSATA (external SATA disk) as an ordinary user apparently does not work. And that gnome-shell and not fallback is at question can be assumed I would say.

twilight0 · 2012-03-17 23:28:51

wonder wrote:

imo, you did NOT specify what you cannot do. second, you did not specify if you use gnome-shell or fallback mode. Just after you specify something, i could aswer your questions.
and NO, you are NOT supposed to edit pkla or add your user to useless groups like storage, everything works out of the box.

I have already stated what doesn't work they way I would like to:

twilight0 wrote:

but can't edit connections with network-manager and can't mount my e-SATA external hard disk as user

Ok then, remove my user from the storage and network group, remove any custom polkit rules, but then I end up to the point where Linus points out "too much security is non-sense". Then log in as root and do it the way "screw this I am back to Windows". Thanks for the aggressive answer.

Also it doesn't matter if I use the shell or fallback, or does it? So storage and other groups are useless, yes?

Strike0 wrote:

I understand you may want to safeguard user's polkit tinkering with what should work out-the-box.
Nonetheless, your comment is fairly unconstructive IMHO. I guess you just over-read OP stating that mounting an eSATA (external SATA disk) as an ordinary user apparently does not work. And that gnome-shell and not fallback is at question can be assumed I would say.

I would really like to have a setup much Ubuntu like, except being Arch based, like Linus said, connect to a network as a user, mount all sorts of removable media as user, use Virtualbox as user, but pacman for example should always be used by root.

Am I asking something unnatural?

What is an OP by the way?

Strike0 · 2012-03-18 00:53:26

OP is abbreviated for original poster, I was too lazy to scroll up and look for your nickname when writing.
How do you mount your e-SATA as administrator? You have an fstab entry for it?

cfr · 2012-03-18 02:45:45

wonder wrote:

and NO, you are NOT supposed to edit pkla or add your user to useless groups like storage, everything works out of the box.

Adding your user to the storage group is included in the instructions for adding a user at https://wiki.archlinux.org/index.php/Be … ing_a_User and also mentioned at https://wiki.archlinux.org/index.php/Groups#Groups. Could you please explain which of the groups are no longer recommended so that those of us who followed the guide can adjust our setups and somebody can update the instructions?

Also, what exactly is supposed to work out of the box? Mounting removable media does not generally work here, though it does work in some particular cases.

Last edited by cfr (2012-03-18 02:51:52)

wonder · 2012-03-18 07:35:29

Is enough to have your user in users group, which is the default one. Everything else is handled by consolekit+udev-acl+polkit.

maybe your esata drive is not even detected by kernel...

cfr · 2012-03-18 19:05:05

$ groups
lp wheel games video audio optical storage scanner power users <user-group> <local-addition>

Apart from the last two, all of these are based on additions recommended by the wiki's guide. Are all of these deprecated (apart maybe from wheel)?

jon · 2012-03-18 19:24:39

twilight0 wrote:

I would really like to have a setup much Ubuntu like, except being Arch based, like Linus said, connect to a network as a user, mount all sorts of removable media as user, use Virtualbox as user, but pacman for example should always be used by root.
Am I asking something unnatural?

Un-natural? Perhaps. But mostly for servers. Personally, I used Ubuntu's settings as a starting point for my own. This is for my laptop where I am the only user, and I don't want to be bothered by typing in passwords for every-day things.

I put my settings in: /etc/polkit-1/localauthority/50-local.d/com.arch.desktop.pkla

[Mounting, checking, etc. of internal drives]
Identity=unix-group:admin;unix-group:wheel
Action=org.freedesktop.udisks.filesystem-*;org.freedesktop.udisks.drive-ata-smart*
ResultActive=yes

[Change CPU Frequency scaling]
Identity=unix-group:admin;unix-group:wheel
Action=org.gnome.cpufreqselector
ResultActive=yes

[Setting the clock]
Identity=unix-group:admin;unix-group:wheel
Action=org.gnome.clockapplet.mechanism.*;org.gnome.settingsdaemon.datetimemechanism.*;org.kde.kcontrol.kcmclock.save
ResultActive=yes

[Adding or changing system-wide NetworkManager connections]
Identity=unix-group:admin;unix-group:wheel
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultActive=yes

[Printer administration]
Identity=unix-group:lpadmin;unix-group:admin;unix-group:wheel
Action=org.opensuse.cupspkhelper.mechanism.*
ResultActive=yes

I'm not sure about e-sata drives, but I can mount both internal sata and external USB drives just fine.

Also this file assumes you are in the "wheel" group, which you should be if you have "su" powers.

Hope this helps.

twilight0 · 2012-03-19 16:47:31

jon I 'll consider your suggestion for any custom pkla files I make in the future.

My e-SATA drive is detected but it asks the root password every time I try to mount it. I also followed the beginner guide to remember which groups I included my regular user account.

When I finally make myself able to mount e-SATA drives without root password I 'll let you know by marking this thread SOLVED.

twilight0 · 2012-03-19 19:29:01

Solved... I looked over at Arch's wiki again and found this:

https://wiki.archlinux.org/index.php/Ud … SATA-Ports

Now the hard drive is recognized as an external device and can be mounted by the user with no special polkit rules.

As for the networkmanager as I said adding the user in the network group and adding a polkit rule is enough.

Thanks for the answers.

Arch Linux

#1 2012-03-17 10:52:15

[SOLVED] Why can't I do certain things as user with polkit-gnome?

#2 2012-03-17 12:39:35

Re: [SOLVED] Why can't I do certain things as user with polkit-gnome?

#3 2012-03-17 13:15:47

Re: [SOLVED] Why can't I do certain things as user with polkit-gnome?

#4 2012-03-17 13:47:52

Re: [SOLVED] Why can't I do certain things as user with polkit-gnome?

#5 2012-03-17 14:43:41

Re: [SOLVED] Why can't I do certain things as user with polkit-gnome?

#6 2012-03-17 23:28:51

Re: [SOLVED] Why can't I do certain things as user with polkit-gnome?

#7 2012-03-18 00:53:26

Re: [SOLVED] Why can't I do certain things as user with polkit-gnome?

#8 2012-03-18 02:45:45

Re: [SOLVED] Why can't I do certain things as user with polkit-gnome?

#9 2012-03-18 07:35:29

Re: [SOLVED] Why can't I do certain things as user with polkit-gnome?

#10 2012-03-18 19:05:05

Re: [SOLVED] Why can't I do certain things as user with polkit-gnome?

#11 2012-03-18 19:24:39

Re: [SOLVED] Why can't I do certain things as user with polkit-gnome?

#12 2012-03-19 16:47:31

Re: [SOLVED] Why can't I do certain things as user with polkit-gnome?

#13 2012-03-19 19:29:01

Re: [SOLVED] Why can't I do certain things as user with polkit-gnome?

Board footer