You are not logged in.

#1 2009-02-10 14:57:18

kjon
Member
From: Temuco, Chile
Registered: 2008-04-16
Posts: 398

I won the struggle against hal and policykit

Mwhahaha... 'me so happy'...

Well, the point is I manage in certain way to restore the old behavior of hal using policykit, that is to 'force' hal to do *what I say* and nothing else than that. I restored the functionality of having power and storage groups to shutdown/reboot and mount/umount using a policykit trick that I'm going to explain now.

(1) Create /etc/Policykit/Policykit.conf as follows

<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
<config version="0.1">

       <match user="$storage_users">
               <match action="org.freedesktop.hal.storage.*">
                       <return result="yes"/>
               </match>
               <match action="hal-storage-mount-fixed-extra-options">
                       <return result="yes" />
               </match>
               <match action="hal-storage-mount-removable-extra-options">
                       <return result="yes" />
               </match>
       </match>

    <match user="$power_users">
        <match action="org.freedesktop.hal.power-management.shutdown">
            <return result="yes"/>
        </match>
        <match action="org.freedesktop.hal.power-management.reboot">
            <return result="yes"/>
        </match>
    </match>

</config>

(2) Create /etc/rc.d/polkitparser and chmod +x it

#!/bin/bash

# general config
. /etc/rc.conf
. /etc/rc.d/functions

        stat_busy "Parsing groups for policykit handling"
    export storage_users=$(cat /etc/group | grep -i storage | cut -d ':' -f 4 | sed 's/,/|/')
    export power_users=$(cat /etc/group | grep -i power | cut -d ':' -f 4 | sed 's/,/|/')
    stat_done
exit 0

(3) Add polkitparser to your DAEMONS list on rc.conf *before* hal.

(4) Enjoy!

I hope it helps.

P.S. For slim users: **its very important** to add

session        optional    ck_connector.so

to /etc/pam/login and modify .xinitrc to start your X session with

exec ck-launch-session YOUR-WM

p.s. Hell, my fault: /etc/pam/login -> /etc/pam.d/login (sorry big_smile)

Edit 2: Please double check the change I made on the header of PolicyKit.conf. There was a weird token that, when copied, generated an invalid file. Please copy this new file. For checking your configuration use polkit-config-file-validate

Last edited by kjon (2009-02-13 17:50:15)


They say that if you play a Win cd backward you hear satanic messages. That's nothing! 'cause if you play it forwards, it installs windows.

Offline

#2 2009-02-10 15:13:10

kjon
Member
From: Temuco, Chile
Registered: 2008-04-16
Posts: 398

Re: I won the struggle against hal and policykit

It seems I was the only one who had policykit issues.. TT_TT boooo


They say that if you play a Win cd backward you hear satanic messages. That's nothing! 'cause if you play it forwards, it installs windows.

Offline

#3 2009-02-10 16:11:37

hutch
Member
From: Lusiana - Italy
Registered: 2008-10-16
Posts: 13

Re: I won the struggle against hal and policykit

i also have this kind of problems, i waas almost crying yesterday night ;(

I'll try your solution this eveneng

Offline

#4 2009-02-10 16:34:09

hrobeers
Member
From: Belgium
Registered: 2008-11-05
Posts: 79

Re: I won the struggle against hal and policykit

Thanks! this works for me, I had the same problem.

My girlfriend didn't like the pmount command tongue

Offline

#5 2009-02-10 17:07:35

fwojciec
Member
Registered: 2007-05-20
Posts: 1,411

Re: I won the struggle against hal and policykit

Why do you need the script?  Isn't editing /etc/pam.d/login and adding ck-launch-session to ~/.xinitrc enough?  That's all I had to do on all my systems to have everything working correctly.

Offline

#6 2009-02-10 18:25:20

kgas
Member
From: Qatar
Registered: 2008-11-08
Posts: 718

Re: I won the struggle against hal and policykit

Thanks kjon. After the hal upgrade I think mostly lxde/slim users got this issue (I am having gnome in another hard disk and no problem faced). I could not even mount my USB with fat32 fs. But the wiki is there to help and I got this issue resolved from the guidelines given in the wiki.
The point I want to mention is upgrade fails when already hal policy is there in /usr/share/Policykit/policy.After moving the files upgrade went smooth.Like pacman why this did not put the files with .new or so in the directory?

Offline

#7 2009-02-10 19:26:50

arch_nemesis
Member
Registered: 2008-12-19
Posts: 115

Re: I won the struggle against hal and policykit

So, as someone who is newly experiencing usb drive mounting issues, but did not until very recently have any problems, are the contents of this thread a fix for something that is broken, or an additional configuration step that is now required due to an updated hal?

I'll give it a shot later either way, I'm just curious.

Offline

#8 2009-02-10 20:12:08

kjon
Member
From: Temuco, Chile
Registered: 2008-04-16
Posts: 398

Re: I won the struggle against hal and policykit

@fwojciec

I posted this approach due to **it didn't work for me**, that's all. I modified .xinitrc as you explained, but I couldn't mount anything. big_smile


They say that if you play a Win cd backward you hear satanic messages. That's nothing! 'cause if you play it forwards, it installs windows.

Offline

#9 2009-02-10 22:30:39

p0ft
Member
From: Brazil
Registered: 2009-02-02
Posts: 8

Re: I won the struggle against hal and policykit

Well I've had the same problems and was going completely nuts until I saw your post. I didn't need to use your script, tho (but followed the other steps). It's funny cause people are able to handle this problem in different ways.

I've edited the PolicyKit configuration file then added the ck connector to pam.d and ck session to my .xinitrc. Tried the later first, but only when I edited the PolicyKit.conf file it worked.

Now I'm able to automount my pocketpc as a non-root user. \o/

Thanks big_smile


:: i wanna see movies of my dreams

Offline

#10 2009-02-11 01:30:33

methuselah
Member
Registered: 2007-10-02
Posts: 570

Re: I won the struggle against hal and policykit

fwojciec wrote:

Why do you need the script?  Isn't editing /etc/pam.d/login and adding ck-launch-session to ~/.xinitrc enough?  That's all I had to do on all my systems to have everything working correctly.

I found a different thread that fixed both my xfce4/slim shutdown and reboot problems as well as the mounting issue with the PolicyKit.conf edit..... was this the correct way to fix everything?


Or should I undo all of that and then add ck-launch-session to ~/.xinitrc and run the "exec ck-launch-session YOUR-WM"?


At the moment my ~/.xinitrc is:

exec startxfce4

and my PolicyKit.conf is:

<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->

<!DOCTYPE pkconfig PUBLIC "-//freedesktop//DTD PolicyKit Configuration 1.0//EN"
"http://hal.freedesktop.org/releases/PolicyKit/1.0/config.dtd">

<!-- See the manual page PolicyKit.conf(5) for file format -->

<config version="0.1">
 <match user="seventy3"> <!-- replace with your login or delete the line if you want to allow all users to manipulate devices (keep security issues in mind though) -->
               <match action="org.freedesktop.hal.storage.*">
                       <return result="yes"/>
               </match>
               <match action="hal-storage-mount-fixed-extra-options"> <!-- for internal devices mounted with extra options like a wished mount point -->
                       <return result="yes" />
               </match>
               <match action="hal-storage-mount-removable-extra-options"> <!-- for external devices mounted with extra options like a wished mount point -->
                       <return result="yes" />
               </match>
       </match>  <!-- don't forget to delete this line if you deleted the first one -->
               <match action="org.freedesktop.hal.power-management.shutdown">
                       <return result="yes"/>
               </match>
               <match action="org.freedesktop.hal.power-management.reboot">
                       <return result="yes"/>
       </match>
</config>

..... and everything works again after both edits to my PolicyKit.conf.

Last edited by methuselah (2009-02-11 01:32:04)

Offline

#11 2009-02-11 02:47:17

peart
Member
From: Kanuckistan
Registered: 2003-07-28
Posts: 510

Re: I won the struggle against hal and policykit

Methuselah,

I believe your current config is working for the wrong reasons.  ConsoleKit will give you access to (some) restricted privileges if you have a ConsoleKit session.  But since you don't have one (the absence of ck-launch-session), you had to add a rule that basically says "give absolutely everybody the right to shut down."  The use of ck-launch-session is both easier and cleaner.

Apparently, getting a ConsoleKit session doesn't automatically give you access to removable storage, though.  Those rights have to be explicitely given.  So, I think it would be best to remove the power-management stuff from PolicyKit.conf, and add ck-launch-session to your .xinitrc.

Offline

#12 2009-02-11 04:29:17

methuselah
Member
Registered: 2007-10-02
Posts: 570

Re: I won the struggle against hal and policykit

peart wrote:

Methuselah,

I believe your current config is working for the wrong reasons.  ConsoleKit will give you access to (some) restricted privileges if you have a ConsoleKit session.  But since you don't have one (the absence of ck-launch-session), you had to add a rule that basically says "give absolutely everybody the right to shut down."  The use of ck-launch-session is both easier and cleaner.

Apparently, getting a ConsoleKit session doesn't automatically give you access to removable storage, though.  Those rights have to be explicitely given.  So, I think it would be best to remove the power-management stuff from PolicyKit.conf, and add ck-launch-session to your .xinitrc.

Thank you. I will redo it the correct way. Thanks again for the info.


EDIT: All I did was add that part to /etc/pam.d/login and change my ~/.xinitrc to match. Everything works good. (didn't work when removing the PolicyKit power-management parts.)

Last edited by methuselah (2009-02-11 04:59:07)

Offline

#13 2009-02-12 01:07:39

psyodin
Member
From: rocky mountains USA
Registered: 2008-11-13
Posts: 30

Re: I won the struggle against hal and policykit

The point I want to mention is upgrade fails when already hal policy is there in /usr/share/Policykit/policy.After moving the files upgrade went smooth.Like pacman why this did not put the files with .new or so in the directory?

where do you move those files to?

i did everything as suggested in the original post but still same problem:

 org.freedesktop.hal.storage.mount-removable no <-- (action, result).

this happens with flash and external HD's that had worked before

i DO have the files listed by kgas in  /usr/share/Policykit/policy , perhaps i need to fix that?

/etc/Policykit/Policykit.conf :

<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->

<!DOCTYPE pkconfig PUBLIC "-//freedesktop//DTD PolicyKit Configuration 1.0//EN"
"http://hal.freedesktop.org/releases/PolicyKit/1.0/config.dtd">
<config version="0.1">

       <match user="$storage_users">
               <match action="org.freedesktop.hal.storage.*">
                       <return result="yes"/>
               </match>
               <match action="hal-storage-mount-fixed-extra-options">
                       <return result="yes" />
               </match>
               <match action="hal-storage-mount-removable-extra-options">
                       <return result="yes" />
               </match>
       </match>

    <match user="$power_users">
        <match action="org.freedesktop.hal.power-management.shutdown">
            <return result="yes"/>
        </match>
        <match action="org.freedesktop.hal.power-management.reboot">
            <return result="yes"/>
        </match>
    </match>

</config>

/etc/rc.d/polkitparser: (which i did chmod +x)

#!/bin/bash

# general config
. /etc/rc.conf
. /etc/rc.d/functions

        stat_busy "Parsing groups for policykit handling"
    export storage_users=$(cat /etc/group | grep -i storage | cut -d ':' -f 4 | sed 's/,/|/')
    export power_users=$(cat /etc/group | grep -i power | cut -d ':' -f 4 | sed 's/,/|/')
    stat_done
exit 0

/etc/pam.d/login: (i use slim)( i didnt see etc/pam/login only etc/pam.d/login)

#%PAM-1.0
auth        required    pam_securetty.so
auth        requisite    pam_nologin.so
auth        required    pam_unix.so nullok
auth        required    pam_tally.so onerr=succeed file=/var/log/faillog
# use this to lockout accounts for 10 minutes after 3 failed attempts
#auth        required    pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog
account        required    pam_access.so
account        required    pam_time.so
account        required    pam_unix.so
#password    required    pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password    required    pam_unix.so md5 shadow use_authtok
session        required    pam_unix.so
session        required    pam_env.so
session        required    pam_motd.so
session        required    pam_limits.so
session        optional    pam_mail.so dir=/var/spool/mail standard
session        optional    pam_lastlog.so
session         optional        ck_connector.so

,xinitrc:

#!/bin/sh

#
# ~/.xinitrc
#
# Executed by startx (run your window manager from here)
#



exec ck-launch-session openbox-session

thanks for any help


download>install>configure>enjoy, arch tastes good

Offline

#14 2009-02-12 01:29:50

jacko
Member
Registered: 2007-11-23
Posts: 840

Re: I won the struggle against hal and policykit

session        optional    ck_connector.so

This has to be wrong, it's called pam_ck_connector.so Just use locate and double check for yourself.

are you replacing $storage_user and $power_user with your login username? echo $storage_user gives me no result and as such automounting stops working.

I really hope linux fixes these issues the correct way, this is the biggest hack yet I have had to use to get something so simple to work.

Last edited by jacko (2009-02-12 01:38:46)

Offline

#15 2009-02-12 16:33:25

kjon
Member
From: Temuco, Chile
Registered: 2008-04-16
Posts: 398

Re: I won the struggle against hal and policykit

guys, $storage_user and $power_user will never give you any result. Those variables get erased due to the 'destruction' of the environment. (It's like running sudo and creating an environment variable, when you escape from it, the environment does the same --unless you tell sudo explicitly to keep this new environment--). If you want to experiment a little bit, 'cat /etc/groups' and run my script. You'll see what happens. (remember to echo $storage_user and $power_user)

Now, about my /etc/rc.d/polkitparser, that tiny script scans /etc/groups and replaces the 'commas' by 'pipes' to be recognized by /etc/policykit/PolicyKit.conf. That file can't understand groups yet, so that's why /etc/groups get parsed in order to get every user from very specific groups. In this case, power and storage. Obviously, this solution won't work on you if you aren't member of those groups. The scope of this solution is to recover the KISS fashion of the power and storage groups.

I've used this solution on a computer lab, where there are more than 500 users (and 40 machines for all of them), so it would be quite unpractical to place every single user in the syntax 'user1|user2|....|user500' for each policykit.conf on the diferent machines.

Last edited by kjon (2009-02-12 16:47:12)


They say that if you play a Win cd backward you hear satanic messages. That's nothing! 'cause if you play it forwards, it installs windows.

Offline

#16 2009-02-12 16:37:27

kjon
Member
From: Temuco, Chile
Registered: 2008-04-16
Posts: 398

Re: I won the struggle against hal and policykit

@psyodin

I just created /etc/PolicyKit/PolicyKit.conf and my script. Nothing else. I rebooted my pc (or, if you prefer, on a root shell, run my script and restart dbus an hal --on the same script, to preserve the environment variables--) and problem solved.

@ALL

If you have doubts, please email me. I've a little bit away from forums due to long nights of heavy work (Being a lab admin is driving me nuts...).

Last edited by kjon (2009-02-12 16:39:11)


They say that if you play a Win cd backward you hear satanic messages. That's nothing! 'cause if you play it forwards, it installs windows.

Offline

#17 2009-02-13 15:00:12

ras0ir
Member
From: Ankara/Turkey
Registered: 2008-06-20
Posts: 65
Website

Re: I won the struggle against hal and policykit

I got everything working with only these modifications: (no scripts, daemons etc.)

my PolicyKit.conf

<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->

<!DOCTYPE pkconfig PUBLIC "-//freedesktop//DTD PolicyKit Configuration 1.0//EN"
"http://hal.freedesktop.org/releases/PolicyKit/1.0/config.dtd">

<!-- See the manual page PolicyKit.conf(5) for file format -->

<config version="0.1">
     <define_admin_auth group="wheel"/>
</config>

I've added this line to the /etc/pam.d/login (this is needed for SLiM):

session     optional     ck_connector.so

And finally, added this line to the ~/.xinitrc:

exec ck-launch-session startxfce4

as you see in PolicyKit.conf, i defined admin group as wheel, so i've added my user to the "wheel" group. Everything works using this way!

Offline

#18 2009-02-13 18:05:18

kjon
Member
From: Temuco, Chile
Registered: 2008-04-16
Posts: 398

Re: I won the struggle against hal and policykit

Yeah, that's right, you're giving the heaven's (and hell's) powers to the wheel group. However it's a security risk for me. I don't want to have too much powerful groups on my computer.

However, it's up to you big_smile


They say that if you play a Win cd backward you hear satanic messages. That's nothing! 'cause if you play it forwards, it installs windows.

Offline

#19 2009-02-13 18:15:01

IceHand
Member
From: Germany
Registered: 2007-05-06
Posts: 53
Website

Re: I won the struggle against hal and policykit

Thank you for the instructions smile
Just a quick note:

kjon wrote:

(1) Create /etc/Policykit/Policykit.conf as follows

It should be: "/etc/PolicyKit/PolicyKit.conf"

Offline

#20 2009-02-14 00:35:54

ras0ir
Member
From: Ankara/Turkey
Registered: 2008-06-20
Posts: 65
Website

Re: I won the struggle against hal and policykit

kjon wrote:

Yeah, that's right, you're giving the heaven's (and hell's) powers to the wheel group. However it's a security risk for me. I don't want to have too much powerful groups on my computer.

However, it's up to you big_smile

Yeah, you're right, so i've replaced

<define_admin_auth group="wheel"/>

line with this one:

<define_admin_auth user="ras0ir"/>

and it worked too wink.

Offline

#21 2009-02-14 13:38:11

ap_
Member
From: Finland
Registered: 2008-10-14
Posts: 48

Re: I won the struggle against hal and policykit

Thank you kjon! I was going nuts with my desktop PC not mounting usb HDD, since the instructions in the wiki didn't work. Now works perfectly!

Funnily enough, I didn't have any problems with my laptop.

Last edited by ap_ (2009-02-14 13:38:31)

Offline

#22 2009-02-14 19:00:33

man in black
Member
From: Umeå, Sweden
Registered: 2009-02-13
Posts: 2

Re: I won the struggle against hal and policykit

ras0ir wrote:
<define_admin_auth user="ras0ir"/>

and it worked too wink.

Yes, it worked like a charm!

Offline

#23 2009-02-15 22:09:25

kjon
Member
From: Temuco, Chile
Registered: 2008-04-16
Posts: 398

Re: I won the struggle against hal and policykit

I guess a different approach might be parsing wheel from /etc/groups and add those users to define_admin_auth using the same technique shown on polkitparser. big_smile
Again, is up to you big_smile


They say that if you play a Win cd backward you hear satanic messages. That's nothing! 'cause if you play it forwards, it installs windows.

Offline

#24 2009-02-17 03:07:50

man in black
Member
From: Umeå, Sweden
Registered: 2009-02-13
Posts: 2

Re: I won the struggle against hal and policykit

This is the way I did it. The result: CDs and DVDs automounts in Nautilus and my NTFS and HFSplus partitions mounts with a single click in the sidebar, but they don't automount at login. And a regular user can now reboot and shutdown - just the way I want it! Hey, I'm a lazy guy wink

First,

sudo gpasswd -a username storage

In /etc/PolicyKit/PolicyKit.conf

<config version="0.1">
<match action="org.freedesktop.hal.storage.mount-removable">
<return result="yes" />
</match>
<match action="org.freedesktop.hal.storage.eject-removable">
<return result="yes" />
</match>
<match action="org.freedesktop.hal.storage.mount-fixed">
<return result="yes"/>
</match>
<match action="hal-storage-mount-fixed-extra-options">
<return result="yes"/>
</match>
<match action="hal-storage-mount-removable-extra-options">
<return result="yes"/>
</match>
</config>

Create the file /etc/hal/fdi/policy/disable-automount.fdi

<device>
   <match key="storage.hotpluggable" bool="false">
     <match key="storage.removable" bool="false">
       <merge key="storage.automount_enabled_hint" type="bool">false</merge>
     </match>
   </match>
</device>

Add this line in /etc/pam.d/login

session            optional   pam_ck_connector.so

Add this in /etc/dbus-1/system.d/hal.conf

<policy group="storage">
   <allow send_interface="org.freedesktop.Hal.Device.Volume"/>
   <allow send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>
</policy>

And finally, in ~ .xinitrc:

exec ck-launch-session your-WM

It seems to work just fine, but the automounted partitions is owned root:root.

Have someone got a clue how to automount users:username?

EDIT: I figured it out!

In Gnome, fire up gconf-editor

Go to system>storage>default_options>ntfs-3g>mount_options

Edit the options so it will work for your needs.

Last edited by man in black (2009-02-17 17:56:03)

Offline

#25 2009-02-17 12:33:47

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: I won the struggle against hal and policykit

Don't you want sed 'y/,/|/' instead?
sed 's/,/|/' really isn't doing the trick for me (tried it in the terminal), it replaced the first comma but not the second one as in
user1,user2,user3 -> user1|user2,user3
sed 'y/,/|/' seems to replace everything correctly.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

Offline

Board footer

Powered by FluxBB