The policykit action setting files are here (you can modify them as you want):
The files are named:
org.freedesktop.$component.policy
Where $component can be (not exhaustive list, there are more, but better dont touch those you dont know what they do):
udisks - disk management
upower - power management, including sleep, hibernate
policykit - policykit's own settings
Unfortunately the files are xml so you have to muck arount with those tags and stuff, but basically each action has its defined section by <action> tags:
Code: Select all
<action id="org.freedesktop.udisks.filesystem-mount">
<description>Mount a device</description>
<description xml:lang="da">Montér en enhed</description>
<description xml:lang="de">Gerät einhängen</description>
<description xml:lang="pt_BR">Montar um dispositivo</description>
<message>Authentication is required to mount the device</message>
<message xml:lang="da">Autorisering er påkrævet for at montere et fil system</message>
<message xml:lang="de">Zugriffsrechte werden benötigt um das Gerät einzuhängen</message>
<message xml:lang="pt_BR">Autenticação é requerida para montar o dispositivo</message>
<defaults>
<allow_any>auth_admin_keep</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
</action>
The above example is the filesystem (auto)mount action (cd, usb and whatnot). The restrictions are defined in the "allow_status" sections, where the status (active, inactive) is defined by the status of the current user as seen by consolekit (the "parent" of policykit). "any" refers to either active or inactive.
You can see the status by issuing the "ck-list-sessions" command.
For my current session:
Code: Select all
$ ck-list-sessions
Session3:
unix-user = '0'
realname = 'root'
seat = 'Seat1'
session-type = ''
active = FALSE
x11-display = ''
x11-display-device = ''
display-device = '/dev/pts/0'
remote-host-name = ''
is-local = TRUE
on-since = '2013-07-16T13:53:53.899425Z'
login-session-id = '1'
idle-since-hint = '2013-07-17T19:41:42.142898Z'
Session2:
unix-user = '1000'
realname = 'Kertesz Laszlo'
seat = 'Seat1'
session-type = ''
active = TRUE
x11-display = ':0'
x11-display-device = '/dev/tty7'
display-device = ''
remote-host-name = ''
is-local = TRUE
on-since = '2013-07-16T13:52:53.443631Z'
login-session-id = '1'
You need to look for the 'x11-display' line, it has to have a value (usually ':0') - this is the graphical session (X server). Now the typical issue is that if you dont use a graphical manager (gdm, kdm, lightdm can do it) or other means to set up a consolekit-friendly "active" session, you will fall in the "inactive"
category because your x session will be inactive from consolekit/policykit's point of view ( you have "active = FALSE" in the ck-list-sessions list) because nobody told them you have a session.
The auth default for "inactive" is
Code: Select all
<allow_inactive>no</allow_inactive>
So you will get rejected for actions that have "no" in the "allow_inactive" section.
Say you insert a USB stick -> udisks monitors the attached devices and sees the inserted drive, wants to auto mount it so asks for permission from policykit -> policykit asks your status from consolekit and then loads the corresponding action from the udisks policy file -> outright refuses -> your error message.
You can modify every single "allow_inactive" or "allow_any" action to "yes" (default accept) or auth_admin (asks for sudo password as needed) if you want (might be a security risk though setting "inactive/any" to "yes").
Or make sure you have an "active" session - using a capable display manager is the simplest solution. I dont know how you can do without it, i tried with "ck-launch-session" when 4.8 had these issues, but didnt work for me (maybe i wasnt perseverent enough...). So i installed lightdm.