Thunar "not authorized" to mount disks?

llabtaem
Posts: 74
Joined: 2012-06-20 04:03
Location: Plant Earth

Re: Thunar "not authorized" to mount disks?

#21 Post by llabtaem »

Hey andrewrogers(OP), I had this same problem before and it was a policy kit issue. I am running Debian Testing 64Bit with Mate as well as Slim. When I updated my computer a few days ago I ran into this issue again; but only this time it wasn't as easy as editing the udisk2 policy kit as it was for udisk (unless I am a moron; that is another possibility too). I searched on the net for a few hours looking for the solution similar to the poster above me (AnInkedSoul) and wasn't getting anything. I found this same solution from sites like Arch's Wiki and others so I looked at all of them and with some trial and error I got my drives to work with this:
Code: Select all

[Storage Permissions]
Identity=unix-user:USERNAME
Action=org.freedesktop.udisks2.filesystem-mount;org.freedesktop.udisks2.filesystem-mount-system
ResultAny=yes
ResultInactive=yes
ResultActive=yes

This of course goes under /etc/polkit-1/localauthority/50-local.d/org.freedesktop.udisks2.pkla. You have to make the file, and from my understanding you can name it whatever you want so long as it ends with '.pkla'.

So I am now able to access my drives no matter what. The really weird thing about it is when I would first boot up my machine or rebooted it I could not access my hard drives. I would have to kill X with CTRL ALT BACKSPACE then re-login in order to access my drives. It would then prompt me for sudo's password; but the above fix will not for either or. I would like that feature back so if I can figure it out I'll edit this response. So far no matter what I use (auth_admin, auth_admin_keep, auth_self_keep, etc.) I cannot access the drives. I believe this to be a really weird bug, but I am not 100% sure. Hopefully this helps you or others out there that may be experiencing this issue.

gradinaruvasile
Posts: 935
Joined: 2010-01-31 22:03
Location: Cluj, Romania

Re: Thunar "not authorized" to mount disks?

#22 Post by gradinaruvasile »

The policykit action setting files are here (you can modify them as you want):

Code: Select all

/usr/share/polkit-1/actions/

The files are named:
org.freedesktop.$component.policy

Where $component can be (not an exhaustive list, there are more, but better don't touch those you don't know what they do):

udisks - disk management
upower - power management, including sleep, hibernate
policykit - policykit's own settings

Unfortunately the files are XML so you have to muck around with those tags and stuff, but basically each action has its defined section by <action> tags:

Code: Select all

  <action id="org.freedesktop.udisks.filesystem-mount">
    <description>Mount a device</description>
    <description xml:lang="da">Montér en enhed</description>
    <description xml:lang="de">Gerät einhängen</description>
    <description xml:lang="pt_BR">Montar um dispositivo</description>
    <message>Authentication is required to mount the device</message>
    <message xml:lang="da">Autorisering er påkrævet for at montere et fil system</message>
    <message xml:lang="de">Zugriffsrechte werden benötigt um das Gerät einzuhängen</message>
    <message xml:lang="pt_BR">Autenticação é requerida para montar o dispositivo</message>
    <defaults>
      <allow_any>auth_admin_keep</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>

The above example is the filesystem (auto)mount action (cd, usb and whatnot). The restrictions are defined in the "allow_status" sections, where the status (active, inactive) is defined by the status of the current user as seen by consolekit (the "parent" of policykit). "any" refers to either active or inactive.

You can see the status by issuing the "ck-list-sessions" command.
For my current session:

Code: Select all

$ ck-list-sessions 
Session3:
	unix-user = '0'
	realname = 'root'
	seat = 'Seat1'
	session-type = ''
	active = FALSE
	x11-display = ''
	x11-display-device = ''
	display-device = '/dev/pts/0'
	remote-host-name = ''
	is-local = TRUE
	on-since = '2013-07-16T13:53:53.899425Z'
	login-session-id = '1'
	idle-since-hint = '2013-07-17T19:41:42.142898Z'
Session2:
	unix-user = '1000'
	realname = 'Kertesz Laszlo'
	seat = 'Seat1'
	session-type = ''
	active = TRUE
	x11-display = ':0'
	x11-display-device = '/dev/tty7'
	display-device = ''
	remote-host-name = ''
	is-local = TRUE
	on-since = '2013-07-16T13:52:53.443631Z'
	login-session-id = '1'

You need to look for the 'x11-display' line, it has to have a value (usually ':0') - this is the graphical session (X server). Now the typical issue is that if you don't use a graphical manager (gdm, kdm, lightdm can do it) or other means to set up a consolekit-friendly "active" session, you will fall in the "inactive" category because your x session will be inactive from consolekit/policykit's point of view (you have "active = FALSE" in the ck-list-sessions list) because nobody told them you have a session.
The auth default for "inactive" is

Code: Select all

<allow_inactive>no</allow_inactive>

So you will get rejected for actions that have "no" in the "allow_inactive" section.

Say you insert a USB stick -> udisks monitors the attached devices and sees the inserted drive, wants to auto mount it so asks for permission from policykit -> policykit asks your status from consolekit and then loads the corresponding action from the udisks policy file -> outright refuses -> your error message.

You can modify every single "allow_inactive" or "allow_any" action to "yes" (default accept) or auth_admin (asks for sudo password as needed) if you want (might be a security risk though setting "inactive/any" to "yes").

Or make sure you have an "active" session - using a capable display manager is the simplest solution. I don't know how you can do without it, I tried with "ck-launch-session" when 4.8 had these issues, but it didn't work for me (maybe I wasn't perseverant enough...). So I installed lightdm.
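
The decision chain described in post #22, as an added example that is not part of the original thread: it reads an action's `<defaults>` and a `ck-list-sessions`-style listing, picks the default that applies to each session, and flags defaults that grant "yes" without a local active session. The function names and both samples are constructed for illustration; only implicit defaults are modelled (no .pkla overrides), and treating a missing element as "no" is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the udisks mount action from the post, translations omitted.
POLICY_XML = """<policyconfig>
  <action id="org.freedesktop.udisks.filesystem-mount">
    <defaults>
      <allow_any>auth_admin_keep</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>"""

# Constructed sample in the ck-list-sessions layout shown in the post.
SESSIONS = """Session3:
\tunix-user = '0'
\tactive = FALSE
\tis-local = TRUE
Session2:
\tunix-user = '1000'
\tactive = TRUE
\tis-local = TRUE"""

def load_defaults(xml_text):
    """Map each action id to its {'allow_any': ..., 'allow_inactive': ..., ...}."""
    return {a.get("id"): {d.tag: (d.text or "").strip() for d in a.iterfind("defaults/*")}
            for a in ET.fromstring(xml_text).iter("action")}

def parse_sessions(text):
    """Collect the "key = 'value'" lines under each 'SessionN:' header."""
    sessions, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"^(\S+):$", line):
            cur = sessions.setdefault(m.group(1), {})
        elif cur is not None and (m := re.match(r"^\s+([\w-]+) = '?(.*?)'?$", line)):
            cur[m.group(1)] = m.group(2)
    return sessions

def implicit_result(defaults, session):
    """Local+active -> allow_active, local+inactive -> allow_inactive, else allow_any."""
    local = session.get("is-local") == "TRUE"
    active = session.get("active") == "TRUE"
    key = "allow_any" if not local else "allow_active" if active else "allow_inactive"
    return defaults.get(key, "no")  # assumption: a missing element means "no"

def permissive(actions):  # audit: "yes" granted without a local active session
    return [(aid, k) for aid, d in actions.items()
            for k in ("allow_any", "allow_inactive") if d.get(k) == "yes"]
```

With the sample data, the inactive root session on /dev/pts resolves to "no" (the "not authorized" error), while the active X session resolves to "yes".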

flabdablet
Posts: 24
Joined: 2011-11-22 10:37
Location: Bruthen, Australia

Re: Thunar "not authorized" to mount disks?

#23 Post by flabdablet »

Sorry to necro this, but I'm also mysteriously unable to mount things or shut down after an aptitude upgrade and I'm in the process of tracking down what broke.

I can restore the missing abilities using allow_any actions in polkit (either by adding .pkla files or by editing the xml, both work) but it seems to me that I shouldn't have to, because ck-list-sessions shows this:

Code: Select all

Session14:
	unix-user = '1000'
	realname = 'Stephen'
	seat = 'Seat1'
	session-type = ''
	active = TRUE
	x11-display = ':0'
	x11-display-device = '/dev/tty7'
	display-device = ''
	remote-host-name = ''
	is-local = TRUE
	on-since = '2014-06-05T06:47:56.681852Z'
	login-session-id = '6'

Consolekit clearly thinks I have an active session, so what do I need to do (or not do) in order to get policykit to agree?

Possibly relevant:

Code: Select all

stephen@kitchen:~$ pgrep dbus|xargs ps -l
F S   UID   PID  PPID  C PRI  NI ADDR SZ WCHAN  TTY        TIME CMD
5 S   102  2512     1  0  80   0 -  7231 ?      ?          0:00 /usr/bin/dbus-daemon --system
1 S   109  7327     1  0  80   0 -  6080 ?      ?          0:00 /usr/bin/dbus-launch --autolaunch f4cfa9297d141d028d956b5e4fed537b --binary-
1 S   109  7328     1  0  80   0 -  7089 ?      ?          0:00 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0 S   109  7333  7330  0  80   0 -  7062 ?      ?          0:00 /usr/bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork 
1 S  1000  7393     1  0  80   0 -  6080 -      ?          0:00 /usr/bin/dbus-launch --exit-with-session startxfce4
1 S  1000  7394     1  0  80   0 -  7354 -      ?          0:00 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session

And I'm using lightdm.