If I plug a Luks encrypted external drive into my laptop, I enter the password and it opens. If I mount an internal Luks encrypted partition (noauto in fstab), as well as the password, it asks for the root password as well, despite the fact that I am the "owner" of the partition.
Does your fstab entry include the "user" option? You need that to allow a non-root user to mount. Using "users" instead of "user" allows any user to unmount, not just the user who mounted it.
Note: You really should include the "nosuid" and "nodev" options also. Think about the security implications of a user-mounted filesystem that might include suid and device inodes.
Last edited by rknichols; 05-23-2022 at 11:37 AM.
Reason: add note
Quote:
Originally Posted by rknichols
Does your fstab entry include the "user" option? You need that to allow a non-root user to mount. Using "users" instead of "user" allows any user to unmount, not just the user who mounted it.
I had "owner" in there instead of "user", but changing it to "user" has made no difference.
Quote:
Originally Posted by rknichols
Note: You really should include the "nosuid" and "nodev" options also. Think about the security implications of a user-mounted filesystem that might include suid and device inodes.
I'll bear that in mind, once I get it working as I want! It's really irritating having to use two passwords when one ought to do it...!
Quote:
Originally Posted by pchristy
I had "owner" in there instead of "user", but changing it to "user" has made no difference.
Are you perhaps issuing the mount command with both the device and the mount point? You need to use just one of those and have the mount command get the other from /etc/fstab. When you supply both, /etc/fstab is ignored.
I'm actually doing it from Dolphin (Plasma5's file manager).
If I plug in an encrypted external drive, it appears in the devices window, I click on it, enter the password and it opens. The external drive doesn't have a defined mount point, and gets mounted under /run/media/myname/ExtDrive. I've tried commenting out the line in fstab, hoping it would be treated the same way as an external drive, but it didn't make any difference. It still mounted, but only after supplying the root password as well.
But here's a thing that may be relevant: Even when the fstab line is active, it still mounts the drive under /run/media/myname/ rather than its designated mount point! I have no idea why. I'm assuming that the filesystem type should be ext4 (or whatever) in fstab, and not luks, or some derivation? I've not tried this before, so I'm guessing some stuff here!
I'll come back shortly and post an anonymised version of the fstab line, see if I've done everything right. I've never had a problem before adding drives or nfs shares.
Quote:
Originally Posted by rknichols
Note: You really should include the "nosuid" and "nodev" options also. Think about the security implications of a user-mounted filesystem that might include suid and device inodes.
That's already the default, see man mount:
Code:
    owner
        Allow an ordinary user to mount the filesystem if that user
        is the owner of the device. This option implies the
        options nosuid and nodev (unless overridden by subsequent
        options, as in the option line owner,dev,suid).
    [..]
    users
        Allow any user to mount and to unmount the filesystem, even
        when some other ordinary user mounted it. This option
        implies the options noexec, nosuid, and nodev (unless
        overridden by subsequent options, as in the option line
        users,exec,dev,suid).
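The ordering rule in the mount(8) excerpt above, as an added example (not from the thread or from util-linux): a small JavaScript audit that walks each option list left to right and reports mount points an ordinary user can mount with suid or dev still active. The fstab lines are constructed (only /mnt/hd appears in the thread), and the implications listed for `user` are taken from mount(8) rather than from the excerpt.

```javascript
// Flags implied by each user-mount option, per mount(8).
var IMPLIES = {
  user:  ["noexec", "nosuid", "nodev"],
  users: ["noexec", "nosuid", "nodev"],
  owner: ["nosuid", "nodev"]
};

// Walk the option list left to right; later options override earlier ones.
function effectiveFlags(optionString) {
  var f = { userMountable: false, suid: true, dev: true, exec: true };
  function apply(opt) {
    var m = /^(no)?(suid|dev|exec)$/.exec(opt);
    if (m) f[m[2]] = !m[1];
  }
  optionString.split(",").forEach(function (opt) {
    if (IMPLIES[opt]) {
      f.userMountable = true;
      IMPLIES[opt].forEach(apply);
    } else if (opt === "nouser") {
      f.userMountable = false;
    } else {
      apply(opt); // anything not modelled here leaves the flags unchanged
    }
  });
  return f;
}

// Return the mount points an ordinary user can mount with suid or dev active.
function auditFstab(text) {
  var risky = [];
  text.split("\n").forEach(function (line) {
    var fields = line.trim().split(/\s+/);
    if (fields.length < 4 || fields[0].charAt(0) === "#") return;
    var f = effectiveFlags(fields[3]);
    if (f.userMountable && (f.suid || f.dev)) risky.push(fields[1]);
  });
  return risky;
}

// Constructed sample entries.
var SAMPLE_FSTAB = [
  "/dev/mapper/data   /mnt/hd   ext4  noauto,user            0 0",
  "/dev/mapper/data2  /mnt/hd2  ext4  noauto,owner,dev,suid  0 0",
  "/dev/mapper/data3  /mnt/hd3  ext4  noauto,suid,users      0 0",
  "# /dev/sdb1        /mnt/old  ext4  user,suid              0 0",
  "/dev/sda1          /boot     ext4  defaults               0 2"
].join("\n");
console.log(auditFstab(SAMPLE_FSTAB));
```

Only the entry that puts `dev,suid` after `owner` is reported; in the `suid,users` entry the implied `nosuid` comes later and wins.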
Despite the /mnt/hd directory command, it still gets mounted to /run/media/myname which makes me think that the fstab entry is being ignored. But why?
I am the "owner" of the partition I'm trying to mount. I'm not sure if it should be necessary or not, but I'm in the sys and disk groups. I can't think of any other reason why this doesn't work!
Quote:
Originally Posted by pchristy
If I plug a Luks encrypted external drive into my laptop, I enter the password and it opens. If I mount an internal Luks encrypted partition (noauto in fstab), as well as the password, it asks for the root password as well, despite the fact that I am the "owner" of the partition.
Why? And How do I stop it?
--
Pete
I'm not 100% sure, because I just returned to Slackware, but I've been using KDE for a long time, and in other distros it mounts in /var/run/media with owner/group as root. So you can't access the disk, even if everything in there is owned by user user. I'm fairly sure polkit is the one causing the password prompt, and fairly sure polkit allows you to "escalate" to do something you wouldn't normally be allowed to do.
You can write a polkit rule to get rid of the password prompt. Should be in /usr/share/polkit/rules.d.
Personally I didn't use an external disk much, so I would go into the folder and change the owner/group, and as far as I remember you only need to do that once for each disk. But that's only advisable if the disk is only for user owned stuff anyways.
No user should be in the disk group. It means you can read, write and destroy anything on the disk.
Noted. Thanks!
Quote:
Originally Posted by zeebra
I'm not 100% sure, because I just returned to Slackware, but I've been using KDE for a long time, and in other distros it mounts in /var/run/media with owner/group as root. So you can't access the disk, even if everything in there is owned by user user. I'm fairly sure polkit is the one causing the password prompt, and fairly sure polkit allows you to "escalate" to do something you wouldn't normally be allowed to do.
You can write a polkit rule to get rid of the password prompt. Should be in /usr/share/polkit/rules.d.
There seems to be a rule in there already that allows those in the "plugdev" group to mount and unmount things. But perhaps that only applies to pluggable devices? It would explain why I don't get asked for root password when I plug in an external drive. I think you are on to something here.
I need to figure out the syntax and apply it to a non-pluggable partition, and looking at it now, it looks above my pay-grade!
I'll have a look in the morning when I'm not half-asleep!
I found a suggestion over on the archlinux board from someone who was having a similar issue. The suggestion there was to create a "10-mount-system.rules" file containing:
Tried it, but it didn't work. I'm not familiar with polkit rules, but from what I've read, it sounds like the right approach.
Any hints welcome!
--
Pete
That doesn't change anything, because that's basically the same as the (first part of) plugdev rule you mentioned above, except the group under that rule in this case has another name. So in a way the group is irrelevant, if you read the rules backward (which makes it easier to understand). It's the long org.xy.z thing that actually matters.
I would guess one of these could be relevant:
org.freedesktop.udisks2.filesystem-mount
org.freedesktop.udisks2.open-device
org.freedesktop.udisks2.open-device-system
So, you could test and make the same rule as above, but you can use a group like myusergroup or any group you're a member of by now.
But I'm no expert on polkit, and like I said I don't really use external disks very much, and when I do I don't use polkit for it.
Thanks for the info! I'll have a read of that documentation - thanks for the pointer! I'll also check out that pkaction command.
I'm beginning to wonder if I'm looking at this from the wrong angle. The actual message that comes up is "Authentication is required to unlock the encrypted device", and I've just noticed that it is generated by "PolicyKit1 Kde Agent" (this latter only appears in the small box on the panel at the bottom of the screen, not the main window). To me, that is pointing to the pkaction command you mention. I'll go and have a closer look at this.
What is puzzling me is why I don't need the root password to mount external encrypted disks, but I do for internal ones.
<sigh!> Whoever said computers were logical!
UPDATE: All those polkit scripts seem to refer to removable devices, which aren't the problem. I'm beginning to think I'm asking the impossible! Google shows quite a few similar questions, but no solutions!
--
Pete
Last edited by pchristy; 05-24-2022 at 04:33 AM.
Reason: UPDATE
Anyways, looking at that message, I guess it would be one of these 2:
org.freedesktop.udisks2.encrypted-unlock
org.freedesktop.udisks2.encrypted-unlock-system
Quote:
Originally Posted by pchristy
UPDATE: All those polkit scripts seem to refer to removable devices, which aren't the problem. I'm beginning to think I'm asking the impossible! Google shows quite a few similar questions, but no solutions!
Well, since it does that, it should mean that there is an action for that purpose. The purpose of making a polkit rule like above with "YES", is that it automatically grants the request (without password) to people in that particular group it refers to.
But I have no idea what action it is, sorry.
Btw. If you make/test rules, put a high leading number in front, so it's loaded last. Like 90-myrule.rules
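The kind of rule discussed above, as an added example that is not from the thread or from the polkit or udisks2 projects: it answers YES only for the listed udisks2 actions, only for an active local session, and only for members of one group, and a small stand-in `polkit` object lets the decision be checked under Node.js. The group name `diskunlock`, the sample users and the `decide` helper are hypothetical, and which action the poster's prompt actually maps to is still a guess, as it is in the thread.

```javascript
// Stand-in for the object polkitd provides, so the rule can run under Node.js.
// Constructed harness: under polkitd `polkit` already exists and this is skipped.
var registered = [];
if (typeof polkit === "undefined") {
  globalThis.polkit = {
    Result: { YES: "yes" },
    addRule: function (fn) { registered.push(fn); }
  };
}

// Actions to pre-authorise. The first is named in the thread; the second is the
// udisks2 action for mounting system (non-removable) filesystems.
var ALLOWED_ACTIONS = [
  "org.freedesktop.udisks2.encrypted-unlock-system",
  "org.freedesktop.udisks2.filesystem-mount-system"
];
var UNLOCK_GROUP = "diskunlock"; // hypothetical group name

// The rule itself: this call is what a .rules file would contain.
polkit.addRule(function (action, subject) {
  if (ALLOWED_ACTIONS.indexOf(action.id) === -1) return; // not ours
  // Only a user at an active local session, never a remote login.
  if (!subject.local || !subject.active) return;
  if (subject.isInGroup(UNLOCK_GROUP)) return polkit.Result.YES;
  // Returning nothing lets later rules and the default policy decide,
  // which is where the administrator password prompt comes from.
});

// Harness: the first rule that returns a value wins.
function decide(actionId, who) {
  var subject = {
    user: who.user, local: who.local, active: who.active,
    isInGroup: function (g) { return who.groups.indexOf(g) !== -1; }
  };
  for (var i = 0; i < registered.length; i++) {
    var result = registered[i]({ id: actionId }, subject);
    if (result) return result;
  }
  return "default-policy";
}

// Constructed subjects.
var alice = { user: "alice", local: true, active: true, groups: ["users", "diskunlock"] };
var aliceRemote = { user: "alice", local: false, active: true, groups: ["users", "diskunlock"] };
var guest = { user: "guest", local: true, active: true, groups: ["users"] };
console.log(decide(ALLOWED_ACTIONS[0], alice), decide(ALLOWED_ACTIONS[0], guest));
```

Matching on the exact action ids keeps the grant from spreading to other udisks2 operations, and `pkaction`, mentioned earlier in the thread, lists the ids registered on a given system.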