Mounting removable media on SLES11 (policy driven)
This document (7003564) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 11
Situation
PolicyKit is an application-level toolkit or authorization framework for centralizing the decision making process with respect to granting access to privileged operations for unprivileged applications. It is typically used by privileged user space daemons to control access. Whenever a process from the user session tries to carry out an action in the system context, PolicyKit is queried. The answer PolicyKit gives depends on the policy defined for this process. It can be
yes,
no, or
authentication needed.
At the moment, not all applications requiring privileges make use of PolicyKit. Mounting, unmounting and ejecting removable devices are operations that PolicyKit controls, and this document explains how to set their privileges.
To modify or set privileges, a system administrator can either use the graphical tool available with GNOME, use the command line tools shipped with PolicyKit, or modify the configuration files. While the GUI and the command line tools are a good solution for making temporary changes, editing the configuration files should be the preferred way to make permanent changes.
Start the Authorizations tool either via the GNOME main menu by selecting or by pressing Alt+F2 and entering polkit-gnome-authorization.
The rest of this document explains the use of the command line tools and editing the configuration files.
Resolution
1) Mount removable media
If a user inserts a DVD, a pop-up window asks for root authentication ("System policy prevents ejecting removable media"). The root password needs to be entered to continue mounting the DVD.
a) To avoid getting the authentication window every time removable media is inserted, and to allow a specific user to mount removable media, run the following command as root:
polkit-auth --user username --grant org.freedesktop.hal.storage.mount-removable
b) To allow all locally logged in users on the active console to mount removable media permanently, run the following commands as root:
echo 'org.freedesktop.hal.storage.mount-removable no:no:yes' >> /etc/polkit-default-privs.local
/sbin/set_polkit_default_privs
(echo writes the policy to the file /etc/polkit-default-privs.local;
set_polkit_default_privs activates the settings;
no:no:yes grants (yes) or blocks (no) privileges, from left to right, for any user, user not in the active session, and user in the active session)
2) Eject removable media
If the same user wants to eject the DVD after use by right-clicking the icon and selecting "Eject Volume", the same or a similar window ("System policy prevents ejecting removable media") opens and requires root authentication before the DVD can be ejected.
a) To avoid authentication every time removable media needs to be ejected, run the following command as root:
polkit-auth --user username --grant org.freedesktop.hal.storage.eject
b) To allow all locally logged in users on the active console to eject removable media, run the following commands as root:
echo 'org.freedesktop.hal.storage.eject no:no:yes' >> /etc/polkit-default-privs.local
/sbin/set_polkit_default_privs
3) Revoke granted permission
If the system administrator (root) wants to revoke these permanent permissions (see 1 and 2), depending on what was used to grant them, the following steps set them back:
a) If the same user should no longer be able to mount or eject removable media without root authentication, and polkit-auth was used to grant the permissions, run the following command(s) as root:
polkit-auth --user linux --revoke org.freedesktop.hal.storage.mount-removable
polkit-auth --user linux --revoke org.freedesktop.hal.storage.eject
b) If echo was used to write the policy into /etc/polkit-default-privs.local, open /etc/polkit-default-privs.local with your favorite text editor and remove the lines granting the authorization:
org.freedesktop.hal.storage.mount-removable no:no:yes
org.freedesktop.hal.storage.eject no:no:yes
After saving the file, run:
/sbin/set_polkit_default_privs
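After granting or revoking entries, the file can be checked for grants that reach further than the active session. The following is an added example, not part of the original SUSE document: the function name audit_privs and the sample file content are constructed for illustration, and the check assumes the three-field format described above, treating any value other than yes as not granting the privilege outright.

```shell
#!/bin/sh
# Added example: audit a file in the /etc/polkit-default-privs.local format.
# Line format (as described above): <action> <any>:<inactive>:<active>

# audit_privs FILE
#   OK    <action>  "yes" only for users in the active session
#   BROAD <action>  "yes" for any user or for users outside the active session
#   BAD   <line>    line does not have the <action> a:b:c form
# Returns 1 if any BROAD or BAD entry was found, 0 otherwise.
audit_privs() {
    awk '
        BEGIN { rc = 0 }
        /^[ \t]*#/ { next }          # skip comments
        NF == 0    { next }          # skip blank lines
        {
            n = split($2, f, ":")
            if (NF != 2 || n != 3) { print "BAD   " $0; rc = 1; next }
            if (f[1] == "yes" || f[2] == "yes") { print "BROAD " $1; rc = 1 }
            else if (f[3] == "yes")             { print "OK    " $1 }
        }
        END { exit rc }
    ' "$1"
}

# Constructed sample input (not taken from a real system); the last two
# entries use hypothetical action names to show the flagged cases.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# local overrides
org.freedesktop.hal.storage.mount-removable no:no:yes
org.freedesktop.hal.storage.eject no:no:yes
org.example.constructed.action yes:yes:yes
org.example.constructed.broken no:yes
EOF

audit_privs "$sample" || echo "review the BROAD/BAD entries listed above"
rm -f "$sample"
```

On a real system the function would be pointed at /etc/polkit-default-privs.local before running /sbin/set_polkit_default_privs.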
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7003564
- Creation Date: 17-Jun-2009
- Modified Date: 03-Mar-2020
- SUSE Linux Enterprise Desktop
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com