1

I have been using the following guideline (see link below) to isolate versions of Ubuntu on my rig by introducing a requirement for a password to access them (through FILES etc): How to make Ubuntu ask for password when mounting partitions? This basically modified /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla as detailed in this question. (See the link for details.)

However, this doesn't now seem to work for the latest OS Noble Numbat 24.04. Can someone suggest what I might be doing wrong and/or suggest another way to do this.

Thanks.

I have been trying to make a comparison between 22.04 (work) and 24.04 (doesn't work). My conclusion is that polkit is not working (24.04) when I have modified the /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla as described above. As a test I run the following on 22.04 and then 24.04: -

pkcheck -u --process $$ --action-id org.freedesktop.udisks2.filesystem-mount-system

For 22.04 it shows the 'Authentication Request' Splash and for 24.04 it doesn't.

pkaction --verbose --action-id org.freedesktop.udisks2.filesystem-mount-system

Is the same for 22.04 & 24.04

systemctl status polkit.service

Is more or less the same for 22.04 and 24.04 expect the locale is difference en_GB.UTF-8 (22.04) & en_US.UTF-8 (24.04). Could this affect it is somehow, perhaps?

sudo systemctl | grep running | grep polkit
polkit.service    loaded active running   Authorization Manager

for both 22.04 & 24.04

Any ideas?

Thanks.

I have added some debugging to CLib using information from: -

https://wiki.ubuntu.com/DebuggingPolicykit

When running

pkcheck -u --process $$ --action-id org.freedesktop.udisks2.filesystem-mount-system

I get the following report: -

GLib-GIO-DEBUG: 14:05:26.841: Using cross-namespace EXTERNAL authentication (this will deadlock if server is GDBus < 2.73.3)

I couldn't work out what version of GDBus 24.04 was using, sorry. I thought is might help shed some light on the problem.

Having added some debugging (& still not working) I will now add the output of: -

 systemctl status polkit.service

Starting polkit.service - Authorization Manager...
Started polkitd version 124
Loading rules from directory /etc/polkit-1/rules.d
Loading rules from directory /usr/share/polkit-1/rules.d
Finished loading, compiling and executing 16 rules
Started polkit.service - Authorization Manager
Acquired the name org.freedesktop.PolicyKit1 on the system bus
Registered Authentication Agent for unix-session:c1 (system bus name :1.43 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Registered Authentication Agent for unix-session:3 (system bus name :1.81 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Unregistered Authentication Agent for unix-session:c1 (system bus name :1.43, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)  (disconnected from bus)

Contents of: - ls -al /usr/share/polkit-1/rules.d/

I have added this as I wonder if one of the files, perhaps, should not be there. I looked in com.ubuntu.desktop.rules and I think I counted 8 rules (8 methods?) so I suspect the others are from the other files (?).

-rw-r--r-- 1 root root 1176 Apr 12 07:51 20-gnome-initial-setup.rules
-rw-r--r-- 1 root root  104 Apr  3 19:26 49-ubuntu-admin.rules
-rw-r--r-- 1 root root  325 Apr  3 19:26 50-default.rules
-rw-r--r-- 1 root root 3373 Jun  5  2023 com.ubuntu.desktop.rules
-rw-r--r-- 1 root root  523 Apr  8 16:58 gamemode.rules
-rw-r--r-- 1 root root  556 Apr 18 17:54 gnome-control-center.rules
-rw-r--r-- 1 root root  182 Mar 31 00:24 org.a11y.brlapi.rules
-rw-r--r-- 1 root root  368 Apr  1 19:13 org.freedesktop.bolt.rules
-rw-r--r-- 1 root root  251 Apr  5 12:36 org.freedesktop.fwupd.rules
-rw-r--r-- 1 root root  287 Apr  8 15:39 org.freedesktop.GeoClue2.rules
-rw-r--r-- 1 root root  282 Apr  4 19:48 org.freedesktop.NetworkManager.rules
-rw-r--r-- 1 root root  334 Mar 31 09:13 org.freedesktop.packagekit.rules
-rw-r--r-- 1 root root  594 Apr 18 14:39 org.gtk.vfs.file-operations.rules
-rw-r--r-- 1 root root  519 Apr 16 10:55 sssd-pcsc.rules
-rw-r--r-- 1 root root  527 Feb 27 17:26 systemd-networkd.rules
david
  • 937

1 Answers1

2

Please note that I am not an expert on this. It is also possibly not a complete answer - but see more below.

(From the comments) Starting with Ubuntu 23.10, Ubuntu finally upgraded Polkit from the antique version they were using (which used pkla files) to the current version (which has used rule files for years now). (See link below for a recent description of how this now works (I think)).

https://linuxconfig.org/introduction-to-polkit-navigating-authorization-frameworks-in-linux

These two directories(+file) are the ones that now seem to contain the relevant data: -

/usr/share/polkit-1/rules.d/com.ubuntu.desktop.rules
/etc/polkit-1/rules.d/com.ubuntu.desktop.rules

The relevant rule is the following one: -

org.freedesktop.udisks2.file-system-mount

Following details from the link above I did attempt to make a copy of the relevant rule in the first dir/file and put it into an identically named file in the second and modify the return value from 'YES' to 'auth_admin_keep'.

This did not seem to work and I have reverted to just updating the original file in first directory above. (Line 17 at the end of the second rule.) This did seem to work although it is advised, (WARNING) in the link above, that this file could be over-written at any time during an update.

Note: The /etc/polkit-1/rules.d is in the polkitd group as the 'other' permissions are all off. (There must a reason for that.) When set like this the rules increases from 16 to 17 suggesting the extra rule is loaded but doesn't work. It is as if the two directories are loaded in the wrong order? Note that systemctl status polkit.services lists them with /etc/... first?

I hope this is of some help.

david
  • 937