2

I have a luks encrypted volume on my 18.04 Kubuntu Laptop. When I double click on it in Dolphin I'm asked for the luks password and the volume is mounted. Everything is fine.

But this volume is also used by another user that isn't in sudo group (and can't be for other reasons). This user is asked for an admin password when he tries to decrypt the volume. I also sometimes connect myself remotely to the computer through x2go/SSH. In this case I'm also asked to enter the admin credentials. I would like to allow all users in a specified group to decrypt the luks volume without having to enter the admin password, whatever the way they connect (either directly on the laptop or remotely, from the local network).

I spent hours and hours trying to set a pkla file in /etc/polkit-1/localauthority/50-local.d/ and/or in /var/lib/polkit-1/localauthority/50-local.d/ without any success.

The content of the pkla file is as this:

[Authorize mounting of luks volumes ]   
Identity=unix-user:*  
Action=org.freedesktop.udisks2.encrypted-unlock-system;org.freedesktop.udisks2.filesystem-mount-system  
ResultAny=yes  
ResultInactive=yes  
ResultActive=yes

The file seems to be completely ignored. I tried also to edit directly the file /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla and to allow all udisks2 actions for all users but it didn't work either.

The only tweak that works is editing default permissions in the /usr/share/polkit-1/actions/org.freedesktop.UDisks2.policy but the solution is not acceptable as I want to allow only some users.

A similar case of a non-working pkla has been raised here but not solved.

Any idea? Is there a way to check or debug pkla files?

Olorin
  • 3,488
Azelic
  • 31
  • Maybe the prompt is for a different polkit action? What do the log entries for those polkit prompts say? – Olorin Jan 22 '19 at 08:27
  • When I get the credential prompt I can see the action requiring the authentication. In this case it is org.freedesktop.udisks2.encrypted-unlock-system and org.freedesktop.udisks2.filesystem-mount (the latter was wrong in my pkla but even after correction it doesn't work). I checked the log. The only relevant line is this one: polkitd(authority=local)[20362]: Operator of unix-session:9 FAILED to authenticate to gain authorization for action org.freedesktop.udisks2.encrypted-unlock-system for system-bus-name::1.131 [/usr/bin/dolphin] (owned by unix-user:fy) – Azelic Jan 24 '19 at 05:21
  • Nothing about pkla files. – Azelic Jan 24 '19 at 05:28

1 Answer

1

I answer my own question as I solved the issue in the meantime:
I used LibreOffice to edit the pkla file. After checking the file with the command cat -A filename.pkla I discovered that there was a hidden line at the top of the file. This line was visible neither with LibreOffice nor with nano. I suppose this line prevented polkit from reading the file, but no error was reported in the logs. I edited a brand new file with nano and now it works.

Azelic
  • 31
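
For the question's "is there a way to check or debug pkla files?" and the hidden line found in the answer, here is an added example (not part of the original posts, and not polkit's own parser): a small Python checker that reports the invisible characters `cat -A` would reveal, plus basic structure problems. The name `lint_pkla`, the list of invisible characters, the sample and the structural checks are assumptions modelled on the key-file layout shown in the question.

```python
import re
import sys

GROUP = re.compile(r"^\[[^\[\]]+\]\s*$")
RESULT_KEYS = {"ResultAny", "ResultInactive", "ResultActive"}
# Characters most editors render as nothing (assumed list, not exhaustive).
INVISIBLE = {"\u00a0", "\u200b", "\u200e", "\u200f", "\u2060", "\ufeff"}
# Constructed sample: a zero-width space on its own line above a valid entry.
SAMPLE = ("\u200b\n[Unlock LUKS]\nIdentity=unix-user:*\n"
          "Action=org.freedesktop.udisks2.encrypted-unlock-system\n"
          "ResultAny=yes\n").encode("utf-8")


def lint_pkla(data: bytes):
    """Return [(line_no, problem)] for the raw bytes of a .pkla file."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        return [(0, f"not valid UTF-8 at byte offset {exc.start}")]
    problems, groups = [], []  # groups holds (header_line_no, keys_seen)
    for no, line in enumerate(text.split("\n"), 1):
        hidden = sorted({f"U+{ord(c):04X}" for c in line if c in INVISIBLE
                         or (ord(c) < 32 and c != "\t") or ord(c) == 127})
        if hidden:
            problems.append((no, "invisible characters: " + " ".join(hidden)))
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment
        if GROUP.match(line):
            groups.append((no, set()))
        elif not groups:
            problems.append((no, "content before the first [group] header"))
        elif "=" in line:
            groups[-1][1].add(line.split("=", 1)[0].strip())
        else:
            problems.append((no, "not a [group], key=value or comment line"))
    for no, keys in groups:
        for key in ("Identity", "Action"):
            if key not in keys:
                problems.append((no, f"group is missing {key}="))
        if not keys & RESULT_KEYS:
            problems.append((no, "group has no Result* key"))
    if not groups:
        problems.append((0, "no [group] header found"))
    return problems


if __name__ == "__main__":
    blobs = {p: open(p, "rb").read() for p in sys.argv[1:]} or {"<sample>": SAMPLE}
    for name, blob in blobs.items():
        for no, msg in lint_pkla(blob):
            print(f"{name}:{no}: {msg}")
```

Run it with the paths of the `.pkla` files as arguments; with no arguments it checks the constructed sample. Line number 0 marks a problem with the file as a whole.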