3

GOAL

I'd like to mount an external drive using cron for automatic backups, preferably with udisksctl.

PROBLEM

udisksctl mount -b /dev/sdXY works fine from the command line or shell script, but when I run it from cron (using my own cron table), it fails with the message:

Error creating textual authentication agent: Error opening current controlling terminal for the process (`/dev/tty'): No such device or address (polkit-error-quark, 0)
Error mounting /dev/sdXY: GDBus.Error:org.freedesktop.UDisks2.Error.NotAuthorizedCanObtain: Not authorized to perform operation

WHAT I'VE TRIED

In /usr/share/polkit-1/actions/org.freedesktop.UDisks2.policy, I edited the action org.freedesktop.udisks2.filesystem-mount, changing the default value of allow_inactive from auth_admin to yes so that it matches the value of allow_active. That section now looks like this:

    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>

I tried both sudo systemctl restart polkit.service and rebooting my machine, but I still get the same message and can't run udisksctl mount from cron.

System info

$ uname -a
Linux <hostname> 5.15.0-97-generic #107-Ubuntu SMP Wed Feb 7 13:26:48 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

$ cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.4 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.4 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian

Raffa
  • 32,237

2 Answers

3

Ubuntu 23.10 and later

Create and edit a .rules file under /etc/polkit-1/rules.d/ like:

sudo nano /etc/polkit-1/rules.d/10-udisks.rules

... and to allow a certain user, copy/paste the following in it, changing user to your username:

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.udisks2.filesystem-mount" &&
        subject.user == "user") {
        return polkit.Result.YES;
    }
});

... or, this instead, to allow any user:

polkit.addRule(function(action) {
    if (action.id == "org.freedesktop.udisks2.filesystem-mount") {
        return polkit.Result.YES;
    }
});

Ubuntu 23.04 and earlier

Create and edit a .pkla file under /etc/polkit-1/localauthority/50-local.d/ like:

sudo nano /etc/polkit-1/localauthority/50-local.d/10-udisks.pkla

... and to allow a certain user, copy/paste the following in it, changing user to your username:

[Allow Mounting From User Cron]
Identity=unix-user:user
Action=org.freedesktop.udisks2.filesystem-mount
ResultAny=yes

... or, this instead, to allow any user:

[Allow Mounting From User Cron]
Identity=unix-user:*
Action=org.freedesktop.udisks2.filesystem-mount
ResultAny=yes
Raffa
  • 32,237
0

Solution (with security implications?)

I changed the allow_any default from auth_admin to yes, followed by ... restart polkit.service. Now the drive mounts from cron. The entry in the ...Udisks2.policy file now looks like this:

    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>

Q: Are there any negative security implications with this setting?

  • I see no security harm with that more than a dedicated rule file AFAIK ... But the default policy files might be overwritten/altered on system/package updates so, not guaranteed to hold your modification then. – Raffa Feb 25 '24 at 13:56
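
An added example, not part of either answer or of polkit itself: a simplified JavaScript model of the order in which polkit decides (rules from rules.d first, then the `<defaults>` of the .policy file), run against the configurations on this page. It assumes a cron job is evaluated as a subject with no local session, consistent with what the question and the second answer observed; `makeAuthority`, `outcomes` and the usernames `backup` and `other` are hypothetical names.

```javascript
// Simplified model of polkit's decision order (added example, not polkit's code).
const MOUNT = "org.freedesktop.udisks2.filesystem-mount";
const Result = { YES: "yes", AUTH_ADMIN: "auth_admin" };

function makeAuthority(defaults) {
    const rules = [];
    const polkit = { Result, addRule: (fn) => rules.push(fn) };
    function check(actionId, subject) {
        // 1. Rules run first; the first one that returns a result wins.
        for (const rule of rules) {
            const r = rule({ id: actionId }, subject);
            if (r) return r;
        }
        // 2. Otherwise the <defaults> apply, chosen by the caller's session state.
        if (subject.local && subject.active) return defaults.allow_active;
        if (subject.local) return defaults.allow_inactive;
        return defaults.allow_any; // assumption: a cron job has no local session
    }
    return { polkit, check };
}

// Constructed subjects; "backup" and "other" are placeholder usernames.
const cronBackup = { user: "backup", local: false, active: false };
const cronOther = { user: "other", local: false, active: false };

// <defaults> values as they appear on this page.
const questionEdit = { allow_any: "auth_admin", allow_inactive: "yes", allow_active: "yes" };
const secondAnswer = { allow_any: "yes", allow_inactive: "auth_admin", allow_active: "yes" };
const stock = { allow_any: "auth_admin", allow_inactive: "auth_admin", allow_active: "yes" };

// Unmodified defaults plus the per-user rule from the first answer.
const scoped = makeAuthority(stock);
scoped.polkit.addRule(function (action, subject) {
    if (action.id == MOUNT && subject.user == "backup") {
        return scoped.polkit.Result.YES;
    }
});

function outcomes() {
    return {
        questionEdit: makeAuthority(questionEdit).check(MOUNT, cronBackup),
        secondAnswerOther: makeAuthority(secondAnswer).check(MOUNT, cronOther),
        scopedBackup: scoped.check(MOUNT, cronBackup),
        scopedOther: scoped.check(MOUNT, cronOther),
    };
}

console.log(outcomes());
```

In this model the allow_inactive edit never reaches the cron job, allow_any set to yes grants the mount to every session-less caller, and the per-user rule grants it to `backup` alone while `other` still gets auth_admin.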