4

THIS POST IS NOT A DUPLICATE ALTHOUGH IT HAS BEEN MARKED AS SUCH. NOWHERE ON THE ALLEGED DUPLICATE PAGE DOES IT MENTION EXTERNAL DRIVES OR HOW TO DIFFERENTIATE THEM INSIDE POLKIT.

I did some research and found my question asked already. It is a duplicate of "is it possible to make ubuntu ask for my password before mounting usb-drives?"

The problem is, they did not answer that person's question, at all. He did not ask about encrypting a drive. His issue, as is mine, is not protecting a single flash/USB drive, it is protecting his Ubuntu system from someone inserting a USB/flash drive.

He, as well as I, wants Ubuntu to prompt for our password before mounting any USB drive that gets inserted. How can I do this? I found this topic, "How to make Ubuntu ask for password when mounting partitions?", but that is for either all drives, or for specific ones. All drives will not work for my setup, as I do not require it to mount internal drives. The individual drives setup will not work either, because in this case the UUID is unknown, so setting it up ahead of time is not possible.

I thought the original poster stated the problem well, and it was not a case of misunderstood question, the person answering just did not answer the question asked.

I went to add to that already started topic, but the guide that popped up suggested I not ask further questions if the topic is not answered. I hope I did the right thing by creating a new topic.

EDIT: More explanation was asked for. I have internal drives that do not get mounted when the machine boots. They are dm-crypt encrypted drives that get mounted when I enter my key at the cryptsetup prompt, after the machine is booted and logged in. So requiring the password for ALL drives will not work. As I mentioned, the UUID of an unknown USB/flash drive is, well, unknown, so the specific drive setup in fstab will not work either. Is there a way to require it for all external drives, but not the internal ones?

I appreciate all the suggestions, even the off-topic ones that do not answer the question I asked

EDIT again: Thinking about it, could udev be used to write some rule for this? I do not understand udev well enough yet, but it seems like that could be useful

EDIT: Anders, not sure what on that page I should be looking at, but I do not see how to accomplish my goal with the info on that page. Please share your idea.

grinch
  • You could stop it automounting, but it could still be mounted from the side pane... Also, take a look at Removable Media, in Details, in System Settings. – Wilf Dec 12 '13 at 21:40
  • Well, AFAIK, physical access is root access. There are almost endless ways to access data if you have physical access, and nothing about password protecting a USB prevents booting another OS, removing the hard drive, etc, etc. – Panther Dec 12 '13 at 21:53
  • All you need is to be found here. If you still can't manage, update your question with where you are stuck and exactly what you did and I will look at it. : ) – Anders F. U. Kiær Dec 12 '13 at 23:22
  • IMHO, the accepted answer describes how to change Polkit behavior which is what you want to do. – Braiam Dec 16 '13 at 01:55
  • Braiam, I already accepted the answer and commented that it was exactly what I was looking for. Why is this comment necessary, and why is this marked as a duplicate? It is not a duplicate of the password for USB drives that I cited in my original post and someone posted to top of the page. It is not a duplicate of the post that the accepted answer author cited either. That page does not address the external vs internal issue that the answer author did here. The question is unique, because the other question did not answer the question, at all. The answer is also unique. Unique is not a dupl. – grinch Dec 16 '13 at 14:14
  • This is not a duplicate. It should not be marked as such. Nowhere does that post mention external drives and how to differentiate them. – grinch Aug 14 '15 at 16:50

1 Answer

2

If you understand what is happening in this answer then it is easy to change it to the way you want it to behave.

Just make a file named /etc/polkit-1/localauthority/90-mandatory.d/external_mnt.pkla with the following content:

[external mount pass]
       Identity=unix-group:admin;unix-group:sudo
       Action=org.freedesktop.udisks.filesystem-mount
       ResultActive=auth_admin_keep

This should ask for a password when an external device is mounted, but shouldn't ask when an internal one is mounted.

Where to find more info about these things: in the manuals, man pklocalauthority and man polkit.

Regarding the comment "How does the system know to only ask on external drives?": to find that out you should look into the source code of udisks, device.c, where an if branch starts on line 6674:

if (is_device_in_fstab (device, NULL))
{
  action_id = NULL;
}
else
{
  if (device->priv->device_is_system_internal)
    action_id = "org.freedesktop.udisks.filesystem-mount-system-internal";
  else
    action_id = "org.freedesktop.udisks.filesystem-mount";
}

So you can see that org.freedesktop.udisks.filesystem-mount is only for mounts which are not considered internal. And what is considered internal? That is also coded in that file, just look it up if you are curious.

Note: I just tested this, and it has worked for me.

falconer
  • Thank you for answering. That page provides no configuration examples like this. I am reading the man page linked from it, but do not see the "external/internal" distinction there either. How does the system know to only ask on external drives? Without seeing something like this in the man page, I am cautious about adding "random" files to my system. Is it the name of the file, external_mnt.pkla, or is it the configuration header [external mount pass] (which just looks like a description)? Can you provide the man page where external/internal is explained? – grinch Dec 13 '13 at 15:44
  • It seems like the action line should have the differentiation for internal or external, but it does not: Action=org.freedesktop.udisks.filesystem-mount. Digging through freedesktop docs, I found org.freedesktop.udisks.filesystem-mount-system-internal but am not able to find the -external equivalent. – grinch Dec 13 '13 at 15:51
  • 'pkaction' is not showing me anything for external either. I am looking for something in the docs that says "org.freedesktop.udisks.filesystem-mount" is external only but am unable to find it. Anyone have docs on this? – grinch Dec 13 '13 at 15:57
  • @user224859 I updated the answer. – falconer Dec 13 '13 at 15:59
  • This worked perfectly! It is exactly the answer I was looking for. System prompted me for sudo pass when plugging in USB, but did not prompt when mounting my internal encrypted drive. Not sure how this all works, as I am new to this AskUbuntu system, I'd like this marked as solved, with this answer. Do I just hit the 'up' arrow next to your solution? Anything else I need to do? – grinch Dec 13 '13 at 16:13
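
The internal/external split discussed in this thread depends on the Action= line matching only org.freedesktop.udisks.filesystem-mount. Action= is a semicolon-separated list of globs (man pklocalauthority), so a trailing wildcard would also catch the -system-internal action. The script below is an added example, not part of the answer or of udisks/polkit: a small checker that reads a .pkla file and reports which ResultActive it yields for each of the two action ids. The function names, the temporary files and the too_broad.pkla variant are constructed for illustration, and the parser looks only at Action and ResultActive (it ignores Identity and precedence between several files).

```shell
#!/bin/sh
# Added example: which ResultActive does a .pkla file give a polkit action id?
# Per "man pklocalauthority", Action= is a ';'-separated list of globs.
pkla_result_for() {            # usage: pkla_result_for FILE ACTION_ID
    file=$1; action=$2; result=; matched=0; sec_result=
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}      # trim leading whitespace
        case $line in
            \[*)                                    # new section: commit the previous one
                if [ "$matched" -eq 1 ] && [ -n "$sec_result" ]; then result=$sec_result; fi
                matched=0; sec_result= ;;
            Action=*)
                old_ifs=$IFS; IFS=';'; set -f       # split on ';' without pathname expansion
                for glob in ${line#Action=}; do
                    case $action in $glob) matched=1 ;; esac
                done
                set +f; IFS=$old_ifs ;;
            ResultActive=*) sec_result=${line#ResultActive=} ;;
        esac
    done < "$file"
    if [ "$matched" -eq 1 ] && [ -n "$sec_result" ]; then result=$sec_result; fi
    printf '%s\n' "$result"
}

# Succeeds only if external mounts get a result and internal mounts are untouched.
scope_ok() {                   # usage: scope_ok FILE
    [ -n "$(pkla_result_for "$1" org.freedesktop.udisks.filesystem-mount)" ] &&
    [ -z "$(pkla_result_for "$1" org.freedesktop.udisks.filesystem-mount-system-internal)" ]
}

# Constructed sample files: the rule from the answer, and a too-broad variant.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/external_mnt.pkla" <<'EOF'
[external mount pass]
       Identity=unix-group:admin;unix-group:sudo
       Action=org.freedesktop.udisks.filesystem-mount
       ResultActive=auth_admin_keep
EOF
cat > "$SAMPLES/too_broad.pkla" <<'EOF'
[all udisks mounts]
Identity=unix-group:admin;unix-group:sudo
Action=org.freedesktop.udisks.filesystem-mount*
ResultActive=auth_admin_keep
EOF

for f in "$SAMPLES"/*.pkla; do
    if scope_ok "$f"; then echo "OK     ${f##*/}"; else echo "REVIEW ${f##*/}"; fi
done
```

Run against the real file with scope_ok /etc/polkit-1/localauthority/90-mandatory.d/external_mnt.pkla before relying on the rule.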