Re: How to limit udisks2 rules to a specific device?

To: debian-user@lists.debian.org
Subject: Re: How to limit udisks2 rules to a specific device?
From: Brian <ad44@cityscape.co.uk>
Date: Sun, 8 Apr 2018 19:00:49 +0100
Message-id: <[🔎] 08042018185026.5fc4a759c593@desktop.copernicus.org.uk>
In-reply-to: <[🔎] dfd9708f-4436-12fd-475d-a8f79be1de5d@gmail.com>
References: <[🔎] dfd9708f-4436-12fd-475d-a8f79be1de5d@gmail.com>

On Sun 08 Apr 2018 at 18:50:50 +0200, Mikhail Morfikov wrote:

[...]
> I've seen that people use something similar to the following rule:
> -----------------------------------------
> /etc/polkit-1/localauthority/50-local.d/20-udisks2.pkla
> -----------------------------------------
> [Allow morfik to mount devices]
> Identity=unix-user:morfik;
> Action=org.freedesktop.udisks2.*;
> ResultAny=no
> ResultInactive=no
> ResultActive=yes
> -----------------------------------------
> And this is a little bit better than the previous solution because it gives me
> the ability to specify users/groups , and only the parties can do some actions,
> like for instance mounting a device (to be viewed via pkaction). The problem
> here is that I can't choose which devices should be accessed by the identity --
> I'm able only to set which actions can be allowed.
> 
> In the polkit manual[1], there's an example that would do exactly what I want.
> I'm speaking about this:
> ----------------------------------------------------------------------
> polkit.addRule(function(action, subject) {
>     if (action.id.indexOf("org.freedesktop.udisks2.") == 0 &&
>         action.lookup("drive.vendor") == "SEAGATE" &&
>         action.lookup("drive.model") == "ST3300657SS" &&
>         subject.isInGroup("engineers")) {
>             return polkit.Result.YES;
>         }
>     }
> });
> ----------------------------------------------------------------------
> I bet there's also probably something like:
>   action.lookup("drive.serial")
> but I don't really know how to get those values yet.
> 
> Anyways, I don't think the above rule can be used with the polkit version that's
> currently in Debian, which is 0.105 . That rule can be used when you deal with
> 0.106+ , and 0.113 is available in the experimental branch, but unfortunately it
> can't be installed due to dependencies problems.
> 
> Is there a way to convert that rule somewhat or is this functionality specific
> to the polkit v0.106+?  Or maybe is there another way to achieve what I want?

Converting from the JavaScript to the old style? Probably not. Converting
the other way? Maybe.

https://lists.debian.org/debian-user/2016/01/msg00209.html

-- 
Brian.

Reply to:

Follow-Ups:
- Re: How to limit udisks2 rules to a specific device?
  - From: Mikhail Morfikov <mmorfikov@gmail.com>

References:
- How to limit udisks2 rules to a specific device?
  - From: Mikhail Morfikov <mmorfikov@gmail.com>

Prev by Date: How to limit udisks2 rules to a specific device?
Next by Date: Re: how do i tell usb to leave keyboard alone?
Previous by thread: How to limit udisks2 rules to a specific device?
Next by thread: Re: How to limit udisks2 rules to a specific device?
Index(es):
- Date
- Thread