Re: sudo udisksctl
On Sun 18 Feb 2024 at 10:23:52 (+0700), Max Nikulin wrote:
> I have decided to ask the following in a separate thread.
>
> On 17/02/2024 02:59, David Wright wrote
> (Re: f3tools vs Silicon Power 4T drive):
> > lulu () { sudo udisksctl unlock --block-device \
> >     /dev/disk/by-partlabel/Lulu01 && mount /media/lulu01
> > }
>
> I am evaluating whether the udisks2 D-Bus API allows one to create a
> tool as convenient as pmount(1) that is smart enough to unlock a device
> before mounting it (optionally with a specified mountpoint name):
>
> pmount /dev/sda1 mybackup
>
> I am puzzled by your function, however. I believed that udisks was
> created to allow *regular* users to mount drives. If you are using
> sudo, why don't you use "cryptsetup open" directly? Otherwise
> udisksctl can ask for a password if policy does not allow disk
> operations for the current user.
>
> P.S. Unfortunately the mount name is hardcoded in udisksd. It is either
> the label or the UUID; it cannot be specified when a partition is mounted.

Because policykit allows me to unlock partitions only if they're
local. I rely on being able to unlock partitions remotely. For
example, if I wakeonlan the PC in the basement, I need to be able
to unlock its /home before I can login as myself.

As a demonstration:

$ hostname
bhost
$ udisksctl unlock --block-device /dev/disk/by-partlabel/Nokia01
Passphrase:
Unlocked /dev/sdc1 as /dev/dm-2.
$ udisksctl lock --block-device /dev/disk/by-partlabel/Nokia01
Locked /dev/sdc1.
$

is fine, but ssh to a laptop and back to this machine:

$ ssh ahost
Linux ahost 5.10.0-27-amd64 #1 SMP Debian 5.10.205-2 (2023-12-31) x86_64
[ … ]
You have new mail.
Last login: Sun Feb 18 04:18:39 2024 from 192.168.1.14
$ ssh bhost
Linux bhost 5.10.0-28-amd64 #1 SMP Debian 5.10.209-2 (2024-01-31) x86_64
[ … ]
You have new mail.
Last login: Sun Feb 18 04:18:44 2024 from 192.168.1.16
$ udisksctl unlock --block-device /dev/disk/by-partlabel/Nokia01
Passphrase:
==== AUTHENTICATING FOR org.freedesktop.udisks2.encrypted-unlock ===
Authentication is required to unlock the encrypted device Multiple Card Reader (/dev/sdc1)
Authenticating as: root
Password:
[ pressed ^C ]

That's what I'm avoiding with sudo.

Cheers,
David.
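
Added example, not part of David's message or of udisks2: a small Python model of how polkit selects an implicit authorization for org.freedesktop.udisks2.encrypted-unlock depending on whether the caller sits in an active local session or arrives over ssh, which is the difference the two transcripts show. The policy XML is a constructed sample whose defaults are assumptions chosen to match the transcript, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the polkit .policy format. The <defaults> values are
# assumptions chosen to match the transcript, not copied from a udisks2 package.
SAMPLE_POLICY = """\
<policyconfig>
  <action id="org.freedesktop.udisks2.encrypted-unlock">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

def implicit_auth(policy_xml, action_id, local, active):
    """Return the implicit authorization that applies to a client.

    allow_active   -> client in an active session on a local console
    allow_inactive -> client in an inactive session on a local console
    allow_any      -> any other client (for example an ssh login)
    """
    root = ET.fromstring(policy_xml)
    for action in root.iter("action"):
        if action.get("id") != action_id:
            continue
        if local and active:
            key = "allow_active"
        elif local:
            key = "allow_inactive"
        else:
            key = "allow_any"
        value = action.findtext(f"defaults/{key}")
        # Assumption of this example: a missing element is treated as "no".
        return (value or "no").strip()
    raise KeyError(action_id)

def needs_admin_password(result):
    """True when the result means an administrator must authenticate."""
    return result in ("auth_admin", "auth_admin_keep")

if __name__ == "__main__":
    ACTION = "org.freedesktop.udisks2.encrypted-unlock"
    for label, local, active in [("console login", True, True),
                                 ("ssh bhost", False, False)]:
        print(label, "->", implicit_auth(SAMPLE_POLICY, ACTION, local, active))
```

On a real system, `pkaction --verbose --action-id org.freedesktop.udisks2.encrypted-unlock` prints the defaults that are actually installed.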