Re: sudo udisksctl

To: debian-user@lists.debian.org
Subject: Re: sudo udisksctl
From: David Wright <deblis@lionunicorn.co.uk>
Date: Sat, 17 Feb 2024 22:40:35 -0600
Message-id: <[🔎] ZdGKQ1YwJALY2AeJ@axis.corp>
Reply-to: debian-user@lists.debian.org
In-reply-to: <[🔎] uqrt8a$167k$1@ciao.gmane.io>
References: <[🔎] uqrt8a$167k$1@ciao.gmane.io>

On Sun 18 Feb 2024 at 10:23:52 (+0700), Max Nikulin wrote:
> I have decided to ask the following in a separate thread.
> 
> On 17/02/2024 02:59, David Wright wrote
> (Re: f3tools vs Silicon Power 4T drive):
> >   lulu ()   {     sudo udisksctl unlock --block-device
> > /dev/disk/by-partlabel/Lulu01 && mount /media/lulu01
> >   }
> 
> I am evaluating if udisks2 D-Bus API allows to create a tool as
> convenient as pmount(1) that is smart enough to unlock a device before
> mounting it (optionally with specified name of mountpoint)
> 
>     pmount /dev/sda1 mybackup
> 
> I have puzzled by your function however. I believed that udisks was
> created to allow *regular* users to mount drives. If you are using
> sudo why do not you use "cryptsetup open" directly? Otherwise
> udisksctl can ask password if policy does not allow disk operations
> for the current user.
> 
> P.S. Unfortunately mount name is hardcoded in udisksd. It is either
> label or UUID, it can not be specified when a partition is mounted.

Because policykit allows me to unlock partitions only if they're
local. I rely on being able to unlock partitions remotely. For
example, if I wakeonlan the PC in the basement, I need to be able
to unlock its /home before I can login as myself.

As a demonstration:

  $ hostname
  bhost
  $ udisksctl unlock --block-device /dev/disk/by-partlabel/Nokia01
  Passphrase: 
  Unlocked /dev/sdc1 as /dev/dm-2.
  $ udisksctl lock --block-device /dev/disk/by-partlabel/Nokia01
  Locked /dev/sdc1.
  $ 

is fine, but ssh to a laptop and back to this machine:

  $ ssh ahost
  Linux ahost 5.10.0-27-amd64 #1 SMP Debian 5.10.205-2 (2023-12-31) x86_64
  [ … ]
  You have new mail.
  Last login: Sun Feb 18 04:18:39 2024 from 192.168.1.14
  $ ssh bhost
  Linux bhost 5.10.0-28-amd64 #1 SMP Debian 5.10.209-2 (2024-01-31) x86_64
  [ … ]
  You have new mail.
  Last login: Sun Feb 18 04:18:44 2024 from 192.168.1.16
  $ udisksctl unlock --block-device /dev/disk/by-partlabel/Nokia01
  Passphrase: 
  ==== AUTHENTICATING FOR org.freedesktop.udisks2.encrypted-unlock ===
  Authentication is required to unlock the encrypted device Multiple Card  Reader (/dev/sdc1)
  Authenticating as: root
  Password: 
  [ pressed ^C ]

That's what I'm avoiding with sudo.

Cheers,
David.

Reply to:

Follow-Ups:
- Re: sudo udisksctl
  - From: Max Nikulin <manikulin@gmail.com>

References:
- sudo udisksctl
  - From: Max Nikulin <manikulin@gmail.com>

Prev by Date: Re: partition reporting full, but not
Next by Date: Re: sudo udisksctl
Previous by thread: sudo udisksctl
Next by thread: Re: sudo udisksctl
Index(es):
- Date
- Thread