
Re: How to limit udisks2 rules to a specific device?




On 2018-04-08 20:00, Brian wrote:
> On Sun 08 Apr 2018 at 18:50:50 +0200, Mikhail Morfikov wrote:
> 
> [...]
>> I've seen that people use something similar to the following rule:
>> -----------------------------------------
>> /etc/polkit-1/localauthority/50-local.d/20-udisks2.pkla
>> -----------------------------------------
>> [Allow morfik to mount devices]
>> Identity=unix-user:morfik;
>> Action=org.freedesktop.udisks2.*;
>> ResultAny=no
>> ResultInactive=no
>> ResultActive=yes
>> -----------------------------------------
>> And this is a little bit better than the previous solution because it gives me
>> the ability to specify users/groups, and only the parties can do some actions,
>> like for instance mounting a device (to be viewed via pkaction). The problem
>> here is that I can't choose which devices should be accessed by the identity --
>> I'm able only to set which actions can be allowed.
>>
>> In the polkit manual[1], there's an example that would do exactly what I want.
>> I'm speaking about this:
>> ----------------------------------------------------------------------
>> polkit.addRule(function(action, subject) {
>>     if (action.id.indexOf("org.freedesktop.udisks2.") == 0 &&
>>         action.lookup("drive.vendor") == "SEAGATE" &&
>>         action.lookup("drive.model") == "ST3300657SS" &&
>>         subject.isInGroup("engineers")) {
>>         return polkit.Result.YES;
>>     }
>> });
>> ----------------------------------------------------------------------
>> I bet there's also probably something like:
>>   action.lookup("drive.serial")
>> but I don't really know how to get those values yet.
>>
>> Anyways, I don't think the above rule can be used with the polkit version that's
>> currently in Debian, which is 0.105. That rule can be used when you deal with
>> 0.106+, and 0.113 is available in the experimental branch, but unfortunately it
>> can't be installed due to dependency problems.
>>
>> Is there a way to convert that rule somewhat or is this functionality specific
>> to the polkit v0.106+?  Or is there maybe another way to achieve what I want?
> 
> Converting from the JavaScript to the old style? Probably not. Converting
> the other way? Maybe.
> 
> https://lists.debian.org/debian-user/2016/01/msg00209.html
> 
I think I need the newer polkit version.

Attachment: signature.asc
Description: OpenPGP digital signature
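
For polkit 0.106+ (the JavaScript rules this thread concludes are needed), a per-device rule narrower than `org.freedesktop.udisks2.*` could look like the following; it is an added example, not code from the thread or from the polkit manual. The `drive.serial` key, the serial value and the helper name `isAllowedMount` are assumptions, and the guard around `polkit.addRule` exists only so the decision function can also be exercised outside polkitd.

```javascript
// Added example. ES5 only: polkitd's embedded JS engine is not Node.
// Constructed sample values; replace with what the drive actually reports.
var ALLOWED_USER = "morfik";
// One concrete action instead of the "org.freedesktop.udisks2.*" wildcard.
var ALLOWED_ACTIONS = ["org.freedesktop.udisks2.filesystem-mount"];
var ALLOWED_DRIVE = {
    "drive.vendor": "SEAGATE",
    "drive.model": "ST3300657SS",
    "drive.serial": "EXAMPLE-SERIAL-0001" // assumed key, constructed value
};

// Returns true only when action, user, session state and drive all match.
function isAllowedMount(action, subject) {
    if (ALLOWED_ACTIONS.indexOf(action.id) === -1) return false;
    if (subject.user !== ALLOWED_USER) return false;
    // Mirrors ResultActive=yes with ResultAny=no / ResultInactive=no.
    if (!subject.local || !subject.active) return false;
    for (var key in ALLOWED_DRIVE) {
        // A detail that was not supplied is undefined and never matches,
        // so a request without drive details fails closed.
        if (action.lookup(key) !== ALLOWED_DRIVE[key]) return false;
    }
    return true;
}

// Register only where the global `polkit` object exists (inside polkitd).
if (typeof polkit !== "undefined") {
    polkit.addRule(function(action, subject) {
        // NOT_HANDLED leaves every other request to the remaining rules
        // and the action's defaults instead of overriding them.
        return isAllowedMount(action, subject)
            ? polkit.Result.YES
            : polkit.Result.NOT_HANDLED;
    });
}
```

Vendor and model strings identify a product line rather than one unit, so the serial comparison is what pins the rule to a single device.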