This is a very polite way to picture this issue.
I have been searching the web low and high for days now to find out what’s up with PolicyKit and this posting finally pushed me in the right direction - thanks for this. The documentation at freedesktop.org is misleading, to say the least, because it doesn’t clearly state what the state of the art is. At the suse.org websites there is nothing about the current implementation of PolicyKit.
My use case: I’m using openSUSE 12.3 and I have an eSATA disk in an external casing sitting on the desktop (the real one) used for archiving stuff. From the user’s point of view this disk should be handled like a USB drive; you just switch it on and off when you need it. No problem with a real USB drive, openSUSE mounts the disk automagically. But not with this drive: from the OS’s point of view it isn’t a removable drive; it doesn’t matter that it is in an external casing, it is a system disk and needs manual mounting with root password.
An fstab entry doesn’t help with that; it’s the PolicyKit stubbornly asking for root password. There are “solutions” all over the place on the net, but most of them don’t work because either they are targeted at the real old PolicyKit version or they are focusing on the current PolicyKit version, but don’t work either.
Actually the solution is pretty easy once you know it. First the things to forget about:
- Anything related to fstab. We want the drive to be used temporarily.
- Any documentation still on the freedesktop.org website about PolicyKit which is not designated as “latest”.
- Any attempt to resolve the issue by using the KDE system settings module “Actions Policy”. Doesn’t work.
- Anything about subdirectories named /etc/polkit-1/localauthority and about .pkla files. Doesn’t work.
The only place with some substantial documentation is the “latest” compartment containing the polkit Reference Manual at freedesktop.org. But before going there you should have read this blog article by the maintainer of PolicyKit written in June 2012 (one year ago, that is) where he explains why he has changed the whole configuration business of PolicyKit radically. Using such beasts as simple text files like the .pkla files must have been too easy so he changed it all to JavaScript. Needless to say that the whole file system layout of the configuration has changed since. Now it all is in .rules files here and there.
Anyway, that alone would have been too easy. SUSE has added one layer on top of it: Instead of editing these JavaScript .rules files you are meant to edit one config file (a simple text file, for a change) and then let a custom program read this source config file and write your custom config to such a JavaScript file. And here we go:
openSUSE provides three text config files:
- /etc/polkit-default-privs.local
- /etc/polkit-default-privs.standard
- /etc/polkit-default-privs.restrictive
The names of the latter two speak for themselves; they are meant to serve as prefab config files for either home users or corporate users. In the file /etc/sysconfig/security there is a setting CHECK_POLKIT_PRIVS="" which of course may be set either to "standard" or "restrictive" (defaulting to "standard").
/etc/polkit-default-privs.local is the one and only file to be edited which then is meant to override the default config file (standard or restrictive). So far it is just a template. As your first step you can just cut and paste lines from one of the two other config files into the polkit-default-privs.local file; in this case that would be this single line:
org.freedesktop.udisks2.filesystem-mount-system auth_admin:auth_admin:auth_admin_keep
You would just change the final value to “yes” and then you have …
… and finally the second and final step:
And that’s it. The changed configuration gets written to the file /etc/polkit-1/rules.d/90-default-privs.rules which apparently is the decisive one to be used by PolicyKit (see the “latest” documentation).
I’m not sure about that. On my system actually there wasn’t such a file written at all. The only file I have met in that vicinity was one file /var/lib/polkit-1/localauthority/75-polkitkde.d/org.freedesktop.udisks2.filesystem.pkla which obviously had been written during my experiments with the KDE system settings module.
One last note: This simple config (once you know it) will pop up the SuSEplugger when the disk is powered up. I first observed that I had to click on the icon of the drive to actually mount it without being prompted for any password. Later I didn’t need to click at all; it went just automagically without any interaction. Don’t know how that delay at the first time came about; maybe I was too impatient then.
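Editor's added example (not part of the comment above and not openSUSE's own tooling): a small audit that compares a polkit-default-privs.local override against the profile file and reports every session class where the override is less strict. It assumes the three colon-separated values apply to any, inactive and active sessions in that order, that a single value applies to all three, and the strictness ranking in `RANK`; the `.local` line is constructed from the comment's description of changing the final value to "yes".

```python
# Assumed strictness order of polkit results: higher number = more restrictive.
RANK = {"yes": 0, "auth_self_keep": 1, "auth_self": 2,
        "auth_admin_keep": 3, "auth_admin": 4, "no": 5}
SESSIONS = ("any", "inactive", "active")  # assumed field order

def parse_privs(text):
    """Parse polkit-default-privs text into {action: (any, inactive, active)}."""
    privs = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected '<action> <values>'")
        values = fields[1].split(":")
        if len(values) == 1:  # a single value covers all three session classes
            values = values * 3
        if len(values) != 3 or any(v not in RANK for v in values):
            raise ValueError(f"line {lineno}: bad value list {fields[1]!r}")
        privs[fields[0]] = tuple(values)
    return privs

def relaxed_overrides(profile_text, local_text):
    """Return (action, session, profile_value, local_value) for each weakening."""
    profile = parse_privs(profile_text)
    findings = []
    for action, local in parse_privs(local_text).items():
        base = profile.get(action)
        if base is None:
            continue  # action not in the profile: nothing to compare against
        for session, old, new in zip(SESSIONS, base, local):
            if RANK[new] < RANK[old]:
                findings.append((action, session, old, new))
    return findings

# Profile line as quoted in the comment; the .local line is constructed.
STANDARD = ("org.freedesktop.udisks2.filesystem-mount-system "
            "auth_admin:auth_admin:auth_admin_keep\n")
LOCAL = ("# constructed local override\n"
         "org.freedesktop.udisks2.filesystem-mount-system "
         "auth_admin:auth_admin:yes\n")

if __name__ == "__main__":
    for action, session, old, new in relaxed_overrides(STANDARD, LOCAL):
        print(f"{action}: {session} session relaxed from {old} to {new}")
```

With this override only the active (local, logged-in) session is relaxed; remote and inactive sessions still require admin authentication.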