policy on removable

I am using PolicyKit to restrict removable mounting so that it prompts for the root password, but on 11.2 I am unable to do so.

I read that version 11.2 is no longer using HAL and PolicyKit, but rather something like freedesktop.org policy.

Any idea or guide for me?

Thanks in advance.

This is a good question, and as I’m not yet using 11.2, I don’t know what (if anything) has changed here.

See if this thread helps:

Permissions question - openSUSE Forums

Interestingly, for Ubuntu, there is a similar config file in a different location:

[SOLVED] authentication for removable drives - Ubuntu Forums: http://ohioloco.ubuntuforums.org/showthread.php?p=9021908

I tried the conf either way, PolicyKit or polkit-1; both have no response at all.

Do we need to restart any services, or how do we check if the policy daemon is running or something?

I had no problem with 10.2 and 11.0, though.

I’m not using 11.2 so I can’t test/verify this, but you could check the configuration of

YAST->Security and users->Local security->Predefined security configurations

I have seen several reports online that suggest removable disk behaviour can be changed here.

One old thread I found with opposite ‘problem’ to yours:

USB devices require root password to mount - openSUSE Forums

I tried the config there and yes, indeed it will prompt for the password for mounting USB when I set the security to server type.

However, doing so creates another problem, which is that it also prompts for a password for reboot, shutdown, etc.

I just need to restrict the removable mounting, by GUI or command. I thought there should be a lot of admins out there like me who would like to restrict the usage of removable media?

Have you tried editing /usr/share/PolicyKit/policy/org.freedesktop.hal.storage.policy accordingly?

<action id="org.freedesktop.hal.storage.mount-removable">
  <description>Mount file systems from removable drives.</description>
  <message>System policy prevents mounting removable media</message>
  <defaults>
    <allow_inactive>no</allow_inactive>
    <allow_active>auth_admin_keep_always</allow_active>
  </defaults>
</action>

I would have thought that this should still work for openSUSE 11.2. Anyone else able to offer more advice on restricting user r/w access to removable media?

This is one of the files that I tried to edit, and it seems like the config file has no effect on the setting, even after restarting the hal service or even rebooting the entire system.

Could it be a bug or something?

On your previous solution, YAST->Security and users->Local security->Predefined security configurations, I tried setting it to network server, and it does prompt for the password when mounting removable media; however, it also prompts the user for a password when rebooting, which is also an issue for me.

I also tried to manually edit
/usr/share/polkit-1/actions/org.freedesktop.consolekit.policy

<action id="org.freedesktop.consolekit.system.restart">
  <description>Restart the system</description>
  <message>System policy prevents restarting the system</message>
  <defaults>
    <allow_inactive>yes</allow_inactive>
    <allow_active>yes</allow_active>
  </defaults>
</action>

It still prompts for the password.

Another thing that I tried is running the GUI, Authorization; again, it does nothing no matter what I change. It is quite confusing on this version. Anyone got any clue?

:wink:

With numerous trials and errors and readings, I finally found the solution for me.

Edit this file
/etc/polkit-default-privs.local

and add in 2 entries (yes, they work as a pair)
org.freedesktop.hal.storage.mount-removable auth_admin_keep_always
org.freedesktop.devicekit.disks.filesystem-mount auth_admin

then run the command
#set_polkit_default_privs

Thanks everyone for your ideas.
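
A read-only check for the fix above, added here as an example and not part of the original thread: it confirms that both action IDs from the solution are present in a privileges file and that each one requires admin authentication. The function names and the handling of an `any:inactive:active` triple are assumptions.

```shell
#!/bin/sh
# Added example: audit a polkit-default-privs override file for the two
# removable-media actions named in the thread. Read-only; changes nothing.

REQUIRED_ACTIONS="org.freedesktop.hal.storage.mount-removable
org.freedesktop.devicekit.disks.filesystem-mount"

# Print the privilege listed for action $2 in file $1, ignoring comments
# and blank lines. If the action is listed twice, the last line is reported.
# Prints nothing if the action is absent.
privilege_for() {
    awk -v id="$2" '
        { sub(/#.*/, "") }          # strip comments
        $1 == id { value = $2 }     # remember the last assignment seen
        END { if (value != "") print value }
    ' "$1"
}

# Succeed only if the active-session setting requires admin authentication.
# Assumption: a value is either a single keyword or any:inactive:active,
# in which case the last field applies to the active local session.
requires_admin() {
    case "${1##*:}" in
        auth_admin*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Audit file $1; print one line per action, return non-zero on any gap.
audit_privs() {
    status=0
    for action in $REQUIRED_ACTIONS; do
        value=$(privilege_for "$1" "$action")
        if [ -z "$value" ]; then
            echo "MISSING  $action"; status=1
        elif requires_admin "$value"; then
            echo "OK       $action $value"
        else
            echo "WEAK     $action $value"; status=1
        fi
    done
    return $status
}

# Run against a file when one is given, e.g. /etc/polkit-default-privs.local
if [ "$#" -gt 0 ]; then audit_privs "$1"; fi
```

A `MISSING` line for either action means only half of the pair is configured, which is the case the solution warns about.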

Good work! Thanks for the update. I must admit I’m not familiar with the updated policykit config or command(s).

:wink: We are all learning from each other; I also have a lot to learn.