Open cyberpunkrocker-zero opened 3 years ago
The permissions are defined using polkit rules, see Permissions. It's possible to give yourself only unlocking but no unlocking authorization. It also plays a role from which seat (ssh/tty/desktop/systemd) you unlock/lock the device. If you lock/unmount a device from a different seat than was used to lock it, you may need the XXX-other-seat permissions.
On the other hand, it could also be that udisks has misjudged whether the unlocked device is e.g. a system-internal device or external device. In any case, it doesn't look like a udiskie issue to me. You can check whether you can lock/unlock using udisksctl:
udisksctl unlock -b /dev/sdX
# later:
udisksctl lock -b /dev/sdX
I expect the same problem will occur. If you need further insight, keep another terminal window open while un-/locking with the following command running:
journalctl -n 20 -f -u udisks2.service
Oh wait, I didn't fully read through your post.
So your situation is that first you unlock+mount the USB drive as root as part of your boot process, and then later try to lock it as user using udisks? In that case it's not surprising that this won't work with default permissions.
You definitely also need at least the org.freedesktop.udisks2.encrypted-lock-others permission, but I can't promise this will be sufficient.
Another possibility that may prevent locking even in case of sufficient authorizations is if your device is known in /etc/crypttab under a different mapper name than it was opened as. That will completely confuse udisks2 for some reason.
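As an added illustration (not part of this thread and not code from udiskie or udisks), here is a polkit rule that grants only the org.freedesktop.udisks2.encrypted-lock-others action named above and nothing broader. The group name "storage", the rule file name, and the restriction to local active sessions are assumptions; as the comment above says, this authorization may not be sufficient on its own.

```javascript
// Added example. On a real system the rule would be saved as a file such as
// /etc/polkit-1/rules.d/50-udisks-lock-others.rules (file name is hypothetical).
// `var` is used throughout because polkit's embedded JS engine may predate ES6.

var LOCK_OTHERS = "org.freedesktop.udisks2.encrypted-lock-others"; // from the thread
var TRUSTED_GROUP = "storage"; // assumption: substitute a group that exists locally

// Under polkitd the global `polkit` object exists; under Node.js we stand in for it.
var Result = (typeof polkit !== "undefined") ? polkit.Result : { YES: "yes" };

// Grant only the lock-others action, only to local active sessions of the group.
// Returning undefined leaves every other request to later rules and the defaults.
function decide(action, subject) {
  if (action.id !== LOCK_OTHERS) {
    return undefined;
  }
  if (subject.local && subject.active && subject.isInGroup(TRUSTED_GROUP)) {
    return Result.YES;
  }
  return undefined;
}

if (typeof polkit !== "undefined") {
  polkit.addRule(decide);
}

// Constructed subjects for an offline check of the decision logic.
function makeSubject(groups, local, active) {
  return {
    local: local,
    active: active,
    isInGroup: function (g) { return groups.indexOf(g) !== -1; }
  };
}

function evaluateSamples() {
  var unlock = "org.freedesktop.udisks2.encrypted-unlock";
  return {
    desktopUser: decide({ id: LOCK_OTHERS }, makeSubject(["storage"], true, true)),
    remoteSession: decide({ id: LOCK_OTHERS }, makeSubject(["storage"], false, true)),
    otherGroup: decide({ id: LOCK_OTHERS }, makeSubject(["users"], true, true)),
    otherAction: decide({ id: unlock }, makeSubject(["storage"], true, true))
  };
}
```

Running the journalctl command from the earlier comment while testing shows whether udisks2 still refuses the lock after the rule is in place.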
> You definitely also need at least the org.freedesktop.udisks2.encrypted-lock-others permission, but I can't promise this will be sufficient.
This didn't work for me on a Linux Mint. I'm using Udiskie because Lightdm and hence Thunar keeps crashing.
I have an encrypted laptop (Arch Linux), with a LUKS-encrypted /boot partition on a USB stick. After booting I'm usually removing the USB stick. I can unmount and close the LUKS partition on the USB stick via a root terminal before that, but because I'm lazy, and because udiskie already seems to have the functionality, I'd like to use the udiskie tray app for that.
However, when I click the 'Lock /dev/sdb1', I get the following error:
When I plug the USB stick back in, udiskie mounts it and asks for the LUKS passphrase, and then unlocks the partition. Just as it is supposed to do...
How come udiskie has permissions to unlock a device, but not to lock it? Is this a udiskie issue, or should I make some adjustments somewhere to my system?