F42 Change Proposal: Unprivileged Disk Management (system-wide)

This is already solved. You can just set it to get automounted/unlocked on boot. Disks even has a usable UI for this called “Edit Encryption Options…” and “Edit Mount Options…”. If you leave the passphrase empty you will get asked on boot. They are just “editors” for /etc/fstab and /etc/crypttab and can basically just do anything you could do there but have sensible defaults.

Security-wise it does not get better than this. You can allow some users to unlock the partition afterwards, but this has the difference that the password is entered in normal user space. It is simpler to create a fake password entry there or log the password in some way.

For a very simple system with no user switching or other way of multiple users needing access at the same time you could do it the following way.

For reference I assume the devices have these UUIDs:

# blkid /dev/sdb1 /dev/mapper/luks-5e96650f-574f-4c6c-bb6b-0c655c5bac41
/dev/sdb1: UUID="5e96650f-574f-4c6c-bb6b-0c655c5bac41" TYPE="crypto_LUKS"
/dev/mapper/luks-5e96650f-574f-4c6c-bb6b-0c655c5bac41: LABEL="user" UUID="e45eb0cb-8782-4c5b-8365-c44cf57664d6" TYPE="ext4"

The only rule required is unlock-system for an encrypted partition.
For an unencrypted one, the mount-system rule is required.
encrypted-lock-others and filesystem-unmount-others help if user A forgot to unmount and lock the volume and user B wants to use it. filesystem-mount-system would allow user B to mount it if user A left it unlocked. All of these options are not without problems and should be considered carefully.

polkit.addRule(function (action, subject) {
	if (
		(
			// enable to allow password changes (needs current password)
			// action.id == "org.freedesktop.udisks2.encrypted-change-passphrase-system" ||
			// enable to allow locking in case another user unlocked it
			// action.id == "org.freedesktop.udisks2.encrypted-lock-others" ||
			action.id == "org.freedesktop.udisks2.encrypted-unlock-system"
		) &&
		action.lookup("id.usage") == "crypto" &&
		action.lookup("id.uuid") == "5e96650f-574f-4c6c-bb6b-0c655c5bac41" &&
		subject.active == true && subject.local == true &&
		subject.isInGroup("disksadm")) {
		return polkit.Result.AUTH_SELF;
	}
	if (
		(
			// enable to allow unmount in case another user mounted it
			// action.id == "org.freedesktop.udisks2.filesystem-unmount-others" ||
			action.id == "org.freedesktop.udisks2.filesystem-mount-system"
		) &&
		action.lookup("id.usage") == "filesystem" &&
		action.lookup("id.uuid") == "e45eb0cb-8782-4c5b-8365-c44cf57664d6" &&
		subject.active == true && subject.local == true &&
		subject.isInGroup("disksadm")) {
		return polkit.Result.AUTH_SELF;
	}
});

This still leaves the option for any user in disksadm to deny others access to the file system by simply opening a file and keeping it open. Another way to break things would be unmounting while the other user still expects things to be mounted.

If the UUID checks are removed then this allows unmounting anything and even /boot and can break system updates easily.

I tried other ways to allow something like this and even some real “disk administrator” like setup. Most of the time it was way too easy to screw something up and sometimes even way too simple to get root.

Edit: removed all the scary stuff.

2 Likes
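An added check, not part of the thread: a tiny offline harness that mimics just enough of the polkit JavaScript rule API (assumed stand-ins for polkit.addRule, Action.lookup and Subject.isInGroup) to exercise the unlock rule above and confirm the UUID and subject checks keep it scoped to the one intended device and to local, active members of disksadm.

```javascript
// Stand-in for the polkit object; first rule returning a defined result wins,
// as in real polkit. Everything here is a constructed mock, not polkit itself.
const polkit = {
  Result: { AUTH_SELF: "auth_self", NO: "no", YES: "yes" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
  check(action, subject) {
    for (const rule of this.rules) {
      const r = rule(action, subject);
      if (r !== undefined) return r;
    }
    return undefined; // fall through to the action's default policy
  },
};

// Minimal stand-ins for the Action and Subject objects polkit passes to rules.
function makeAction(id, details) {
  return { id, lookup: (k) => details[k] };
}
function makeSubject({ active = true, local = true, groups = [] } = {}) {
  return { active, local, isInGroup: (g) => groups.includes(g) };
}

// The unlock rule from the thread, scoped by id.usage and the LUKS UUID.
const DATA_LUKS_UUID = "5e96650f-574f-4c6c-bb6b-0c655c5bac41"; // from the thread
polkit.addRule(function (action, subject) {
  if (action.id == "org.freedesktop.udisks2.encrypted-unlock-system" &&
      action.lookup("id.usage") == "crypto" &&
      action.lookup("id.uuid") == DATA_LUKS_UUID &&
      subject.active == true && subject.local == true &&
      subject.isInGroup("disksadm")) {
    return polkit.Result.AUTH_SELF;
  }
});

// Outcome of an unlock-system request for a given LUKS UUID and subject.
// undefined means the rule did not match and polkit's default applies.
function unlockResult(uuid, subjectOpts) {
  const action = makeAction("org.freedesktop.udisks2.encrypted-unlock-system",
                            { "id.usage": "crypto", "id.uuid": uuid });
  return polkit.check(action, makeSubject(subjectOpts));
}
```

Dropping the id.uuid comparison from the rule makes the second case below match as well, which is the "unmount anything, even /boot" situation described further down.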

Let me say I did not understand everything you wrote.

I need to look at this. This would only be a good option if there is a UI, and as KDE Plasma is not a main desktop, having this in GNOME Disks (and making a docs page) would be enough.

At least on Plasma, and I think on GNOME too, the file manager itself has some mounting capabilities with udisks2. This is what I am referring to.

But as normally nonremovable drives may not be mounted and unmounted regularly, I suppose this is the wrong approach.

This sounds really good!

On Plasma and GNOME the partition managers are very different. Does it use different polkit actions per action? On KDE it once launches privileged.

This proposal is very open and will likely be split into

  • make removable SSDs be detected as such
  • allow disk admin things for nonwheel

But as you already said, allowing this low-level disk management has a high risk for root access. That's why the udisks2 actions done by at least KDE Dolphin are way safer.

I think it could be nice to have these, but direct people on how to edit their fstab graphically, to have them automount.

Can you explain the difference between encrypted-unlock and encrypted-unlock-system?

So the thing you explained is nice in documentation, but likely hard to automate.

They should not be detected as removable and forcing them to be can cause some problems.

They should just be detected as non-system.

SUBSYSTEM=="usb", ACTION=="add|change", KERNEL=="sd[a-z]", ENV{UDISKS_SYSTEM}="0"

Would be a better way. For most of the drives the media is not removable with media meaning the flash for a SSD.

A USB micro SD card reader has removable set as the card is removable.
A USB thumb drive based on exactly the same micro SD hardware has removable not set.
They may be basically the same hardware with only a few bits in the controller changed to make it non-removable. In some cases they do not advertise it but still execute the eject command. How do you remove and re-insert a card that is soldered down?

The system hint is set by default. It is removed if the media is removable or the drive is connected by USB or IEEE.1394 aka FireWire or a Memory Stick device. It does the same as the udev override.

The action is…

  • org.freedesktop.udisks2.encrypted-unlock if the device was created by the user.
    I think a filesystem image attached by the user should trigger this.
  • org.freedesktop.udisks2.encrypted-unlock-crypttab if it is in /etc/crypttab and has an option x-udisks-auth.
    This can be set by “require additional authorization” in Disks.
  • org.freedesktop.udisks2.encrypted-unlock-system if it has HintSystem = true.
    Any device not created by a user or using USB or IEEE.1394 matches this.
  • org.freedesktop.udisks2.encrypted-unlock-other-seat if you are on a different seat.
  • org.freedesktop.udisks2.encrypted-unlock is the default and matches anything not matched up to here.

Seat is by default set to “seat0”. It may change for devices connected to some USB docks with integrated graphics but should not change in most cases.

3 Likes

Thanks, this is a really good point!

This change proposal has now been submitted to FESCo with ticket #3246 for voting.

To find out more, please visit our Changes Policy documentation.

I could understand if it doesn't get accepted. We also found several points where many components could be solved better, like detecting the removable drives as removable.

But for PCs with shared drives, it could still be useful.

This change has been rejected by FESCo and will not be included in Fedora Linux 42.

To find out more about how our changes policy works, please visit our docs site.