I have one USB 1TG eternal disk. I plan to use this disk to back up files in my main drive.
I created the encrypted disk drive with LUKS and the btrfs format, following the guide. [1] The working log is [2]. Now I am looking for a way to mount and use this drive by “user” permission.
Here is the current status. The “/dev/sdb” is the encrypted disk with LUKS and the btrfs format. The “/dev/sda” is just to compare the situation. It’s another USB external disk with an unencrypted and vfat format.
$ lsblk -r -p -o NAME,TYPE,FSTYPE,UUID,SIZE,LABEL | grep -v "^/dev/loop"
NAME TYPE FSTYPE UUID SIZE LABEL
/dev/sda disk 232.9G
/dev/sda1 part vfat 1A53-9E55 232.9G
/dev/sdb disk 931.5G
/dev/sdb1 part crypto_LUKS XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX 931.5G
/dev/mapper/luks-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX crypt btrfs XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX 931.5G backup
...
In the case of the “/dev/sdb1”, the LUKS encrypted disk, it was mounted as root, and I couldn’t write the file on the disk.
The mounted filesystem itself may have it’s own permissions and the UID/GID is what is more important than the actual name of the user or group. If the jaruga user has a UID of 1001 on the system that the files were wirtten on and jaruga on the current system has a UID of 1000, they won’t match.
Another thing to consider is that if the root user mounts the volume in a location that other users cannot read/write to, users won’t be able to access or write to it due to the FS hierarchy perms.
For mounts in /run, these are usually done through something like gvfs, which is designed to make the mounts specific to the users. This is so if a user mounts their Google Drive via Gnome Accounts, another user won’t be able to get access to their personal files for that mount. udisks does something very similar, per the man page:
ACCESS CONTROL
By default, logged-in users in active log-in sessions are permitted to perform operations (for example, mounting, unlocking or modifying) on
devices attached to the seat their session is on. Access-control is fine-grained and based on polkit(8), see the “Authorization Checks” chapter
in the udisks documentation for more information. Note that the x-udisks-auth option can be used in the /etc/fstab and /etc/crypttab files to
specify that additional authorization is required to mount resp. unlock the device (typically requiring the user to authenticate as an
administrator).
If you man polkit, there is a chapter called “AUTHORIZATION RULES” that describes how polkit rules work, but if you want to use udisks, specifically, you likely need to define the access rules that way.
I plan to add the entry of this disk to the /etc/crypttab, but I didn’t plan to set the /etc/fstab because I don’t use the disk as a permanent mount state.
I am reading the man polkit, and also ArchLinux’s Polkit page.[1] It seems I need to set up the files below.