mounting removable media on SLES11 (policy driven)

This document (7003564) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Desktop 11
SUSE Linux Enterprise Server 11

Situation

On SUSE Linux Enterprise Server or SUSE Linux Enterprise Desktop 11 and Gnome desktop environment, mounting or unmounting removable media is policy driven.

PolicyKit is an application-level toolkit or authorization framework for centralizing the decision making process with respect to granting access to privileged operations for unprivileged applications. It is typically used by privileged user space daemons to control access. Whenever a process from the user session tries to carry out an action in the system context, PolicyKit is queried. The answer PolicyKit gives depends on the policy defined for this process. It can be yes, no, or authentication needed.

At the moment, not all applications requiring privileges make use of PolicyKit. One of them are mounting, unmounting and ejecting removable devices and setting them will be explained in this document.

To modify or set privileges, a system administrator can either use the graphical Authorizations tool available with GNOME, use the command line tools shipped with PolicyKit, or modify the configuration files. While the GUI and the command line tools are a good solution for making temporary changes, editing the configuration files should be the preferred way to make permanent changes.

Start the Authorizations tool either via the GNOME main menu by selecting More Applications> Tools>Authorizations or by pressingAlt+F2 and entering polkit-gnome-authorization.

Continuing, the document explains the use of command line tools and editing configuration files.

Resolution

1) Mount removable media

If a user inserts a DVD, a pop-up window asks for root authentication ("System policy prevents ejecting removable media"). The root password needs to be entered, to continue mounting the DVD.


a) To avoid getting the authentication window every time a removable media is inserted, and to allow a specific user to mount removable media, run the following command as root:

polkit-auth --user username --grant org.freedesktop.hal.storage.mount-removable


b) To allow all locally logged in users on the active console to mount removable media permanently, run the following commands as root:

echo 'org.freedesktop.hal.storage.mount-removable no:no:yes' >> /etc/polkit-default-privs.local

/sbin/set_polkit_default_privs

(echo writes the policy to the file /etc/polkit-default-privs.local;
set_polkit_default_privs activates the settings;
no:no:yes grants (yes) or blocks (no) privileges, from left to right, for any user, user not in the active session, and user in the active session)


2) Eject removable media

If the same user wants to eject the DVD after use, right click on the icon, "Eject Volume" will open the same or similar window ("System policy prevents ejecting removable media") and requires root authentication, before the DVD can be ejected.


a) To avoid authentication every time a removable media needs to be ejected, run the following command as   root:

polkit-auth --user username --grant org.freedesktop.hal.storage.eject


b) To allow all locally logged in users on the active console to eject removable media, run the following commands as root:

echo 'org.freedesktop.hal.storage.eject no:no:yes' >> /etc/polkit-default-privs.local

/sbin/set_polkit_default_privs


3) Revoke granted permission

If the system administrator (root) wants to revoke these permanent permissions (see 1 and 2), depending on what was used to grant them, the following steps set them back:


a) If the same user should not be able to mount or eject removable media without root authentication anymore and polkit-auth was run to grant them, run the following command(s) as root:

polkit-auth --user linux --revoke org.freedesktop.hal.storage.mount-removable

polkit-auth --user linux --revoke org.freedesktop.hal.storage.eject



b) If echo was used to write the policy into /etc/polkit-default-privs.local, open /etc/polkit-default-privs.local with your favorite text editor and remove the lines granting the authorization:

org.freedesktop.hal.storage.mount-removable no:no:yes
org.freedesktop.hal.storage.eject no:no:yes

After the file was saved run:

/sbin/set_polkit_default_privs

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7003564
  • Creation Date: 17-Jun-2009
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Desktop
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center