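I am using Debian jessie/stable (8.4).
When I try to use udiskie-mount to mount an external USB drive from inside a cron job, I get the error below. Using udiskie-mount directly from the command line works fine.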
+ udiskie-mount -o umask=0022 /dev/disk/by-uuid/4E1AEA7B1AEA6007 --verbose
DEBUG [2016-04-19 23:00:01,762] udiskie.config: Failed to read config file: [Errno 2] No such file or directory: '/home/faheem/.config/udiskie/config.yml'
DEBUG [2016-04-19 23:00:01,764] udiskie.config: Failed to read config file: [Errno 2] No such file or directory: '/home/faheem/.config/udiskie/config.json'
Unable to init server: Could not connect: Connection refused
Unable to init server: Could not connect: Connection refused
DEBUG [2016-04-19 23:00:02,020] udiskie.config: IgnoreDevice(match={'is_block': False}, value=True) created
DEBUG [2016-04-19 23:00:02,021] udiskie.config: IgnoreDevice(match={'is_external': False}, value=True) created
DEBUG [2016-04-19 23:00:02,021] udiskie.config: IgnoreDevice(match={'is_ignored': True}, value=True) created
DEBUG [2016-04-19 23:00:02,021] udiskie.udisks2: found device owning "/dev/disk/by-uuid/4E1AEA7B1AEA6007": "/org/freedesktop/UDisks2/block_devices/sde1"
DEBUG [2016-04-19 23:00:02,021] udiskie.mount: mounting /org/freedesktop/UDisks2/block_devices/sde1 with {'options': ['umask=0022'], 'fstype': 'ntfs'}
ERROR [2016-04-19 23:00:02,027] udiskie.mount: failed to mount /org/freedesktop/UDisks2/block_devices/sde1:
GDBus.Error:org.freedesktop.UDisks2.Error.NotAuthorizedCanObtain: Not authorized to perform operation
I asked the udiskie maintainer about this at https://github.com/coldfix/udiskie/issues/102; see https://github.com/coldfix/udiskie/issues/102#issuecomment-211908721
He said I should add permissions to polkit, so I added the script /etc/polkit-1/rules.d/50-udiskie.rules, following https://github.com/coldfix/udiskie/wiki/Permissions, as follows:
polkit.addRule(function(action, subject) {
  var YES = polkit.Result.YES;
  // NOTE: there must be a comma at the end of each line except for the last:
  var permission = {
    // // required for udisks1:
    // "org.freedesktop.udisks.filesystem-mount": YES,
    // "org.freedesktop.udisks.luks-unlock": YES,
    // "org.freedesktop.udisks.drive-eject": YES,
    // "org.freedesktop.udisks.drive-detach": YES,
    // // required for udisks2:
    // "org.freedesktop.udisks2.filesystem-mount": YES,
    // "org.freedesktop.udisks2.encrypted-unlock": YES,
    // "org.freedesktop.udisks2.eject-media": YES,
    // "org.freedesktop.udisks2.power-off-drive": YES,
    // required for udisks2 if using udiskie from another seat (e.g. systemd):
    "org.freedesktop.udisks2.filesystem-mount-other-seat": YES,
    "org.freedesktop.udisks2.filesystem-unmount-others": YES,
    "org.freedesktop.udisks2.encrypted-unlock-other-seat": YES,
    "org.freedesktop.udisks2.eject-media-other-seat": YES,
    "org.freedesktop.udisks2.power-off-drive-other-seat": YES
  };
  if (subject.isInGroup("backup")) {
    return permission[action.id];
  }
});
Following the maintainer's comment, I commented out everything except the "using udiskie from another seat" section.
I restarted using
# systemctl restart polkitd
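But mounting still does not work.
Looking at the big picture, I really don't understand why mounting directly from the command line is handled differently from a cron job. Can someone enlighten me?
@derobert kindly informed me that the version of PolicyKit in Debian jessie does not recognize the Javascript syntax, which may explain why this does not work. So presumably I need a version with a different syntax.
Update: Following the instructions at the bottom of https://github.com/coldfix/udiskie/wiki/Permissions (the "PolicyKit" section), I created the file /etc/polkit-1/localauthority/50-local.d/10-udiskie.pkla with the following contents: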
[udiskie]
Identity=unix-group:backup
Action=org.freedesktop.udisks2.filesystem-mount-other-seat;org.freedesktop.udisks2.filesystem-unmount-others;org.freedesktop.udisks2.encrypted-unlock-other-seat;org.freedesktop.udisks2.eject-media-other-seat;org.freedesktop.udisks2.power-off-drive-other-seat
ResultAny=yes
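But still no luck. This is apparently the older, non-JS version of the syntax, which applies to Jessie.
The section "Debugging problems: Polkit" suggests adding the stanza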
polkit.addRule(function(action, subject) {
  var prefix = "org.freedesktop.udisks";
  if (action.id.slice(0, prefix.length) == prefix)
    polkit.log(action.id);
});
to the file /etc/polkit-1/rules.d/10-udisks.rules. Does anyone know what the correct syntax and filename are for the "old" syntax? I am just guessing here.
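Answer 1
After quite a bit of hair-pulling, I finally decided to use wildcards, to preserve my sanity, as suggested at https://github.com/coldfix/udiskie/wiki/Ubuntu-Debian-installation-guide.
I created the file /etc/polkit-1/localauthority/50-local.d/10-udiskie.pkla with the contents: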
[udisks]
Identity=unix-group:plugdev
Action=org.freedesktop.udisks.*
ResultAny=yes
[udisks2]
Identity=unix-group:plugdev
Action=org.freedesktop.udisks2.*
ResultAny=yes
With the script
#!/bin/bash
set -ex
udiskie-mount -o umask=0022 /dev/disk/by-uuid/4E1AEA7B1AEA6007 --verbose
udiskie-umount /dev/disk/by-uuid/4E1AEA7B1AEA6007 --verbose
I get the following output:
+ udiskie-mount -o umask=0022 /dev/disk/by-uuid/4E1AEA7B1AEA6007 --verbose
DEBUG [2016-04-21 15:29:01,634] udiskie.config: Failed to read config file: [Errno 2] No such file or directory: '/home/faheem/.config/udiskie/config.yml'
DEBUG [2016-04-21 15:29:01,637] udiskie.config: Failed to read config file: [Errno 2] No such file or directory: '/home/faheem/.config/udiskie/config.json'
Unable to init server: Could not connect: Connection refused
Unable to init server: Could not connect: Connection refused
DEBUG [2016-04-21 15:29:01,862] udiskie.config: IgnoreDevice(match={'is_block': False}, value=True) created
DEBUG [2016-04-21 15:29:01,862] udiskie.config: IgnoreDevice(match={'is_external': False}, value=True) created
DEBUG [2016-04-21 15:29:01,862] udiskie.config: IgnoreDevice(match={'is_ignored': True}, value=True) created
DEBUG [2016-04-21 15:29:01,866] udiskie.udisks2: found device owning "/dev/disk/by-uuid/4E1AEA7B1AEA6007": "/org/freedesktop/UDisks2/block_devices/sde1"
DEBUG [2016-04-21 15:29:01,866] udiskie.mount: mounting /org/freedesktop/UDisks2/block_devices/sde1 with {'fstype': 'ntfs', 'options': ['umask=0022']}
DEBUG [2016-04-21 15:29:03,354] udiskie.udisks2: +++ device_mounted: /org/freedesktop/UDisks2/block_devices/sde1
DEBUG [2016-04-21 15:29:03,354] udiskie.udisks2: +++ device_changed: /org/freedesktop/UDisks2/block_devices/sde1
INFO [2016-04-21 15:29:03,354] udiskie.mount: mounted /org/freedesktop/UDisks2/block_devices/sde1 on /media/faheem/My Passport
+ udiskie-umount /dev/disk/by-uuid/4E1AEA7B1AEA6007 --verbose
DEBUG [2016-04-21 15:29:03,490] udiskie.config: Failed to read config file: [Errno 2] No such file or directory: '/home/faheem/.config/udiskie/config.yml'
DEBUG [2016-04-21 15:29:03,492] udiskie.config: Failed to read config file: [Errno 2] No such file or directory: '/home/faheem/.config/udiskie/config.json'
DEBUG [2016-04-21 15:29:03,679] udiskie.config: IgnoreDevice(match={'is_block': False}, value=True) created
DEBUG [2016-04-21 15:29:03,679] udiskie.config: IgnoreDevice(match={'is_external': False}, value=True) created
DEBUG [2016-04-21 15:29:03,679] udiskie.config: IgnoreDevice(match={'is_ignored': True}, value=True) created
DEBUG [2016-04-21 15:29:03,681] udiskie.udisks2: found device owning "/dev/disk/by-uuid/4E1AEA7B1AEA6007": "/org/freedesktop/UDisks2/block_devices/sde1"
DEBUG [2016-04-21 15:29:03,681] udiskie.mount: unmounting /org/freedesktop/UDisks2/block_devices/sde1
DEBUG [2016-04-21 15:29:03,691] udiskie.udisks2: +++ device_changed: /org/freedesktop/UDisks2/block_devices/sde1
DEBUG [2016-04-21 15:29:03,712] udiskie.udisks2: +++ device_unmounted: /org/freedesktop/UDisks2/block_devices/sde1
INFO [2016-04-21 15:29:03,712] udiskie.mount: unmounted /org/freedesktop/UDisks2/block_devices/sde1
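Notes and comments:
1) Policykit or Polkit, whichever it is, is a huge pain.
2) The syntax used after version 105 is Javascript - nobody knows why. The syntax used by 105 or earlier is as shown above. The version in Jessie is 105. See e.g. https://lists.debian.org/debian-user/2016/01/msg00209.html and http://blog.gmane.org/gmane.comp.freedesktop.policykit/month=20150901
3) pkaction gives a list of all registered actions. With the above script in place, the udisks2 actions listed are as follows: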
org.freedesktop.udisks2.ata-check-power
org.freedesktop.udisks2.ata-secure-erase
org.freedesktop.udisks2.ata-smart-enable-disable
org.freedesktop.udisks2.ata-smart-selftest
org.freedesktop.udisks2.ata-smart-simulate
org.freedesktop.udisks2.ata-smart-update
org.freedesktop.udisks2.ata-standby
org.freedesktop.udisks2.ata-standby-other-seat
org.freedesktop.udisks2.ata-standby-system
org.freedesktop.udisks2.cancel-job
org.freedesktop.udisks2.cancel-job-other-user
org.freedesktop.udisks2.eject-media
org.freedesktop.udisks2.eject-media-other-seat
org.freedesktop.udisks2.eject-media-system
org.freedesktop.udisks2.encrypted-change-passphrase
org.freedesktop.udisks2.encrypted-change-passphrase-system
org.freedesktop.udisks2.encrypted-lock-others
org.freedesktop.udisks2.encrypted-unlock
org.freedesktop.udisks2.encrypted-unlock-crypttab
org.freedesktop.udisks2.encrypted-unlock-other-seat
org.freedesktop.udisks2.encrypted-unlock-system
org.freedesktop.udisks2.filesystem-fstab
org.freedesktop.udisks2.filesystem-mount
org.freedesktop.udisks2.filesystem-mount-other-seat
org.freedesktop.udisks2.filesystem-mount-system
org.freedesktop.udisks2.filesystem-unmount-others
org.freedesktop.udisks2.loop-delete-others
org.freedesktop.udisks2.loop-modify-others
org.freedesktop.udisks2.loop-setup
org.freedesktop.udisks2.manage-md-raid
org.freedesktop.udisks2.manage-swapspace
org.freedesktop.udisks2.modify-device
org.freedesktop.udisks2.modify-device-other-seat
org.freedesktop.udisks2.modify-device-system
org.freedesktop.udisks2.modify-drive-settings
org.freedesktop.udisks2.modify-system-configuration
org.freedesktop.udisks2.open-device
org.freedesktop.udisks2.open-device-system
org.freedesktop.udisks2.power-off-drive
org.freedesktop.udisks2.power-off-drive-other-seat
org.freedesktop.udisks2.power-off-drive-system
org.freedesktop.udisks2.read-system-configuration-secrets
org.freedesktop.udisks2.rescan
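There is also a list at "Udisk polkit actions".
I could entertain myself by trying to reduce this list while still allowing udiskie to mount and unmount in a cron job. The question is, is it worth the trouble? Do these restrictions really provide additional security?
4) I still get the following message. It is apparently a warning - it does not seem to stop anything from working.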
Unable to init server: Could not connect: Connection refused
Update: After some discussion with Thomas G. (as he put it, "This works. However, allowing every udisk action might not be the best idea."), I changed it to
[udisks2]
Identity=unix-user:faheem
Action=org.freedesktop.udisks2.filesystem-mount-other-seat;org.freedesktop.udisks2.filesystem-mount
ResultAny=yes
This still seems to work.
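
To put a number on the difference between the wildcard .pkla and the narrowed one in this answer, the following added example (not code from the post or from udiskie) expands each entry's Action globs against a list of registered action ids and reports what each identity is granted under ResultAny=yes. It assumes Python's fnmatch is a close enough stand-in for polkit's glob matching, and REGISTERED is a constructed subset of the pkaction listing above.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed subset of the udisks2 action ids listed by pkaction in the answer.
REGISTERED = [
    "org.freedesktop.udisks2.ata-secure-erase",
    "org.freedesktop.udisks2.filesystem-mount",
    "org.freedesktop.udisks2.filesystem-mount-other-seat",
    "org.freedesktop.udisks2.filesystem-unmount-others",
    "org.freedesktop.udisks2.modify-system-configuration",
    "org.freedesktop.udisks2.read-system-configuration-secrets",
]

WILDCARD_PKLA = """\
[udisks2]
Identity=unix-group:plugdev
Action=org.freedesktop.udisks2.*
ResultAny=yes
"""

NARROW_PKLA = """\
[udisks2]
Identity=unix-user:faheem
Action=org.freedesktop.udisks2.filesystem-mount-other-seat;org.freedesktop.udisks2.filesystem-mount
ResultAny=yes
"""

def effective_grants(pkla_text, registered):
    """Map identity -> sorted actions granted by ResultAny=yes (fnmatch approximates polkit globs)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # .pkla keys are case-sensitive (Identity, Action, ...)
    cp.read_string(pkla_text)
    grants = {}
    for section in cp.sections():
        entry = cp[section]
        # ResultAny is the key that applies to subjects outside a local session, e.g. cron.
        if entry.get("ResultAny", "").strip() != "yes":
            continue
        patterns = [p for p in entry.get("Action", "").split(";") if p]
        matched = {a for a in registered
                   if any(fnmatchcase(a, p) for p in patterns)}
        for ident in filter(None, entry.get("Identity", "").split(";")):
            grants.setdefault(ident, set()).update(matched)
    return {k: sorted(v) for k, v in grants.items()}

if __name__ == "__main__":
    for name, text in (("wildcard", WILDCARD_PKLA), ("narrow", NARROW_PKLA)):
        for ident, actions in effective_grants(text, REGISTERED).items():
            print(name, ident, len(actions), actions)
```

On a real system, feed it the full `pkaction` output and the files under /etc/polkit-1/localauthority/ to see every action a wildcard entry hands out without authentication.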