PolicyKit (and KDE), Navit and more

Well, I woke up this morning and the site wasn’t working, which isn’t good! So I did a quick fix (gave it an extra 128MB of RAM in VMware and turned on wp-super-cache) and started looking into hosting options. That’s going to be a fun area to get into. Sigh. Still, seems to be holding up so far.

After that I did the forums, and took care of things arising from there. I backported the latest x11-driver-video-intel to 2008 Spring as well (after doing it for 2009, see yesterday). Prompted by this thread, I took a deeper look at what the heck PolicyKit does, exactly, and what’s going wrong in this case, which has been reported by several people.

The symptom is that, if you have a partition on an internal drive that isn’t automatically mounted at boot, it will be shown in Dolphin’s sidebar, but trying to click on it will give you an error message at the bottom of the Dolphin window, saying: “An error occurred while accessing ‘(thepartition)’. the system responded: org.freedesktop.Hal.Device.PermissionDeniedByPolicy: org.freedesktop.hal.storage.mount-fixed auth_admin_keep_always <-- (action, result)”

Cryptic, much? :)

Well, here's what's going on. PolicyKit is essentially a generic system for restricting access to actions by users. It lets developers specify that a certain action can only be performed by certain users, or only with admin privileges, or only when a user is active, or only when a user is logged in to a local console, or a combination of the above (for instance, only the user adamw can perform the action, and only when he's logged in locally). Technically speaking, PolicyKit has all sorts of advantages over the old, rather hackish frameworks like 'just run stuff as root via gksu or kdesu', console-helper, and things like that. Firstly, it's much more fine-grained, and secondly, it separates out the actual actions that require raised privileges. So it allows, say, a partition management application to be run by a regular user, and then ask for root privileges only if it needs them to alter the partition table. And only that specific action would be done with root privileges: the rest of the application continues to run unprivileged. This has obvious big security benefits over running the entire thing as root.

So, PolicyKit is shiny and useful. But, in this case, it's tripping us up. Why? Well, let's look at the message in more detail:

org.freedesktop.Hal.Device.PermissionDeniedByPolicy: org.freedesktop.hal.storage.mount-fixed auth_admin_keep_always

PermissionDeniedByPolicy is why it won’t mount: it’s telling us PolicyKit isn’t letting us. What ultimately happened is Dolphin asked HAL to mount the device, and it refused, because HAL is now integrated with PolicyKit. Why doesn’t it let us? Well, org.freedesktop.hal.storage.mount-fixed is the specific PolicyKit ‘action’ that’s failing here. That’s the action for mounting a fixed storage device – that is, a permanent storage device, like an internal hard disk partition. The counterpart is a removable storage device, like a USB key. And, finally, auth_admin_keep_always is the access policy granted to the current user. What auth_admin_keep_always means is ‘allow this user to perform the action, but only after authenticating for admin privileges. But once the user has authenticated once, remember that authentication for the rest of this session.’

So, PolicyKit is set to allow regular users to mount fixed partitions, but only if they give the root password first. Why does Dolphin just fall over, instead of asking for the root password? That would be because Dolphin does not, yet, have PolicyKit integration – so it doesn’t know that, in this case, it should call the helper provided by PolicyKit-kde to ask the user to authenticate as root. Since it doesn’t do that, PolicyKit knows the root authentication wasn’t performed, and refuses permission to mount the partition.
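What a PolicyKit-aware client could do with this error, as an added example that is not code from the original post, Dolphin or HAL: split the denial into its action and result, then decide whether to prompt for authentication instead of giving up. The function names and step labels are assumptions of this example, and the result strings other than auth_admin_keep_always are the PolicyKit 0.9 set rather than values from the page.

```python
import re

ERROR_NAME = "org.freedesktop.Hal.Device.PermissionDeniedByPolicy"

# Result strings used by PolicyKit 0.9 (assumption: only
# auth_admin_keep_always is taken from the page itself).
KNOWN_RESULTS = frozenset(
    ["no", "yes"]
    + [f"auth_{who}{keep}"
       for who in ("admin", "self")
       for keep in ("_one_shot", "", "_keep_session", "_keep_always")]
)

# "<error name>: <action id> <result>", optionally followed by the
# "<-- (action, result)" hint that HAL appends.
_DENIAL = re.compile(
    re.escape(ERROR_NAME)
    + r":\s+(?P<action>[A-Za-z0-9.-]+)\s+(?P<result>[a-z_]+)"
)

# The message quoted on the page (plain quotes used here).
SAMPLE_FROM_PAGE = (
    "An error occurred while accessing '(thepartition)'. the system responded: "
    "org.freedesktop.Hal.Device.PermissionDeniedByPolicy: "
    "org.freedesktop.hal.storage.mount-fixed auth_admin_keep_always "
    "<-- (action, result)"
)
# Constructed sample: the same action with a hard "no" policy.
SAMPLE_CONSTRUCTED_NO = ERROR_NAME + ": org.freedesktop.hal.storage.mount-fixed no"

def parse_denial(message):
    """Return (action, result) from a HAL policy denial, or None."""
    m = _DENIAL.search(message)
    return (m.group("action"), m.group("result")) if m else None

def next_step(message):
    """Hypothetical client decision: what to do after a failed mount."""
    parsed = parse_denial(message)
    if parsed is None:
        return "not-a-policy-denial"      # some other error: show it as-is
    _action, result = parsed
    if result not in KNOWN_RESULTS:
        return "unknown-result"           # fail closed on anything unexpected
    if result.startswith("auth_admin"):
        return "prompt-admin-auth"        # hand off to the authentication helper
    if result.startswith("auth_self"):
        return "prompt-self-auth"
    return "refuse" if result == "no" else "unexpected"

if __name__ == "__main__":
    print(parse_denial(SAMPLE_FROM_PAGE), next_step(SAMPLE_FROM_PAGE))
```

A client without this step treats every denial as final, which is the behaviour described above.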

So THAT is why you can’t mount an internal drive partition via Dolphin in KDE 4 on Mandriva 2009 (and any other distribution where this is PolicyKit’s default configuration). Whew. What’s to be done?

I filed a bug with KDE about this issue. It has been accepted by one of the lead Dolphin developers, Peter Penz, so hopefully it will be worked on and we’ll be able to integrate this into Dolphin before 2009 Spring comes out. I let our KDE team know about the issue, so they can monitor it. If integration for Dolphin is not forthcoming, we could adjust the default policy in KDE to allow users to mount partitions without authentication, but of course that would be rather less secure.

What can you do if you’re annoyed by this bug (or a similar one) and can’t wait for a fix (or a new distribution release) to show up? Change the policy, of course! There are two GUI frontends for PolicyKit: policykit-gnome and policykit-kde. The policykit-kde shipped in 2009 was rather broken. However, as part of my investigation of this issue, I realized that problem, and updated the Cooker package to the latest SVN revision, which works a lot better. So I’ve also sent that package to 2009 /contrib/backports. I haven’t tested it on 2009, but it ought to work okay; the PolicyKit API is quite stable. So, install that package, and run the KDE Control Center. Go to the Advanced tab, and click on PolicyKit Authorization. Here, you can see all the different sets of actions which PolicyKit controls access to. The one we’re interested in is org.freedesktop.hal, so expand that entry.

Click on “Mount file systems from internal drives.” You’ll see, underneath, the real action name, which we saw in the error message earlier: org.freedesktop.hal.storage.mount-fixed. In theory you should be able to just set the Anyone: drop-down box to Yes, but that didn’t work for me: I think there’s an issue with the resolution of user names. So, instead, create an explicit authorization. Click the ‘Grant’ button, next to Explicit Authorizations. Check the ‘Show system users’ box (this shouldn’t be necessary, and I think it’s related to the ‘Anyone’ bug), and then select your username from the drop-down box (mine was right at the bottom). You can set a constraint, or not, as you choose (it’s probably safest to set ‘Must be in active session on local console’). Then click ‘Grant’. Now you can quit the Control Center, run Dolphin, and click on your partition – and it should mount. There, wasn’t that simple?!

PolicyKit is actually developing into a very powerful framework and will likely be used extensively by many applications in future, and you will be able to use it as a very sophisticated lockdown tool to control how much access users have to different actions on your system.

After that, I also bumped the kde4-extragear-sysadmin package I maintain (which provides the kiosktool and partitionmanager apps, for KDE 4) to the latest SVN, since this whole PolicyKit thing reminded me about it. I also sent Isomaster 1.3.5 to /contrib/backports for 2008 Spring and 2009; thanks to Jerome Soyer for doing the version bump.

Finally, I worked on packaging Navit, a driving navigation application, which was requested by Adam Pigg. With a few patches here and there I’ve got it properly built, but it’s got a bit of an ugly system for configuration (you have to hand-edit a .xml file) and, despite downloading and plugging in a Canadian map file, I couldn’t get it to display anything but a blank orange screen. I’m not sure if this is related to my lack of a GPS device, or just Cooker weirdness, or something else. So I sent the current package to Adam to see whether he can get the app going, since he really has a GPS system. If we can get it going, it’ll be uploaded to Cooker, 2009 and 2008 Spring.

6 Responses

  1. Dark_Schneider971, January 5, 2009 at 8:04 am

    Thanks for this article. Very insightful concerning PolicyKit.

  2. eugeni, January 5, 2009 at 8:33 am

    Thanks for the quick tour on PolicyKit, I was just looking on its internal functionalities these days (to integrate it into msec). I guess at some point all system authorization is going to be handled by PolicyKit, but for now we have all sorts of different authentication mechanisms working together (console-helper, gksu, different pam schemes, and so on)... and sometimes they just contradict each other. Hopefully PolicyKit will solve it in the future.

    As for hosting, are you looking for some dedicated hosting, or just some good shared hosting options? In the latter case, I’d recommend bluehost. It gives tons of bandwidth and disk space, and I haven’t had any problem with it for the last few years, even with big sites (30K+ visitors per day).

  3. justposted, June 17, 2009 at 1:51 pm

    Finally! I’ve read a lot of random forum posts on this, offering plenty of things to try, but yours was the first that was clear, explained the background, and resolved my issue. Many thanks.

  4. google plus android phone, September 12, 2014 at 5:18 pm

    After I initially commented I appear to have clicked the -Notify me when new comments are added- checkbox and from now on each time a comment is added I receive 4 emails with the same comment. Is there a way you can remove me from that service? Many thanks!
