Polkit rules to mount external drives under Thunar

10 Sep 2019


Thunar is a fantastic file manager. I, however, use it without the xfce4 desktop, i.e. as part of my i3-wm workflow. Prior to an upgrade I did on my Voidlinux install, Thunar had no problems mounting/unmounting/ejecting external drives. After the upgrade, I was faced with a "Not authorized to perform this operation" pop-up each time I tried mounting my external HDD.

Policykit

Policykit is a framework that lets less-privileged processes talk to more privileged ones with a finer level of control, unlike sudo or doas, which give the entire process root privileges. Thunar makes use of a policy-kit rule to mount drives.

Let's install some packages that we'll need:

$ sudo xbps-install thunar-volman polkit-gnome

Don't worry, polkit-gnome is just a policy-kit agent that needs to be running in the background. And no, it won't pull in the gnome desktop as a dependency.

The rule

Create the file /etc/polkit-1/rules.d/10-udisks2.rules with the following content

polkit.addRule(function(action, subject) {
  var YES = polkit.Result.YES;
  var permission = {
    // required for udisks1:
    // "org.freedesktop.udisks.filesystem-mount": YES,
    // "org.freedesktop.udisks.luks-unlock": YES,
    // "org.freedesktop.udisks.drive-eject": YES,
    // "org.freedesktop.udisks.drive-detach": YES,
    // required for udisks2:
    "org.freedesktop.udisks2.filesystem-mount": YES,
    "org.freedesktop.udisks2.filesystem-mount-system": YES,
    "org.freedesktop.udisks2.encrypted-unlock": YES,
    "org.freedesktop.udisks2.encrypted-unlock-system": YES,
    "org.freedesktop.udisks2.eject-media": YES,
    "org.freedesktop.udisks2.eject-media-system": YES,
    "org.freedesktop.udisks2.power-off-drive": YES,
    "org.freedesktop.udisks2.power-off-drive-system": YES,
    // required for udisks2 if using udiskie from another seat (e.g. systemd):
    "org.freedesktop.udisks2.filesystem-mount-other-seat": YES,
    "org.freedesktop.udisks2.filesystem-unmount-others": YES,
    "org.freedesktop.udisks2.encrypted-unlock-other-seat": YES,
    "org.freedesktop.udisks2.eject-media-other-seat": YES,
    "org.freedesktop.udisks2.power-off-drive-other-seat": YES
  };
  if (subject.isInGroup("storage")) {
    return permission[action.id];
  }
});

If you're wondering how I got the list of permissions, do a $ pkaction. It goes without saying that your user needs to be in the storage group for this to work. The above rule just says: give mount/unmount/eject permissions to processes from a subject ($USER) who is a member of the storage group.

$ groups # gives a list
$ sudo usermod -a -G storage ronin # adds ronin to storage group
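
To see what the rule decides before installing it, here is an added example (not from the original post) that runs under Node.js with a small stand-in for the polkit object. The helpers makePolkit, makeSubject, evaluate, pageRule and narrowRule are hypothetical names. The rule above answers yes for the -system and -other-seat actions and never looks at subject.local or subject.active, so the sketch compares it with a narrower variant that assumes you only need removable media from a session registered as local and active.

```javascript
// Stand-in for the `polkit` object in rules files; models only what this rule uses.
function makePolkit() {
  var rules = [];
  return {
    Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
    addRule: function (fn) { rules.push(fn); },
    // First rule returning a value decides; otherwise the .policy defaults apply.
    decide: function (actionId, subject) {
      for (var i = 0; i < rules.length; i++) {
        var r = rules[i]({ id: actionId }, subject);
        if (r !== undefined && r !== null) return r;
      }
      return this.Result.NOT_HANDLED;
    }
  };
}
function makeSubject(groups, local, active) {
  return { local: local, active: active,
           isInGroup: function (g) { return groups.indexOf(g) !== -1; } };
}
// The rule from the post, with the action table shortened to three entries.
function pageRule(polkit) {
  var YES = polkit.Result.YES;
  var permission = {
    "org.freedesktop.udisks2.filesystem-mount": YES,
    "org.freedesktop.udisks2.filesystem-mount-system": YES,
    "org.freedesktop.udisks2.filesystem-mount-other-seat": YES
  };
  polkit.addRule(function (action, subject) {
    if (subject.isInGroup("storage")) return permission[action.id];
  });
}
// Narrower variant (assumption: only removable media, local active session).
function narrowRule(polkit) {
  var allowed = { "org.freedesktop.udisks2.filesystem-mount": true,
                  "org.freedesktop.udisks2.eject-media": true };
  polkit.addRule(function (action, subject) {
    if (subject.local && subject.active && subject.isInGroup("storage") &&
        allowed[action.id] === true) return polkit.Result.YES;
  });
}
function evaluate(installRule, actionId, subject) {
  var pk = makePolkit();
  installRule(pk);
  return pk.decide(actionId, subject);
}
var remote = makeSubject(["storage"], false, false); // constructed: non-local, inactive session
console.log(evaluate(pageRule, "org.freedesktop.udisks2.filesystem-mount-system", remote),
            evaluate(narrowRule, "org.freedesktop.udisks2.filesystem-mount-system", remote));
```
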

Have the policy-kit agent start whenever we start our desktop. I run i3, so I have

...
exec --no-startup-id /usr/libexec/polkit-gnome-authentication-agent-1
...

in the list of startup apps. On Debian systems, the binary might be
/usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1

Fin

By now, we should have our disk mounting/ejecting problem solved. As an extra thing I wanted to point out, I start i3 from an .xinitrc file. The line looks like

exec ck-launch-session dbus-launch i3

Credits

Happy Hacking & have a great day!