10 Sep 2019
Thunar is a fantastic file-manager. I however, use it without the xfce4 desktop, i.e as part of my i3-wm workflow. Prior to an upgrade I did on my Voidlinux install, Thunar had no problems mounting/unmounting/ejecting external drives. After the upgrade, I was faced with a Not authorized to perform this operation pop-up, each time I tried mounting my external HDD.
Policykit is a framework to let less-privilleged processes,
talk to more privilleged ones, with a finer level of control, unlike sudo
or doas
which gives the entire
process root
privilleges. Thunar makes use of a policy-kit rule
to mount drives.
Lets install some packages that we'll need
$ sudo xbps-install thunar-volman polkit-gnome
Don't worry, polkit-gnome
is just a policy-kit agent that needs to be running in the background. And
no, it wont pull in the gnome desktop as a dependency.
Create the file /etc/polkit-1/rules.d/10-udisks2.rules
with the following content
polkit.addRule(function(action, subject) {
var YES = polkit.Result.YES;
var permission = {
// required for udisks1:
// "org.freedesktop.udisks.filesystem-mount": YES,
// "org.freedesktop.udisks.luks-unlock": YES,
// "org.freedesktop.udisks.drive-eject": YES,
// "org.freedesktop.udisks.drive-detach": YES,
// required for udisks2:
"org.freedesktop.udisks2.filesystem-mount": YES,
"org.freedesktop.udisks2.filesystem-mount-system": YES,
"org.freedesktop.udisks2.encrypted-unlock": YES,
"org.freedesktop.udisks2.encrypted-unlock-system": YES,
"org.freedesktop.udisks2.eject-media": YES,
"org.freedesktop.udisks2.eject-media-system": YES,
"org.freedesktop.udisks2.power-off-drive": YES,
"org.freedesktop.udisks2.power-off-drive-system": YES,
// required for udisks2 if using udiskie from another seat (e.g. systemd):
"org.freedesktop.udisks2.filesystem-mount-other-seat": YES,
"org.freedesktop.udisks2.filesystem-unmount-others": YES,
"org.freedesktop.udisks2.encrypted-unlock-other-seat": YES,
"org.freedesktop.udisks2.eject-media-other-seat": YES,
"org.freedesktop.udisks2.power-off-drive-other-seat": YES
};
if (subject.isInGroup("storage")) {
return permission[action.id];
}
});
If you're wondering how I got the list of permission, do a $ pkaction
. It goes without saying that
your user needs to be in the storage
group, for this to work. The above rule
just says,
give mount/unmount/eject permissions to those processes from a subject
($USER
),
who is a member of the storage
group.
$ groups # gives a list
$ sudo usermod -a -G storage ronin # adds ronin to storage group
Have our policy-kit agent running whenever we start our desktop. I run i3 so I have,
...
exec --no-startup-id /usr/libexec/polkit-gnome-authentication-agent-1
...
in the list of startup apps. For debian systems, the binary might be
/usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
By now, we should have our disk mounting/ejecting problem solved. As an extra thing I wanted to point
out, I start i3 from an .xinitrc
file. The line looks like
exec ck-launch-session dbus-launch i3
Happy Hacking & have a great day!