Re: integrate cloud-based crypto containers



On Tue, Jan 13, 2015 at 11:39:10AM +0100, Oliver Kastner wrote:
Hello everybody,

I am trying to find a sophisticated way to integrate cloud-based crypto
containers at user level through gnome/nautilus on a laptop. System is
opensuse 13.1 w/t gnome 3 and gvfsd.

To include a cloud-based device I follow the common route via
fssh -> losetup -> cryptsetup
which produces a mountable device in /dev. User permissions are controlled
through appropriate rules in /etc/udev/rules.d. Cryptsetup requires sudo at
user level, while fssh and losetup can be used by regular users a priori.

Running through the chain by hand, the loop device is identified by nautilus
after losetup and a decrypted block device after cryptsetup, named
appropriately.

$ gvfs-mount -li
Volume(0): Cloud
  Type: GProxyVolume (GProxyVolumeMonitorUDisks2)
  ids:
   class: 'device'
   unix-device: '/dev/dm-1'
   uuid: '37a6324a-746e-4d8c-a318-******'
  symbolic themed icons:  [drive-removable-media-symbolic]
[drive-removable-symbolic]  [drive-symbolic]  [drive-removable-media]
[drive-removable]  [drive]
  can_mount=1
  can_eject=0
  should_automount=0
  sort_key=gvfs.time_detected_usec.1421103071214747

However, it is not possible to gvfs-mount this device as user from console:
"No volume for device file /dev/dm-1"
To mount the block device from within nautilus, root permissions are
demanded. Providing these, the device is mounted and usable.

Alternatively, it is possible to place an appropriate /etc/fstab entry with
user-permission and mount by hand from console. The result in nautilus is
the same. However, placing the chain fssh -> losetup -> cryptsetup -> mount
(through fstab) in a script that is executed through an alacarte-generated
button causes nautilus to show an empty directory.

So here are my questions:
Either:
How to tweak nautilus to allow user-mount of the device (I guess this is
equivalent to solving the "No volume for device file /dev/dm-1"-issue)

Or:
How to prevent nautilus from interfering with regular mounts through a script


Something like this should allow you to user mount internal devices:
/* Copy this to /etc/polkit-1/rules.d/allow-mount-internal.rules */

polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.udisks2.filesystem-mount-system" ||
         action.id == "org.freedesktop.udisks.filesystem-mount-system-internal") &&
        subject.local && subject.active && subject.isInGroup("users")) {
        return polkit.Result.YES;
    }
});

See here for more info:
https://wiki.archlinux.org/index.php/udisks#Configuration

-- 
Ross Lagerwall
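
Added example, not part of the original message or of polkit itself: a small Node.js stand-in for polkitd's rule environment that runs the rule above against constructed subjects, to show exactly which sessions and actions it grants. The helpers makePolkit, makeSubject and decide are hypothetical; the encrypted-unlock-system action id is udisks2's own but does not appear in the thread.

```javascript
// Added example: minimal stand-in for polkitd's JavaScript rule environment.
const Result = { YES: "yes", NOT_HANDLED: "not-handled" };
function makePolkit() {
  const rules = [];
  return {
    Result,
    addRule: (fn) => rules.push(fn),
    // Rules run in order; the first one that returns a value decides.
    // A rule returning nothing leaves the decision to later rules or the
    // action's defaults, represented here as NOT_HANDLED.
    check(action, subject) {
      for (const rule of rules) {
        const r = rule(action, subject);
        if (r !== undefined && r !== null) return r;
      }
      return Result.NOT_HANDLED;
    },
  };
}
// Constructed subject exposing only the fields the rule reads.
function makeSubject({ local, active, groups }) {
  return { local, active, isInGroup: (g) => groups.includes(g) };
}
const polkit = makePolkit();
// The rule from the reply, logic unchanged.
polkit.addRule(function (action, subject) {
  if ((action.id == "org.freedesktop.udisks2.filesystem-mount-system" ||
       action.id == "org.freedesktop.udisks.filesystem-mount-system-internal") &&
      subject.local && subject.active && subject.isInGroup("users")) {
    return polkit.Result.YES;
  }
});
const MOUNT = { id: "org.freedesktop.udisks2.filesystem-mount-system" };
// Assumption: unlocking a system LUKS device is a separate udisks2 action.
const UNLOCK = { id: "org.freedesktop.udisks2.encrypted-unlock-system" };
function decide(action, s) { return polkit.check(action, makeSubject(s)); }
// Constructed cases: desktop user, SSH login, inactive seat, other group,
// and a desktop user asking for an action the rule does not name.
const cases = {
  desktop:  decide(MOUNT,  { local: true,  active: true,  groups: ["users"] }),
  ssh:      decide(MOUNT,  { local: false, active: true,  groups: ["users"] }),
  inactive: decide(MOUNT,  { local: true,  active: false, groups: ["users"] }),
  nogroup:  decide(MOUNT,  { local: true,  active: true,  groups: ["guest"] }),
  unlock:   decide(UNLOCK, { local: true,  active: true,  groups: ["users"] }),
};
console.log(cases);
```

Only the local, active member of "users" gets an unprompted mount; every other case falls through to whatever the remaining rules and the action defaults say.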

