
Unable to mount external USB drives

Open tortugaverde98 opened this issue 7 years ago • 7 comments

From an appvm with a hardened template, unable to mount an external USB thumbdrive. Nautilus/Files shows it is present, but once clicked on to mount, an error pops up: Unable to access location, not authorized to perform action.

From Disks, the error is "Error mounting filesystem" Not authorized to perform operation (udisks-error-quark, 4). I realize it's possible to mount it via a root xterm from dom0, but is there something that can be whitelisted or something to allow USBs to be mounted as normal?

tortugaverde98 avatar Jun 18 '18 17:06 tortugaverde98

@tortugaverde98 Is the thumbdrive encrypted? This advice may apply:

https://askubuntu.com/questions/399768/encrypted-disk-wont-unlock-anymore-not-authorized-to-perform-operation-udisks#751769

The udisksctl command could be a convenient workaround, but a possible solution may be hinted at in the answer mentioning polkit (polkit-gnome in this case).

tasket avatar Jun 18 '18 18:06 tasket

It is not encrypted, and the filesystem is FAT32. I have two identical templates (Fedora 28), and the only difference between them is that one has been hardened and passwordless root removed, but all the other qubes agents reinstalled, including polkit. The thumbdrive mounts fine in the non-hardened, but not in the hardened.

Something needs to be whitelisted so the hardening script allows it to mount.

tortugaverde98 avatar Jun 18 '18 20:06 tortugaverde98

Attempting to gather more specifics, I ran the command below with the resulting response. Are there any workarounds that don't involve running a dom0 root xterm?:

```
$ udisksctl mount -b /dev/xvdi1
==== AUTHENTICATING FOR org.freedesktop.udisks2.filesystem-mount-system ====
Authentication is required to mount /dev/xvdi1
Authenticating as: root
Password:
polkit-agent-helper-1: pam_authenticate failed: Authentication failure
==== AUTHENTICATION FAILED ====
Error mounting /dev/xvdi1: GDBus.Error:org.freedesktop.UDisks2.Error.NotAuthorized: Not authorized to perform operation
```

tortugaverde98 avatar Jun 18 '18 20:06 tortugaverde98

This looks like an upstream Qubes issue.

Without vm-boot-protect present I can reproduce the behavior by first following the Qubes vm-sudo doc. Same result if I remove the qubes-core-agent-passwordless-root package. Likewise, installing nautilus in a fedora-minimal template and trying to use it to mount disks should lead to the same auth failure because that template doesn't come with passwordless-root installed.

There may still be some mechanism by which nautilus can mount volumes in an auth-restricted VM. For instance if some setting or policy makes nautilus use sudo, then a VM configured for sudo prompts should trigger a dom0 auth prompt before successfully running mount. Also, this suid method might work.

tasket avatar Jun 18 '18 22:06 tasket

Additional ideas for workarounds: https://unix.stackexchange.com/questions/96625/how-to-allow-non-superusers-to-mount-any-filesystem

tasket avatar Jun 18 '18 22:06 tasket

To clarify, it is required to remove passwordless root on fedora templates, correct?

tortugaverde98 avatar Jun 18 '18 23:06 tortugaverde98

Attempting on a Debian minimal template, with the same result. Any suggestions to get this going?

tortugaverde98 avatar Jan 21 '20 02:01 tortugaverde98
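
The polkit route hinted at earlier in the thread, sketched as an added example (not from any participant or from the Qubes-VM-hardening project, and not confirmed as working in this thread): a rule that grants only the action named in the `udisksctl` output, and only to one account. Assumptions: the template's polkit reads JavaScript rules from `/etc/polkit-1/rules.d` (older polkit releases use `.pkla` files instead), the login account is the Qubes default `user`, and the file name is hypothetical.

```javascript
// Added example. Would be saved in the template as a rules file, e.g.
// /etc/polkit-1/rules.d/50-udisks-mount.rules (file name is an assumption).

// Only the action id shown in the udisksctl output in this thread is granted.
// Every other udisks2 action keeps the distribution's default policy.
var MOUNT_ACTIONS = ["org.freedesktop.udisks2.filesystem-mount-system"];

// Assumption: the unprivileged login account is the Qubes default, "user".
var ALLOWED_USER = "user";

// Inside polkitd the global `polkit` object exists. The fallback value lets
// the decision function be exercised outside polkitd (for example under node).
var RESULT_YES = (typeof polkit !== "undefined") ? polkit.Result.YES : "yes";

function udisksMountRule(action, subject) {
    // Not a mount request: return nothing so later rules and the
    // default policy still decide.
    if (MOUNT_ACTIONS.indexOf(action.id) === -1) {
        return undefined;
    }
    // Any other account keeps the normal authentication prompt.
    if (subject.user !== ALLOWED_USER) {
        return undefined;
    }
    // Mount is authorized without asking for a password.
    return RESULT_YES;
}

// Register the rule only when running inside polkitd.
if (typeof polkit !== "undefined") {
    polkit.addRule(udisksMountRule);
}
```

The rule removes the password prompt for mounting only; sudo and every other privileged polkit action in the hardened template are left as they were.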