Decrypt and mount second HDD without sudo

I’ve installed NixOS 24.11 with the graphic installer, desktop XFCE and everything encrypted.

There is a second disk which I have manually encrypted. Now I have to enter a passphrase and my sudo password when I open the disk through Thunar or the commandline.

I don’t want to enter my sudo password, so I’ve added the following rule in my configuration.nix:

polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.udisks2.filesystem-mount-system" ||
           action.id == "org.freedesktop.udisks2.filesystem-mount" ||
           action.id == "org.freedesktop.udisks2.encrypted-unlock-system" ||
           action.id == "org.freedesktop.udisks2.encrypted-unlock") &&
        subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});

However, I still have to enter my password after the passphrase. In the popup in Thunar I see a reference to org.freedesktop.udisks2.encrypted-unlock-system, so I guess my polkit rule is not enough.

But after a lot of tinkering, I still haven’t found a solution. Any hints?

This may be of use: Don't prompt a user for the sudo password

On mobile sorry for formatting etc.

I don’t think their goal is to eliminate the sudo password altogether. I think their goal is specifically to mount the drive via udisks without an admin password. Polkit / udisks should be able to make that happen. We’d have to see what @jwvdveen’s configuration looks like (i.e. how that polkit rule was added in configuration.nix)

Sorry I wasn’t explicit enough with my response. You could approach this like editing sudoers, and have the specific command that the account is running be allowed to execute without entering the sudo password. An example is below where you have a script called mountDrive.sh which would contain the relevant commands to mount the encrypted drive you would then allow the user explicit permission to run this with sudo privileges without entering the password.

You could then create a shell aliases e.g. mnted and you’re done.

Just FYI from a security point of view this is not ideal, and would recommend restricting permissions as much as possible on this script.

security.sudo.extraRules = [
  {
    users = [ "privileged_user" ];
    commands = [
      {
        command = "/home/root/mountDrive.sh";
        options = [ "NOPASSWD" ]; # adding "SETENV" could be a good idea
      }
    ];
  }
];

Adding commands that can be run through sudo without auth is a massive security hole. They just want to unlock / mount a drive. It shouldn’t require punching holes in the sudo boundary.


Like my comment says, “Just FYI from a security point of view this is not ideal, and would recommend restricting permissions as much as possible on this script.”


Sure, but in the absence of a better option people may just use whatever’s in front of them.
Rather, I would also like to see more of what their config contains here.


Completely valid, and makes perfect sense. I was just trying to provide “an” option is all.


Thanks for all the responses so far.

Just to be clear, I’m not trying to create a security risk. In a similar setup on Ubuntu, I had to enter a passphrase on boot, a password on login and, when I accessed the second hard disk, just a passphrase (which isn’t the same as the first one).

From what I’ve read udisks (perhaps in combination with keyring) makes this possible. So I’m trying to do the same on NixOS. But from the responses here it looks like I’m asking something extraordinary.

So I will have to look further.

Thanks for your time.

Do you already have udisks enabled? i.e. services.udisks2.enable = true;?

Yep, this is done by default in the xfce installation.

I don’t think it’s extraordinary. I think there’s just some bug or misconfiguration here that we haven’t found yet. Unlocking and mounting an encrypted drive seems pretty normal to me

Thanks, good to know.

Just to be sure, unlocking and mounting can be done. I only would like not to enter my password after unlocking.

And I think the combination of udisks2 and polkit should make that happen without messing with sudo permissions.

There are plenty of examples of unlocking a second encrypted drive at boot with the same passphrase as the first. But that is not what I want to achieve here.

Yea what I’d like to see has to do with the polkit rule that you mentioned originally. I’d like to see how you added that to your configuration.nix. It’s possible you just put it in the wrong place.

(To be clear, I’m no polkit expert; I do not know for sure that the rule you added would work or not)

Here is the relevant part of my configuration.nix:

  ...SNIP...

  boot.initrd.luks.devices."luks-<UUID>".device = "/dev/disk/by-uuid/<UUID>";
  
  ...SNIP...

  services.gnome.gnome-keyring.enable = true;

  # Enable CUPS to print documents.
  services.printing.enable = true;

  security.polkit.extraConfig = ''
    # Allow udisks2 to mount devices without authentication
    # for users in the "wheel" group.
    polkit.addRule(function(action, subject) {
      if ((action.id == "org.freedesktop.udisks2.filesystem-mount-system" ||
           action.id == "org.freedesktop.udisks2.filesystem-mount" ||
           action.id == "org.freedesktop.udisks2.encrypted-unlock-system" ||
           action.id == "org.freedesktop.udisks2.encrypted-unlock") &&
           subject.isInGroup("wheel")) {
        return polkit.Result.YES;
      }
    });
  '';

  ...SNIP...

  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.users.<user> = {
    isNormalUser = true;
    description = "<description>";
    extraGroups = ["networkmanager" "wheel" "libvirtd"];
    packages = with pkgs; [];
  };

  ...SNIP...

This is absolutely possible and I use it a lot with an external hard drive.
I just click on it in Nautilus and get prompted for the password. No sudo required.

Is yours an internal disk?

UPDATE:

I have focused on the gnome-keyring, and it occurred to me that no key is automatically added to the keyring. I would expect my account password in the login keyring and udisks using that. But if it is not there, it obviously can not be used.

Does this make sense, or do I understand the gnome-keyring wrong?

Yep, it is an internal disk. And I want the same as you, only with Thunar :wink:

I’m curious though, did you have to add something to your configuration.nix for it to work?
If not, I’ll probably have to take a look at the configuration of the GNOME desktop for hints.