Hi, and thanks for your reply.
No need to apologize, everybody can get things mixed up, and me first of all.
But I really appreciate the gesture anyway, it seems to get harder and harder to find somebody able to do so, whereas to me it’s one of the greatest strengths somebody can have…
Thanks also for pushing me to refresh my knowledge about the groups, that’s a very crucial part of any UNIX and UNIX-like system, after all!
So, in my case, I have:
$ groups
sys network power gamemode autologin lp wheel
Plus the one named after my user.
So yeah, I could use a bit of cleanup too!
As you said, sys is used for handling printers using CUPS, but so are the groups wheel and root.
See in CUPS - ArchWiki chapter 6.1.1:
User groups with printer administration privileges are defined in SystemGroup in the /etc/cups/cups-files.conf. The sys and root and wheel groups are used by default.
$ sudo cat /etc/cups/cups-files.conf
(...)
# Administrator user group, used to match @SYSTEM in cupsd.conf policy rules...
# This cannot contain the Group value for security reasons...
SystemGroup sys root wheel
So, if the user is in the wheel group or if the printer is configured once by root, he doesn’t even need to be in the sys group anymore, if I understand it correctly…
I don’t have any printer, so I will try to remove my user from the sys group and see if there’s any side effect. Surely a good thing for security, as it was abused in the past, it seems:
https://bbs.archlinux.org/viewtopic.php?id=148960
Funny thing: again, writing a custom Polkit rule allows members of the wheel group to administer printers without a password, see chapter 6.1.2 from the link above…
The network group seems only to be used today to be able to add and remove networks without a password in SSH sessions. The user must be in this group, as in the wheel group (again) and also with the need of a custom Polkit rule:
https://wiki.archlinux.org/title/NetworkManager#Set_up_PolicyKit_permissions
So no need to be in it, except in this case.
The power group was needed in the good old days before HAL and systemd, so it’s really obsolete now:
https://www.linuxquestions.org/questions/slackware-14/shutdown-without-su-757413/
https://bbs.archlinux.org/viewtopic.php?id=98408
Specific to my system, gamemode is a nice trick to get the most of the resources when playing games, and autologin is specific to LightDM, which comes with my Cinnamon desktop.
But I’m only using autologin on another machine, and not my main PC, so I can also remove my user from it…
And finally, I’m not using anything on my parallel port, so that’s not needed either!
So, grand total is now:
$ groups
gamemode wheel
Plus the one named after my user. That’s an early spring cleaning!
As I noticed in my first message above, and thanks to this thread, the custom rule for passwordless mounting of an internal drive on demand with a file manager is also working with the group named after my user, so I could even delete it from the wheel group, it seems…
And that brings us to the second topic of your reply:
Again, with all due respect, I don’t think so…
See, I remember having to do that trick a long time ago, even before using Manjaro, but with files ending with the .pkla extension in Debian and derivatives, like in this example:
https://askubuntu.com/questions/552503/stop-asking-for-authentication-to-mount-usb-stick/1424539#1424539
And each time this question is asked for the same exact situation I want to achieve, the same exact “hack” comes over and over again as an answer:
https://bbs.archlinux.org/viewtopic.php?id=272738
https://forum.endeavouros.com/t/how-to-mount-drives-without-password/23432/13
https://forum.endeavouros.com/t/password-authentication-when-mounting-drives-in-thunar/17812/4
That was only after a quick search, but I’m sure I could find much more, older ones, and for other distros too…
The only thing I got in my fstab is my root partition, and my swap. I don’t want anything else mounted automatically at startup, because of security reasons.
I just want to access my drives when I want to, and that from my file manager, by clicking on it, but without having to put a password, and there is no other way to do that I’ve found, so far…
Even the Arch wiki admits it:
polkit - ArchWiki chapter 3.3.3, quote:
File managers may ask for a password when trying to mount a storage device, or yield a Not authorized or similar error. See Udisks#Configuration for details.
Which brings us to the same solution of a modified Polkit rule, as noted in my first post.
But it’s nothing personal with Arch or Manjaro, actually for my work, I have to have installed (alongside Windows 10/11 and macOS) all of the “big” Linux distros (Debian, Ubuntu, OpenSuse, Mageia, Fedora, Red Hat clone, and a few others more), so I had to actually put this Polkit rule (in one format or another) on each one of those!
I’m curious if that will be the same thing on FreeBSD, I have just reinstalled it for fun after a long pause (I still have an old laptop with 8.3 on it that I haven’t booted for years, now we are at 14!), we shall see…
So, seeing the numerous posts using this “hack” on the Web to solve this issue, plus the fact that almost 10 people already thanked me for posting it on the last stable update thread, I really don’t think the problem lies in my system…
TL;DR of this very long post again (sorry), if somebody is interested:
- a lot of the groups to which a user is added are actually obsolete, or only needed in very specific use cases. After inspection, the user could be removed from a lot of those, for better security.
- WARNING: do it at your own risk, and don’t come back to me if you break something! Knowledge is power, and the Arch wiki quoted above is a good source to understand the role of the various groups.
- as for now, I don’t see any other way for a passwordless mount of an internal drive on demand FROM a file manager (and NOT automatically at startup from /etc/fstab), without a modified Polkit rule. Even the Arch wiki seems to acknowledge that, but if somebody does, I’m all ears…
- that’s nothing specific to Manjaro or even Arch, I actually have to do that to every single Linux distro I’m using, whatever the flavour is! Actually, I already needed to do that a long time ago, and on Debian and derived distros, the file to edit has a .pkla extension…
- modifying/writing a custom Polkit rule to do things without a password seems more common than I first thought, see links above for configuring CUPS or using NetworkManager in an SSH session…
And that’s exactly when you need your user in the wheel group (for both cases), and also in the network group (only for the 2nd case).
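As an added illustration (not code from the post above), here is the shape of a udisks2 Polkit rule of the kind discussed, restricted to one group and to local, active sessions, wrapped in a small Node-runnable stand-in for polkit's rule API so the decision logic can be checked offline. The `polkit` stand-in, `makeSubject`, `decide` and the group name `alice` are assumptions of this harness; the action ids, `polkit.Result`, `polkit.addRule` and `subject.isInGroup`/`local`/`active` are real polkit and udisks2 names.

```javascript
// Stand-in for polkitd's JavaScript rule engine (assumption, for offline use).
// Rules are evaluated in order; the first one returning a value decides.
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
  checkAuthorization(action, subject) {
    for (const rule of this.rules) {
      const r = rule(action, subject);
      if (r !== undefined) return r;
    }
    // No rule matched: polkitd falls back to the action's default policy,
    // which for mount-system is an admin password prompt.
    return this.Result.NOT_HANDLED;
  },
};

// Hypothetical group name standing in for "the group named after my user".
const ALLOWED_GROUP = "alice";

// The rule body is what would live in a file under /etc/polkit-1/rules.d/.
// It only grants the *internal* (non-removable) drive mount action, and only
// to a local, active session of a user in ALLOWED_GROUP, so an SSH login or a
// background service in another group still hits the default password policy.
polkit.addRule(function (action, subject) {
  if (action.id === "org.freedesktop.udisks2.filesystem-mount-system" &&
      subject.local && subject.active && subject.isInGroup(ALLOWED_GROUP)) {
    return polkit.Result.YES;
  }
  // Everything else is deliberately left unhandled.
});

// Build a subject like the one polkitd hands to rules (assumed helper).
function makeSubject(groups, { local = true, active = true } = {}) {
  return { local, active, isInGroup: (g) => groups.includes(g) };
}

// Ask the stand-in engine for a decision on a given action id and subject.
function decide(actionId, subject) {
  return polkit.checkAuthorization({ id: actionId }, subject);
}
```

Tightening `ALLOWED_GROUP` to a dedicated group rather than `wheel` keeps the passwordless grant separate from the group that also carries sudo rights.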