Open
Description
Using a custom sudoers.d file and a pam.d conf, we can set up Touch ID auth for sudo with some additional features:
- get rid of `.plist` files
- do not edit the system-managed conf `/etc/pam.d/sudo`, so Touch ID keeps working after a system upgrade
- support safe and quick recovery from a bad pam.d config for sudo
When installing, the script should generate two files.

`/etc/sudoers.d/50-pam-service`, with content like this:

```
Cmnd_Alias PAM_RESTORE=/bin/rm -f /etc/sudoers.d/50-pam-service
Cmnd_Alias PAM_UNINSTALL=/bin/rm -f /etc/sudoers.d/50-pam-service /etc/pam.d/my-sudo
# make the restore and uninstall commands keep using the system sudo PAM profile
Defaults!PAM_RESTORE,PAM_UNINSTALL pam_service = sudo
# the restore command does not require a password; it works as long as sudo can find the sudo PAM profile
# {admin-user-name} should be replaced with a real user name
"{admin-user-name}" ALL=(ALL) NOPASSWD: PAM_RESTORE
# use the custom pam_service for all users
Defaults pam_service = my-sudo
# or use the custom pam_service for specific users only
# {admin-user-name} should be replaced with a real user name
#Defaults:"{admin-user-name}" pam_service = my-sudo
```
`/etc/pam.d/my-sudo`, with content like this:

```
# reattach to the user GUI session: https://github.com/fabianishere/pam_reattach
# remove the following line if pam_reattach is not installed; the install script has to detect the absolute path of pam_reattach.so
auth optional /opt/homebrew/lib/pam/pam_reattach.so
# auth via Touch ID: https://github.com/artginzburg/sudo-touchid
auth sufficient pam_tid.so
# include the system sudo policy
auth include sudo
account include sudo
password include sudo
session include sudo
```
We can add more sudo auth features in `/etc/pam.d/my-sudo`. When that config breaks sudo authentication, the user `{admin-user-name}` can quickly restore the default sudo auth method by running:

```
sudo /bin/rm -f /etc/sudoers.d/50-pam-service
```

This works because the `Defaults!PAM_RESTORE` entry pins that one command to the system `sudo` PAM service and the `NOPASSWD` rule lets it run without a password, so recovery does not depend on `my-sudo` at all.
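As an added example, not code from this issue or from the sudo-touchid project, here is one way the install script could render the two files above. It assumes the admin user name is passed on the command line, that `pam_reattach.so` lives under one of two Homebrew prefixes (`/opt/homebrew` for Apple Silicon, `/usr/local` for Intel; both paths are assumptions), and that a real install runs as root with `/` as the prefix. The `find_pam_reattach`, `render_*`, `write_files`, `validate_sudoers` and `install_touchid_sudo` function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the issue or the sudo-touchid project): renders
# /etc/sudoers.d/50-pam-service and /etc/pam.d/my-sudo as described above.
set -eu

# Assumed search order for pam_reattach.so: Apple Silicon Homebrew first,
# then Intel Homebrew. Prints the first existing path; returns 1 if absent.
find_pam_reattach() {
    for candidate in \
        /opt/homebrew/lib/pam/pam_reattach.so \
        /usr/local/lib/pam/pam_reattach.so
    do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Render the sudoers.d fragment for the admin user given in $1.
render_sudoers() {
    admin=$1
    cat <<EOF
Cmnd_Alias PAM_RESTORE=/bin/rm -f /etc/sudoers.d/50-pam-service
Cmnd_Alias PAM_UNINSTALL=/bin/rm -f /etc/sudoers.d/50-pam-service /etc/pam.d/my-sudo
# make the restore and uninstall commands keep using the system sudo PAM profile
Defaults!PAM_RESTORE,PAM_UNINSTALL pam_service = sudo
# restore needs no password; it works as long as sudo can find the sudo PAM profile
"$admin" ALL=(ALL) NOPASSWD: PAM_RESTORE
# use the custom pam_service for all users
Defaults pam_service = my-sudo
# or for specific users only:
#Defaults:"$admin" pam_service = my-sudo
EOF
}

# Render the PAM service. $1 is the absolute path of pam_reattach.so, or
# empty to omit that line when the module is not installed.
render_pam() {
    reattach=$1
    if [ -n "$reattach" ]; then
        printf '# reattach to the user GUI session: https://github.com/fabianishere/pam_reattach\n'
        printf 'auth optional %s\n' "$reattach"
    fi
    cat <<'EOF'
# auth via Touch ID: https://github.com/artginzburg/sudo-touchid
auth sufficient pam_tid.so
# include the system sudo policy
auth include sudo
account include sudo
password include sudo
session include sudo
EOF
}

# Write both files under prefix $2 (/ for a real install, a scratch dir to
# preview). $3 is the pam_reattach.so path or empty. Does no validation.
write_files() {
    admin=$1 prefix=$2 reattach=$3
    mkdir -p "$prefix/etc/sudoers.d" "$prefix/etc/pam.d"
    render_sudoers "$admin" > "$prefix/etc/sudoers.d/50-pam-service"
    chmod 0440 "$prefix/etc/sudoers.d/50-pam-service"
    render_pam "$reattach" > "$prefix/etc/pam.d/my-sudo"
    chmod 0644 "$prefix/etc/pam.d/my-sudo"
}

# Syntax-check the sudoers fragment before it goes live: a parse error in
# /etc/sudoers.d disables sudo entirely, and the NOPASSWD restore rule can
# only help once sudo can read its policy.
validate_sudoers() {
    tmp=$(mktemp)
    render_sudoers "$1" > "$tmp"
    if visudo -c -f "$tmp"; then status=0; else status=$?; fi
    rm -f "$tmp"
    return "$status"
}

install_touchid_sudo() {
    admin=$1
    reattach=$(find_pam_reattach || true)
    validate_sudoers "$admin"
    write_files "$admin" / "$reattach"
}

# Usage (as root): sh install.sh install <admin-user-name>
if [ "${1:-}" = "install" ]; then
    install_touchid_sudo "$2"
fi
```

The `visudo -c -f` check is the step worth keeping even if the rest is rewritten: the recovery path on this page only covers a bad `my-sudo` PAM config, not a sudoers fragment that fails to parse. Previewing with a scratch prefix (`write_files alice /tmp/preview ""`) shows exactly what would land in `/etc` before anything is touched.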