
[feature req] use pam_service of sudoers to keep touchid after system upgrading #15

Open
@gzm55

Description

@gzm55

Using a custom sudoers.d file and a pam.d conf, we can set up Touch ID auth for sudo with additional features:

  • get rid of .plist files
  • do not edit the system-managed conf /etc/pam.d/sudo, so the Touch ID function still works after a system upgrade
  • support safe and quick recovery from bad pam.d configs for sudo

When installing, the script should generate two files:

  1. /etc/sudoers.d/50-pam-service, with content like this:

```
Cmnd_Alias PAM_RESTORE=/bin/rm -f /etc/sudoers.d/50-pam-service
Cmnd_Alias PAM_UNINSTALL=/bin/rm -f /etc/sudoers.d/50-pam-service /etc/pam.d/my-sudo
# make the restore and uninstall commands still use the system sudo profile
Defaults!PAM_RESTORE,PAM_UNINSTALL pam_service = sudo
# the restore command does not require a password, so we can restore as long as sudo can find the sudo pam profile
# the {admin-user-name} should be replaced with a real user name
"{admin-user-name}" ALL=(ALL) NOPASSWD: PAM_RESTORE
# use the custom pam_service for all users
Defaults pam_service = my-sudo
# use the custom pam_service for specified users only
# the {admin-user-name} should be replaced with a real user name
#Defaults:"{admin-user-name}" pam_service = my-sudo
```

  2. /etc/pam.d/my-sudo, with content like this:

```
# reattach to the user GUI session: https://github.com/fabianishere/pam_reattach
# remove the following line if pam_reattach is not installed; the install script has to detect the absolute path of pam_reattach.so
auth       optional       /opt/homebrew/lib/pam/pam_reattach.so
# auth via touch id: https://github.com/artginzburg/sudo-touchid
auth       sufficient     pam_tid.so
# include the system sudo policy
auth       include        sudo
account    include        sudo
password   include        sudo
session    include        sudo
```

We can add more sudo auth features in /etc/pam.d/my-sudo. When something fails, the user named {admin-user-name} can quickly restore the default sudo auth method by running

```
sudo /bin/rm -f /etc/sudoers.d/50-pam-service
```
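As an added example (not code from the sudo-touchid project or from this issue's author), here is a POSIX shell script that renders the two files described above into a chosen root directory, so they can be inspected before being copied into /etc, detects the pam_reattach.so path, and mirrors the restore command. The candidate pam_reattach.so locations, the 0440 mode on the sudoers fragment, and the function names are assumptions; when ROOT is `/` the files must additionally be owned by root, which this script does not do.

```shell
#!/bin/sh
# Added example: render the sudoers fragment and pam.d profile from the issue
# under $ROOT (e.g. a temp dir for inspection, or / for a real install).
set -eu

# Assumed candidate locations for pam_reattach.so: Homebrew on Apple Silicon
# and Homebrew/manual installs on Intel. Prints the first one found.
detect_pam_reattach() {
    for p in /opt/homebrew/lib/pam/pam_reattach.so \
             /usr/local/lib/pam/pam_reattach.so; do
        if [ -f "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Print the sudoers fragment with the admin user name filled in.
render_sudoers() {
    admin="$1"
    cat <<EOF
Cmnd_Alias PAM_RESTORE=/bin/rm -f /etc/sudoers.d/50-pam-service
Cmnd_Alias PAM_UNINSTALL=/bin/rm -f /etc/sudoers.d/50-pam-service /etc/pam.d/my-sudo
# make the restore and uninstall commands still use the system sudo profile
Defaults!PAM_RESTORE,PAM_UNINSTALL pam_service = sudo
# restore needs no password, so it works as long as sudo can find the sudo pam profile
"$admin" ALL=(ALL) NOPASSWD: PAM_RESTORE
# use the custom pam_service for all users
Defaults pam_service = my-sudo
EOF
}

# Print the pam.d profile; the pam_reattach line is emitted only when a path is given.
render_pam_conf() {
    reattach="${1:-}"
    if [ -n "$reattach" ]; then
        printf '# reattach to the user GUI session\nauth       optional       %s\n' "$reattach"
    fi
    cat <<'EOF'
# auth via touch id
auth       sufficient     pam_tid.so
# include the system sudo policy
auth       include        sudo
account    include        sudo
password   include        sudo
session    include        sudo
EOF
}

# Write both files under ROOT. sudo ignores sudoers.d files that are
# group/world writable, hence the 0440 mode.
install_files() {
    root="$1"; admin="$2"; reattach="${3:-}"
    mkdir -p "$root/etc/sudoers.d" "$root/etc/pam.d"
    render_sudoers "$admin" > "$root/etc/sudoers.d/50-pam-service"
    render_pam_conf "$reattach" > "$root/etc/pam.d/my-sudo"
    chmod 0440 "$root/etc/sudoers.d/50-pam-service"
    chmod 0444 "$root/etc/pam.d/my-sudo"
}

# Optional syntax check: a malformed sudoers.d file would lock sudo out,
# so run visudo -c on the fragment before copying it into /etc.
check_sudoers_fragment() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1"
    fi
}

# Mirror of the restore command from the issue: removing the fragment puts
# sudo back on the system pam profile; the pam.d file can stay in place.
restore_default_auth() {
    rm -f "$1/etc/sudoers.d/50-pam-service"
}

# Usage (constructed): render into a temp dir and look at the result.
# root=$(mktemp -d); install_files "$root" alice "$(detect_pam_reattach || true)"
```

Running `install_files /tmp/preview alice "$(detect_pam_reattach || true)"` shows exactly what would be written; only after `check_sudoers_fragment` passes should the files be copied to `/etc` as root.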
