The goal is to allow TouchID to be used for the sudo command instead of the password. This can be achieved by adding the line auth sufficient pam_tid.so into the file /etc/pam.d/sudo.
The problem is that macOS resets any changes to this file after every update, so I decided to automate this task with Automator.app using AppleScript and then run the created application on login.
AppleScript is needed to allow administrator access to the /etc/pam.d/sudo file (if you edited it by hand, you would have to use sudo vim instead of vim, for example).
So my code looks something like this:
property SudoPath : "/etc/pam.d/sudo"
property TIDLine : "auth sufficient pam_tid.so"
property CustomPrompt : "Allow TouchID to authenticate you for sudo access"
-- Only touch the file when pam_tid.so is not referenced in it yet
if (do shell script ("grep -q pam_tid.so " & SudoPath & " && echo 'true' || echo 'false'")) is equal to "false" then
	-- Insert TIDLine as the first line of the file; this is the sed call that produces the error described below
	do shell script ("sudo sed -i '' '1i\\'$''\\n'" & TIDLine & "' " & SudoPath) with prompt CustomPrompt with administrator privileges
end if
It checks if the line is already there and, if it is not, it should insert the line into the file. It should go above the line containing pam_smartcard.so, but that proved to be too difficult, so I opted to insert it at the first line.
My script crashes with the error sed: 1: "1i\nauth sufficie ...": extra characters after \ at the end of i command, which I think is related to the \n character in the code, but if I remove the second backslash it is changed into an invisible end of line during compilation. I also don't really know which characters need to be escaped and how.
There also seem to be some further issues with macOS Monterey, because even if the sed command is right, the script ends with the error /bin/sh: /etc/pam.d/sudo: Operation not permitted, which wasn't showing up in Big Sur.
Thanks for any help.
Update:
So I solved the end-of-line issues by using GNU sed (installed via Homebrew) and tried to give Automator and the gsed command Full Disk Access in the Preferences. Now I am getting
Syntax Error: /usr/local/bin/gsed: couldn't open temporary file /etc/pam.d/sedNyxhvU: Operation not permitted
property GnuSedPath : "/usr/local/bin/gsed"
property SudoPath : "/etc/pam.d/sudo"
property TIDLine : "auth sufficient pam_tid.so"
property CustomPrompt : "Allow TouchID to authenticate you for sudo access"
-- Only touch the file when pam_tid.so is not referenced in it yet
if (do shell script ("grep -q pam_tid.so " & SudoPath & " && echo 'true' || echo 'false'")) is equal to "false" then
	-- GNU sed: insert TIDLine before line 2 of the file, editing it in place
	do shell script ("sudo " & GnuSedPath & " -i '2i " & TIDLine & "' " & SudoPath) with prompt CustomPrompt with administrator privileges
end if
It is now supported by the OS (since Sonoma at least).
Make sure that /etc/pam.d/sudo contains the line:
auth include sudo_local
Then put the following line inside /etc/pam.d/sudo_local:
auth sufficient pam_tid.so
The OS will never reset changes to sudo_local, so TouchID for sudo will be enabled from now on.
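As an added example (not code from the question or the answer), here is a POSIX shell function that applies the sudo_local approach idempotently: it first verifies that the OS-managed /etc/pam.d/sudo still carries the auth include sudo_local hook, then adds the pam_tid.so line only if it is not already present, writing through a temporary file in the same directory. The file paths are parameters so it can be tried on temporary copies; against the real /etc/pam.d files it has to run as root.

```shell
#!/bin/sh
# Added example: enable pam_tid.so for sudo via /etc/pam.d/sudo_local.
# Paths are parameters so the function can be exercised on copies; against
# the real /etc/pam.d files it must run as root.
TID_LINE='auth       sufficient     pam_tid.so'

# ensure_tid_sudo_local SUDO_PAM_FILE SUDO_LOCAL_FILE
#   returns 0 when pam_tid.so is enabled in SUDO_LOCAL_FILE (already or now),
#   2 when SUDO_PAM_FILE lacks the "auth include sudo_local" hook (nothing written),
#   3 when the temporary file could not be created.
ensure_tid_sudo_local() {
  sudo_pam=$1
  sudo_local=$2

  # Without the include hook in the OS-managed file, sudo_local is never read,
  # so writing it would silently do nothing: stop and report instead.
  grep -Eq '^auth[[:space:]]+include[[:space:]]+sudo_local([[:space:]]|$)' "$sudo_pam" || return 2

  # Idempotence: do not append a second copy on every login.
  if [ -f "$sudo_local" ] && grep -Eq '^auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so' "$sudo_local"; then
    return 0
  fi

  # Build the new content in a temp file in the same directory, then rename it
  # into place so an interrupted write never leaves a half-written PAM file.
  tmp=$(mktemp "$(dirname "$sudo_local")/sudo_local.XXXXXX") || return 3
  {
    [ -f "$sudo_local" ] && cat "$sudo_local"
    printf '%s\n' "$TID_LINE"
  } > "$tmp"
  chmod 444 "$tmp" && mv -f "$tmp" "$sudo_local"
}

# Usage against the real files (run as root):
#   ensure_tid_sudo_local /etc/pam.d/sudo /etc/pam.d/sudo_local
```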