Tags: sed, applescript, zsh, macos-monterey

Mac automator - TouchID for sudo issues with system disk access


The goal is to allow TouchID to be used for the sudo command instead of the password. This can be achieved by adding the line auth sufficient pam_tid.so to the file /etc/pam.d/sudo.

The problem is that macOS resets any changes to this file after every update, so I decided to automate this task with Automator.app using AppleScript and then run the created application on login.

AppleScript is needed to allow administrator access to the /etc/pam.d/sudo file (if you edited it by hand, you would have to use sudo vim instead of vim, for example).

So my code looks something like this:

property SudoPath : "/etc/pam.d/sudo"
property TIDLine : "auth       sufficient     pam_tid.so"
property CustomPrompt : "Allow TouchID to authenticate you for sudo access"

if (do shell script ("grep -q pam_tid.so " & SudoPath & " && echo 'true' || echo 'false'")) is equal to "false" then
    do shell script ("sudo sed -i '' '1i\\'$''\\n'" & TIDLine & "'" & SudoPath) with prompt CustomPrompt with administrator privileges
end if

It checks if the line is already there and, if it is not, it should insert the line into the file. It should be above the line containing pam_smartcard.so, but that proved to be too difficult, so I opted to insert it at the first line.

My script crashes with the error sed: 1: "1i\nauth sufficie ...": extra characters after \ at the end of i command, which I think is related to the \n character in the code, but if I remove the second backslash it is changed into an invisible end of line during compilation. Also, I don't really know which characters need to be escaped and how.

Also, there seem to be some further issues with macOS Monterey, because even if the sed command is right, the script ends with the error /bin/sh: /etc/pam.d/sudo: Operation not permitted, which wasn't showing up in Big Sur.

Thanks for any help.

Update:

So I solved the endline issues by using gnu-sed (installed via Homebrew) and tried to allow Automator and the gsed command full disk access in the Preferences. Now I am getting

Syntax Error: /usr/local/bin/gsed: couldn't open temporary file /etc/pam.d/sedNyxhvU: Operation not permitted

property GnuSedPath : "/usr/local/bin/gsed"
property SudoPath : "/etc/pam.d/sudo"
property TIDLine : "auth       sufficient     pam_tid.so"
property CustomPrompt : "Allow TouchID to authenticate you for sudo access"

if (do shell script ("grep -q pam_tid.so " & SudoPath & " && echo 'true' || echo 'false'")) is equal to "false" then
    do shell script ("sudo " & GnuSedPath & " -i '2i " & TIDLine & "' " & SudoPath) with prompt CustomPrompt with administrator privileges
end if

Solution

  • It is now supported by the OS (since Sonoma at least).

    Make sure that /etc/pam.d/sudo contains the line:

    auth       include        sudo_local
    

    Then put the following line inside /etc/pam.d/sudo_local:

    auth       sufficient     pam_tid.so
    

    The OS will never reset changes to sudo_local, so the TouchID for sudo will be enabled from now on.
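
The sudo_local steps above as an idempotent shell script. This is an added example, not part of the original answer. The function names and the --apply switch are this example's own, and the file paths are passed as arguments so the logic can be tried on copies before touching /etc/pam.d.

```shell
#!/bin/sh
# Added example: idempotently enable pam_tid.so through sudo_local.
# File paths are arguments so the logic can be tried on copies first.

TID_LINE='auth       sufficient     pam_tid.so'

# has_auth_line FILE CONTROL MODULE
# Succeeds only for an active "auth CONTROL MODULE" line; commented-out
# lines such as "#auth sufficient pam_tid.so" do not count.
has_auth_line() {
    [ -f "$1" ] && awk -v c="$2" -v m="$3" '
        $1 == "auth" && $2 == c && $3 == m { found = 1 }
        END { exit !found }' "$1"
}

# enable_touchid_sudo SUDO_FILE LOCAL_FILE
# Returns 0 if enabled (now or already), 2 if SUDO_FILE lacks the include.
enable_touchid_sudo() {
    sudo_file=$1
    local_file=$2
    if ! has_auth_line "$sudo_file" include sudo_local; then
        echo "error: $sudo_file has no 'auth include sudo_local' line" >&2
        return 2
    fi
    if has_auth_line "$local_file" sufficient pam_tid.so; then
        echo "pam_tid.so already active in $local_file"
        return 0
    fi
    # Keep the new rule on its own line if the file lacks a final newline.
    if [ -s "$local_file" ] && [ -n "$(tail -c 1 "$local_file")" ]; then
        printf '\n' >> "$local_file" || return 1
    fi
    # Appending writes only to LOCAL_FILE; sed -i style edits also need a
    # temporary file in the same directory.
    printf '%s\n' "$TID_LINE" >> "$local_file" || return 1
    echo "added pam_tid.so to $local_file"
}

# Real use (as root): sh this-script --apply
if [ "${1:-}" = "--apply" ]; then
    enable_touchid_sudo /etc/pam.d/sudo /etc/pam.d/sudo_local
fi
```

Unlike the grep -q pam_tid.so check in the question, a commented-out pam_tid.so line is not treated as already enabled.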