artginzburg / sudo-touchid

 Permanent TouchID support 👆 for `sudo`.
https://git.io/sudotouchid
Eclipse Public License 2.0
512 stars, 13 forks

Does this work with macOS 12.6? #11

Open deviantintegral opened 1 year ago

deviantintegral commented 1 year ago

I just installed this via homebrew, and it appears sandboxing is preventing sed from editing /private/etc/pam.d/sudo. I get the following in the console when running sudo brew services start sudo-touchid:

default 17:29:18.707309-0400 sudo root : PWD=/ ; USER=root ; COMMAND=/usr/bin/sed -E -i .bak 1s/^(#.*)$/\1\ auth sufficient pam_tid.so/ /etc/pam.d/sudo
info 17:29:18.731118-0400 kernel sandboxd rejected approval request from sed for kTCCServiceSystemPolicySysAdminFiles (/private/etc/pam.d/.!94543!sudo): denied
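The first log line above shows what the service actually runs as root: a sed that inserts `auth sufficient pam_tid.so` after the first line of /etc/pam.d/sudo when that line is a comment. The following shell example is added here for illustration and is not the sudo-touchid project's own script: it performs the same edit on whatever file path you hand it, so it can be exercised on a scratch copy rather than the real PAM file, refuses to add the line twice, and reports when line 1 is not a comment (the case where the original sed silently changes nothing). The sample file contents and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the sudo-touchid project. Reproduces the edit
# the logged sed command makes to /etc/pam.d/sudo, on a file path you pass in.

# Constructed stand-in for a stock /etc/pam.d/sudo (assumed contents; the
# real file on a given macOS release may differ).
write_sample_pam_sudo() {
  cat > "$1" <<'EOF'
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
EOF
}

# Number of lines in the file that reference pam_tid.so (prints 0 when none).
count_pam_tid() {
  grep -c 'pam_tid\.so' "$1" || true
}

# Line number of the first pam_tid.so entry, or empty output if absent.
pam_tid_line_number() {
  grep -n 'pam_tid\.so' "$1" | head -n 1 | cut -d: -f1
}

# Insert "auth sufficient pam_tid.so" directly after line 1 when line 1 is a
# comment, mirroring the logged sed -E '1s/^(#.*)$/\1<newline>.../'.
# Differences from the raw sed: it is idempotent, it writes through a temp
# file instead of sed -i (whose syntax differs between BSD and GNU sed), it
# keeps the target's inode and mode by cat-ing over it, and it fails loudly
# when line 1 is not a comment and nothing was inserted.
add_pam_tid() {
  file=$1
  if [ "$(count_pam_tid "$file")" -gt 0 ]; then
    return 0
  fi
  tmp=$(mktemp)
  sed -E '1s/^(#.*)$/\1\
auth       sufficient     pam_tid.so/' "$file" > "$tmp"
  cat "$tmp" > "$file"
  rm -f "$tmp"
  if [ "$(count_pam_tid "$file")" -eq 0 ]; then
    echo "add_pam_tid: line 1 of $file is not a comment; nothing inserted" >&2
    return 1
  fi
}
```

Run it against a copy first (for example `cp /etc/pam.d/sudo /tmp/sudo.pam && add_pam_tid /tmp/sudo.pam`) and diff the result; the service in the log writes the real file as root, and the pam_tid line only has the intended effect when it precedes the other `auth` entries, which is why the edit is pinned to the line after the leading comment.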

artginzburg commented 1 year ago

Hell. I don't get this error in 12.6. I wonder how to reproduce it.

Do you receive the same error if you try running the command manually?

deviantintegral commented 1 year ago

No, I don't get the error when running in an iTerm window.

I tested logging out and back in just in case there was some issue with the new launchagent and sandboxing, but no luck there.

artginzburg commented 1 year ago

By quickly googling ("macos kernel sandboxd rejected approval request"), I found possible solutions, like giving Full Disk Access to the script. Another idea is to try adding the --no-quarantine flag to the brew install command.

I can't test whether this fixes the issue since I can't reproduce the error, even though SIP is enabled on my system.

Also, you may check the "Allow apps downloaded from" setting in System Preferences > Security & Privacy > General.

pointum commented 1 year ago

@deviantintegral Try this Terminal command to reset relevant permissions:

tccutil reset SystemPolicySysAdminFiles

deviantintegral commented 1 year ago

> --no-quarantine flag

No luck here, or with granting full disk access.

> Also, you may check the "Allow apps downloaded from" setting in System Preferences > Security & Privacy > General.

This is set to App Store and Identified Developers.

> tccutil

TIL'ed! It figures its man page is spartan. This reset correctly, but I still get the above error.

On restart, I took a deeper look at the console logs: https://gist.github.com/deviantintegral/9be33c288ed98e23572c305840d2e354

I wonder if this error is causing stricter sandboxing? I'm not sure exactly what signature it's referring to though, given this is a shell script:

debug 09:20:00.863368-0400 syspolicyd signatures didn't match: 1647255843, 1647275625, /usr/local/Cellar/sudo-touchid/0.4/bin/sudo-touchid