Open gzm55 opened 1 year ago
This is the way.
Now that Sonoma is out with sudo_local (#18), it seems pointless to implement this. @gzm55 do you think it's still relevant?
sudo_local is almost the way in this issue; the latest /etc/pam/sudo contains the line as the first auth line:

auth include sudo_local

For the newer OS (>=14), we should create/edit the /etc/pam/sudo_local (a fixed magic path) to enable all the plugins (tid, pam_reattach, etc.) we need, without any include lines.

In the sudoers part on the newer OS, we don't need to enable another pam_service, but we had better keep the restore commands using a safe pam_service and NOPASSWD to disable a bad /etc/pam/sudo_local.
+1 to this. The first thing that came into mind when comparing this method vs. sudo_local was the lack of a safe recovery mechanism.
But this would still be the right way on pre-Sonoma machines. Maybe change it to /etc/pam.d/sudo_local instead of /etc/pam.d/my-sudo so that it's ready for Sonoma+(?)
Also, it would have been nice if "pam_reattach" and "pam_watchid" could somehow be chosen as an option during install, instead of having to manually add that too. Wishful thinking on my part.
> But this would still be the right way on pre-Sonoma machines. Maybe change it to /etc/pam.d/sudo_local instead of /etc/pam.d/my-sudo so that it's ready for Sonoma+(?)

The hard part for pre-Sonoma is that the OS will be upgraded to Sonoma, and the include direction needs to be reversed after upgrading:
I'm afraid the cyclic includes of sudo and sudo_local would introduce some trouble.
Using a custom sudoers.d file and a pam.d conf, we can set up Touch ID auth for sudo with additional features:
.plist
files /etc/pam.d/sudo
, then the Touch ID function still works after system upgrading

When installing, the script should generate two files:

/etc/sudoers.d/50-pam-service, with the content like this:

/etc/pam.d/my-sudo, with the content like this:

We can add more sudo auth features in /etc/pam.d/my-sudo. When it fails, the user with name {admin-user-name} can quickly restore the default sudo auth method by running
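The two-file layout the issue describes (a custom pam_service plus a NOPASSWD restore entry), the sudo_local variant for macOS 14+, and a check for the include loop feared in the reply about upgrading, as an added shell example that is not part of this thread or of the project it belongs to. The service name my-sudo, the file names, the pam_reattach/pam_tid module lines, the Cmnd_Alias name, the admin user and the rm-based restore command are all assumptions modelled on the thread; the script writes into a staging directory, never into /etc.

```shell
#!/bin/sh
# Added example for this thread, not code from the issue or from the project
# it belongs to. It renders the files the issue describes into a staging
# directory (never straight into /etc) so they can be reviewed first:
#   macOS <= 13: /etc/pam.d/my-sudo + /etc/sudoers.d/50-pam-service
#   macOS >= 14: /etc/pam.d/sudo_local only (already included by /etc/pam.d/sudo)
# The service name "my-sudo", the file names, the module list and the exact
# restore command are assumptions modelled on the thread, not project choices.
set -eu

# Touch ID auth lines shared by both layouts. $1 = "reattach" also loads
# pam_reattach.so (assumed installed separately); it must precede pam_tid.so.
render_auth_lines() {
    [ "${1:-}" = reattach ] && echo 'auth       optional       pam_reattach.so'
    echo 'auth       sufficient     pam_tid.so'
}

# Pre-Sonoma: a separate PAM service that includes the stock "sudo" stack, so
# Apple's /etc/pam.d/sudo is never edited and the setup survives OS upgrades.
# If Touch ID fails or is cancelled, "sufficient" falls through to the
# included password prompt.
render_my_sudo() {
    echo '# my-sudo: custom sudo PAM stack (assumed layout)'
    render_auth_lines "${1:-}"
    cat <<'EOF'
auth       include        sudo
account    include        sudo
password   include        sudo
session    include        sudo
EOF
}

# sudoers drop-in. $1 = admin user allowed to run the recovery command.
# The recovery entry authenticates through the stock "sudo" service and needs
# no password, so a broken my-sudo can always be switched off again.
render_sudoers() {
    cat <<EOF
# 50-pam-service (assumed content): route sudo through the my-sudo PAM stack
Defaults pam_service=my-sudo

# Escape hatch: restore the default sudo auth method with
#   sudo /bin/rm -f /etc/sudoers.d/50-pam-service
Cmnd_Alias RESTORE_SUDO_AUTH = /bin/rm -f /etc/sudoers.d/50-pam-service
Defaults!RESTORE_SUDO_AUTH pam_service=sudo
$1 ALL=(root) NOPASSWD: RESTORE_SUDO_AUTH
EOF
}

# Write the layout for one macOS major version under a staging root.
# $1 staging root, $2 macOS major version, $3 admin user, $4 "reattach" or empty
stage_install() {
    mkdir -p "$1/etc/pam.d"
    if [ "$2" -ge 14 ]; then
        render_auth_lines "${4:-}" > "$1/etc/pam.d/sudo_local"
    else
        mkdir -p "$1/etc/sudoers.d"
        render_my_sudo "${4:-}" > "$1/etc/pam.d/my-sudo"
        render_sudoers "$3" > "$1/etc/sudoers.d/50-pam-service"
        chmod 0440 "$1/etc/sudoers.d/50-pam-service"   # the mode sudo expects
    fi
}

# Guard against the include loop feared in the thread (sudo -> sudo_local ->
# sudo after an upgrade): follow "<facility> include <service>" lines from a
# service and return 1 if any service reappears on the current chain.
# $1 pam.d directory, $2 starting service, $3 chain visited so far (internal)
pam_include_cycle() {
    case " ${3:-} " in
        *" $2 "*) echo "PAM include cycle:${3:-} $2" >&2; return 1 ;;
    esac
    [ -f "$1/$2" ] || return 0   # service absent from this tree: nothing to follow
    for _inc in $(awk '$1 !~ /^#/ && $2 == "include" { print $3 }' "$1/$2"); do
        pam_include_cycle "$1" "$_inc" "${3:-} $2" || return 1
    done
    return 0
}

# Stand-alone usage, e.g.:  stage_install ./stage 13 alice reattach
# then review ./stage/etc (and run: pam_include_cycle ./stage/etc/pam.d my-sudo)
# before copying the files into place as root with the same modes.
```

The recovery entry relies on sudo's per-command Defaults (`Defaults!Cmnd_List`) so that only the one restore command is routed through the stock service and exempted from a password; everything else still goes through my-sudo. Note that on Sonoma a comparable recovery entry should authenticate through a service that does not itself include sudo_local, since the file being disabled would otherwise be parsed by the very command meant to remove it, which is the "safe pam_service" point made in the thread.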