pam-watchid

Doesn't work on new macOS Big Sur

Open AlexDrBanana opened this issue 4 years ago • 16 comments

This PAM module doesn't seem to work with the new macOS Big Sur any more.

Jul 09 '20 09:07 AlexDrBanana

Same problem

Jul 11 '20 14:07 newdev8

Library Validation failed: Rejecting '/usr/local/lib/pam/pam_watchid.so.2' (Team ID: none, platform: no) for process 'sudo(54344)' (Team ID: none, platform: yes), reason: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.

Okay, so it needs to be signed on Big Sur. Also keep in mind the target for an x64 system is "x86_64-apple-macosx10.16"; at least that's true for dev beta 2.

Jul 12 '20 09:07 jankytay

@jankytay How did you obtain the more detailed error message? I'm attempting to sign my version of this but I can't get the more detailed output at present.

Jul 27 '20 12:07 rblenkinsopp

Even after signing with --options=library the error message becomes:

Library Validation failed: Rejecting '/usr/local/lib/pam/pam_watchid.so' (Team ID: T6RHPHE4L3, platform: no) for process 'sudo(16521)' (Team ID: none, platform: yes), reason: mapping process is a platform binary, but mapped file is not

From what I've been able to find, this is the result of a security move from Apple that prevents system components from loading plugins that are not system components, regardless of signature validity.

Jul 30 '20 18:07 rmoats

Compiled and works fine for me. macOS 11.0 DP3 Build 20A5323l

Jul 30 '20 19:07 scordinskyc

I can confirm that this seems to be resolved in macOS 11.0 DP3 Build 20A5323l for me as well - no changes and a completely unsigned .so

Jul 31 '20 13:07 rblenkinsopp

> Even after signing with --options=library the error message becomes:
>
> Library Validation failed: Rejecting '/usr/local/lib/pam/pam_watchid.so' (Team ID: T6RHPHE4L3, platform: no) for process 'sudo(16521)' (Team ID: none, platform: yes), reason: mapping process is a platform binary, but mapped file is not
>
> From what I've been able to find, this is the result of a security move from Apple that prevents system components from loading plugins that are not system components, regardless of signature validity.

I should mention that my recent struggles with this are on Catalina (10.15.6), definitely caused by a very recent (within the last week?) update, as I have been using pam_watchid daily for a month or more. Hopefully this breakage is actually being reverted in Big Sur on purpose.

Aug 01 '20 10:08 rmoats

I'm also using it on the latest macOS Catalina version 10.15.6 and it does work for me.

Aug 01 '20 14:08 newdev8

@scordinskyc @rblenkinsopp

How did you guys make it work?

I'm also on macOS 11.0 Beta 3; it only works if I disable SIP...

Aug 04 '20 18:08 ghost

I just successfully configured this on Big Sur release running on Mac mini. No extra steps needed

Nov 20 '20 00:11 TimofeyK

As another data point, I just got this working on an ARM Mac mini. SIP off, no codesigning; the only change was in the Makefile: TARGET=arm64-apple-macosx11.0

Nov 23 '20 06:11 cobbal

After trying to install this, whatever arrangement of lines in the sudo file I use I get the following error when trying to use sudo:

sudo: unable to initialize PAM: No such file or directory

I'm on 11.1, so maybe Apple has protected this file further. I haven't disabled, and really don't want to disable, any security settings.

Dec 16 '20 23:12 alexclst

Works on my Intel MBP (12,1) on 11.1 (should be 20C69, don't exactly remember) (TARGET=x86_64-apple-macosx11.1) and 11.2 Beta (20D5029f) (TARGET=x86_64-apple-macosx11.2). I only modified the TARGET variable in Makefile and all default security settings were in place.

Dec 25 '20 02:12 Linus-XZX

Ditto, working here on an M1 Mac Mini by changing the Makefile target to TARGET=arm64-apple-macosx11.0

Dec 30 '20 23:12 joshpuetz

Hmm, must have screwed up the build the first try. Just tried again and it worked. This time I used the TARGET that running swift -version returned. Note that on an M1 Mac this appears to be quite a different formulation for a target than on Intel Macs.

Dec 31 '20 03:12 alexclst

I'm on Big Sur 11.1 on an M1 Mac mini, only change was TARGET=arm64-apple-darwin20.2.0 but I'm getting Killed: 9. Any advice?

Jan 19 '21 12:01 fmckeogh