[feature req] use pam_service of sudoers to keep touchid after system upgrading about sudo-touchid HOT 5 OPEN

This is the way.

from sudo-touchid.

Now that Sonoma is out with sudo_local (#18), it seems pointless to implement this. @gzm55 do you think it's still relevant?

from sudo-touchid.

sudo_local is almost the way in this issue, the latest /etc/pam/sudo contains the line as the first auth line:

auth       include        sudo_local

For the newer OS (>=14), we should create/edit the /etc/pam/sudo_local (a fixed magic path) to enable all the plugins (tid, pam_reattach, etc.) we needed without any include lines.

In the sudoers part on the newer OS, we don't need to enable another pam_service, but we should better keep the restore commands using a safe pam_service and NOPASSWD to disable a bad /etc/pam/sudo_local.

from sudo-touchid.

+1 to this. The first thing that came into mind when comparing this method vs. sudo_local was the lack of a safe recovery mechanism.

But this would still be the right way on pre-sonoma machines. Maybe change it to /etc/pam.d/sudo_local instead of /etc/pam.d/my-sudo so that its ready for Sonoma+(?)

Also, it would have been nice if "pam_reattach" and "pam_watchid" could somehow be chosen as an option during install, instead of having to manually add that too. Wishful thinking on my part.

from sudo-touchid.

But this would still be the right way on pre-sonoma machines. Maybe change it to /etc/pam.d/sudo_local instead of /etc/pam.d/my-sudo so that its ready for Sonoma+(?)

The hard part for pre-sonoma is that the OS will be upgrade to sonoma, and the include direction need to be reversed after upgrading:

• on osx 13: /etc/pam.d/my-sudo include lines from /etc/pam.d/sudo
• on osx 14: /etc/pam.d/sudo include lines from /etc/pam.d/sudo_local

I'm afraid the cycling includes of sudo and sudo_local would introduce some troubles.

from sudo-touchid.