artginzburg / sudo-touchid
Permanent TouchID support 👆 for `sudo`.
Home Page: https://git.io/sudotouchid
License: Eclipse Public License 2.0
Apple seems to have added a way for Touch ID to be enabled permanently in Sonoma:
https://www.idownloadblog.com/2023/08/24/touch-id-sudo-command-terminal-tutorial/
Should this be incorporated into this tool?
We may want to look at https://circleci.com/docs/2.0/testing-macos/
❯ sudo brew services start sudo-touchid
Error: Running Homebrew as root is extremely dangerous and no longer supported.
As Homebrew does not drop privileges on installation you would be giving all
build scripts full access to your system.
Error: Failure while executing; `/opt/homebrew/bin/brew tap homebrew/services` exited with 1.
❯ brew config
HOMEBREW_VERSION: 3.6.7
ORIGIN: https://github.com/Homebrew/brew
HEAD: 6a7eac25e167a1eb2d49e13c8cc530a3188af995
Last commit: 8 days ago
Core tap ORIGIN: https://github.com/Homebrew/homebrew-core
Core tap HEAD: 9345e061435f18a91437cc5a3db34a90acbb9f1b
Core tap last commit: 66 minutes ago
Core tap branch: master
HOMEBREW_PREFIX: /opt/homebrew
HOMEBREW_CASK_OPTS: []
HOMEBREW_MAKE_JOBS: 8
Homebrew Ruby: 2.6.10 => /System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/bin/ruby
CPU: octa-core 64-bit arm_firestorm_icestorm
Clang: 14.0.0 build 1400
Git: 2.37.1 => /Library/Developer/CommandLineTools/usr/bin/git
Curl: 7.84.0 => /usr/bin/curl
macOS: 13.0-arm64
CLT: 14.1.0.0.1.1666437224
Xcode: N/A
Rosetta 2: false
This worked for me until some point recently, possibly due to an OS upgrade. I upgraded the package to see if that would fix things:
❯ brew install artginzburg/tap/sudo-touchid
Running `brew update --preinstall`...
==> Auto-updated Homebrew!
Updated 3 taps (homebrew/core, homebrew/cask and homebrew/services).
<snip>
sudo-touchid 0.2 is already installed but outdated (so it will be upgraded).
==> Downloading https://github.com/artginzburg/sudo-touchid/releases/download/0.3/sudo-touchid.sh
==> Downloading from https://objects.githubusercontent.com/github-production-release-asset-2e65be/389117398/ee
######################################################################## 100.0%
==> Upgrading artginzburg/tap/sudo-touchid
0.2 -> 0.3
==> Caveats
To restart artginzburg/tap/sudo-touchid after an upgrade:
sudo brew services restart artginzburg/tap/sudo-touchid
Or, if you don't want/need a background service you can just run:
/opt/homebrew/opt/sudo-touchid/bin/sudo-touchid
==> Summary
🍺 /opt/homebrew/Cellar/sudo-touchid/0.3: 5 files, 4.5KB, built in 1 second
==> Running `brew cleanup sudo-touchid`...
Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).
Removing: /opt/homebrew/Cellar/sudo-touchid/0.2... (5 files, 3.4KB)
Warning: Directory not empty @ dir_s_rmdir - /opt/homebrew/Cellar/sudo-touchid/0.2
❯ sudo brew services start sudo-touchid
Password:
Warning: Taking root:admin ownership of some sudo-touchid paths:
/opt/homebrew/Cellar/sudo-touchid/0.3/bin
/opt/homebrew/Cellar/sudo-touchid/0.3/bin/sudo-touchid
/opt/homebrew/opt/sudo-touchid
/opt/homebrew/opt/sudo-touchid/bin
/opt/homebrew/var/homebrew/linked/sudo-touchid
This will require manual removal of these paths using `sudo rm` on
brew upgrade/reinstall/uninstall.
/Library/LaunchDaemons/homebrew.mxcl.sudo-touchid.plist: service already bootstrapped
Bootstrap failed: 37: Operation already in progress
Error: Failure while executing; `/bin/launchctl bootstrap system /Library/LaunchDaemons/homebrew.mxcl.sudo-touchid.plist` exited with 37.
❯ sudo brew services stop sudo-touchid
Stopping `sudo-touchid`... (might take a while)
==> Successfully stopped `sudo-touchid` (label: homebrew.mxcl.sudo-touchid)
❯ sudo brew services start sudo-touchid
Warning: Taking root:admin ownership of some sudo-touchid paths:
/opt/homebrew/Cellar/sudo-touchid/0.3/bin
/opt/homebrew/Cellar/sudo-touchid/0.3/bin/sudo-touchid
/opt/homebrew/opt/sudo-touchid
/opt/homebrew/opt/sudo-touchid/bin
/opt/homebrew/var/homebrew/linked/sudo-touchid
This will require manual removal of these paths using `sudo rm` on
brew upgrade/reinstall/uninstall.
==> Successfully started `sudo-touchid` (label: homebrew.mxcl.sudo-touchid)
After the above, sudo still requires my password. It appears the script has not changed the files in the expected ways:
❯ cat /etc/pam.d/sudo
# sudo: auth account password session
auth sufficient pam_smartcard.so
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
❯ cat /etc/pam.d/sudo.bak
2022/02/16 11:03:31 open /etc/pam.d/sudo.bak: no such file or directory
I tried uninstalling via brew (requiring manually removing /opt/homebrew/Cellar/sudo-touchid/{0.2,0.3}) but it's the same result.
Manually running /opt/homebrew/opt/sudo-touchid/bin/sudo-touchid fixes the issue.
Following the README.md, I end up with
Bootstrap failed: 5: Input/output error
Error: Failure while executing; `/bin/launchctl bootstrap system /Library/LaunchDaemons/homebrew.mxcl.sudo-touchid.plist` exited with 5.
Using a custom sudoers.d file and a pam.d conf, we can set up Touch ID auth for sudo with additional features: no `.plist` files, and no changes to `/etc/pam.d/sudo`, so the Touch ID function still works after system upgrading.

When installing, the script should generate two files:

/etc/sudoers.d/50-pam-service, with content like this:

Cmnd_Alias PAM_RESTORE=/bin/rm -f /etc/sudoers.d/50-pam-service
Cmnd_Alias PAM_UNINSTALL=/bin/rm -f /etc/sudoers.d/50-pam-service /etc/pam.d/my-sudo
# make the restore and uninstall commands still use the system sudo profile
Defaults!PAM_RESTORE,PAM_UNINSTALL pam_service = sudo
# the restore command does not require a password, so we can restore as long as sudo can find the sudo PAM profile
# the {admin-user-name} should be replaced with a real user name
"{admin-user-name}" ALL=(ALL) NOPASSWD: PAM_RESTORE
# use the custom pam_service for all users
Defaults pam_service = my-sudo
# use the custom pam_service for specific users
# the {admin-user-name} should be replaced with a real user name
#Defaults:"{admin-user-name}" pam_service = my-sudo

/etc/pam.d/my-sudo, with content like this:

# reattach to the user GUI session: https://github.com/fabianishere/pam_reattach
# remove the following line if pam_reattach is not installed; the installing script has to detect the absolute path of pam_reattach.so
auth optional /opt/homebrew/lib/pam/pam_reattach.so
# auth via Touch ID: https://github.com/artginzburg/sudo-touchid
auth sufficient pam_tid.so
# include the system sudo policy
auth include sudo
account include sudo
password include sudo
session include sudo

We can add more sudo auth features in /etc/pam.d/my-sudo. When it fails, the user with name {admin-user-name} can quickly restore the default sudo auth method by running:

sudo /bin/rm -f /etc/sudoers.d/50-pam-service
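The two-file layout proposed above can be rendered and reviewed before anything is put under /etc. The script below is an added example, not the project's installer or the commenter's code: it substitutes the admin user name, emits the pam_reattach line only when the module is actually present (the path detection the proposal asks for), writes both files with the modes sudo and PAM expect, and runs `visudo -c -f` when visudo is available. Assumptions: the admin user is passed as the first argument; an optional ROOT variable is prefixed to every path so the output can go to a scratch tree; pam_reattach.so is looked for only under the two Homebrew prefixes.

```shell
#!/bin/sh
# Added example (not sudo-touchid's own script). Renders the proposed
# /etc/sudoers.d/50-pam-service and /etc/pam.d/my-sudo into $ROOT (default
# empty, i.e. the real /) so they can be inspected before installation.
ROOT="${ROOT:-}"

# Print the absolute path of pam_reattach.so if installed in a Homebrew
# prefix, otherwise print nothing and fail (assumed search locations).
find_pam_reattach() {
  for d in /opt/homebrew/lib/pam /usr/local/lib/pam; do
    if [ -f "$ROOT$d/pam_reattach.so" ]; then
      printf '%s\n' "$d/pam_reattach.so"
      return 0
    fi
  done
  return 1
}

# sudoers fragment with $1 substituted for {admin-user-name}.
render_sudoers() {
  cat <<EOF
Cmnd_Alias PAM_RESTORE=/bin/rm -f /etc/sudoers.d/50-pam-service
Cmnd_Alias PAM_UNINSTALL=/bin/rm -f /etc/sudoers.d/50-pam-service /etc/pam.d/my-sudo
# restore and uninstall keep using the stock sudo PAM profile
Defaults!PAM_RESTORE,PAM_UNINSTALL pam_service = sudo
# restore needs no password, so a broken my-sudo profile can always be rolled back
"$1" ALL=(ALL) NOPASSWD: PAM_RESTORE
# everyone authenticates through the custom profile
Defaults pam_service = my-sudo
EOF
}

# PAM profile; the pam_reattach line is emitted only when the module exists.
render_pam() {
  if reattach=$(find_pam_reattach); then
    printf 'auth       optional       %s\n' "$reattach"
  fi
  cat <<'EOF'
auth       sufficient     pam_tid.so
auth       include        sudo
account    include        sudo
password   include        sudo
session    include        sudo
EOF
}

# Write both files; sudoers.d entries must be 0440 or sudo ignores them.
write_files() {
  user=$1
  mkdir -p "$ROOT/etc/sudoers.d" "$ROOT/etc/pam.d"
  render_sudoers "$user" > "$ROOT/etc/sudoers.d/50-pam-service"
  chmod 0440 "$ROOT/etc/sudoers.d/50-pam-service"
  render_pam > "$ROOT/etc/pam.d/my-sudo"
  chmod 0644 "$ROOT/etc/pam.d/my-sudo"
}

# Syntax-check the rendered sudoers fragment when visudo is available.
check_sudoers() {
  command -v visudo >/dev/null 2>&1 || { echo "visudo not found, skipping check"; return 0; }
  visudo -c -f "$ROOT/etc/sudoers.d/50-pam-service"
}

# Usage: ROOT=/tmp/stage sh render-pam-service.sh alice
if [ -n "$1" ]; then
  write_files "$1" && check_sudoers
fi
```

Rendering into a staging ROOT first matters because the sudoers line is what makes the whole thing recoverable: once `Defaults pam_service = my-sudo` is live, a typo in my-sudo locks every user out of sudo except through the NOPASSWD restore rule.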
As the title says, inside tmux I'm still prompted with Password: instead of having the TouchID window show up.
Hi,
Thanks for your work.
On my device, your great program doesn't work anymore. I am on an Apple Silicon Mac, and I have done the install with Homebrew.
I tried running sudo say "Hello World" and it would go to the enter-password prompt without showing any Touch ID.
I was somewhat expecting, that the Apple Watch uses the same API as Touch ID, but it doesn't seem to be the case. So, I was wondering if double-tapping the Apple Watch's button could be added in a future version. Or do you see this feature request out of scope for your project?
I just installed this via homebrew, and it appears sandboxing is preventing sed from editing /private/etc/pam.d/sudo. I get the following in the console when running sudo brew services start sudo-touchid:
default 17:29:18.707309-0400 sudo root : PWD=/ ; USER=root ; COMMAND=/usr/bin/sed -E -i .bak 1s/^(#.*)$/\1
auth sufficient pam_tid.so/ /etc/pam.d/sudo
info 17:29:18.731118-0400 kernel sandboxd rejected approval request from sed for kTCCServiceSystemPolicySysAdminFiles (/private/etc/pam.d/.!94543!sudo): denied
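Two of the reports above (the upgrade where "sudo still requires my password" with no sudo.bak on disk, and the sandbox denial of the sed edit) come down to the same question: did the one-line change to the PAM profile actually land, and is it still there? The script below is an added example, not sudo-touchid.sh itself: it performs the same edit the installer's sed does (an `auth sufficient pam_tid.so` rule ahead of the existing auth rules) but idempotently, writing through a temp file and `mv` rather than `sed -i` so BSD and GNU sed differences do not matter, and it adds a verification step that fails when the rule is missing, duplicated, or no longer first, which is what an OS upgrade that rewrites /etc/pam.d/sudo looks like. Assumptions: the profile path is passed as an argument (point it at a copy, not the live file, when experimenting); the stock profile embedded for testing is constructed from the macOS 13 one quoted earlier on this page.

```shell
#!/bin/sh
# Added example (not the project's sudo-touchid.sh): idempotent insertion and
# verification of the pam_tid.so rule in a sudo PAM profile given as $1.

TID_LINE='auth       sufficient     pam_tid.so'

# Write a constructed copy of the stock /etc/pam.d/sudo (macOS 13) to $1.
write_stock_profile() {
  cat > "$1" <<'EOF'
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
EOF
}

# 0 if an active (uncommented) pam_tid.so auth rule is present, 1 otherwise.
pam_has_tid() {
  grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so' "$1"
}

# Number of active pam_tid.so rules; anything but 0 or 1 means a botched edit.
pam_tid_count() {
  grep -Ec '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so' "$1" || true
}

# Insert the rule ahead of the first auth line so Touch ID is tried first (the
# same position the installer's sed gives it in the stock file). No-op when the
# rule already exists; the file is replaced atomically via temp file + mv.
pam_insert_tid() {
  file=$1
  pam_has_tid "$file" && return 0
  tmp="$file.tmp.$$"
  awk -v line="$TID_LINE" '
    !done && /^[[:space:]]*auth[[:space:]]/ { print line; done = 1 }
    { print }
    END { if (!done) print line }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# 0 only if exactly one pam_tid.so rule exists and it precedes every other auth
# rule; a profile rewritten by a system upgrade fails this check.
pam_verify_tid() {
  [ "$(pam_tid_count "$1")" -eq 1 ] || return 1
  awk '/^[[:space:]]*auth[[:space:]]/ { exit ($0 ~ /pam_tid\.so/) ? 0 : 1 }' "$1"
}

# Usage: sh pam-tid.sh /path/to/copy-of-sudo-profile
if [ -n "$1" ]; then
  pam_insert_tid "$1" && pam_verify_tid "$1" && echo "pam_tid.so active in $1"
fi
```

Run `pam_verify_tid` on the live profile after any macOS update and you get a yes/no answer instead of discovering the regression at the next password prompt; under a launch daemon the insert step is still subject to the TCC denial shown in the console log, so a failed verification after a "successful" service start is the signal to run the edit from an interactive session instead.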