
The goal is to allow TouchID to be used for the sudo command instead of the password. This can be achieved by adding the line auth sufficient pam_tid.so to the file /etc/pam.d/sudo.

The problem is that macOS resets any changes to this file after every update, so I decided to automate this task with Automator.app using AppleScript and then run the created application on login.

AppleScript is needed to allow administrator access to the /etc/pam.d/sudo file (if you edited it by hand, you would have to use sudo vim instead of vim, for example).

So my code looks something like this:

property SudoPath : "/etc/pam.d/sudo"
property TIDLine : "auth       sufficient     pam_tid.so"
property CustomPrompt : "Allow TouchID to authenticate you for sudo access"

if (do shell script ("grep -q pam_tid.so " & SudoPath & " && echo 'true' || echo 'false'")) is equal to "false" then
    do shell script ("sudo sed -i '' '1i\\'$''\\n'" & TIDLine & "'" & SudoPath) with prompt CustomPrompt with administrator privileges
end if

It checks if the line is already there and if it is not, then it should insert the line into the file. It should be above the line containing pam_smartcard.so, but that proved to be too difficult so I opted to insert it at the first line.

My script crashes with the error sed: 1: "1i\nauth sufficie ...": extra characters after \ at the end of i command, which I think is related to the \n character in the code, but if I remove the second backslash it is changed into an invisible end of line during compilation. Also, I don't really know which characters need to be escaped and how.

There also seem to be some further issues with macOS Monterey, because even if the sed command is right, the script ends with the error /bin/sh: /etc/pam.d/sudo: Operation not permitted, which wasn't showing up in Big Sur.

Thanks for any help.

Update:

So I solved the end-of-line issues by using GNU sed (installed via Homebrew) and tried to allow Automator and the gsed command Full Disk Access in the Preferences. Now I am getting

Syntax Error: /usr/local/bin/gsed: couldn't open temporary file /etc/pam.d/sedNyxhvU: Operation not permitted

property GnuSedPath : "/usr/local/bin/gsed"
property SudoPath : "/etc/pam.d/sudo"
property TIDLine : "auth       sufficient     pam_tid.so"
property CustomPrompt : "Allow TouchID to authenticate you for sudo access"

if (do shell script ("grep -q pam_tid.so " & SudoPath & " && echo 'true' || echo 'false'")) is equal to "false" then
    do shell script ("sudo " & GnuSedPath & " -i '2i " & TIDLine & "' " & SudoPath) with prompt CustomPrompt with administrator privileges
end if
MrKew

1 Answer


Similar issue. I've been using patch as a tool to add the lines to /etc/pam.d/sudo. Having upgraded to macOS 12.4, I got the same error as you, Operation not permitted, due to /etc/pam.d/sudo not being writeable.

I was running the patch command in a terminal (iTerm). The issue was fixed by allowing "Full disk access" to iTerm.

Perhaps your issue would be solved by allowing Automator "Full disk access" (under System Preferences -> Security & Privacy -> (the tab) Integrity)?

krissen
  • Great idea, but sadly it did not help. I tried to allow Full Disk Access for Automator and the sed shell command, but it crashed anyway, because of not having permissions to edit some temporary file in pam.d/ – MrKew Oct 16 '22 at 10:02
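As an added example (not the code of MrKew or krissen), here is the same check-and-insert step written in plain shell: it builds the new file contents in $TMPDIR and writes them back over the existing file with cat, so no temporary file is ever created inside /etc/pam.d (the step that failed in the update and in the last comment), and it places the line above the first pam_smartcard.so line as the question originally wanted, falling back to the first line when no such line exists. The file path is a parameter so the function can be exercised on a copy first; TID_LINE, has_tid_line and add_tid_line are names chosen here. Whether the final write succeeds on Monterey still depends on the access granted to the calling process.

```shell
#!/bin/sh
# Idempotently add the pam_tid.so line to a PAM config file (example code).
# The updated contents are assembled in $TMPDIR rather than with sed -i, so
# the only write inside /etc/pam.d is to the already existing target file.

TID_LINE='auth       sufficient     pam_tid.so'

# has_tid_line FILE -> exit 0 if pam_tid.so is already present in FILE
has_tid_line() {
    grep -q 'pam_tid\.so' "$1"
}

# add_tid_line FILE -> 0 if the line was inserted, 1 if it was already there,
#                      2 if a temporary file could not be created
add_tid_line() {
    file=$1
    if has_tid_line "$file"; then
        return 1
    fi
    tmp=$(mktemp "${TMPDIR:-/tmp}/pam_sudo.XXXXXX") || return 2
    if grep -q 'pam_smartcard\.so' "$file"; then
        # Insert the line directly above the first pam_smartcard.so line.
        awk -v line="$TID_LINE" '
            !done && /pam_smartcard\.so/ { print line; done = 1 }
            { print }
        ' "$file" > "$tmp"
    else
        # No smartcard line: put it at the very top, as the question did.
        { printf '%s\n' "$TID_LINE"; cat "$file"; } > "$tmp"
    fi
    # Overwrite in place (keeps the file's owner and 444 mode); no new file
    # is created in the target directory.
    cat "$tmp" > "$file"
    status=$?
    rm -f "$tmp"
    return $status
}

# Usage: sudo ./add_tid.sh /etc/pam.d/sudo  (only acts when a path is given)
if [ $# -gt 0 ]; then
    add_tid_line "$1" && echo "inserted pam_tid.so line into $1"
fi
```

Run it on a copy of /etc/pam.d/sudo first to confirm the resulting order of the auth lines before pointing it at the real file.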