Repository: artginzburg/sudo-touchid Branch: main Commit: c3e1046fdd90 Files: 14 Total size: 34.0 KB Directory structure: gitextract_pgmr0z7t/ ├── .github/ │ └── workflows/ │ └── makefile.yml ├── .gitignore ├── Brewfile ├── Brewfile.lock.json ├── LICENSE ├── Makefile ├── README.md ├── com.user.sudo-touchid.plist ├── docs/ │ └── LEGACY_MACOS.md ├── install.sh ├── res/ │ ├── icon.psd │ ├── preview.psd │ └── repository-open-graph.psd └── sudo-touchid.sh ================================================ FILE CONTENTS ================================================ ================================================ FILE: .github/workflows/makefile.yml ================================================ name: Makefile CI on: - push - pull_request jobs: test: runs-on: macos-latest steps: - name: Checkout 🛎️ uses: actions/checkout@v3 with: fetch-depth: 1 - name: Install dependencies run: make - name: Run check run: make check ================================================ FILE: .gitignore ================================================ .DS_Store ================================================ FILE: Brewfile ================================================ brew "shellcheck" ================================================ FILE: Brewfile.lock.json ================================================ { "entries": { "brew": { "shellcheck": { "version": "0.8.0", "bottle": { "rebuild": 0, "root_url": "https://ghcr.io/v2/homebrew/core", "files": { "arm64_monterey": { "cellar": ":any_skip_relocation", "url": "https://ghcr.io/v2/homebrew/core/shellcheck/blobs/sha256:625466bcd245a36da12ee088877d582c7e9fec1622418d1165a7d7d8f204ecc3", "sha256": "625466bcd245a36da12ee088877d582c7e9fec1622418d1165a7d7d8f204ecc3" }, "arm64_big_sur": { "cellar": ":any_skip_relocation", "url": "https://ghcr.io/v2/homebrew/core/shellcheck/blobs/sha256:883ba5ee45554568cd1ce106dc6c090ec0745f576a4a6708332de951b03c7423", "sha256": "883ba5ee45554568cd1ce106dc6c090ec0745f576a4a6708332de951b03c7423" }, "monterey": { 
"cellar": ":any_skip_relocation", "url": "https://ghcr.io/v2/homebrew/core/shellcheck/blobs/sha256:cfd8c8e8d8927dfd4b83593f539690a6083b075b0a1ff8a66578e8bb810d3db9", "sha256": "cfd8c8e8d8927dfd4b83593f539690a6083b075b0a1ff8a66578e8bb810d3db9" }, "big_sur": { "cellar": ":any_skip_relocation", "url": "https://ghcr.io/v2/homebrew/core/shellcheck/blobs/sha256:d88edc1ae7db555ec5da01d4a1272da8260eb62073d2cdfa5fa3dce37d51fbe6", "sha256": "d88edc1ae7db555ec5da01d4a1272da8260eb62073d2cdfa5fa3dce37d51fbe6" }, "catalina": { "cellar": ":any_skip_relocation", "url": "https://ghcr.io/v2/homebrew/core/shellcheck/blobs/sha256:24a67cd4f2b66a02cb77a1c705d7dcf25b4410209435a0b1136398da1fa6f766", "sha256": "24a67cd4f2b66a02cb77a1c705d7dcf25b4410209435a0b1136398da1fa6f766" }, "x86_64_linux": { "cellar": ":any_skip_relocation", "url": "https://ghcr.io/v2/homebrew/core/shellcheck/blobs/sha256:961b2f3d75cf86dd5bc767cf689eee8f8e88bb30d716cf208b4bb89d61e5a553", "sha256": "961b2f3d75cf86dd5bc767cf689eee8f8e88bb30d716cf208b4bb89d61e5a553" } } } } } }, "system": { "macos": { "big_sur": { "HOMEBREW_VERSION": "3.4.2", "HOMEBREW_PREFIX": "/usr/local", "Homebrew/homebrew-core": "c746b78fadadd6573727169a48868826b880f80f", "CLT": "13.2.0.0.1.1638488800", "Xcode": "13.2.1", "macOS": "11.6.2" } } } } ================================================ FILE: LICENSE ================================================ Eclipse Public License - v 2.0 THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE PUBLIC LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT. 1. DEFINITIONS "Contribution" means: a) in the case of the initial Contributor, the initial content Distributed under this Agreement, and b) in the case of each subsequent Contributor: i) changes to the Program, and ii) additions to the Program; where such changes and/or additions to the Program originate from and are Distributed by that particular Contributor. 
A Contribution "originates" from a Contributor if it was added to the Program by such Contributor itself or anyone acting on such Contributor's behalf. Contributions do not include changes or additions to the Program that are not Modified Works. "Contributor" means any person or entity that Distributes the Program. "Licensed Patents" mean patent claims licensable by a Contributor which are necessarily infringed by the use or sale of its Contribution alone or when combined with the Program. "Program" means the Contributions Distributed in accordance with this Agreement. "Recipient" means anyone who receives the Program under this Agreement or any Secondary License (as applicable), including Contributors. "Derivative Works" shall mean any work, whether in Source Code or other form, that is based on (or derived from) the Program and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. "Modified Works" shall mean any work in Source Code or other form that results from an addition to, deletion from, or modification of the contents of the Program, including, for purposes of clarity any new file in Source Code form that contains any contents of the Program. Modified Works shall not include works that contain only declarations, interfaces, types, classes, structures, or files of the Program solely in each case in order to link to, bind by name, or subclass the Program or Modified Works thereof. "Distribute" means the acts of a) distributing or b) making available in any manner that enables the transfer of a copy. "Source Code" means the form of a Program preferred for making modifications, including but not limited to software source code, documentation source, and configuration files. 
"Secondary License" means either the GNU General Public License, Version 2.0, or any later versions of that license, including any exceptions or additional permissions as identified by the initial Contributor. 2. GRANT OF RIGHTS a) Subject to the terms of this Agreement, each Contributor hereby grants Recipient a non-exclusive, worldwide, royalty-free copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, Distribute and sublicense the Contribution of such Contributor, if any, and such Derivative Works. b) Subject to the terms of this Agreement, each Contributor hereby grants Recipient a non-exclusive, worldwide, royalty-free patent license under Licensed Patents to make, use, sell, offer to sell, import and otherwise transfer the Contribution of such Contributor, if any, in Source Code or other form. This patent license shall apply to the combination of the Contribution and the Program if, at the time the Contribution is added by the Contributor, such addition of the Contribution causes such combination to be covered by the Licensed Patents. The patent license shall not apply to any other combinations which include the Contribution. No hardware per se is licensed hereunder. c) Recipient understands that although each Contributor grants the licenses to its Contributions set forth herein, no assurances are provided by any Contributor that the Program does not infringe the patent or other intellectual property rights of any other entity. Each Contributor disclaims any liability to Recipient for claims brought by any other entity based on infringement of intellectual property rights or otherwise. As a condition to exercising the rights and licenses granted hereunder, each Recipient hereby assumes sole responsibility to secure any other intellectual property rights needed, if any. 
For example, if a third party patent license is required to allow Recipient to Distribute the Program, it is Recipient's responsibility to acquire that license before distributing the Program. d) Each Contributor represents that to its knowledge it has sufficient copyright rights in its Contribution, if any, to grant the copyright license set forth in this Agreement. e) Notwithstanding the terms of any Secondary License, no Contributor makes additional grants to any Recipient (other than those set forth in this Agreement) as a result of such Recipient's receipt of the Program under the terms of a Secondary License (if permitted under the terms of Section 3). 3. REQUIREMENTS 3.1 If a Contributor Distributes the Program in any form, then: a) the Program must also be made available as Source Code, in accordance with section 3.2, and the Contributor must accompany the Program with a statement that the Source Code for the Program is available under this Agreement, and informs Recipients how to obtain it in a reasonable manner on or through a medium customarily used for software exchange; and b) the Contributor may Distribute the Program under a license different than this Agreement, provided that such license: i) effectively disclaims on behalf of all other Contributors all warranties and conditions, express and implied, including warranties or conditions of title and non-infringement, and implied warranties or conditions of merchantability and fitness for a particular purpose; ii) effectively excludes on behalf of all other Contributors all liability for damages, including direct, indirect, special, incidental and consequential damages, such as lost profits; iii) does not attempt to limit or alter the recipients' rights in the Source Code under section 3.2; and iv) requires any subsequent distribution of the Program by any party to be under a license that satisfies the requirements of this section 3. 
3.2 When the Program is Distributed as Source Code: a) it must be made available under this Agreement, or if the Program (i) is combined with other material in a separate file or files made available under a Secondary License, and (ii) the initial Contributor attached to the Source Code the notice described in Exhibit A of this Agreement, then the Program may be made available under the terms of such Secondary Licenses, and b) a copy of this Agreement must be included with each copy of the Program. 3.3 Contributors may not remove or alter any copyright, patent, trademark, attribution notices, disclaimers of warranty, or limitations of liability ("notices") contained within the Program from any copy of the Program which they Distribute, provided that Contributors may add their own appropriate notices. 4. COMMERCIAL DISTRIBUTION Commercial distributors of software may accept certain responsibilities with respect to end users, business partners and the like. While this license is intended to facilitate the commercial use of the Program, the Contributor who includes the Program in a commercial product offering should do so in a manner which does not create potential liability for other Contributors. Therefore, if a Contributor includes the Program in a commercial product offering, such Contributor ("Commercial Contributor") hereby agrees to defend and indemnify every other Contributor ("Indemnified Contributor") against any losses, damages and costs (collectively "Losses") arising from claims, lawsuits and other legal actions brought by a third party against the Indemnified Contributor to the extent caused by the acts or omissions of such Commercial Contributor in connection with its distribution of the Program in a commercial product offering. The obligations in this section do not apply to any claims or Losses relating to any actual or alleged intellectual property infringement. 
In order to qualify, an Indemnified Contributor must: a) promptly notify the Commercial Contributor in writing of such claim, and b) allow the Commercial Contributor to control, and cooperate with the Commercial Contributor in, the defense and any related settlement negotiations. The Indemnified Contributor may participate in any such claim at its own expense. For example, a Contributor might include the Program in a commercial product offering, Product X. That Contributor is then a Commercial Contributor. If that Commercial Contributor then makes performance claims, or offers warranties related to Product X, those performance claims and warranties are such Commercial Contributor's responsibility alone. Under this section, the Commercial Contributor would have to defend claims against the other Contributors related to those performance claims and warranties, and if a court requires any other Contributor to pay any damages as a result, the Commercial Contributor must pay those damages. 5. NO WARRANTY EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, AND TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE PROGRAM IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Each Recipient is solely responsible for determining the appropriateness of using and distributing the Program and assumes all risks associated with its exercise of rights under this Agreement, including but not limited to the risks and costs of program errors, compliance with applicable laws, damage to or loss of data, programs or equipment, and unavailability or interruption of operations. 6. 
DISCLAIMER OF LIABILITY EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, AND TO THE EXTENT PERMITTED BY APPLICABLE LAW, NEITHER RECIPIENT NOR ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 7. GENERAL If any provision of this Agreement is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this Agreement, and without further action by the parties hereto, such provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable. If Recipient institutes patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Program itself (excluding combinations of the Program with other software or hardware) infringes such Recipient's patent(s), then such Recipient's rights granted under Section 2(b) shall terminate as of the date such litigation is filed. All Recipient's rights under this Agreement shall terminate if it fails to comply with any of the material terms or conditions of this Agreement and does not cure such failure in a reasonable period of time after becoming aware of such noncompliance. If all Recipient's rights under this Agreement terminate, Recipient agrees to cease use and distribution of the Program as soon as reasonably practicable. However, Recipient's obligations under this Agreement and any licenses granted by Recipient relating to the Program shall continue and survive. 
Everyone is permitted to copy and distribute copies of this Agreement, but in order to avoid inconsistency the Agreement is copyrighted and may only be modified in the following manner. The Agreement Steward reserves the right to publish new versions (including revisions) of this Agreement from time to time. No one other than the Agreement Steward has the right to modify this Agreement. The Eclipse Foundation is the initial Agreement Steward. The Eclipse Foundation may assign the responsibility to serve as the Agreement Steward to a suitable separate entity. Each new version of the Agreement will be given a distinguishing version number. The Program (including Contributions) may always be Distributed subject to the version of the Agreement under which it was received. In addition, after a new version of the Agreement is published, Contributor may elect to Distribute the Program (including its Contributions) under the new version. Except as expressly stated in Sections 2(a) and 2(b) above, Recipient receives no rights or licenses to the intellectual property of any Contributor under this Agreement, whether expressly, by implication, estoppel or otherwise. All rights in the Program not expressly granted under this Agreement are reserved. Nothing in this Agreement is intended to be enforceable by any entity that is not a Contributor or Recipient. No third-party beneficiary rights are created under this Agreement. Exhibit A - Form of Secondary Licenses Notice "This Source Code may also be made available under the following Secondary Licenses when the conditions for such availability set forth in the Eclipse Public License, v. 2.0 are satisfied: {name license(s), version(s), and exceptions or additional permissions here}." Simply including a copy of this Agreement, including this Exhibit A is not sufficient to license the Source Code under Secondary Licenses. 
If it is not possible or desirable to put the notice in a particular file, then You may include the notice in a location (such as a LICENSE file in a relevant directory) where a recipient would be likely to look for such a notice. You may add additional accurate notices of copyright ownership. ================================================ FILE: Makefile ================================================ .PHONY: bundle check bundle: brew bundle check: shellcheck sudo-touchid.sh ================================================ FILE: README.md ================================================ Icon # sudo-touchid [![Downloads](https://img.shields.io/github/downloads/artginzburg/sudo-touchid/total?color=teal)](https://github.com/artginzburg/sudo-touchid/releases) [![Donate](https://img.shields.io/badge/buy%20me%20a%20coffee-donate-white)](https://github.com/artginzburg/sudo-touchid?sponsor=1)
Native and reliable [**TouchID**](https://support.apple.com/en-gb/guide/mac-help/mchl16fbf90a/mac) support for `sudo`
## Try it out     without installing ```bash curl -sL git.io/sudo-touch-id | sh ``` Now `sudo` is great, just like Safari — with your fingerprint in Terminal. > Don't worry, you can also [reverse](#usage) it. > Note: piping a downloaded script straight into `sh` executes whatever the URL serves, and this script changes your PAM configuration through `sudo`. If you prefer, download `sudo-touchid.sh`, read it, and run it yourself.
Result: Preview Just type git.io/sudotouchid to go here.
### Features - Fast & reliable - Written in Bash — no dependencies beyond what ships with macOS (the optional `--with-reattach` mode installs `pam-reattach` through Homebrew) - **pam_reattach support** for tmux/screen compatibility (GUI session reattachment) - **Supports modern and legacy systems:** For macOS 13 and below, see [LEGACY_MACOS.md][legacy]
## Install ### Via [🍺 Homebrew](https://brew.sh/) ```bash brew install artginzburg/tap/sudo-touchid ``` > Check out [the formula](https://github.com/artginzburg/homebrew-tap/blob/main/Formula/sudo-touchid.rb) if you're interested
## Usage Copy and run this command: ```bash sudo-touchid ``` It adds TouchID to the `sudo` PAM configuration (you will be asked for your password via `sudo` for the privileged steps), or migrates an existing legacy configuration if you're upgrading from macOS 13 or below — a backup of `/etc/pam.d/sudo` is written before it is edited. ```bash # Usage: sudo-touchid [options] [-v, --version] # Output installed version [-d, --disable] # Remove TouchID from sudo config [--with-reattach] # Include pam_reattach.so for tmux/screen support [--migrate] # Migrate from legacy configuration [--verbose] # Show detailed output [-q, --quiet] # Show minimal output (errors only) [-y, --yes] # Skip confirmation prompts (non-interactive mode) ``` If it is not installed, the script can be run straight from the network with the [`curl`][curl] bundled with macOS (this executes whatever the URL serves — read the script first if that concerns you): ```bash sh <( curl -sL git.io/sudo-touch-id ) ``` > Accepts the same arguments, like -d or -v.
### Why? - **Productivity:** Automates TouchID setup - **Lightweight:** Small Bash script, no builds or Xcode required - **Reliable:** Persistent configuration across system updates
## How does it work? **For macOS 14+:** - Creates `/etc/pam.d/sudo_local` with TouchID configuration - Leaves the system-managed `/etc/pam.d/sudo` alone for new installs; the only time it is touched is when a legacy `pam_tid.so` line is migrated out of it, and a `/etc/pam.d/sudo.bak` backup is written first **All versions:** - Has a `--disable` (`-d`) option that removes all TouchID configurations (on macOS 14+ it deletes `/etc/pam.d/sudo_local` outright, so anything else you placed in that file is removed too). - Optional `--with-reattach` for GUI session reattachment support - Creates backup files during migration - Automatically detects and migrates legacy configurations ### Manual installation Just save `sudo-touchid.sh` as `/usr/local/bin/sudo-touchid` with execute permissions, owned by root and not writable by other users > See [LEGACY_MACOS.md][legacy] for additional considerations on older systems
## Related - **tmux/screen support:** [pam_reattach](https://github.com/fabianishere/pam_reattach) module (built-in via `--with-reattach`) - **Apple Watch support:** [pam_watchid](https://github.com/biscuitehh/pam-watchid) module - **Disable password prompt:** Change `%admin ALL=(ALL) ALL` to `%admin ALL=(ALL) NOPASSWD: ALL` in `/etc/sudoers` — edit it only through `sudo visudo`, which syntax-checks the file before saving. Be aware that this removes authentication for every admin account and every command, which defeats the purpose of TouchID; leaving the prompt on is the safer default. [curl]: https://curl.se [legacy]: ./docs/LEGACY_MACOS.md ================================================ FILE: com.user.sudo-touchid.plist ================================================ Label com.user.sudo-touchid ProgramArguments /usr/local/bin/sudo-touchid RunAtLoad KeepAlive ================================================ FILE: docs/LEGACY_MACOS.md ================================================ # Legacy macOS Support (macOS 13 and below) > **Note:** For macOS Ventura and prior, full installation is necessary to preserve TouchID for `sudo` through system updates. ## Install ### Via [🍺 Homebrew](https://brew.sh/) (Recommended) ```bash brew install artginzburg/tap/sudo-touchid sudo brew services start sudo-touchid ``` > `sudo brew services start` registers the script as a system-wide LaunchDaemon that runs as root at boot, so the installed script must be owned by root and not writable by other users. > Check out [the formula](https://github.com/artginzburg/homebrew-tap/blob/main/Formula/sudo-touchid.rb) if you're interested ### Using [`curl`][curl] ```bash curl -sL git.io/sudo-touchid | sh ``` > Piping a remote script into `sh` runs whatever the URL serves; download and read it first if you prefer. ## How it works - Adds `auth sufficient pam_tid.so` to the top of `/etc/pam.d/sudo` file (following [@cabel's advice](https://twitter.com/cabel/status/931292107372838912)). - Creates a backup file named `sudo.bak` alongside it (`/etc/pam.d/sudo.bak`) before editing. - Optional `--with-reattach` flag adds `pam_reattach.so` before `pam_tid.so` for tmux/screen support. ## Why? macOS updates reset `/etc/pam.d/sudo`, so previously users had to manually edit the file after each upgrade. This tool automates the process by: 1. Making the `sudo-touchid` command available. 2. Auto-running on every system launch using a simple [`launchd`](https://www.launchd.info) daemon, so that when a macOS update erases the custom `sudo` configuration, `sudo-touchid` fixes it again. 
### Manual installation 1. Save `sudo-touchid.sh` as `/usr/local/bin/sudo-touchid` with execute permissions, owned by root and writable only by root (for example `sudo install -o root -g wheel -m 755 sudo-touchid.sh /usr/local/bin/sudo-touchid`). The daemon from step 2 executes this file as root on every boot, so a copy that an unprivileged user can modify would let that user run arbitrary code as root. Note that the `install.sh` one-liner below downloads this file *without* `sudo`, i.e. owned by the invoking user — fix the ownership afterwards with `sudo chown root:wheel /usr/local/bin/sudo-touchid`. 2. Save `com.user.sudo-touchid.plist` to `/Library/LaunchDaemons/` for auto-run on boot (root-owned and not group/world writable; launchd normally refuses to load a daemon plist with other ownership) 3. Customize paths in the `.plist` file if needed [curl]: https://curl.se ================================================ FILE: install.sh ================================================ curl -# https://raw.githubusercontent.com/artginzburg/sudo-touchid/main/sudo-touchid.sh -o /usr/local/bin/sudo-touchid && chmod +x /usr/local/bin/sudo-touchid && sudo curl -# https://raw.githubusercontent.com/artginzburg/sudo-touchid/main/com.user.sudo-touchid.plist -o /Library/LaunchDaemons/com.user.sudo-touchid.plist && /usr/local/bin/sudo-touchid ================================================ FILE: sudo-touchid.sh ================================================ #!/bin/bash VERSION=0.5 readable_name='[TouchID for sudo]' executable_name='sudo-touchid' # Verbosity control VERBOSE=false QUIET=false AUTO_YES=false # PAM configuration PAM_TOUCHID='auth sufficient pam_tid.so' PAM_REATTACH_PATH='/opt/homebrew/lib/pam/pam_reattach.so' PAM_REATTACH="auth optional $PAM_REATTACH_PATH" # File paths SUDO_PATH='/etc/pam.d/sudo' SUDO_LOCAL_PATH='/etc/pam.d/sudo_local' LEGACY_PAM_FILE='/etc/pam.d/sudo_touchid' usage() { cat <&2 } detect_os_version() { sw_vers -productVersion | cut -d. -f1 } create_pam_content() { local include_reattach="$1" echo "# TouchID for sudo - created by $executable_name v$VERSION" if [[ "$include_reattach" == "true" ]]; then echo "$PAM_REATTACH" fi echo "$PAM_TOUCHID" } install_file() { local content="$1" local target_path="$2" local permissions="$3" local temp_file temp_file=$(mktemp 2>/dev/null) if [[ -z "$temp_file" ]]; then error_echo "Error: Unable to create temporary file. Check /tmp directory permissions and available space." error_echo "Please ensure /tmp exists, is writable, and has sufficient space." return 1 fi if ! 
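printf '%s\n' "$content" > "$temp_file" 2>/dev/null; then
    error_echo "Error: Unable to write to temporary file. Check /tmp directory permissions and available space."
    error_echo "Please ensure /tmp exists, is writable, and has sufficient space."
    rm -f "$temp_file" 2>/dev/null
    return 1
  fi
  # install(1) runs as root via sudo and applies the requested mode itself, so
  # the target never ends up with the temp file's mode or the caller's ownership.
  local rc=0
  sudo install -m "$permissions" "$temp_file" "$target_path" || rc=$?
  rm -f "$temp_file"
  return "$rc"
}

#######################################
# True when a pre-sudo_local TouchID setup is present: either the old
# stand-alone PAM file or a pam_tid line inside /etc/pam.d/sudo itself.
# Globals:  LEGACY_PAM_FILE, SUDO_PATH (read)
# Returns:  0 if legacy config found, 1 otherwise
#######################################
check_legacy_configuration() {
  [[ -f "$LEGACY_PAM_FILE" ]] || grep -q 'pam_tid\.so' "$SUDO_PATH" 2>/dev/null
}

#######################################
# True when /etc/pam.d/sudo still carries a pam_tid or pam_reattach line.
# ERE alternation (-E) is used because it is portable across BSD and GNU grep.
# Globals:  SUDO_PATH (read)
# Returns:  0 if such a line exists, 1 otherwise (a missing file counts as no)
#######################################
sudo_pam_has_touchid_lines() {
  grep -qE 'pam_tid\.so|pam_reattach\.so' "$SUDO_PATH" 2>/dev/null
}

#######################################
# Delete the pam_tid/pam_reattach lines from /etc/pam.d/sudo in ONE sed pass.
# BSD `sed -i '.bak'` (the macOS form) copies the pre-edit file to the backup,
# so a single invocation keeps $SUDO_PATH.bak equal to the genuine original;
# the earlier two-pass edit overwrote the backup with a half-edited file.
# Globals:  SUDO_PATH (read/modified)
# Returns:  0 on success, 1 if sudo/sed failed
#######################################
strip_touchid_from_sudo_pam() {
  if ! sudo sed -E -i '.bak' '/pam_tid\.so|pam_reattach\.so/d' "$SUDO_PATH"; then
    error_echo "Error: Failed to edit $SUDO_PATH"
    return 1
  fi
  verbose_echo "Removed TouchID configuration from $SUDO_PATH (backup saved as $SUDO_PATH.bak)"
  return 0
}

#######################################
# Remove every legacy TouchID artefact so the sudo_local method can take over.
# Side effects: deletes $LEGACY_PAM_FILE and strips pam_tid/pam_reattach lines
# from $SUDO_PATH (backup written to $SUDO_PATH.bak).
# Returns:  0 on success, 1 if any privileged step failed
#######################################
migrate_legacy_configuration() {
  status_echo "Migrating from legacy TouchID configuration..."

  if [[ -f "$LEGACY_PAM_FILE" ]]; then
    if ! sudo rm -f "$LEGACY_PAM_FILE"; then
      error_echo "Error: Failed to remove $LEGACY_PAM_FILE"
      return 1
    fi
    verbose_echo "Removed legacy PAM file: $LEGACY_PAM_FILE"
  fi

  if sudo_pam_has_touchid_lines; then
    strip_touchid_from_sudo_pam || return 1
  fi

  status_echo "Legacy configuration removed successfully."
  return 0
}

#######################################
# Install the macOS 14+ variant: write /etc/pam.d/sudo_local (mode 644, root)
# with the lines from create_pam_content.
# Arguments: $1 - "true" to include the pam_reattach line
# Returns:   0 on success, 1 if the file could not be written
#######################################
sudo_touchid_pamlocal_install() {
  local include_reattach="$1"
  verbose_echo "Installing TouchID configuration for macOS 14+"

  # PAM only reads /etc/pam.d/sudo for the sudo service; sudo_local is consulted
  # solely through an include directive in that file. Without it the file we
  # write is inert, so warn instead of reporting a misleading success.
  if ! grep -q 'sudo_local' "$SUDO_PATH" 2>/dev/null; then
    error_echo "Warning: $SUDO_PATH does not reference sudo_local (an 'auth include sudo_local' line is expected on macOS 14+); TouchID may not take effect."
  fi

  local pam_content
  pam_content=$(create_pam_content "$include_reattach")
  if ! install_file "$pam_content" "$SUDO_LOCAL_PATH" "644"; then
    error_echo "Error: Failed to create $SUDO_LOCAL_PATH"
    return 1
  fi
  verbose_echo "Created $SUDO_LOCAL_PATH"

  status_echo
  status_echo "$readable_name enabled successfully for macOS 14+."
  verbose_echo "Note: If TouchID for sudo stops working, you can disable it with: $executable_name --disable"
  return 0
}

#######################################
# Install the macOS <=13 variant: insert the pam_tid (and optionally
# pam_reattach) line at the top of /etc/pam.d/sudo, keeping a .bak backup.
# Arguments: $1 - "true" to also insert pam_reattach (only if the module exists)
# Returns:   0 on success or when already enabled, 1 on failure
#######################################
sudo_touchid_legacy_install() {
  local include_reattach="$1"
  verbose_echo "Installing TouchID configuration for macOS ≤13"

  if grep -q 'pam_tid\.so' "$SUDO_PATH" 2>/dev/null; then
    status_echo "$readable_name seems to be enabled already"
    return 0
  fi

  # pam_reattach must precede pam_tid so the GUI session is reattached before
  # pam_tid runs. Embedded newlines in sed text are backslash-escaped (BSD sed).
  local nl=$'\n'
  local new_lines="$PAM_TOUCHID"
  if [[ "$include_reattach" == "true" ]] && check_reattach_available; then
    new_lines="$PAM_REATTACH\\${nl}$PAM_TOUCHID"
  fi

  # Insert after the leading comment when there is one, otherwise at the very
  # top — pam_tid has to be the first auth entry either way. sed's a\ / i\ text
  # commands are used instead of s///: $PAM_REATTACH contains slashes, which
  # terminated the replacement early in the previous "s/.../.../" form and
  # broke --with-reattach on these systems.
  local first_line sed_cmd
  first_line=$(head -n 1 "$SUDO_PATH" 2>/dev/null)
  if [[ "$first_line" == "#"* ]]; then
    sed_cmd="1a\\${nl}${new_lines}"
  else
    sed_cmd="1i\\${nl}${new_lines}"
  fi
  if ! sudo sed -i '.bak' "$sed_cmd" "$SUDO_PATH"; then
    error_echo "Error: Failed to edit $SUDO_PATH"
    return 1
  fi
  verbose_echo "Created a backup file at $SUDO_PATH.bak"

  # Never report success on a silent no-op (e.g. an empty or unreadable file).
  if ! grep -q 'pam_tid\.so' "$SUDO_PATH" 2>/dev/null; then
    error_echo "Error: pam_tid.so was not added to $SUDO_PATH; restore from $SUDO_PATH.bak if needed."
    return 1
  fi

  status_echo
  status_echo "$readable_name enabled successfully."
  return 0
}

#######################################
# True when the pam_reattach module exists at the hard-coded Homebrew path.
# NOTE(review): PAM_REATTACH_PATH assumes the /opt/homebrew prefix; a Homebrew
# install under a different prefix would not be found here — confirm.
#######################################
check_reattach_available() {
  [[ -f "$PAM_REATTACH_PATH" ]]
}

# True when a `brew` executable is on PATH.
check_brew_available() {
  command -v brew >/dev/null 2>&1
}

#######################################
# Offer to install pam-reattach through Homebrew, then verify the module is
# actually at $PAM_REATTACH_PATH so we never write a PAM line that points at a
# file that does not exist.
# Returns:  0 when the module is present afterwards, 1 otherwise
#######################################
install_pam_reattach() {
  if ! check_brew_available; then
    error_echo "Error: Homebrew is required to install pam-reattach but is not available."
    error_echo "Please install Homebrew first: https://brew.sh"
    return 1
  fi

  status_echo "pam_reattach.so is required for --with-reattach but not found."
  status_echo "Install pam-reattach using Homebrew?"
  wait_for_user

  verbose_echo "Installing pam-reattach..."
  if ! brew install pam-reattach; then
    error_echo "$readable_name Failed to install pam-reattach."
    return 1
  fi

  if ! check_reattach_available; then
    error_echo "Error: pam-reattach was installed but $PAM_REATTACH_PATH does not exist."
    error_echo "Check 'brew --prefix pam-reattach' and adjust PAM_REATTACH_PATH before retrying."
    return 1
  fi

  status_echo "$readable_name pam-reattach installed successfully."
  return 0
}

#######################################
# Make sure pam_reattach is present when --with-reattach was requested.
# Arguments: $1 - "true" if reattach support is wanted
# Returns:   0 if not wanted or present, 1 if the install was declined/failed
#######################################
ensure_pam_reattach() {
  local include_reattach="$1"
  [[ "$include_reattach" == "true" ]] || return 0
  check_reattach_available && return 0
  install_pam_reattach
}

#######################################
# Decide whether a migration must run before installing.
# A pam_tid line inside /etc/pam.d/sudo is "legacy" only on macOS 14+; on 13
# and below it IS the supported method, and treating it as legacy made every
# re-run strip and re-add the line (and left the "already installed" path for
# those systems unreachable). The stand-alone legacy file is stale everywhere.
# Arguments: $1 - numeric macOS major version
# Returns:   0 if a migration is needed, 1 otherwise
#######################################
legacy_config_pending() {
  local major_version="$1"
  if (( major_version >= 14 )); then
    check_legacy_configuration
  else
    [[ -f "$LEGACY_PAM_FILE" ]]
  fi
}

#######################################
# Shared "is it already set up?" check for a PAM config file.
# Arguments: $1 - PAM file to inspect, $2 - "true" if reattach was requested
# Returns:   0 - installed, message printed
#            1 - installed without the requested pam_reattach, error printed
#            2 - no pam_tid line in the file (caller proceeds to install)
#######################################
report_if_installed() {
  local config_file="$1"
  local include_reattach="$2"
  grep -q 'pam_tid\.so' "$config_file" 2>/dev/null || return 2
  if [[ "$include_reattach" == "true" ]] && ! grep -q 'pam_reattach\.so' "$config_file" 2>/dev/null; then
    error_echo "$readable_name is installed but without pam_reattach support."
    error_echo "Please run --disable first, then reinstall with --with-reattach."
    return 1
  fi
  status_echo "$readable_name appears to be already installed."
  return 0
}

#######################################
# Entry point for the default "install" action: migrate legacy state if any,
# then pick the sudo_local (14+) or /etc/pam.d/sudo (<=13) method.
# Arguments: $1 - "true" to include pam_reattach
# Returns:   0 on success or already installed, 1 on any failure
#######################################
sudo_touchid_install() {
  local include_reattach="$1"
  local major_version rc
  major_version=$(detect_os_version)
  # Guard the arithmetic comparisons below against an empty/odd sw_vers result.
  if [[ ! "$major_version" =~ ^[0-9]+$ ]]; then
    error_echo "Error: Unable to determine the macOS version (got '$major_version')."
    return 1
  fi

  if legacy_config_pending "$major_version"; then
    status_echo "Legacy TouchID configuration detected. Migrating to new secure method..."
    migrate_legacy_configuration || return 1
    if legacy_config_pending "$major_version"; then
      error_echo "Error: Legacy configuration still detected after migration. Aborting to prevent infinite loop."
      return 1
    fi
    verbose_echo "Migration completed. Re-running installation with new method..."
    sudo_touchid_install "$include_reattach"
    return $?
  fi

  if (( major_version >= 14 )); then
    if [[ -f "$SUDO_LOCAL_PATH" ]]; then
      report_if_installed "$SUDO_LOCAL_PATH" "$include_reattach"
      rc=$?
      if (( rc == 2 )); then
        # The file belongs to something else (another PAM module); refuse to
        # clobber it rather than overwrite with our content.
        error_echo "Error: $SUDO_LOCAL_PATH exists but does not contain pam_tid.so."
        error_echo "Add '$PAM_TOUCHID' to it manually, or move it aside and re-run $executable_name."
        return 1
      fi
      return "$rc"
    fi
    ensure_pam_reattach "$include_reattach" || return 1
    sudo_touchid_pamlocal_install "$include_reattach"
  else
    report_if_installed "$SUDO_PATH" "$include_reattach"
    rc=$?
    (( rc == 2 )) || return "$rc"
    ensure_pam_reattach "$include_reattach" || return 1
    sudo_touchid_legacy_install "$include_reattach"
  fi
}

#######################################
# Remove every TouchID configuration this tool knows about: sudo_local, the
# stand-alone legacy file, and pam_tid/pam_reattach lines in /etc/pam.d/sudo.
# A pam_tid line is the trigger for touching /etc/pam.d/sudo; a lone
# pam_reattach line (possibly used by another module) is left alone.
# Returns:  0 when disabled (or nothing to do), 1 if nothing could be removed
#######################################
sudo_touchid_disable() {
  local has_sudo_local=false has_legacy_file=false has_sudo_lines=false
  [[ -f "$SUDO_LOCAL_PATH" ]] && has_sudo_local=true
  [[ -f "$LEGACY_PAM_FILE" ]] && has_legacy_file=true
  grep -q 'pam_tid\.so' "$SUDO_PATH" 2>/dev/null && has_sudo_lines=true

  if [[ "$has_sudo_local" == false && "$has_legacy_file" == false && "$has_sudo_lines" == false ]]; then
    status_echo "$readable_name seems to be already disabled"
    return 0
  fi

  verbose_echo "The following TouchID configurations will be removed:"
  verbose_echo
  [[ "$has_sudo_local" == true ]] && verbose_echo " - $SUDO_LOCAL_PATH"
  [[ "$has_legacy_file" == true ]] && verbose_echo " - $LEGACY_PAM_FILE"
  if [[ "$VERBOSE" == "true" && "$has_sudo_lines" == true ]]; then
    echo " - TouchID line from $SUDO_PATH"
    echo
    echo "Your $SUDO_PATH will look like this after removal:"
    echo "----------------------------------------"
    grep -vE 'pam_tid\.so|pam_reattach\.so' "$SUDO_PATH"
    echo "----------------------------------------"
  fi
  wait_for_user

  local files_removed=0
  if [[ "$has_sudo_local" == true ]]; then
    if sudo rm -f "$SUDO_LOCAL_PATH"; then
      verbose_echo "Removed $SUDO_LOCAL_PATH"
      files_removed=$((files_removed + 1))
    else
      error_echo "Error: Failed to remove $SUDO_LOCAL_PATH"
    fi
  fi
  if [[ "$has_legacy_file" == true ]]; then
    if sudo rm -f "$LEGACY_PAM_FILE"; then
      verbose_echo "Removed $LEGACY_PAM_FILE"
      files_removed=$((files_removed + 1))
    else
      error_echo "Error: Failed to remove $LEGACY_PAM_FILE"
    fi
  fi
  if sudo_pam_has_touchid_lines; then
    if strip_touchid_from_sudo_pam; then
      files_removed=$((files_removed + 1))
    fi
  fi

  # Do not claim success when every privileged step failed (e.g. sudo denied).
  if (( files_removed == 0 )); then
    error_echo "Error: Nothing could be removed; $readable_name is still enabled."
    return 1
  fi

  status_echo
  status_echo "$readable_name has been disabled."
  return 0
}

#######################################
# Parse command-line options and dispatch to install / disable / migrate.
# Arguments: the script's arguments (see usage)
# Globals:   VERBOSE, QUIET, AUTO_YES (written)
# Returns:   exit status of the chosen action, 1 on an unknown option
#######################################
sudo_touchid() {
  local include_reattach="false"
  local action="install"
  local opt
  for opt in "$@"; do
    case "$opt" in
      -v | --version)
        echo "v$VERSION"
        return 0
        ;;
      -d | --disable) action="disable" ;;
      --with-reattach) include_reattach="true" ;;
      --migrate) action="migrate" ;;
      --verbose) VERBOSE=true ;;
      -q | --quiet) QUIET=true ;;
      -y | --yes) AUTO_YES=true ;;
      -h | --help)
        usage
        return 0
        ;;
      *)
        # Diagnostics belong on stderr so they do not pollute captured output.
        echo "Unknown option: $opt" >&2
        usage
        return 1
        ;;
    esac
  done

  case "$action" in
    install) sudo_touchid_install "$include_reattach" ;;
    disable) sudo_touchid_disable ;;
    migrate) migrate_legacy_configuration ;;
  esac
}

sudo_touchid "$@"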