artginzburg / sudo-touchid

 Permanent TouchID support 👆 for `sudo`.

Home Page: https://git.io/sudotouchid

License: Eclipse Public License 2.0

Shell 96.80% Ruby 0.59% Makefile 2.61%
sudo touchid macos authentication bash terminal cli security

sudo-touchid's Introduction

sudo-touchid

Native and reliable TouchID support for sudo

Try it out without installing

curl -sL git.io/sudo-touch-id | sh

Now sudo is great, just like Safari — with your fingerprint in Terminal or whatever you're on.

Don't worry, you can also reverse it without installing

Please note: without full installation, TouchID for sudo will be disabled after the next macOS update.

Result: (preview screenshot, image not included)

Just type git.io/sudotouchid to go here.

Features

  • Fast
  • Reliable
  • Written in Bash — no dependencies!
  • Include it in your automated system build — always working and up to date with major macOS upgrades!

Install

Via 🍺 Homebrew (Recommended)

brew install artginzburg/tap/sudo-touchid
sudo brew services start sudo-touchid

Check out the formula if you're interested

Using curl

curl -sL git.io/sudo-touchid | sh

curl is pre-installed in macOS

Performs automated "manual" installation.


The installation process:

  1. Makes the sudo-touchid command available.
  2. Makes it auto-run on every system launch (using a simple launchd daemon with RunAtLoad key set to true), so that when a macOS update erases our custom sudo configuration, sudo-touchid fixes it again.

Usage

sudo-touchid [options]
           # Running without options adds TouchID parameter to sudo configuration
             [-v,  --version]   # Output installed version
           # Commands:
             [-d,  --disable]   # Removes TouchID from sudo config

If it is not installed, it can be used via curl, which is bundled with macOS:

sh <( curl -sL git.io/sudo-touch-id ) [options]
                                    # Reliability — check :)
                                      [-d,  --disable]   # Removes TouchID from sudo config

Why?

  1. Productivity

    macOS updates do reset /etc/pam.d/sudo, so previously users had to manually edit the file after each upgrade.

    This tool was born to automate the process, allowing for TouchID sudo auth to be quickly enabled on a new/clean system.

  2. Spreading the technology.

    I bet half of you didn't know.

    It was there for a long time.

  3. Lightness

    The script is small, doesn't need any builds, doesn't need Xcode.

    Code size comparison (image not included): previously favoured solution vs. the one you're currently reading.

How does it work?

sudo-touchid.sh — the script:

  • Adds the line auth sufficient pam_tid.so to the top of the /etc/pam.d/sudo file, following @cabel's advice

  • Creates a backup file named sudo.bak.

  • Has a --disable (-d) option that performs the opposite of the steps above.

Non-Homebrew files:

com.user.sudo-touchid.plist — the property list (global daemon):

  • Runs sudo-touchid.sh on system reload

    Needed because subsequent macOS updates wipe out our custom sudo configuration.

install.sh — the installer:

  • Saves sudo-touchid.sh as /usr/local/bin/sudo-touchid and makes it executable.

    (yes, that also means you're able to run sudo-touchid from Terminal)

  • Saves com.user.sudo-touchid.plist to /Library/LaunchDaemons/ so that it's running on boot (requires root permission).
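The three steps above (insert the pam_tid.so line, keep a sudo.bak copy, reverse it on --disable), as an added POSIX shell example that is not the project's own sudo-touchid.sh. Every function takes the PAM file path as its argument so it can be tried on a constructed copy of the stock /etc/pam.d/sudo rather than the live one; the insertion point after the leading comment line follows the sed call quoted in the macOS 12.6 issue below, and the function names, the TID_RE pattern and make_sample_pam are my own.

```shell
#!/bin/sh
# Added example (not the project's script): enable, disable and check the
# pam_tid.so line in a PAM service file given as $1. On a real Mac you would
# pass /etc/pam.d/sudo and run as root; here we work on a constructed copy.
PAM_LINE='auth       sufficient     pam_tid.so'
TID_RE='^auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so'

# Constructed copy of the stock macOS /etc/pam.d/sudo, i.e. the content an
# OS update restores (matches the cat output in the upgrade issue below).
make_sample_pam() {
  printf '%s\n' '# sudo: auth account password session' \
    'auth       sufficient     pam_smartcard.so' \
    'auth       required       pam_opendirectory.so' \
    'account    required       pam_permit.so' \
    'password   required       pam_deny.so' \
    'session    required       pam_permit.so' > "$1"
}

# Status check: exit 0 if TouchID is wired in, 1 if an update has wiped it.
touchid_enabled() { grep -Eq "$TID_RE" "$1"; }

# Insert the line right after the leading "# sudo: ..." comment, keeping a
# .bak copy. Idempotent, so a daemon re-running it at every boot never
# duplicates the line.
touchid_enable() {
  f=$1
  touchid_enabled "$f" && return 0
  cp -p "$f" "$f.bak"
  awk -v line="$PAM_LINE" '
    NR == 1 && /^#/ { print; print line; next }
    NR == 1         { print line }
                    { print }' "$f.bak" > "$f"
}

# Reverse of the above: drop every pam_tid.so auth line, again with a .bak.
touchid_disable() {
  f=$1
  touchid_enabled "$f" || return 0
  cp -p "$f" "$f.bak"
  grep -Ev "$TID_RE" "$f.bak" > "$f"
}
```

Source the file and call touchid_enable /etc/pam.d/sudo as root to apply it; touchid_enabled doubles as the check a boot-time daemon could run before deciding whether to re-apply.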


Manual installation

  1. Generally follow the steps the installer performs, described under "Non-Homebrew files".
  2. If you need to, store sudo-touchid.sh anywhere else and replace /usr/local/bin in com.user.sudo-touchid.plist with the chosen path.

Contributing

PRs and Issues are very welcome!

If you don't like something — change it or inform the ones willing to help.


Related

Disabling password prompt for sudo

  • Change %admin ALL=(ALL) ALL to %admin ALL=(ALL) NOPASSWD: ALL in /etc/sudoers

TouchID support in tmux

Apple Watch TouchID support

sudo-touchid's People

Contributors

artginzburg, berejant


sudo-touchid's Issues

Apple Watch support?

I was somewhat expecting, that the Apple Watch uses the same API as Touch ID, but it doesn't seem to be the case. So, I was wondering if double-tapping the Apple Watch's button could be added in a future version. Or do you see this feature request out of scope for your project?

stopped working after the latest update

The latest update for Ventura, which was the first Rapid Security Response (RSR), seems to have broken something.
Although the launch daemon is still activated, it was not successful in fixing my pam.d/sudo.

Running Homebrew as root is extremely dangerous and no longer supported.

~
❯ sudo brew services start sudo-touchid        
Error: Running Homebrew as root is extremely dangerous and no longer supported.
As Homebrew does not drop privileges on installation you would be giving all
build scripts full access to your system.
Error: Failure while executing; `/opt/homebrew/bin/brew tap homebrew/services` exited with 1.

~
❯ 
~
❯ brew config                          
HOMEBREW_VERSION: 3.6.7
ORIGIN: https://github.com/Homebrew/brew
HEAD: 6a7eac25e167a1eb2d49e13c8cc530a3188af995
Last commit: 8 days ago
Core tap ORIGIN: https://github.com/Homebrew/homebrew-core
Core tap HEAD: 9345e061435f18a91437cc5a3db34a90acbb9f1b
Core tap last commit: 66 minutes ago
Core tap branch: master
HOMEBREW_PREFIX: /opt/homebrew
HOMEBREW_CASK_OPTS: []
HOMEBREW_MAKE_JOBS: 8
Homebrew Ruby: 2.6.10 => /System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/bin/ruby
CPU: octa-core 64-bit arm_firestorm_icestorm
Clang: 14.0.0 build 1400
Git: 2.37.1 => /Library/Developer/CommandLineTools/usr/bin/git
Curl: 7.84.0 => /usr/bin/curl
macOS: 13.0-arm64
CLT: 14.1.0.0.1.1666437224
Xcode: N/A
Rosetta 2: false

~
❯ 

Homebrew install does not succeed

Following the README.md, I end up with

Bootstrap failed: 5: Input/output error
Error: Failure while executing; `/bin/launchctl bootstrap system /Library/LaunchDaemons/homebrew.mxcl.sudo-touchid.plist` exited with 5.

Service does not work after upgrade

This worked for me until some point recently, possibly due to an OS upgrade. I upgraded the package to see if that would fix things:

❯ brew install artginzburg/tap/sudo-touchid

Running `brew update --preinstall`...
==> Auto-updated Homebrew!
Updated 3 taps (homebrew/core, homebrew/cask and homebrew/services).
<snip>

sudo-touchid 0.2 is already installed but outdated (so it will be upgraded).
==> Downloading https://github.com/artginzburg/sudo-touchid/releases/download/0.3/sudo-touchid.sh
==> Downloading from https://objects.githubusercontent.com/github-production-release-asset-2e65be/389117398/ee
######################################################################## 100.0%
==> Upgrading artginzburg/tap/sudo-touchid
  0.2 -> 0.3 

==> Caveats
To restart artginzburg/tap/sudo-touchid after an upgrade:
  sudo brew services restart artginzburg/tap/sudo-touchid
Or, if you don't want/need a background service you can just run:
  /opt/homebrew/opt/sudo-touchid/bin/sudo-touchid
==> Summary
🍺  /opt/homebrew/Cellar/sudo-touchid/0.3: 5 files, 4.5KB, built in 1 second
==> Running `brew cleanup sudo-touchid`...
Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).
Removing: /opt/homebrew/Cellar/sudo-touchid/0.2... (5 files, 3.4KB)
Warning: Directory not empty @ dir_s_rmdir - /opt/homebrew/Cellar/sudo-touchid/0.2

❯ sudo brew services start sudo-touchid

Password:
Warning: Taking root:admin ownership of some sudo-touchid paths:
  /opt/homebrew/Cellar/sudo-touchid/0.3/bin
  /opt/homebrew/Cellar/sudo-touchid/0.3/bin/sudo-touchid
  /opt/homebrew/opt/sudo-touchid
  /opt/homebrew/opt/sudo-touchid/bin
  /opt/homebrew/var/homebrew/linked/sudo-touchid
This will require manual removal of these paths using `sudo rm` on
brew upgrade/reinstall/uninstall.
/Library/LaunchDaemons/homebrew.mxcl.sudo-touchid.plist: service already bootstrapped
Bootstrap failed: 37: Operation already in progress
Error: Failure while executing; `/bin/launchctl bootstrap system /Library/LaunchDaemons/homebrew.mxcl.sudo-touchid.plist` exited with 37.

❯ sudo brew services stop sudo-touchid

Stopping `sudo-touchid`... (might take a while)
==> Successfully stopped `sudo-touchid` (label: homebrew.mxcl.sudo-touchid)

❯ sudo brew services start sudo-touchid
Warning: Taking root:admin ownership of some sudo-touchid paths:
  /opt/homebrew/Cellar/sudo-touchid/0.3/bin
  /opt/homebrew/Cellar/sudo-touchid/0.3/bin/sudo-touchid
  /opt/homebrew/opt/sudo-touchid
  /opt/homebrew/opt/sudo-touchid/bin
  /opt/homebrew/var/homebrew/linked/sudo-touchid
This will require manual removal of these paths using `sudo rm` on
brew upgrade/reinstall/uninstall.
==> Successfully started `sudo-touchid` (label: homebrew.mxcl.sudo-touchid)

After the above, sudo still requires my password. It appears the script has not changed the files in the expected ways:

❯ cat /etc/pam.d/sudo
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

❯ cat /etc/pam.d/sudo.bak
2022/02/16 11:03:31 open /etc/pam.d/sudo.bak: no such file or directory

I tried uninstalling via brew (requiring manually removing /opt/homebrew/Cellar/sudo-touchid/{0.2,0.3}) but it's the same result.

Manually running /opt/homebrew/opt/sudo-touchid/bin/sudo-touchid fixes the issue.

Doesn't work with Sonoma

Hi,

Thanks for your work.
On my device, your great program doesn't work anymore. I am on an Apple Silicon Mac, and I have done the install with Homebrew.

Does this work with macOS 12.6?

I just installed this via homebrew, and it appears sandboxing is preventing sed from editing /private/etc/pam.d/sudo. I get the following in the console when running sudo brew services start sudo-touchid:

default 17:29:18.707309-0400 sudo root : PWD=/ ; USER=root ; COMMAND=/usr/bin/sed -E -i .bak 1s/^(#.*)$/\1
auth sufficient pam_tid.so/ /etc/pam.d/sudo
info 17:29:18.731118-0400 kernel sandboxd rejected approval request from sed for kTCCServiceSystemPolicySysAdminFiles (/private/etc/pam.d/.!94543!sudo): denied

[feature req] use pam_service of sudoers to keep touchid after system upgrading

Using a custom sudoers.d file and a pam.d conf, we can set up touch id auth for sudo with additional features:

  • get rid of .plist files
  • do not edit the system managed conf /etc/pam.d/sudo, then the touch id function still works after system upgrading
  • support safe and quick recovering from bad pam.d configs for sudo

When installing, the script should generate two files:

  1. /etc/sudoers.d/50-pam-service, with the content like this:
Cmnd_Alias PAM_RESTORE=/bin/rm -f /etc/sudoers.d/50-pam-service
Cmnd_Alias PAM_UNINSTALL=/bin/rm -f /etc/sudoers.d/50-pam-service /etc/pam.d/my-sudo
# make restore and uninstall commands still use system sudo profile
Defaults!PAM_RESTORE,PAM_UNINSTALL pam_service = sudo
# restore command does not require password, we can restore as long as sudo can find sudo pam profile
# the {admin-user-name} should be replaced with a real user name
"{admin-user-name}" ALL=(ALL) NOPASSWD: PAM_RESTORE
# use custom pam_service for all users
Defaults pam_service = my-sudo
# use custom pam_service for specify users
# the {admin-user-name} should be replaced with a real user name
#Defaults:"{admin-user-name}" pam_service = my-sudo
  2. /etc/pam.d/my-sudo, with the content like this:
# reattach to user gui session: https://github.com/fabianishere/pam_reattach
# remove the following line if pam_reattach is not installed, and the installing script has to detect the absolute path of pam_reattach.so
auth       optional       /opt/homebrew/lib/pam/pam_reattach.so
# auth via touch id: https://github.com/artginzburg/sudo-touchid
auth       sufficient     pam_tid.so
# include system sudo policy
auth       include        sudo
account    include        sudo
password   include        sudo
session    include        sudo

We can add more sudo auth features in /etc/pam.d/my-sudo. When it fails, the user with name {admin-user-name} can quickly restore the default sudo auth method by running

sudo /bin/rm -f /etc/sudoers.d/50-pam-service

It can't seem to show up??

I tried running sudo say "Hello World" and it would go to the enter password. Without showing any touchid.
