1
0
Fork 0
mirror of https://github.com/LnL7/nix-darwin.git synced 2025-03-13 20:30:02 +00:00

Use sed to disable sudo touch ID authentication

This commit is contained in:
Malo Bourgon 2020-10-05 10:46:20 -07:00
parent ca57e8bcdb
commit 6e8bc5e740

View file

@ -4,6 +4,36 @@ with lib;
let
cfg = config.security.pam;
# Implementation Notes
#
# We don't use `environment.etc` because this would require that the user manually delete
# `/etc/pam.d/sudo` which seems unwise given that applying the nix-darwin configuration requires
# sudo. We also can't use `system.patchs` since it only runs once, and so won't patch in the
# changes again after OS updates (which remove modifications to this file).
#
# As such, we resort to line addition/deletion in place using `sed`. We add a comment to the
# added line that includes the name of the option, to make it easier to identify the line that
# should be deleted when the option is disabled.
mkSudoTouchIdAuthScript = isEnabled:
let
file = "/etc/pam.d/sudo";
option = "security.pam.enableSudoTouchIdAuth";
in ''
${if isEnabled then ''
# Enable sudo Touch ID authentication, if not already enabled
if ! grep 'pam_tid.so' ${file} > /dev/null; then
sed -i "" '2i\
auth sufficient pam_tid.so # nix-darwin: ${option}
' ${file}
fi
'' else ''
# Disable sudo Touch ID authentication, if added by nix-darwin
if grep '${option}' ${file} > /dev/null; then
sed -i "" '/${option}/d' ${file}
fi
''}
'';
in
{
@ -25,19 +55,7 @@ in
system.activationScripts.pam.text = ''
# PAM settings
echo >&2 "setting up pam..."
${if cfg.enableSudoTouchIdAuth then ''
# Enable sudo Touch ID authentication
if ! grep pam_tid.so /etc/pam.d/sudo > /dev/null; then
sed -i.orig '2i\
auth sufficient pam_tid.so
' /etc/pam.d/sudo
fi
'' else ''
# Disable sudo Touch ID authentication
if test -e /etc/pam.d/sudo.orig; then
mv /etc/pam.d/sudo.orig /etc/pam.d/sudo
fi
''}
${mkSudoTouchIdAuthScript cfg.enableSudoTouchIdAuth}
'';
};
}