mirror of
https://github.com/LnL7/nix-darwin.git
synced 2025-03-13 20:30:02 +00:00
Use sed to disable sudo touch ID authentication
This commit is contained in:
parent
ca57e8bcdb
commit
6e8bc5e740
1 changed files with 31 additions and 13 deletions
|
@ -4,6 +4,36 @@ with lib;
|
|||
|
||||
let
|
||||
cfg = config.security.pam;
|
||||
|
||||
# Implementation Notes
|
||||
#
|
||||
# We don't use `environment.etc` because this would require that the user manually delete
|
||||
# `/etc/pam.d/sudo` which seems unwise given that applying the nix-darwin configuration requires
|
||||
# sudo. We also can't use `system.patchs` since it only runs once, and so won't patch in the
|
||||
# changes again after OS updates (which remove modifications to this file).
|
||||
#
|
||||
# As such, we resort to line addition/deletion in place using `sed`. We add a comment to the
|
||||
# added line that includes the name of the option, to make it easier to identify the line that
|
||||
# should be deleted when the option is disabled.
|
||||
mkSudoTouchIdAuthScript = isEnabled:
|
||||
let
|
||||
file = "/etc/pam.d/sudo";
|
||||
option = "security.pam.enableSudoTouchIdAuth";
|
||||
in ''
|
||||
${if isEnabled then ''
|
||||
# Enable sudo Touch ID authentication, if not already enabled
|
||||
if ! grep 'pam_tid.so' ${file} > /dev/null; then
|
||||
sed -i "" '2i\
|
||||
auth sufficient pam_tid.so # nix-darwin: ${option}
|
||||
' ${file}
|
||||
fi
|
||||
'' else ''
|
||||
# Disable sudo Touch ID authentication, if added by nix-darwin
|
||||
if grep '${option}' ${file} > /dev/null; then
|
||||
sed -i "" '/${option}/d' ${file}
|
||||
fi
|
||||
''}
|
||||
'';
|
||||
in
|
||||
|
||||
{
|
||||
|
@ -25,19 +55,7 @@ in
|
|||
system.activationScripts.pam.text = ''
|
||||
# PAM settings
|
||||
echo >&2 "setting up pam..."
|
||||
${if cfg.enableSudoTouchIdAuth then ''
|
||||
# Enable sudo Touch ID authentication
|
||||
if ! grep pam_tid.so /etc/pam.d/sudo > /dev/null; then
|
||||
sed -i.orig '2i\
|
||||
auth sufficient pam_tid.so
|
||||
' /etc/pam.d/sudo
|
||||
fi
|
||||
'' else ''
|
||||
# Disable sudo Touch ID authentication
|
||||
if test -e /etc/pam.d/sudo.orig; then
|
||||
mv /etc/pam.d/sudo.orig /etc/pam.d/sudo
|
||||
fi
|
||||
''}
|
||||
${mkSudoTouchIdAuthScript cfg.enableSudoTouchIdAuth}
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
Loading…
Add table
Reference in a new issue