Merge pull request #228 from malob/sudo-touchid

Add option to enable sudo authentication with Touch ID
2025-03-28 02:37:09 +00:00 · 2022-09-20 13:42:31 +01:00 · 2022-09-20 13:42:31 +01:00 · b3de9dded8
commit b3de9dded8
parent 14a12e9ee7 c1ac8e9b3d
3 changed files with 64 additions and 0 deletions
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@ -3,6 +3,7 @@
  ./documentation
  ./misc/ids.nix
  ./misc/lib.nix
+  ./security/pam.nix
  ./security/pki
  ./security/sandbox
  ./system
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@ -0,0 +1,62 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.security.pam;
+
+  # Implementation Notes
+  #
+  # We don't use `environment.etc` because this would require that the user manually delete
+  # `/etc/pam.d/sudo` which seems unwise given that applying the nix-darwin configuration requires
+  # sudo. We also can't use `system.patchs` since it only runs once, and so won't patch in the
+  # changes again after OS updates (which remove modifications to this file).
+  #
+  # As such, we resort to line addition/deletion in place using `sed`. We add a comment to the
+  # added line that includes the name of the option, to make it easier to identify the line that
+  # should be deleted when the option is disabled.
+  mkSudoTouchIdAuthScript = isEnabled:
+  let
+    file   = "/etc/pam.d/sudo";
+    option = "security.pam.enableSudoTouchIdAuth";
+    sed = "${pkgs.gnused}/bin/sed";
+  in ''
+    ${if isEnabled then ''
+      # Enable sudo Touch ID authentication, if not already enabled
+      if ! grep 'pam_tid.so' ${file} > /dev/null; then
+        ${sed} -i '2i\
+      auth       sufficient     pam_tid.so # nix-darwin: ${option}
+        ' ${file}
+      fi
+    '' else ''
+      # Disable sudo Touch ID authentication, if added by nix-darwin
+      if grep '${option}' ${file} > /dev/null; then
+        ${sed} -i '/${option}/d' ${file}
+      fi
+    ''}
+  '';
+in
+
+{
+  options = {
+    security.pam.enableSudoTouchIdAuth = mkEnableOption ''
+      Enable sudo authentication with Touch ID
+
+      When enabled, this option adds the following line to /etc/pam.d/sudo:
+
+          auth       sufficient     pam_tid.so
+
+      (Note that macOS resets this file when doing a system update. As such, sudo
+      authentication with Touch ID won't work after a system update until the nix-darwin
+      configuration is reapplied.)
+    '';
+  };
+
+  config = {
+    system.activationScripts.pam.text = ''
+      # PAM settings
+      echo >&2 "setting up pam..."
+      ${mkSudoTouchIdAuthScript cfg.enableSudoTouchIdAuth}
+    '';
+  };
+}
--- a/modules/system/activation-scripts.nix
+++ b/modules/system/activation-scripts.nix
@ -56,6 +56,7 @@ in
      ${cfg.activationScripts.groups.text}
      ${cfg.activationScripts.users.text}
      ${cfg.activationScripts.applications.text}
+      ${cfg.activationScripts.pam.text}
      ${cfg.activationScripts.patches.text}
      ${cfg.activationScripts.etc.text}
      ${cfg.activationScripts.defaults.text}