From 1d98da837f1e94c04209bce901d5b664b3cd0ec5 Mon Sep 17 00:00:00 2001 From: Malo Bourgon Date: Fri, 11 Sep 2020 12:14:44 -0700 Subject: [PATCH 1/5] Add option to enable sudo authentication with TouchID --- modules/module-list.nix | 1 + modules/system/etc-pam.d-sudo.patch | 8 ++++++++ modules/system/sudo.nix | 15 +++++++++++++++ 3 files changed, 24 insertions(+) create mode 100644 modules/system/etc-pam.d-sudo.patch create mode 100644 modules/system/sudo.nix diff --git a/modules/module-list.nix b/modules/module-list.nix index d4c1b35b..ba84d278 100644 --- a/modules/module-list.nix +++ b/modules/module-list.nix @@ -29,6 +29,7 @@ ./system/launchd.nix ./system/patches.nix ./system/shells.nix + ./system/sudo.nix ./system/version.nix ./time ./networking diff --git a/modules/system/etc-pam.d-sudo.patch b/modules/system/etc-pam.d-sudo.patch new file mode 100644 index 00000000..fa361b42 --- /dev/null +++ b/modules/system/etc-pam.d-sudo.patch @@ -0,0 +1,8 @@ +--- /etc/pam.d/sudo ++++ /etc/pam.d/sudo +@@ -1,4 +1,5 @@ + # sudo: auth account password session ++auth sufficient pam_tid.so + auth sufficient pam_smartcard.so + auth required pam_opendirectory.so + account required pam_permit.so diff --git a/modules/system/sudo.nix b/modules/system/sudo.nix new file mode 100644 index 00000000..d4112edb --- /dev/null +++ b/modules/system/sudo.nix @@ -0,0 +1,15 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.system.sudo; +in + +{ + options = { + system.sudo.touchid.enable = mkEnableOption "Enable sudo authentication with Touch ID"; + }; + + config = mkIf cfg.touchid.enable { system.patches = [ ./etc-pam.d-sudo.patch ]; }; +} From ca57e8bcdbf1c50846cf37abac8b18f8d0636160 Mon Sep 17 00:00:00 2001 
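Review bot: The added `auth sufficient pam_tid.so` line carries no comment explaining that `sufficient` ends sudo's auth stack on a Touch ID match, so the `pam_smartcard.so` and `pam_opendirectory.so` lines below it become fallbacks rather than additional checks; that is presumably the intent, but it is the whole security trade-off of the feature and should be stated where the line is added. The three context lines also pin one exact layout of `/etc/pam.d/sudo`, so `system.patches` will refuse to apply this on a release whose header or module order differs, and nothing in the patch file records which stock file the context was taken from. I'd put a leading comment above the `---` header (patch tools skip text before it), e.g. `# Context taken from the stock macOS /etc/pam.d/sudo; pam_tid.so is 'sufficient', so a Touch ID success alone satisfies the auth phase and the modules below only run when it fails or is unavailable.`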
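Review bot: `mkEnableOption` prefixes its argument with "Whether to enable ", so the description generated for `system.sudo.touchid.enable` reads "Whether to enable Enable sudo authentication with Touch ID."; pass the noun phrase only, `system.sudo.touchid.enable = mkEnableOption "sudo authentication with Touch ID";`. The option text is also the only place a user sees what enabling does to root access, so I'd extend the description to say that a Touch ID match alone satisfies sudo and that the existing password prompt remains the fallback when it fails.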
From: Malo Bourgon Date: Mon, 14 Sep 2020 13:34:30 -0700 Subject: [PATCH 2/5] Change option name and switch to using activation script --- modules/module-list.nix | 2 +- modules/security/pam.nix | 43 +++++++++++++++++++++++++++ modules/system/activation-scripts.nix | 1 + modules/system/etc-pam.d-sudo.patch | 8 ----- modules/system/sudo.nix | 15 ---------- 5 files changed, 45 insertions(+), 24 deletions(-) create mode 100644 modules/security/pam.nix delete mode 100644 modules/system/etc-pam.d-sudo.patch delete mode 100644 modules/system/sudo.nix diff --git a/modules/module-list.nix b/modules/module-list.nix index ba84d278..71ef1529 100644 --- a/modules/module-list.nix +++ b/modules/module-list.nix @@ -2,6 +2,7 @@ ./alias.nix ./documentation ./misc/lib.nix + ./security/pam.nix ./security/pki ./security/sandbox ./system @@ -29,7 +30,6 @@ ./system/launchd.nix ./system/patches.nix ./system/shells.nix - ./system/sudo.nix ./system/version.nix ./time ./networking diff --git a/modules/security/pam.nix b/modules/security/pam.nix new file mode 100644 index 00000000..4137b3fe --- /dev/null +++ b/modules/security/pam.nix 
@@ -0,0 +1,43 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.security.pam; +in + +{ + options = { + security.pam.enableSudoTouchIdAuth = mkEnableOption '' + Enable sudo authentication with Touch ID + + When enabled, this option adds the following line to /etc/pam.d/sudo: + + auth sufficient pam_tid.so + + (Note that macOS resets this file when doing a system update. As such, sudo + authentication with Touch ID won't work after a system update until the nix-darwin + configuration is reapplied.) + ''; + }; + + config = { + system.activationScripts.pam.text = '' + # PAM settings + echo >&2 "setting up pam..." + ${if cfg.enableSudoTouchIdAuth then '' + # Enable sudo Touch ID authentication + if ! grep pam_tid.so /etc/pam.d/sudo > /dev/null; then + sed -i.orig '2i\ + auth sufficient pam_tid.so + ' /etc/pam.d/sudo + fi + '' else '' + # Disable sudo Touch ID authentication + if test -e /etc/pam.d/sudo.orig; then + mv /etc/pam.d/sudo.orig /etc/pam.d/sudo + fi + ''} + ''; + }; +} diff --git a/modules/system/activation-scripts.nix b/modules/system/activation-scripts.nix index 346fb97c..8ade8ed5 100644 --- a/modules/system/activation-scripts.nix +++ b/modules/system/activation-scripts.nix @@ -56,6 +56,7 @@ in ${cfg.activationScripts.groups.text} ${cfg.activationScripts.users.text} ${cfg.activationScripts.applications.text} + ${cfg.activationScripts.pam.text} ${cfg.activationScripts.patches.text} ${cfg.activationScripts.etc.text} ${cfg.activationScripts.defaults.text} diff --git a/modules/system/etc-pam.d-sudo.patch b/modules/system/etc-pam.d-sudo.patch deleted file mode 100644 index fa361b42..00000000 --- a/modules/system/etc-pam.d-sudo.patch +++ /dev/null @@ -1,8 +0,0 @@ ---- /etc/pam.d/sudo -+++ /etc/pam.d/sudo -@@ -1,4 +1,5 @@ - # sudo: auth account password session -+auth sufficient pam_tid.so - auth sufficient pam_smartcard.so - auth required pam_opendirectory.so - account required pam_permit.so 
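Review bot: Nothing after the `sed -i.orig '2i\ ...'` call confirms that `/etc/pam.d/sudo` still holds the stock `pam_opendirectory.so` line and now holds the `pam_tid.so` line, and this file is the auth stack for the very `sudo` that applies the next nix-darwin configuration, so a mangled edit locks the admin out of the tool needed to repair it. Since this branch has just created `/etc/pam.d/sudo.orig`, a one-line rollback is cheap: `grep 'pam_opendirectory.so' /etc/pam.d/sudo > /dev/null || mv /etc/pam.d/sudo.orig /etc/pam.d/sudo` right after the `sed`. The `2i` address also presumes line 1 is the `# sudo: auth account password session` header comment (as the earlier patch's context shows), which is worth saying in a comment, e.g. `# line 1 of the stock file is the '# sudo:' header comment; insert before the first auth module`, because that assumption is what breaks first if Apple changes the file.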
diff --git a/modules/system/sudo.nix b/modules/system/sudo.nix deleted file mode 100644 index d4112edb..00000000 --- a/modules/system/sudo.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - cfg = config.system.sudo; -in - -{ - options = { - system.sudo.touchid.enable = mkEnableOption "Enable sudo authentication with Touch ID"; - }; - - config = mkIf cfg.touchid.enable { system.patches = [ ./etc-pam.d-sudo.patch ]; }; -} From 6e8bc5e7408e2c5f62871d63d409ba527e84ca57 Mon Sep 17 00:00:00 2001 From: Malo Bourgon Date: Mon, 5 Oct 2020 10:46:20 -0700 Subject: [PATCH 3/5] Use sed to disable sudo touch ID authentication --- modules/security/pam.nix | 44 ++++++++++++++++++++++++++++------------ 1 file changed, 31 insertions(+), 13 deletions(-) diff --git a/modules/security/pam.nix b/modules/security/pam.nix index 4137b3fe..424e674f 100644 --- a/modules/security/pam.nix +++ b/modules/security/pam.nix 
@@ -4,6 +4,36 @@ with lib; let cfg = config.security.pam; + + # Implementation Notes + # + # We don't use `environment.etc` because this would require that the user manually delete + # `/etc/pam.d/sudo` which seems unwise given that applying the nix-darwin configuration requires + # sudo. We also can't use `system.patchs` since it only runs once, and so won't patch in the + # changes again after OS updates (which remove modifications to this file). + # + # As such, we resort to line addition/deletion in place using `sed`. We add a comment to the + # added line that includes the name of the option, to make it easier to identify the line that + # should be deleted when the option is disabled. + mkSudoTouchIdAuthScript = isEnabled: + let + file = "/etc/pam.d/sudo"; + option = "security.pam.enableSudoTouchIdAuth"; + in '' + ${if isEnabled then '' + # Enable sudo Touch ID authentication, if not already enabled + if ! grep 'pam_tid.so' ${file} > /dev/null; then + sed -i "" '2i\ + auth sufficient pam_tid.so # nix-darwin: ${option} + ' ${file} + fi + '' else '' + # Disable sudo Touch ID authentication, if added by nix-darwin + if grep '${option}' ${file} > /dev/null; then + sed -i "" '/${option}/d' ${file} + fi + ''} + ''; in { @@ -25,19 +55,7 @@ in system.activationScripts.pam.text = '' # PAM settings echo >&2 "setting up pam..." - ${if cfg.enableSudoTouchIdAuth then '' - # Enable sudo Touch ID authentication - if ! grep pam_tid.so /etc/pam.d/sudo > /dev/null; then - sed -i.orig '2i\ - auth sufficient pam_tid.so - ' /etc/pam.d/sudo - fi - '' else '' - # Disable sudo Touch ID authentication - if test -e /etc/pam.d/sudo.orig; then - mv /etc/pam.d/sudo.orig /etc/pam.d/sudo - fi - ''} + ${mkSudoTouchIdAuthScript cfg.enableSudoTouchIdAuth} ''; }; } From e5f24e97a7467e14032778bdf0265db6349c9fa3 Mon Sep 17 00:00:00 2001 
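Review bot: The enable guard `grep 'pam_tid.so' ${file}` is unanchored, so a commented-out or otherwise inactive line mentioning `pam_tid.so` (for example one a user disabled by hand) suppresses the insert and the option silently does nothing, while the disable guard matches only the nix-darwin marker; the two checks should agree on what "already enabled" means. I'd restrict the enable check to active lines, `if ! grep '^[^#]*pam_tid\.so' ${file} > /dev/null; then`, or key both branches on the `${option}` marker. The Implementation Notes comment also says `system.patchs` where the option is `system.patches` (as listed in `modules/module-list.nix` earlier in this series), and the `2i` address still relies on line 1 being the stock `# sudo:` header comment, which the comment should state since that is the assumption a future macOS file layout would break.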
From: Malo Bourgon Date: Mon, 15 Feb 2021 10:57:04 -0800 Subject: [PATCH 4/5] Fix indent of line added to sudo file Co-authored-by: Peter Esselius --- modules/security/pam.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/security/pam.nix b/modules/security/pam.nix index 424e674f..7de766ef 100644 --- a/modules/security/pam.nix +++ b/modules/security/pam.nix @@ -24,7 +24,7 @@ let # Enable sudo Touch ID authentication, if not already enabled if ! grep 'pam_tid.so' ${file} > /dev/null; then sed -i "" '2i\ - auth sufficient pam_tid.so # nix-darwin: ${option} + auth sufficient pam_tid.so # nix-darwin: ${option} ' ${file} fi '' else '' From c1ac8e9b3df081a897a0a97f9927aee1ae9ccec3 Mon Sep 17 00:00:00 2001 From: Malo Bourgon Date: Thu, 17 Feb 2022 10:22:42 -0800 Subject: [PATCH 5/5] Use GNU version of sed from nixpkgs --- modules/security/pam.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/security/pam.nix b/modules/security/pam.nix index 7de766ef..ac7603f2 100644 --- a/modules/security/pam.nix +++ b/modules/security/pam.nix @@ -19,18 +19,19 @@ let let file = "/etc/pam.d/sudo"; option = "security.pam.enableSudoTouchIdAuth"; + sed = "${pkgs.gnused}/bin/sed"; in '' ${if isEnabled then '' # Enable sudo Touch ID authentication, if not already enabled if ! grep 'pam_tid.so' ${file} > /dev/null; then - sed -i "" '2i\ + ${sed} -i '2i\ auth sufficient pam_tid.so # nix-darwin: ${option} ' ${file} fi '' else '' # Disable sudo Touch ID authentication, if added by nix-darwin if grep '${option}' ${file} > /dev/null; then - sed -i "" '/${option}/d' ${file} + ${sed} -i '/${option}/d' ${file} fi ''} '';
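Review bot: `sed` is now pinned to `${pkgs.gnused}/bin/sed`, but the two `grep` calls in the same hunk still resolve through `PATH`, and this script edits `/etc/pam.d/sudo` as root; unless the activation script fixes `PATH` elsewhere (not visible here), the guards that decide whether the edit happens at all depend on whatever `grep` the caller's environment supplies. Pin it the same way, `grep = "${pkgs.gnugrep}/bin/grep";` in the `let`, and use `${grep} -q` in both branches in place of the `> /dev/null` redirection. With GNU sed guaranteed, the hard-coded `2i` could also give way to inserting before the first `auth` line, `${sed} -i '0,/^auth/s//auth       sufficient     pam_tid.so # nix-darwin: ${option}\n&/' ${file}`, so the insert no longer depends on line 1 being the header comment. The enclosing `mkSudoTouchIdAuthScript` binding starts and ends outside the hunk.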