authorMalo Bourgon <mbourgon@gmail.com>2020-10-05 10:46:20 -0700
committerMalo Bourgon <mbourgon@gmail.com>2022-06-30 13:33:06 -0700
commit6e8bc5e7408e2c5f62871d63d409ba527e84ca57 (patch)
treea706e40d77459c1aa129d06823b64a38ba871913 /modules/security
parentca57e8bcdbf1c50846cf37abac8b18f8d0636160 (diff)
Use sed to disable sudo touch ID authentication
Diffstat (limited to 'modules/security')
-rw-r--r--modules/security/pam.nix44
1 files changed, 31 insertions, 13 deletions
diff --git a/modules/security/pam.nix b/modules/security/pam.nix
index 4137b3f..424e674 100644
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@@ -4,6 +4,36 @@ with lib;
let
cfg = config.security.pam;
+
+ # Implementation Notes
+ #
+ # We don't use `environment.etc` because this would require that the user manually delete
+ # `/etc/pam.d/sudo` which seems unwise given that applying the nix-darwin configuration requires
+ # sudo. We also can't use `system.patchs` since it only runs once, and so won't patch in the
+ # changes again after OS updates (which remove modifications to this file).
+ #
+ # As such, we resort to line addition/deletion in place using `sed`. We add a comment to the
+ # added line that includes the name of the option, to make it easier to identify the line that
+ # should be deleted when the option is disabled.
+ mkSudoTouchIdAuthScript = isEnabled:
+ let
+ file = "/etc/pam.d/sudo";
+ option = "security.pam.enableSudoTouchIdAuth";
+ in ''
+ ${if isEnabled then ''
+ # Enable sudo Touch ID authentication, if not already enabled
+ if ! grep 'pam_tid.so' ${file} > /dev/null; then
+ sed -i "" '2i\
+ auth sufficient pam_tid.so # nix-darwin: ${option}
+ ' ${file}
+ fi
+ '' else ''
+ # Disable sudo Touch ID authentication, if added by nix-darwin
+ if grep '${option}' ${file} > /dev/null; then
+ sed -i "" '/${option}/d' ${file}
+ fi
+ ''}
+ '';
in
{
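Review bot: Hosts that enabled Touch ID with the previous version of this script still carry an unmarked `auth sufficient pam_tid.so` line (inserted by the old `sed -i.orig` in the second hunk, with no `# nix-darwin:` tag), and the new code never reconciles it: the enable branch sees `pam_tid.so` already present and does not add the tagged line, and the disable branch only deletes lines matching the option name, so turning the option off on such a host leaves Touch ID sudo authentication in place and `/etc/pam.d/sudo.orig` orphaned. A one-time migration before the `${if isEnabled ...}` branch would cover this, e.g. `if test -e ${file}.orig; then mv ${file}.orig ${file}; fi`, after which the enable path inserts the tagged line and the disable path has nothing to clean up; if the `.orig` restore is considered too stale after OS updates, deleting the untagged `pam_tid.so` line instead is the alternative, but that would also remove a line the user added by hand. Either way this deserves a sentence in the Implementation Notes comment so the next reader knows why only tagged lines are managed. Minor: the comment refers to `system.patchs`; the option is `system.patches`.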
@@ -25,19 +55,7 @@ in
system.activationScripts.pam.text = ''
# PAM settings
echo >&2 "setting up pam..."
- ${if cfg.enableSudoTouchIdAuth then ''
- # Enable sudo Touch ID authentication
- if ! grep pam_tid.so /etc/pam.d/sudo > /dev/null; then
- sed -i.orig '2i\
- auth sufficient pam_tid.so
- ' /etc/pam.d/sudo
- fi
- '' else ''
- # Disable sudo Touch ID authentication
- if test -e /etc/pam.d/sudo.orig; then
- mv /etc/pam.d/sudo.orig /etc/pam.d/sudo
- fi
- ''}
+ ${mkSudoTouchIdAuthScript cfg.enableSudoTouchIdAuth}
'';
};
}