| author | Domen Kožar <domen@dev.si> | 2022-09-20 13:42:31 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-09-20 13:42:31 +0100 |
| commit | b3de9dded8476b85e0210c8deab17895180ad2c3 (patch) | |
| tree | 2bb77424e3c64d456a1de2f6440381e636fe50df /modules | |
| parent | 14a12e9ee72215b5f1e7dcbbff52e21a2e1d688c (diff) | |
| parent | c1ac8e9b3df081a897a0a97f9927aee1ae9ccec3 (diff) | |
Merge pull request #228 from malob/sudo-touchid
Add option to enable sudo authentication with Touch ID
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/module-list.nix | 1 | ||||
| -rw-r--r-- | modules/security/pam.nix | 62 | ||||
| -rw-r--r-- | modules/system/activation-scripts.nix | 1 |
3 files changed, 64 insertions, 0 deletions
diff --git a/modules/module-list.nix b/modules/module-list.nix
index 35d056e..23a4254 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -3,6 +3,7 @@
 ./documentation
 ./misc/ids.nix
 ./misc/lib.nix
+ ./security/pam.nix
 ./security/pki
 ./security/sandbox
 ./system
diff --git a/modules/security/pam.nix b/modules/security/pam.nix
new file mode 100644
index 0000000..ac7603f
--- /dev/null
+++ b/modules/security/pam.nix
@@ -0,0 +1,62 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.security.pam;
+
+ # Implementation Notes
+ #
+ # We don't use `environment.etc` because this would require that the user manually delete
+ # `/etc/pam.d/sudo` which seems unwise given that applying the nix-darwin configuration requires
+ # sudo. We also can't use `system.patchs` since it only runs once, and so won't patch in the
+ # changes again after OS updates (which remove modifications to this file).
+ #
+ # As such, we resort to line addition/deletion in place using `sed`. We add a comment to the
+ # added line that includes the name of the option, to make it easier to identify the line that
+ # should be deleted when the option is disabled.
+ mkSudoTouchIdAuthScript = isEnabled:
+ let
+ file = "/etc/pam.d/sudo";
+ option = "security.pam.enableSudoTouchIdAuth";
+ sed = "${pkgs.gnused}/bin/sed";
+ in ''
+ ${if isEnabled then ''
+ # Enable sudo Touch ID authentication, if not already enabled
+ if ! grep 'pam_tid.so' ${file} > /dev/null; then
+ ${sed} -i '2i\
+ auth sufficient pam_tid.so # nix-darwin: ${option}
+ ' ${file}
+ fi
+ '' else ''
+ # Disable sudo Touch ID authentication, if added by nix-darwin
+ if grep '${option}' ${file} > /dev/null; then
+ ${sed} -i '/${option}/d' ${file}
+ fi
+ ''}
+ '';
+in
+
+{
+ options = {
+ security.pam.enableSudoTouchIdAuth = mkEnableOption ''
+ Enable sudo authentication with Touch ID
+
+ When enabled, this option adds the following line to /etc/pam.d/sudo:
+
+ auth sufficient pam_tid.so
+
+ (Note that macOS resets this file when doing a system update. As such, sudo
+ authentication with Touch ID won't work after a system update until the nix-darwin
+ configuration is reapplied.)
+ '';
+ };
+
+ config = {
+ system.activationScripts.pam.text = ''
+ # PAM settings
+ echo >&2 "setting up pam..."
+ ${mkSudoTouchIdAuthScript cfg.enableSudoTouchIdAuth}
+ '';
+ };
+}
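Review bot: The enable guard `if ! grep 'pam_tid.so' ${file}` matches any line containing that string, so a commented-out `#auth sufficient pam_tid.so` left in /etc/pam.d/sudo makes the script skip the insert and the option becomes a silent no-op while the configuration says it is enabled; anchoring on an active entry, `grep -E '^auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so' ${file}`, avoids that (the unanchored `grep '${option}'` on the disable path only looks for the marker comment, which is fine). The `2i\` insert also hard-codes line 2, which presumably relies on line 1 being the `# sudo: ...` header comment; if that header is ever absent the module lands after the first real auth entry, so the assumption deserves a comment such as `# insert at line 2, right after the "# sudo: ..." header, so pam_tid.so is consulted before the other auth modules` or an insert relative to the first `^auth` line. Separately, mkEnableOption already prefixes its argument with "Whether to enable", so the rendered description reads "Whether to enable Enable sudo authentication with Touch ID…"; dropping the first line of the string, or switching to mkOption with a full description, fixes the wording.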
diff --git a/modules/system/activation-scripts.nix b/modules/system/activation-scripts.nix
index 346fb97..8ade8ed 100644
--- a/modules/system/activation-scripts.nix
+++ b/modules/system/activation-scripts.nix
@@ -56,6 +56,7 @@ in
 ${cfg.activationScripts.groups.text}
 ${cfg.activationScripts.users.text}
 ${cfg.activationScripts.applications.text}
+ ${cfg.activationScripts.pam.text}
 ${cfg.activationScripts.patches.text}
 ${cfg.activationScripts.etc.text}
 ${cfg.activationScripts.defaults.text}
