fix: move pam configuration to sudo_local #1020
Conversation
|
Thanks! This is definitely the direction I want to go, but we need to keep support for macOS < 14. That means that ensuring the |
Good call on the support for older versions and older nix-darwin support. What do you think of the recent changes? I added back an activation script like the old one which will check for the old implementation and delete it using Otherwise, if all For users on macOS >=14, the entire thing will just be managed through |
| { | ||
| environment.etc."pam.d/sudo_local" = { | ||
| enable = isPamEnabled; | ||
| text = lib.strings.concatStringsSep "\n" [ |
There was a problem hiding this comment.
| text = lib.strings.concatStringsSep "\n" [ | |
| text = lib.concatLines [ |
| (lib.optionalString cfg.enablePamReattach "auth optional ${pkgs.pam-reattach}/lib/pam/pam_reattach.so") | ||
| (lib.optionalString cfg.enableSudoTouchIdAuth "auth sufficient pam_tid.so") |
There was a problem hiding this comment.
| (lib.optionalString cfg.enablePamReattach "auth optional ${pkgs.pam-reattach}/lib/pam/pam_reattach.so") | |
| (lib.optionalString cfg.enableSudoTouchIdAuth "auth sufficient pam_tid.so") | |
| (lib.mkIf cfg.enablePamReattach "auth optional ${pkgs.pam-reattach}/lib/pam/pam_reattach.so") | |
| (lib.mkIf cfg.enableSudoTouchIdAuth "auth sufficient pam_tid.so") |
I think this will mean the output file won't have blank lines in it
| # NOTE: this can be removed at some point when support for older versions are dropped | ||
| # Always clear out older implementation if it exists | ||
| if grep '${deprecatedOption}' ${file} > /dev/null; then | ||
| ${sed} -i '/${option}/d' ${file} |
There was a problem hiding this comment.
| ${sed} -i '/${option}/d' ${file} | |
| ${sed} -i '/${deprecatedOption}/d' ${file} |
| file = "/etc/pam.d/sudo"; | ||
| option = "security.pam.enableSudoTouchIdAuth"; | ||
| file = "/etc/pam.d/sudo"; | ||
| option = "security.pam"; |
There was a problem hiding this comment.
| option = "security.pam"; | |
| marker = "security.pam.sudo_local"; |
| fi | ||
| # Check if include line is needed (macOS < 14) | ||
| if ! grep 'sudo_local' ${file} > /dev/null; then | ||
| ${sed} -i '2iauth include sudo_local # nix-darwin: ${option}' ${file} |
There was a problem hiding this comment.
| ${sed} -i '2iauth include sudo_local # nix-darwin: ${option}' ${file} | |
| ${sed} -i '2iauth include sudo_local # nix-darwin: ${marker}' ${file} |
| # for the existance of the line `auth include sudo_local`. This is included | ||
| # in macOS Sonoma and later. If the line is not there already then `sed` will add it. | ||
| # In those cases, the line will include the name of the option root (`security.pam`), | ||
| # to make it easier to identify the line that should be deleted when the option is disabled. |
There was a problem hiding this comment.
It would be good to add a comment about what happens to the marker line in /etc/pam.d/sudo when upgrading to Sonoma
| # in macOS Sonoma and later. If the line is not there already then `sed` will add it. | ||
| # In those cases, the line will include the name of the option root (`security.pam`), | ||
| # to make it easier to identify the line that should be deleted when the option is disabled. | ||
| mkIncludeSudoLocalScript = isEnabled: |
There was a problem hiding this comment.
| mkIncludeSudoLocalScript = isEnabled: |
This being a function seems unnecessary
| ${sed} -i '2i\ | ||
| auth sufficient pam_tid.so # nix-darwin: ${option} | ||
| ' ${file} | ||
| # NOTE: this can be removed at some point when support for older versions are dropped |
There was a problem hiding this comment.
| # NOTE: this can be removed at some point when support for older versions are dropped | |
| # REMOVEME when macOS 13 no longer supported |
|
I think we can skip the I also think that we shouldn’t include a marker on the |
|
The benefit of the marker would be that if a user uninstalled nix-darwin on a pre-Sonoma version we'd be able to restore it to closer to the original state, but either way is fine as As |
|
I think not being able to use touch ID very early in the user session is an acceptable failure mode if that’s all it is. |
Addresses #985 and #787.
/etc/pam.d/sudo_localenvironment.etcpam_reattachoption to fix sudo TouchID in tmuxImplementation uses
environment.etcto create the/etc/pam.d/sudo_localfile and adds thepkgs.pam-reattachoption provided in #662. Follows the comment by @emilazy to have nix-darwin manage the file entirely. If the file exists already, nix-darwin should handle it through the usual warning telling the user to rename the file tosudo_local.before-nix-darwin. As identified by @lilyball in their comment, the symlink approach here shouldn't impact users since it doesn't touch the main/etc/pam.d/sudofile. As long as/etc/pam.d/sudoremains a regular file than this should work fine without disrupting sudo to applynix-darwinconfigurations.I recognize this may be a duplicate PR given all the other open issues/PRs, but I haven't seen movement on them in a while. Feel free to close this if it's unnecessary.