Hacker News

I’ve just added this to my .bash_profile:

  enable-sudo-touchid() {
    sudo sed -i -e '1s;^;auth       sufficient     pam_tid.so\n;' /etc/pam.d/sudo
  }

But probably automating the check (if the automated checker has the correct permission) would not be that hard.



A step further so you don't have to think about enabling it:

  # Shell wrapper: on the first call, drop the wrapper itself, make sure
  # pam_tid.so is listed in /etc/pam.d/sudo (macOS only), then run the real sudo.
  sudo() {
    unset -f sudo
    if [[ "$(uname)" == 'Darwin' ]] && ! grep 'pam_tid.so' /etc/pam.d/sudo --silent; then
      sudo sed -i -e '1s;^;auth       sufficient     pam_tid.so\n;' /etc/pam.d/sudo
    fi
    sudo "$@"
  }
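A more defensive version of the automation sketched in the two comments above, added here as an example (not code from either commenter): it is idempotent, inserts the `pam_tid.so` line ahead of the first existing `auth` line rather than blindly at line 1, keeps a `.bak` copy, and uses awk instead of `sed -i` so BSD and GNU sed differences do not matter. It edits whatever path it is given, so it can be tried on a copy first; the `sudo bash -c` invocation in the comments is the assumed way to apply it to the real file.

```bash
# Apply for real with:
#   sudo bash -c "$(declare -f pam_tid_present pam_tid_enable); pam_tid_enable /etc/pam.d/sudo"
set -u

PAM_TID_LINE='auth       sufficient     pam_tid.so'

# Return 0 if the file already loads pam_tid.so from an auth line.
pam_tid_present() {
  grep -Eq '^auth[[:space:]].*pam_tid\.so' "$1"
}

# Insert the Touch ID line immediately before the first "auth" line so it is
# consulted first; leave every other line untouched. Writes through a temp file,
# keeps FILE.bak, and preserves the mode/owner of FILE by writing in place.
# Returns 0 on success or when the line is already present.
pam_tid_enable() {
  local file=${1:-/etc/pam.d/sudo} tmp
  [ -f "$file" ] || { echo "no such PAM file: $file" >&2; return 1; }
  if pam_tid_present "$file"; then
    return 0   # already enabled: nothing to do
  fi
  tmp=$(mktemp "${file}.XXXXXX") || return 1
  awk -v line="$PAM_TID_LINE" '
    !done && $1 == "auth" { print line; done = 1 }
    { print }
    END { if (!done) print line }   # file had no auth line at all: append
  ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
  cp -p "$file" "${file}.bak" && cat "$tmp" > "$file"
  rm -f "$tmp"
}
```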


Here's another function in Fish that incorporates the other suggestions offered in this thread.

    function sudo --description "Execute a command as another user."
        if [ (uname) = "Darwin" ]
            set --local needle "^auth\b.*\bpam_\(reattach\|tid\|watchid\)\.so\$"
            if ! grep $needle --silent /etc/pam.d/sudo && \
                [ -f /usr/local/lib/pam/pam_reattach.so* ] && \
                [ -f /usr/local/lib/pam/pam_watchid.so* ]
            command sudo sh -c "
            cat << EOF >/etc/pam.d/sudo
    auth optional pam_reattach.so
    auth sufficient pam_tid.so
    auth sufficient pam_watchid.so
    \$(grep -v '$needle' /etc/pam.d/sudo)
    EOF"; or return $status
            end
        end
        command sudo $argv
    end


Thanks! That looks good!

Though, on second thought, I’ll continue to use the more “manual” method for now, as it gives me more control and it would be easier to switch off when Touch ID sudo is supported more officially.


The hard part with these kinds of fixes is that they evaluate every time you create a new shell or tab, which for me is very frequently.

It’s already starting to add noticeable latency from all of the various eval statements in there.

Edit: I missed that it’s a function def, which should be fine speed-wise.


That's a function definition, the only overhead will be parsing, not evaluation.


Why not run a launchd script on boot that does the update? Does it need to be in the .bashrc?



