From c9c2d40f7172747823dc9c5ab16b9bb541cf3c0d Mon Sep 17 00:00:00 2001
From: Michael Hoang
Date: Thu, 20 Feb 2025 17:46:40 +0700
Subject: [PATCH 1/3] pam: remove `with lib;`
---
 modules/security/pam.nix | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/modules/security/pam.nix b/modules/security/pam.nix
index 69b4c37ed..2e091b987 100644
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@@ -1,7 +1,5 @@
 { config, lib, pkgs, ... }: -with lib; - let cfg = config.security.pam;
@@ -39,7 +37,7 @@ in { options = { - security.pam.enableSudoTouchIdAuth = mkEnableOption "" // { + security.pam.enableSudoTouchIdAuth = lib.mkEnableOption "" // { description = '' Enable sudo authentication with Touch ID.
From b6b7804953466e443f414730e475c4abbcfcc300 Mon Sep 17 00:00:00 2001
From: Michael Hoang
Date: Thu, 20 Feb 2025 17:51:32 +0700
Subject: [PATCH 2/3] pam: switch to using `sudo_local` file
---
 modules/security/pam.nix | 95 +++++++++++++++++++---------------------
 1 file changed, 46 insertions(+), 49 deletions(-)
diff --git a/modules/security/pam.nix b/modules/security/pam.nix
index 2e091b987..54af138c7 100644
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@@ -2,66 +2,63 @@ let cfg = config.security.pam; - - # Implementation Notes - # - # We don't use `environment.etc` because this would require that the user manually delete - # `/etc/pam.d/sudo` which seems unwise given that applying the nix-darwin configuration requires - # sudo. We also can't use `system.patchs` since it only runs once, and so won't patch in the - # changes again after OS updates (which remove modifications to this file). - # - # As such, we resort to line addition/deletion in place using `sed`. We add a comment to the - # added line that includes the name of the option, to make it easier to identify the line that - # should be deleted when the option is disabled. - mkSudoTouchIdAuthScript = isEnabled: - let - file = "/etc/pam.d/sudo"; - option = "security.pam.enableSudoTouchIdAuth"; - sed = "${pkgs.gnused}/bin/sed"; - in '' - ${if isEnabled then '' - # Enable sudo Touch ID authentication, if not already enabled - if ! grep 'pam_tid.so' ${file} > /dev/null; then - ${sed} -i '2i\ - auth sufficient pam_tid.so # nix-darwin: ${option} - ' ${file} - fi - '' else '' - # Disable sudo Touch ID authentication, if added by nix-darwin - if grep '${option}' ${file} > /dev/null; then - ${sed} -i '/${option}/d' ${file} - fi - ''} - ''; in - { options = { - security.pam.enableSudoTouchIdAuth = lib.mkEnableOption "" // { - description = '' - Enable sudo authentication with Touch ID. - - When enabled, this option adds the following line to - {file}`/etc/pam.d/sudo`: + security.pam = { + enable = lib.mkEnableOption "managing PAM with nix-darwin" // { + default = true; + example = false; + }; - ``` - auth sufficient pam_tid.so - ``` + enableSudoTouchIdAuth = lib.mkEnableOption "" // { + description = '' + Whether to enable Touch ID with sudo. - ::: {.note} - macOS resets this file when doing a system update. As such, sudo - authentication with Touch ID won't work after a system update - until the nix-darwin configuration is reapplied. 
- ::: - ''; + This will also allow your Apple Watch to be used for sudo. If this doesn't work, + you can go into `System Settings > Touch ID & Password` and toggle the switch for + your Apple Watch. + ''; + }; }; }; config = { - system.activationScripts.pam.text = '' + environment.etc."pam.d/sudo_local" = { + inherit (cfg) enable; + text = lib.optionalString cfg.enableSudoTouchIdAuth "auth sufficient pam_tid.so"; + }; + + system.activationScripts.pam.text = + let + file = "/etc/pam.d/sudo"; + marker = "security.pam.sudo_local"; + deprecatedOption = "security.pam.enableSudoTouchIdAuth"; + sed = lib.getExe pkgs.gnused; + in + '' # PAM settings echo >&2 "setting up pam..." - ${mkSudoTouchIdAuthScript cfg.enableSudoTouchIdAuth} + + # REMOVEME when macOS 13 no longer supported as macOS automatically + # nukes this file on system upgrade + # Always clear out older implementation if it is present + if grep '${deprecatedOption}' ${file} > /dev/null; then + ${sed} -i '/${deprecatedOption}/d' ${file} + fi + + ${if cfg.enable then '' + # REMOVEME when macOS 13 no longer supported + # `sudo_local` is automatically included after macOS 14 + if ! grep 'sudo_local' ${file} > /dev/null; then + ${sed} -i '2iauth include sudo_local # nix-darwin: ${marker}' ${file} + fi + '' else '' + # Remove include line if we added it + if grep '${marker}' ${file} > /dev/null; then + ${sed} -i '/${marker}/d' ${file} + fi + ''} ''; }; }
From 405217801f04f10ba5193453923b04e1ff4d8a23 Mon Sep 17 00:00:00 2001
From: Michael Hoang
Date: Thu, 20 Feb 2025 17:52:40 +0700
Subject: [PATCH 3/3] pam: add `pam_reattach` support
---
 modules/security/pam.nix | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/modules/security/pam.nix b/modules/security/pam.nix
index 54af138c7..1a71bc7ff 100644
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
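Review bot: Setting `enableSudoTouchIdAuth = true` together with `enable = false` is silently a no-op in the new `config` block: `environment.etc."pam.d/sudo_local"` inherits `enable`, and the `else` branch of `system.activationScripts.pam.text` then deletes the `auth include sudo_local` line, so Touch ID for sudo stops working with no message. An explicit guard such as `assertions = [ { assertion = cfg.enableSudoTouchIdAuth -> cfg.enable; message = "security.pam.enableSudoTouchIdAuth requires security.pam.enable"; } ];` (assuming this module tree exposes `assertions` as NixOS does), or a sentence in the `enable` description saying that disabling it also disables the Touch ID option, would make the dependency visible. The `grep 'sudo_local'` test that gates the `2i` insert is unanchored, so any line containing that string, including a comment, suppresses the include; `grep '^auth.*include.*sudo_local'` would match the actual directive, though this presumably only matters on the macOS 13 path the REMOVEME comments describe. It is also not clear from the hunk how a pre-existing, hand-written `/etc/pam.d/sudo_local` is handled once `enable` (default true) hands the file to `environment.etc`; that migration deserves a note in the option description or the commit message.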
@@ -20,13 +20,30 @@ in your Apple Watch. ''; }; + + enableSudoPamReattach = lib.mkEnableOption "" // { + description = '' + Whether to enable reattaching a program to the user's bootstrap session. + + This fixes Touch ID for sudo not working inside tmux and screen. + + This allows programs like tmux and screen that run in the background to + survive across user sessions to work with PAM services that are tied to the + bootstrap session. + ''; + default = cfg.enableSudoTouchIdAuth; + example = false; + }; }; }; config = { environment.etc."pam.d/sudo_local" = { inherit (cfg) enable; - text = lib.optionalString cfg.enableSudoTouchIdAuth "auth sufficient pam_tid.so"; + text = lib.concatLines ( + (lib.optional cfg.enableSudoPamReattach "auth optional ${pkgs.pam-reattach}/lib/pam/pam_reattach.so") + ++ (lib.optional cfg.enableSudoTouchIdAuth "auth sufficient pam_tid.so") + ); }; system.activationScripts.pam.text =
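Review bot: `default = cfg.enableSudoTouchIdAuth` on the new `enableSudoPamReattach` option means every configuration that enables Touch ID now also loads `${pkgs.pam-reattach}/lib/pam/pam_reattach.so` into sudo's auth stack without opting in, and neither the option description nor the commit message says so. Adding third-party code to a privileged PAM stack is a trust decision the user should see, so either `default = false;` or a sentence in the description such as `Defaults to the value of security.pam.enableSudoTouchIdAuth, so enabling Touch ID for sudo also loads pam_reattach into the sudo PAM stack.` would make it explicit. Like `enableSudoTouchIdAuth`, this option is silently ignored when `security.pam.enable` is false, since the `environment.etc` entry still inherits `enable`. The enclosing `options` attribute set starts outside the hunk and `system.activationScripts.pam.text` continues past its last line.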