This is a simple script to automate adding Touch ID as a sufficient authentication method for sudo commands on Macs with Touch ID. Since Apple won't just include it officially, we must resort to these hacky measures.
This script creates a backup of the sudo PAM file whenever it edits it, and it only edits the file if Touch ID is not already found there.
Should this bork your system, simply copying the `sudo.bak` file over the modified `sudo` file from a recovery shell should do the trick.
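The edit the script performs, as an added example (not the project's own addTouch.sh): back the PAM file up, then insert the Touch ID rule as a sufficient auth method only if it is absent. The target path (default `/etc/pam.d/sudo`), the `pam_tid.so` module line and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the project's addTouch.sh): idempotent edit of the sudo
# PAM file that backs it up and adds Touch ID as a sufficient auth method.
# Assumptions: the file path ($1, default /etc/pam.d/sudo) and the macOS
# pam_tid.so module line. Editing the real file requires root.

PAM_LINE='auth       sufficient     pam_tid.so'

# add_touch_id [pam_file]
# Exit status: 0 edited or already present, 1 edit failed, 2 file missing.
add_touch_id() {
    pam_file="${1:-/etc/pam.d/sudo}"
    if [ ! -f "$pam_file" ]; then
        echo "add_touch_id: $pam_file is not a regular file" >&2
        return 2
    fi
    # Only edit when pam_tid.so is not already configured, so re-running
    # on every boot never duplicates the line.
    if grep -q 'pam_tid\.so' "$pam_file"; then
        echo "pam_tid.so already present in $pam_file; nothing to do"
        return 0
    fi
    # Backup first; cp -p keeps the original's mode and ownership.
    cp -p "$pam_file" "$pam_file.bak" || return 1
    # Insert the Touch ID rule before the first existing "auth" rule so it
    # is tried first; if the file has no auth rule, append it at the end.
    # Writing through ">" truncates in place, so the file keeps its mode.
    awk -v line="$PAM_LINE" '
        !done && $1 == "auth" { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$pam_file.bak" > "$pam_file" || return 1
    echo "added pam_tid.so to $pam_file (backup at $pam_file.bak)"
}

# has_touch_id [pam_file]: succeeds when the Touch ID rule is present.
has_touch_id() {
    grep -q 'pam_tid\.so' "${1:-/etc/pam.d/sudo}"
}

# Run only when invoked as "script --apply [pam_file]", so sourcing is safe.
case "${1:-}" in
    --apply) add_touch_id "${2:-}" ;;
esac
```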
1. Place the bash script itself anywhere you like. The default is `/usr/local/bin`.
2. Edit `com.user.addtouch.plist` and replace `/usr/local/bin/addTouch.sh` with the full path to the script in step 1 above.
3. Place the `com.user.addtouch.plist` file in `/Library/LaunchDaemons/`.
4. Make sure the `addTouch.sh` script is executable.
5. On macOS Mojave and newer, you'll need to give `/usr/bin/env` Full Disk Access in System Preferences in order to allow the script to execute on startup:
   a. Launch System Preferences
   b. Navigate to Security and Privacy
   c. Choose the Privacy tab
   d. Unlock the preferences pane using the lock icon in the bottom left corner
   e. Scroll to Full Disk Access
   f. Click the `+` icon
   g. When the Finder window pops up, press `COMMAND` + `Shift` + `.` together to show hidden files
   h. Choose your main hard drive (default name: `Macintosh HD`)
   i. Navigate to `/usr/bin/env` and select the `env` command line utility
   j. Confirm that `env` is now selected for Full Disk Access
If you used the default location, the script should be in your PATH now, and you can call it right away to add Touch ID to PAM's sudo file.
After future updates wipe your custom sudo file, this will kick in on boot and update it again.
Granting Full Disk Access to `/usr/bin/env` means any script that uses `/usr/bin/env` in its `#!` (shebang) line will run with Full Disk Access. There are security implications to consider with this.