This is a simple script to automate adding Touch ID as a sufficient authentication method for sudo commands on Macs with Touch ID. Since Apple won't just include it officially, we must resort to these hacky measures.
This script creates a backup of the sudo PAM file whenever it edits it, and it only edits the file if Touch ID is not already found.
Should this bork your system, simply copying the sudo.bak file over the modified sudo file from a recovery shell should do the trick.
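The backup-then-edit-once behaviour described above, as an added example that is not the project's own addTouch.sh: `pam_tid.so` is macOS's Touch ID PAM module, the `add_touch_id` / `write_sample_pam` / `count_tid` names are assumptions, and the sample PAM file is constructed to stand in for /etc/pam.d/sudo.

```shell
#!/usr/bin/env bash
# Added example (not the project's addTouch.sh): idempotently enable the
# Touch ID PAM module for a PAM service file, backing the file up first.
# pam_tid.so is macOS's Touch ID module; the sample file layout is constructed.
set -eu

PAM_TID_LINE='auth       sufficient     pam_tid.so'

# add_touch_id <pam-file>
# Exit status: 0 = line inserted (backup written to <pam-file>.bak),
#              1 = file missing, 3 = pam_tid.so already present (no change).
add_touch_id() {
    pam_file="$1"
    [ -f "$pam_file" ] || return 1
    # Idempotency check: never stack a second pam_tid entry or a second backup.
    if grep -q 'pam_tid\.so' "$pam_file"; then
        return 3
    fi
    # Keep a pristine copy; this is what you restore from recovery if sudo breaks.
    cp -p "$pam_file" "$pam_file.bak"
    tmp=$(mktemp)
    # Insert the module before the first existing "auth" line so Touch ID is
    # tried first; "sufficient" means a fingerprint alone satisfies auth, while
    # a failure falls through to the password modules that follow.
    awk -v line="$PAM_TID_LINE" '
        !done && $1 == "auth" { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$pam_file" > "$tmp"
    # Overwrite in place (not mv) so the file keeps its owner, mode and inode.
    cat "$tmp" > "$pam_file"
    rm -f "$tmp"
    return 0
}

# write_sample_pam <path>: constructed stand-in for /etc/pam.d/sudo.
write_sample_pam() {
    printf '%s\n' \
        '# sudo: auth account password session' \
        'auth       sufficient     pam_smartcard.so' \
        'auth       required       pam_opendirectory.so' \
        'account    required       pam_permit.so' \
        'password   required       pam_deny.so' \
        'session    required       pam_permit.so' > "$1"
}

# count_tid <pam-file>: how many pam_tid.so lines the file contains.
count_tid() { grep -c 'pam_tid\.so' "$1" || true; }
```

Try it on a copy written by `write_sample_pam` first; applying `add_touch_id` to the real /etc/pam.d/sudo needs root, and the `.bak` it leaves is the file to copy back from a recovery shell.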
- Place the bash script itself anywhere you like. The default is `/usr/local/bin`.
- Edit `com.user.addtouch.plist` and replace `/usr/local/bin/addTouch.sh` with the full path to the script from the first step above.
- Place the `com.user.addtouch.plist` file in `/Library/LaunchDaemons/`.
- Make sure the `addTouch.sh` script is executable.
- On macOS Mojave and newer, you'll need to give `/usr/bin/env` Full Disk Access in System Preferences in order to allow the script to execute on startup:
  a. Launch System Preferences
  b. Navigate to Security and Privacy
  c. Choose the Privacy tab
  d. Unlock the Preferences pane using the lock icon in the bottom left corner
  e. Scroll to Full Disk Access
  f. Click the + icon
  g. When the Finder window pops up, press COMMAND+Shift+. together to show hidden files
  h. Choose your main hard drive (default name: Macintosh HD)
  i. Navigate to `/usr/bin/env` and select the env command line utility
  j. Confirm that env is now selected for Full Disk Access
If you used the default location, the script should now be in your PATH; call it to add Touch ID to PAM's sudo file right away.
After a future update wipes your custom sudo file, the launch daemon will kick in on boot and update it again.
Granting Full Disk Access to /usr/bin/env means any script that uses /usr/bin/env in its #! (shebang) line will be granted Full Disk Access. There are security implications to consider with this.