Fix an issue where pam_reattach path gets stale

zmre · Apr 1, 2024 · 4721539 · 4721539
1 parent f6f687f
commit 4721539
Showing 1 changed file with 10 additions and 12 deletions.
diff --git a/modules/darwin/pam.nix b/modules/darwin/pam.nix
@@ -16,31 +16,29 @@ with lib;
       file = "/etc/pam.d/sudo";
       option = "security.pam.enableCustomSudoTouchIdAuth";
     in ''
+      # Unconditionally remove first. If enabled, we'll add it back. This ensures we update pam_reattach.so.
+      if grep '${option}' ${file} > /dev/null; then
+        /usr/bin/sed -i "" '/${option}/d' ${file}
+      fi
       ${
         if isEnabled
         then ''
-          # Enable sudo Touch ID authentication, if not already enabled
-          if ! grep 'pam_tid.so' ${file} > /dev/null; then
-            /usr/bin/sed -i "" '2i\
+          # Enable sudo Touch ID authentication
+          /usr/bin/sed -i "" '2i\
           auth       optional     ${pkgs.stable.pam-reattach}/lib/pam/pam_reattach.so # nix-darwin: ${option}\
           auth       sufficient     pam_tid.so # nix-darwin: ${option}
-            ' ${file}
-          fi
-        ''
-        else ''
-          # Disable sudo Touch ID authentication, if added by nix-darwin
-          if grep '${option}' ${file} > /dev/null; then
-            /usr/bin/sed -i "" '/${option}/d' ${file}
-          fi
+          ' ${file}
+
         ''
+        else ""
       }
     '';
   in {
     options = {
       security.pam.enableCustomSudoTouchIdAuth = mkEnableOption ''
         Enable sudo authentication with Touch ID
         When enabled, this option adds the following line to /etc/pam.d/sudo:
-            auth       optional     /opt/homebrew/lib/pam/pam_reattach.so
+            auth       optional       /path/to/pam_reattach.so
             auth       sufficient     pam_tid.so
         (Note that macOS resets this file when doing a system update. As such, sudo
         authentication with Touch ID won't work after a system update until the nix-darwin