Configures PAM on macOS via a Launch Daemon so that Touch ID for sudo is always available
and persists across OS upgrades.
The project installs two files on your system:
- Executable:
/usr/local/bin/persistent-touch-id-sudo - Launch daemon:
/Library/LaunchDaemons/com.yuriyguts.persistent-touch-id-sudo.plist
When macOS starts up, it invokes the launch daemon, which defines the metadata for launching the executable (what file to run, where to store logs, etc.).
The executable checks if Touch ID is already configured in /etc/pam.d/sudo.
If it's not, it adds a new configuration line there allowing Touch ID to be used.
The entire operation is very fast and leaves no processes running in the background.
Full Disk Access permissions cannot be granted to individual shell scripts. While we can
add them to the allow list, it will only work if we allow full disk access for all
env or bash processes, which is too permissive. Building the tool as a standalone
native binary allows adding it to the allow list directly.
You'll need CMake to build and install this project.
$ mkdir build
$ cd build
$ cmake ..
$ make
$ sudo make installThen, go to Preferences > Security & Privacy > Full Disk Access, and add
the executable /usr/local/bin/persistent-touch-id-sudo to the allow list.
Restart macOS in order for the launch daemon to take effect.
$ sudo rm /Library/LaunchDaemons/com.yuriyguts.persistent-touch-id-sudo.plist
$ sudo rm /usr/local/bin/persistent-touch-id-sudoThen, go to Preferences > Security & Privacy > Full Disk Access, and remove
/usr/local/bin/persistent-touch-id-sudo from the allow list.
If you'd like to stop using Touch ID for sudo as well, edit /etc/pam.d/sudo manually
and remove the line containing pam_tid.so.
If sudo still prompts you for the password, check the log files:
$ cat /tmp/com.yuriyguts.persistent-touch-id-sudo.stdout.log
$ cat /tmp/com.yuriyguts.persistent-touch-id-sudo.stderr.log