Category Archives: Mac OS X

Everything around Mac OS X

Using TouchID for sudo on macOS Sierra

A couple of days ago, I received my new 15″ MacBook Pro. So far I'm quite happy, apart from the circumstance that I have to carry around a bunch of adapters. I'm waiting for the first projector at a customer with a USB-C connection. But that's another story. Initially I thought that I would not use the new Touch Bar that much. But I must admit that it's quite handy from time to time, in particular Touch ID to unlock the MacBook Pro.

During my day-to-day work I use the terminal quite a lot, which also includes the use of sudo. Why not use Touch ID to run a privileged command with sudo rather than typing the password? Good idea, but unfortunately this is not possible out of the box in macOS Sierra. A Google search revealed two possible solutions, both projects on GitHub.

  • Replace sudo with a customised version of sudo, which supports Touch ID (see sudo-touchid)
  • Add a customised PAM module, which supports Touch ID (see pam_touchid)

I decided to test the custom PAM module, because this alternative seems to have less impact on the operating system. The configuration is straightforward and includes the following steps:

  • Build the project using Xcode
  • Copy the PAM module to a custom location
  • Update the sudo configuration

As mentioned in a comment on GitHub, sudo over SSH does not work with this PAM module (see pam_touchid appears to break sudo over SSH), so pam_touchid.m requires a small modification. In particular, the following if statement has to be added at the top of the method pam_sm_authenticate.

// Skip Touch ID when the session comes in over SSH; sudo falls back to the remaining PAM modules
if (getenv("SSH_TTY"))
    return PAM_IGNORE;

In case of a sudo authentication request over SSH, the module does nothing and sudo falls back to the regular PAM modules. So let's start Xcode to adjust pam_touchid.m and build pam_touchid.so.2.
(Screenshot: Build PAM Module)
Create a custom directory for the PAM module, copy pam_touchid.so.2 there and adjust the owner and permissions.

sudo mkdir -p /usr/local/lib/pam/
sudo cp pam_touchid.so.2 /usr/local/lib/pam/
sudo chown root:wheel /usr/local/lib/pam/pam_touchid.so.2
sudo chmod 444 /usr/local/lib/pam/pam_touchid.so.2

Update the sudo configuration and add auth sufficient pam_touchid.so reason="execute a command as another user" at the top of the file, directly after the comment line.

sudo vi /etc/pam.d/sudo

cat /etc/pam.d/sudo
# sudo: auth account password session
auth sufficient pam_touchid.so reason="execute a command as another user"
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so

As soon as you start a new terminal session, you can use Touch ID to authenticate sudo. Below you see an example of sudo hostname to get the current hostname.
(Screenshot: sudo hostname authenticated with Touch ID)
As the pam_touchid project itself points out, you have to be sure what you're doing. If this is the first time you use Xcode and Terminal, it is probably better not to change your sudo authentication.
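Since a malformed /etc/pam.d/sudo can lock you out of sudo, the configuration step above is worth scripting with a backup and a rollback. The following is an added example (not code from the pam_touchid project or from this post); it uses the rule text and file layout shown above and assumes it is run as root against the real file:

```shell
#!/bin/sh
# Added example, not from the pam_touchid project: idempotently insert the Touch ID
# rule into a sudo PAM config, keeping a backup so a broken file can be rolled back.
PAM_RULE='auth sufficient pam_touchid.so reason="execute a command as another user"'

# first_rule FILE: print the first non-comment line, i.e. the rule sudo evaluates first.
first_rule() {
    grep -v '^#' "$1" | head -n 1
}

# add_touchid_rule FILE: insert PAM_RULE directly above the first existing rule.
# Returns 0 if inserted or already present, 1 if FILE does not exist.
add_touchid_rule() {
    f="$1"
    [ -f "$f" ] || return 1
    grep -qF 'pam_touchid.so' "$f" && return 0   # already configured, nothing to do
    cp "$f" "$f.bak"                               # keep a copy for rollback
    awk -v rule="$PAM_RULE" '
        !done && !/^#/ { print rule; done = 1 }   # first rule line: emit ours above it
        { print }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# restore_sudo_pam FILE: roll back to the backup taken by add_touchid_rule.
restore_sudo_pam() {
    [ -f "$1.bak" ] && cp "$1.bak" "$1"
}
```

Run it as root, e.g. `sudo sh -c '. ./touchid_pam.sh; add_touchid_rule /etc/pam.d/sudo'`, and keep a root shell open until a second terminal has confirmed that sudo still works.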

Thanks to Hamza Sood for this PAM module.

Get rid of Adobe PDF Viewer plugin in Safari

Recently I had to install Adobe Acrobat Reader on my MacBook Pro. As usual, I was in a hurry and had no time to complete the installation. Since then, Safari always uses the Acrobat PDF Viewer plugin to display PDFs. Because I prefer using Mac OS Preview to view PDF files, it is time to get rid of the Acrobat plug-in.

Nothing easier than that…

… just open Terminal and go to the Library folder to remove the corresponding Acrobat Internet Plug-Ins.

cd "/Library/Internet Plug-Ins/"
sudo rm -rf AdobePDFViewer*

Mac OS X Terminal Compatibility Settings

I started using iTerm rather than Terminal to work on the command line. In my opinion it is much more powerful for setting up window groups. Several tabs and/or windows can be stored and managed as bookmarks. The manipulation of window and tab titles also seems a bit easier. But that is not the topic of this post 🙂

When working on the command line I also use TVDBasenv. Starting a new session always displays the status of the environment / databases.

Last login: Tue Apr 26 22:17:55 on ttys014

Down/dummy   : rdbms1020 rdbms1020IC

Listener     : Down

user@host:~/ [rdbms1020IC]

Unfortunately, in iTerm this does not work the same way as in Terminal.

Last login: Tue Apr 26 21:52:17 on ttys010
ps: illegal option -- f
usage: ps [-AaCcEefhjlMmrSTvwXx] [-O fmt | -o fmt] [-G gid[,gid...]]
[-u]
[-p pid[,pid...]] [-t tty[,tty...]] [-U user[,user...]]
ps [-L]

Down/dummy   : rdbms1020 rdbms1020IC

Listener     : Down

user@host:~/ [rdbms1020IC]

I first thought that the two applications use a different PATH and therefore a different ps. But all of the following tests showed the same output in both environments.

user@host:~/ [rdbms1020IC] which ps
/bin/ps

user@host:~/ [rdbms1020IC] type -a ps
ps is /bin/ps

A comparison of the environment variables finally showed a few differences.

diff iterm.txt terminal.txt
...
< COLORFGBG=0;15
< COMMAND_MODE=legacy
---
> COMMAND_MODE=unix2003
< TERM_PROGRAM=iTerm.app
---
> TERM_PROGRAM=Apple_Terminal
> TERM_PROGRAM_VERSION=273.1
...

It seems that COMMAND_MODE does the trick. In iTerm it is set to legacy, while Terminal uses unix2003. Setting COMMAND_MODE to legacy causes utility programs like ps to behave as closely as possible to Mac OS X 10.3's utility programs, while setting it to unix2003 causes utility programs to obey Version 3 of the Single UNIX Specification (SUSv3).

To fix my issue I simply have to add COMMAND_MODE=unix2003 to my .bash_profile.
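A guarded version of that .bash_profile change, as an added example (not from the post), together with a check you can run in the new session. That an unset COMMAND_MODE behaves like unix2003 is my reading of compat(5) and is an assumption here:

```shell
#!/bin/sh
# Added example, not from the original post: a ~/.bash_profile fragment that pins the
# compatibility mode described in compat(5), plus a check to run in the new session.

# effective_command_mode: which compat(5) behaviour applies in this shell.
# Assumption (from compat(5)): an unset COMMAND_MODE behaves like unix2003.
effective_command_mode() {
    case "${COMMAND_MODE:-unix2003}" in
        legacy)   echo legacy ;;
        unix2003) echo unix2003 ;;
        *)        echo "unknown(${COMMAND_MODE})" ;;
    esac
}

# ps_f_works: exit 0 if 'ps -f' is accepted in this shell, non-zero otherwise
# (under COMMAND_MODE=legacy the macOS ps rejects -f, which is what broke TVDBasenv).
ps_f_works() {
    ps -f -p "$$" >/dev/null 2>&1
}

# pin_unix2003: only override when the terminal forced legacy mode, so an explicit
# unix2003 already exported elsewhere is left untouched. 'export' matters: a plain
# assignment in .bash_profile would not reach child processes such as ps.
pin_unix2003() {
    if [ "$(effective_command_mode)" = legacy ]; then
        export COMMAND_MODE=unix2003
    fi
}
pin_unix2003
```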

More information on manipulating the compatibility settings can be found in man 5 compat.