`sudo-touchid` is a fork of `sudo` with Touch ID support on macOS (powered by the `LocalAuthentication` framework). Once compiled, it will allow you to authenticate `sudo` commands with Touch ID in the Terminal on supported Macs (such as the late 2016 MacBook Pros).

- I am not a security expert. While I am using this as a fun experiment on my personal computer, your security needs may vary.
- This has only been tested on the 2016 15" MacBook Pro with Touch Bar running macOS 10.12.1.

To build `sudo-touchid`, simply open the included Xcode project file with Xcode 8+, select the `Build All` target, and click `Build`.

If we try running our newly-built `sudo` executable now, we'll get an error:

```
sudo must be owned by uid 0 and have the setuid bit set
```

To fix this, we can use our system's `sudo` command and the `chown`/`chmod` commands to give our newly-built `sudo` the permissions it needs:

```sh
cd (built-products-directory)
sudo chown root:wheel sudo && sudo chmod 4755 sudo
```

Now if we try running our copy of `sudo`, it should work:

```sh
cd (built-products-directory)
./sudo -s
```

If you don't have a Mac with a biometric sensor, `sudo-touchid` will fail. If you'd still like to test whether the `LocalAuthentication` framework is working correctly, you can change the `kAuthPolicy` constant to `LAPolicyDeviceOwnerAuthentication` in `sudo/plugins/sudoers/auth/sudo_auth.m`. This will present a dialog box asking the user for his or her password.

While not useful in practice, you can use this to verify that the `LocalAuthentication` code does in fact work.

Replacing the system's `sudo` program is quite risky (it can prevent your Mac from booting) and requires disabling System Integrity Protection (aka "Rootless").

Instead of replacing `sudo`, we can install our build under `/usr/local/bin` and give that path precedence over `/usr/bin`, so that our build is found first.

```sh
sudo cp (built-products-directory)/sudo /usr/local/bin/sudo
sudo chown root:wheel /usr/local/bin/sudo && sudo chmod 4755 /usr/local/bin/sudo
```

You can set up your `PATH` by adding `export PATH=/usr/local/bin:$PATH` to `.bashrc` (thanks @edenzik).

Now you should be able to enter `sudo` in any Terminal (or iTerm) window and authenticate with Touch ID!
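
Because this setup puts a setuid-root binary in a directory that is searched before `/usr/bin`, it is worth checking which `sudo` the shell actually resolves and whether that file or its directory can be changed by a non-root user. The script below is an added example, not part of sudo-touchid; the function names `first_in_path`, `findings` and `audit_sudo` are hypothetical.

```shell
# Added example: which sudo does a PATH resolve, and can a non-root
# user replace that binary or the directory holding it?

# Print the first executable regular file NAME found in PATHSTRING.
first_in_path() {
    name=$1
    old_ifs=$IFS
    IFS=:
    for dir in $2; do
        if [ -z "$dir" ]; then dir=.; fi
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Print one finding per line for TARGET (the binary or its directory);
# prints nothing when owner and mode look right. "ls -ldn" is parsed
# because stat's flags differ between macOS and Linux.
findings() {
    target=$1
    meta=$(ls -ldn "$target" | awk '{print $1 " " $3}')
    mode=${meta% *}
    uid=${meta#* }
    if [ "$uid" != 0 ]; then echo "$target: owned by uid $uid, not root"; fi
    case $mode in ?????w*) echo "$target: group-writable ($mode)" ;; esac
    case $mode in ????????w*) echo "$target: world-writable ($mode)" ;; esac
    case $mode in
        d*|???[sS]*) ;;   # directories need no setuid bit
        *) echo "$target: setuid bit not set ($mode)" ;;
    esac
}

# Audit the sudo that PATHSTRING (default: current $PATH) resolves first.
audit_sudo() {
    bin=$(first_in_path sudo "${1:-$PATH}") || { echo "no sudo found"; return 1; }
    echo "resolves to: $bin"
    findings "$bin"
    findings "$(dirname "$bin")"
}

audit_sudo || true
```

Any line printed after `resolves to:` is a finding to fix. A writable directory ahead of `/usr/bin` means anything running as that user can change what `sudo` resolves to.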