I have a custom /etc/pam.d/sudo setup and I noticed that the file was always reset to default when macOS updates itself. How do I prevent that from happening?
macOS Sonoma adds an include for sudo_local to the top of /etc/pam.d/sudo:
# sudo: auth account password session
auth include sudo_local
auth sufficient pam_smartcard.so
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
According to /etc/pam.d/sudo_local.template, this /etc/pam.d/sudo_local won't be overwritten by system updates:
# sudo_local: local config file which survives system update and is included for sudo
# uncomment following line to enable Touch ID for sudo
#auth sufficient pam_tid.so
As long as you're only wanting to add new lines to the top of /etc/pam.d/sudo, you should be able to create /etc/pam.d/sudo_local and add your customisations there (or if it's just the pam_tid.so tweak, you can copy /etc/pam.d/sudo_local.template to /etc/pam.d/sudo_local and uncomment the appropriate line).
You cannot prevent it, you will have to check if it has changed and restore your custom file when you detect the change.
You can prevent Apple's Updates from performing a "reset to default" with the chflags command. Open a terminal, and make the following entry:
sudo chflags simmutable /etc/pam.d/sudo
This sets the system-level immutable flag on the named file; synonyms for simmutable are schg and schange.
See man chflags for details and options. Importantly, understand that when you need to edit /etc/pam.d/sudo again, you must first clear the immutable flag as follows:
sudo chflags nosimmutable /etc/pam.d/sudo
To list/show the flags, use ls -lO.
I've tested this on my Ventura system during my recent update to ver 13.6, and it (finally) prevented Apple's OS Update from reverting (resetting to default) my /etc/auto_master file - as it had done during two previous updates. Consequently, I believe it will work on all /etc files, and perhaps others that are similarly reverted during Apple's macOS Updates. However: Updates are rather infrequent, so feedback from others who use chflags is appreciated.
The chflags utility has been around since about 1994 (BSD 4.4). However, man chflags has a 2018 date, possibly suggesting that the utility has been recently updated. Also, man chflags states there are only a few utilities that are "chflags-aware" - including install and restore.
The flags that are set/cleared by chflags are stored in file metadata in a structure that is very similar to the structures containing ownership and mode data. Each structure is manipulated by its own utility: chown for ownership, chmod for mode/permissions and chflags for flags.
Flags are similar to mode/permissions, but apply different types of permissions across all user classes. Whereas mode/permissions are set for each class of user (owner, group, everyone), a flag applies to all users - even root! For example, the simmutable flag means no changes may be made to the file by anyone; even the owner must remove the flag before making a change to it. This feature can create confusion, for example, when a user cannot change a file even with sudo. Note that the ls -lO command may be used to reveal flag settings.
I learned of the chflags utility from @ArjanVlaanderen in an answer he posted to another question. I posted a question similar to this one recently which was closed as a duplicate. I was not satisfied with the accepted answer to this question, and so this is my attempt to answer.
Following are a few references on chflags:
POSIX standard flags defined in stat.h; from this answer in Apple SE.
Locking and Unlocking Files, from 'Mac OSX Hacks' by O'Reilly.
Python os.chflags() Method - for Python programmers :)
chattr - Wikipedia article comparing Linux chattr to Apple/BSD chflags.