Running Homebrew as root is extremely dangerous and no longer supported.

[love4taylor]

~
❯ sudo brew services start sudo-touchid        
Error: Running Homebrew as root is extremely dangerous and no longer supported.
As Homebrew does not drop privileges on installation you would be giving all
build scripts full access to your system.
Error: Failure while executing; `/opt/homebrew/bin/brew tap homebrew/services` exited with 1.

~
❯ 

~
❯ brew config                          
HOMEBREW_VERSION: 3.6.7
ORIGIN: https://github.com/Homebrew/brew
HEAD: 6a7eac25e167a1eb2d49e13c8cc530a3188af995
Last commit: 8 days ago
Core tap ORIGIN: https://github.com/Homebrew/homebrew-core
Core tap HEAD: 9345e061435f18a91437cc5a3db34a90acbb9f1b
Core tap last commit: 66 minutes ago
Core tap branch: master
HOMEBREW_PREFIX: /opt/homebrew
HOMEBREW_CASK_OPTS: []
HOMEBREW_MAKE_JOBS: 8
Homebrew Ruby: 2.6.10 => /System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/bin/ruby
CPU: octa-core 64-bit arm_firestorm_icestorm
Clang: 14.0.0 build 1400
Git: 2.37.1 => /Library/Developer/CommandLineTools/usr/bin/git
Curl: 7.84.0 => /usr/bin/curl
macOS: 13.0-arm64
CLT: 14.1.0.0.1.1666437224
Xcode: N/A
Rosetta 2: false

~
❯ 

[angryjonny]

Dropping sudo from the command worked for me.
i.e. brew services start sudo-touchid

[love4taylor]

It doesn't work, plist is under the user Library folder which means it won't run with root privileges? So I don't think it will do anything.

~
❯ brew services start sudo-touchid
Warning: sudo-touchid must be run as root to start at system startup!
Bootstrap failed: 5: Input/output error
Try re-running the command as root for richer errors.
Error: Failure while executing; `/bin/launchctl bootstrap gui/501 /Users/love4taylor/Library/LaunchAgents/homebrew.mxcl.sudo-touchid.plist` exited with 5.

[artginzburg]

Turns out the problem is you need to first tap brew/services, and then you can run via sudo.
Without sudo, the service won't work anyway, as it modifies system configuration.

I'll update the ReadMe

[love4taylor]

It seems that the sudo brew command does not report an error now, but I reopened a terminal and it did not pop up the touch-id authentication is still the password, so it does not seem to have worked.

~
❯ sudo brew services start sudo-touchid                                                
Warning: Taking root:admin ownership of some sudo-touchid paths:
  /opt/homebrew/Cellar/sudo-touchid/0.4/bin
  /opt/homebrew/Cellar/sudo-touchid/0.4/bin/sudo-touchid
  /opt/homebrew/opt/sudo-touchid
  /opt/homebrew/opt/sudo-touchid/bin
  /opt/homebrew/var/homebrew/linked/sudo-touchid
This will require manual removal of these paths using `sudo rm` on
brew upgrade/reinstall/uninstall.
==> Successfully started `sudo-touchid` (label: homebrew.mxcl.sudo-touchid)

~
❯ sudo ls                              
Password:

[artginzburg]

First after entering the command, you need to restart the terminal session.

Also, the brew services command just starts the service — it does not call sudo-touchid right away.

I'll also update the ReadMe about that.

[love4taylor]

I tried restarting the terminal session, but it didn't work.

2022-11-11.23.57.48.mov

[artginzburg]

Dropping sudo from the command worked for me.
i.e. brew services start sudo-touchid

@angryjonny wait, how? I thought sudo-touchid cannot work without root access. Or does brew services allow anything to run as root now?

[artginzburg]

@love4taylor try running plain sudo-touchid. The service does not do it for some reason. I still don't know why does it not, strange as hell.

[love4taylor]

The plist generated by brew looks like this, It seems to be different from the one provided in your repo.

~
❯ cat /Library/LaunchDaemons/homebrew.mxcl.sudo-touchid.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>homebrew.mxcl.sudo-touchid</string>
	<key>LimitLoadToSessionType</key>
	<array>
		<string>Aqua</string>
		<string>Background</string>
		<string>LoginWindow</string>
		<string>StandardIO</string>
		<string>System</string>
	</array>
	<key>ProgramArguments</key>
	<array>
		<string>/opt/homebrew/opt/sudo-touchid/bin/sudo-touchid</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
</dict>
</plist>

[artginzburg]

Wow. The manual installation plist does not have the "LimitLoadToSessionType" key indeed. The brew-generated one also did not have it before. I'll try to look into it.

But looks like the new key is not related to sudo-touchid not working. The plist just automates running sudo-touchid. Have you tried running just the script?

[love4taylor]

I tried the script install, sh does not have permission to install to /usr/local/bin, sudo sh is needed, but since the script ended up executing sudo-touchid manually, I am not sure if the installed service is working or not, I tried sudo-touchid -d and restart session/reboot but did not succeed in modifying the pam file.

[love4taylor]

If I simply run sudo-touchid I'm sure it will work, I just care more about the plist service for automated changes after upgrading the system.

[artginzburg]

Could you try explicitly setting the Program arguments string to /usr/bin/sudo /opt/homebrew/opt/sudo-touchid/bin/sudo-touchid? I'll also try that and report here if it works for me.

P.S. Did that just now and restarted the system. Doesn't seem to work. sudo brew services shows "error" status:

[artginzburg]

I think the initial issue was resolved by Homebrew (just untapped homebrew/services and ran sudo brew services start sudo-touchid to check that). The background service not running at load is discussed here: #8.

Could anyone confirm that the initial issue is resolved?

[love4taylor]

It doesn't seem to help to do so.

[TheAifam5]

-r--r--r--  1 root  wheel  246 Mar 18 05:34 /etc/pam.d/sudo

I think the script should check for proper chmod first or set and restore.

This is on Ventura 13.3.

[artginzburg]

Doesn't seem like chmod is related to this issue. There's another issue where I tried something related to permissions — #8 (comment)