Update security.pam.enableSudoTouchIdAuth for Sonoma+

[citizen428]

Since macOS 14 (Sonoma), one can modify /etc/pam.d/sudo_local which will survive OS upgrades. By default, there's a file called /etc/pam.d/sudo_local.template with the following contents:

# sudo_local: local config file which survives system update and is included for sudo
# uncomment following line to enable Touch ID for sudo
#auth       sufficient     pam_tid.so

This gets included in /etc/pam.d/sudoers:

auth       include        sudo_local

It seems like a good idea to use this file so Touch ID for sudo will be available also right after upgrades, without having to run darwin-rebuild switch first.

[purcell]

I think this could be easily accomplished by making file here conditional on config.system.darwinVersion.

[citizen428]

Yes, that should work, I briefly played around with that idea earlier today. In the end I just settled for this and removed the setting from my flake.nix, which is GoogEnough™ for me.

environment.etc = {
  "pam.d/sudo_local".text = ''
    auth sufficient pam_tid.so
  '';
};

[emilazy]

We should unconditionally generate sudo_local and retain only enough logic to add the auth include sudo_local line to /etc/pam.d/sudo when absent. See #1020 which I just realized I forgot to get around to reviewing again, oops :(

[purcell]

Oh, lol, I didn't see that PR!

[citizen428]

Ugh, I only searched issues, not PRs, sorry. But I like your suggestion @emilazy, I think that's the best way forward.