only modify sudo_local if required

Makefile

@@ -33,11 +33,11 @@ ifeq (,$(wildcard $(PAM_FILE_BASE)_local.template))
 	grep $(LIBRARY_NAME) $(PAM_FILE) > /dev/null || sudo sed '2{h;s/.*/$(PAM_TEXT)/;p;g;}' $(PAM_FILE) | sudo tee $(PAM_FILE)
 else
 	$(eval PAM_FILE = $(PAM_FILE_BASE)_local)
-# Modify sudo_local if the library isn't already present in the file
 # If the file is empty or doesn't exist, the full sudo_local.template is used as a base, otherwise, the existing file is used.
 	sudo sh -c '[ -s $(PAM_FILE) ] || cat $(PAM_FILE).template >> $(PAM_FILE)'
+# Modify sudo_local if the library isn't already present in the file
 # Uncomment pam_tid.so
-	sudo sed -i ".old" -e '/$(PAM_TID_TEXT)/s/^#//g' $(PAM_FILE)
+	grep $(LIBRARY_NAME) $(PAM_FILE) > /dev/null || sudo sed -i ".old" -e '/$(PAM_TID_TEXT)/s/^#//g' $(PAM_FILE)
 # Insert $(PAM_TEXT) after the pam_tid.so line. This allows pam_tid.so to be used by default (which unexpectedly allows watch authentication as well) with pam_watchid.so as a fallback in cases where pam_tid.so falls through due to TouchID being deemed unavailable by macOS.
-	sudo sed -i "" -e '/$(PAM_TID_TEXT)/s/$$/\nauth sufficient $(LIBRARY_NAME)/g' $(PAM_FILE)
+	grep $(LIBRARY_NAME) $(PAM_FILE) > /dev/null || sudo sed -i "" -e '/$(PAM_TID_TEXT)/s/$$/\nauth sufficient $(LIBRARY_NAME)/g' $(PAM_FILE)
 endif