## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## check_tor_bootstrap.bsh
user ALL=(sdwdate) NOPASSWD: /usr/libexec/helper-scripts/onion-time-pre-script

## Required for systemcheck running "tor --verify-config".
user ALL=(debian-tor) NOPASSWD: /usr/bin/tor --verify-config
user ALL=(debian-tor) NOPASSWD: /usr/sbin/tor --verify-config

## tor_bootstrap_check.bsh
## Run by /usr/libexec/helper-scripts/tor_bootstrap_check.bsh
## check_bootstrap_helper_script
user ALL=(debian-tor) NOPASSWD: /usr/libexec/helper-scripts/tor_bootstrap_check.py
user ALL=(debian-tor) NOPASSWD: /usr/libexec/helper-scripts/tor_consensus_valid-after.py
user ALL=(debian-tor) NOPASSWD: /usr/libexec/helper-scripts/tor_consensus_valid-until.py
user ALL=(debian-tor) NOPASSWD: /usr/bin/tor-circuit-established-check

user ALL=NOPASSWD: /usr/bin/systemctl --no-pager --no-block status onion-grater
user ALL=NOPASSWD: /usr/bin/systemctl --no-pager --no-block status qubes-updates-proxy.service

user ALL=NOPASSWD: /usr/libexec/helper-scripts/apt-get-update-simulate
user ALL=NOPASSWD: /usr/libexec/helper-scripts/apt-get-update-kill-helper
user ALL=NOPASSWD: /usr/sbin/anondate

## check_package_manager_running_helper
user ALL=NOPASSWD: /usr/bin/fuser /var/lib/dpkg/lock /var/cache/apt/archives/lock

## required for check_network_interfaces
user ALL=NOPASSWD: /usr/sbin/ifconfig eth0
user ALL=NOPASSWD: /usr/sbin/ifconfig eth1

## required for check_kernel_messages
user ALL=NOPASSWD: /usr/bin/dmesg ""

## required for check_spectre_meltdown
user ALL=NOPASSWD: /usr/bin/spectre-meltdown-checker --paranoid

## required for check_services
user ALL=NOPASSWD: /usr/sbin/apparmor-info --boot
user ALL=NOPASSWD: /usr/bin/journalctl --boot --no-pager
user ALL=NOPASSWD: /usr/bin/journalctl --boot --no-pager --priority=0..4
user ALL=NOPASSWD: /usr/bin/journalctl --boot --no-pager -u whonix-firewall
user ALL=NOPASSWD: /usr/bin/systemctl --no-pager --no-block status whonix-firewall
user ALL=NOPASSWD: /usr/bin/systemctl --no-pager --no-block --no-legend --failed
user ALL=NOPASSWD: /usr/bin/systemctl --no-pager --no-block --failed list-units

## required for check_tor_running
user ALL=NOPASSWD: /usr/bin/systemctl --no-pager --no-block status tor
user ALL=NOPASSWD: /usr/bin/systemctl --no-pager --no-block status tor@default
user ALL=NOPASSWD: /usr/libexec/systemcheck/check_tor_running

## required for check_warrant_canary
user ALL=NOPASSWD: /usr/bin/systemctl --no-pager --no-block status canary

## required for check_network_interfaces if /sys is restricted to root
user ALL=NOPASSWD: /usr/bin/cat /sys/class/net/eth0/carrier
user ALL=NOPASSWD: /usr/bin/cat /sys/class/net/eth1/carrier

## required for check_pvclock if /sys is restricted to root
user ALL=NOPASSWD: /usr/bin/cat /sys/devices/system/clocksource/clocksource0/current_clocksource
user ALL=NOPASSWD: /usr/bin/cat /sys/devices/system/clocksource/clocksource0/available_clocksource

## required for check_virtualizer if /sys is restricted to root
user ALL=NOPASSWD: /usr/bin/systemd-detect-virt

## required for check_sudo
user ALL=NOPASSWD: /usr/bin/test -x /usr/bin/test
## TODO: Consider removing hardcoded account 'user' from here?
sysmaint ALL=NOPASSWD: /usr/bin/test -x /usr/bin/test
