From 5dd89f912de977a006f5636c8d06930ab43833e1 Mon Sep 17 00:00:00 2001 From: tasket Date: Tue, 22 Nov 2016 05:34:48 -0500 Subject: [PATCH 1/2] Additional step for Whonix Per this discussion, https://forums.whonix.org/t/fixing-whonix-boot-issue-after-securing-qubes-root-auth/3155/8 Whonix executes sudo commands in non-root startup scripts which causes pop-up auth prompts to appear while Whonix VMs are starting. The problem is partly due to sudo parsing sudoers.d entries in alphabetical order, and some later configs cause earlier ones to get overridden. Adding the right permissions to a lexically 'last' filename resolves the issue. --- security/vm-sudo.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/security/vm-sudo.md b/security/vm-sudo.md index 45d048e3..70e426a4 100644 --- a/security/vm-sudo.md +++ b/security/vm-sudo.md @@ -141,6 +141,12 @@ this for extra security.** auth sufficient pam_permit.so + - For Whonix, if prompts appear during boot, create /etc/sudoers.d/zz99 and add two lines: + + ``` + ALL ALL=NOPASSWD: /usr/sbin/virt-what + ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck * + ``` Dom0 password-less root access ------------------------------ From 76ecc09a9da9bd334c8310f7d2d27b23ead48d04 Mon Sep 17 00:00:00 2001 From: tasket Date: Sat, 26 Nov 2016 21:38:48 -0500 Subject: [PATCH 2/2] Update vm-sudo.md Specify service actions instead of globbing. --- security/vm-sudo.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/security/vm-sudo.md b/security/vm-sudo.md index 70e426a4..e5fb2fba 100644 --- a/security/vm-sudo.md +++ b/security/vm-sudo.md 
@@ -141,11 +141,14 @@ this for extra security.** auth sufficient pam_permit.so - - For Whonix, if prompts appear during boot, create /etc/sudoers.d/zz99 and add two lines: + - For Whonix, if prompts appear during boot, create /etc/sudoers.d/zz99 and add these lines: ``` ALL ALL=NOPASSWD: /usr/sbin/virt-what - ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck * + ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck restart + ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck start + ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck stop + ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck status ``` Dom0 password-less root access
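Review bot: In the hunk of PATCH 1/2, the added bullet tells the reader to create /etc/sudoers.d/zz99 but says neither why that filename matters nor how to create the file safely. The commit message explains that sudo parses sudoers.d entries in alphabetical order and that later entries override earlier ones. One sentence to that effect in the document itself would keep readers from renaming the file and bringing the prompts back. I would also suggest telling readers to edit the file with visudo -f /etc/sudoers.d/zz99, so a syntax error is caught before the file is saved. Separately, the trailing * in the line ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck * matches any arguments after whonixcheck, which is wider than a boot-time service call needs.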
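Review bot: In the hunk of PATCH 2/2, every added rule still begins with ALL ALL=, so the enumerated whonixcheck actions and virt-what are granted without a password to every account in the VM, not only to the one that runs the Whonix startup scripts. If those scripts run as a known user or group, name it in place of the first ALL. Also, /usr/sbin/virt-what is listed with no argument specification, which sudoers treats as permitting any arguments. Appending "" after the path would restrict it to being run with none, if that is how the scripts call it. As a style point, the four service lines could be a single rule with a comma-separated command list.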