From 5dd89f912de977a006f5636c8d06930ab43833e1 Mon Sep 17 00:00:00 2001
From: tasket <tasket@openmailbox.org>
Date: Tue, 22 Nov 2016 05:34:48 -0500
Subject: [PATCH] Additional step for Whonix

Per this discussion, https://forums.whonix.org/t/fixing-whonix-boot-issue-after-securing-qubes-root-auth/3155/8

Whonix executes sudo commands in non-root startup scripts, which causes pop-up auth prompts to appear while Whonix VMs are starting. The problem is partly due to sudo parsing sudoers.d entries in alphabetical order, and some later configs cause earlier ones to get overridden. Adding the right permissions to a lexically 'last' filename resolves the issue.
---
 security/vm-sudo.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/security/vm-sudo.md b/security/vm-sudo.md
index 45d048e3..70e426a4 100644
--- a/security/vm-sudo.md
+++ b/security/vm-sudo.md
@@ -141,6 +141,12 @@ this for extra security.**
 
           auth sufficient pam_permit.so
 
+    - For Whonix, if prompts appear during boot, create /etc/sudoers.d/zz99 and add two lines:
+
+    ```
+          ALL ALL=NOPASSWD: /usr/sbin/virt-what
+          ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck *
+    ```
 
 Dom0 password-less root access
 ------------------------------
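
Review bot: The added rule `ALL ALL=NOPASSWD: /usr/sbin/service whonixcheck *` is broader than the boot-prompt fix needs. The leading `ALL` applies it to every user in the VM, and a `*` in a sudoers argument list matches arbitrary trailing text, spaces included. On a page about requiring authentication for root, consider restricting the user field to the account the Whonix startup scripts run as and listing the exact `service whonixcheck` actions they invoke instead of `*`. The step also does not say why the file is named zz99. A sentence noting that sudo reads /etc/sudoers.d in lexical order and that this file must sort last would keep readers from renaming it, and suggesting `visudo -f /etc/sudoers.d/zz99` to create it would catch syntax errors before the file is saved.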