# /etc/sudoers.d/orbit-wifi-setup
# Erlaubt orbit-User die nmcli-Subcommands ohne Passwort, fuer das Phase-15
# WLAN-Setup-UI Backend. Defense-in-Depth: Eskalations-Vektoren wie
# 'general log-Level DEBUG' sind bewusst NICHT in dieser Whitelist.
#
# Mode 0440, Owner root:root, Filename ohne Punkt (KEIN .conf).
# Validation: sudo visudo -c -f /etc/sudoers.d/orbit-wifi-setup

# Read-only subcommands: each rule lets user orbit run exactly the listed
# nmcli invocation as root, on any host, without a password prompt.
#
# NOTE(review): sudoers matches the command-line arguments as one concatenated
# string, so '*' also matches spaces and therefore whole extra arguments, not
# just a single word. '-f *' below admits more than one field list: anything
# may stand between '-f' and the fixed tail, as long as the line ends with
# that tail. If the backend always passes the same field list, spell it out
# here instead of '*'.

# NOTE(review): a rescan asks the driver for a new scan, so this rule is not
# strictly read-only; it changes no connection profile.
orbit ALL=(root) NOPASSWD: /usr/bin/nmcli device wifi rescan
orbit ALL=(root) NOPASSWD: /usr/bin/nmcli -t -f * device wifi list
# Only wlan0 may be queried with 'device show'.
orbit ALL=(root) NOPASSWD: /usr/bin/nmcli -t -f * device show wlan0
orbit ALL=(root) NOPASSWD: /usr/bin/nmcli -t -f * device status
# Same query with the abbreviated 'dev' spelling; sudo compares the literal
# argument string, so each spelling needs its own rule.
orbit ALL=(root) NOPASSWD: /usr/bin/nmcli -t -f * dev status
orbit ALL=(root) NOPASSWD: /usr/bin/nmcli -t -f * connection show
# NOTE(review): the trailing '*' accepts any arguments after 'connection show',
# not only a profile name. Confirm this cannot be combined with nmcli options
# that print stored secrets, and pin the accepted form if it can.
orbit ALL=(root) NOPASSWD: /usr/bin/nmcli -t -f * connection show *

# Profile modification: rules that let orbit change NetworkManager connection
# profiles and their activation state as root, without a password.
#
# NOTE(review): every rule in this group ends in '*', and a sudoers '*'
# matches across argument boundaries. Apart from 'add type wifi', nothing
# here is limited to Wi-Fi profiles or to wlan0: modify/up/down/delete apply
# to whatever profile the caller names, with whatever arguments follow.
# This is the widest part of the whitelist, and a compromised orbit backend
# inherits all of it. Consider restricting the rules to a fixed profile-name
# prefix, or routing these calls through a root-owned wrapper that validates
# its arguments before invoking nmcli.

# The profile type is fixed to wifi; all remaining properties are caller-chosen.
orbit ALL=(root) NOPASSWD: /usr/bin/nmcli connection add type wifi *
orbit ALL=(root) NOPASSWD: /usr/bin/nmcli connection modify *
orbit ALL=(root) NOPASSWD: /usr/bin/nmcli connection up *
orbit ALL=(root) NOPASSWD: /usr/bin/nmcli connection down *
orbit ALL=(root) NOPASSWD: /usr/bin/nmcli connection delete *

# Per-user defaults for orbit: reset the environment, do not require a TTY
# (the TTY2 login context is given as the reason).
# These apply to every sudo invocation by orbit, not only to the nmcli rules
# in this file.
Defaults:orbit !requiretty
# env_reset is normally sudo's built-in default; stating it here keeps it in
# force for orbit even if a global Defaults line turns it off.
Defaults:orbit env_reset
