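# TSID sudoers fragment (sudoers(5) syntax — despite the .ini-style look this is
# parsed by sudo, not by an INI reader).
# Install under /etc/sudoers.d/ with mode 0440 and validate with `visudo -cf <file>`
# before deploying: a parse error in any sudoers source typically makes sudo refuse
# to run at all.
# Rule order matters: when several entries match, the LAST matching one wins, so the
# deny (`!`) entries below must stay after the group grants they narrow.

# Extend secure_path to include /usr/local/bin for TSID commands.
# /usr/local/bin must remain writable by root only, since anything found there is
# what sudo will execute as root.
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin

# Rocky 9 enables match_group_by_gid by default; disable it so group matching is
# done by username, which avoids GID-based group lookups failing under nss_tsid.
Defaults    !match_group_by_gid

# lightdm/tsid-greeter run without a tty, so requiretty must be disabled for them
# (required on Rocky 9/10).
Defaults:lightdm    !requiretty
Defaults:tsid-greeter    !requiretty

# sudo/wheel group members can run sudo, but PAM requires TSID mobile approval.
# Ubuntu uses %sudo, Rocky/CentOS use %wheel.
%sudo ALL=(ALL:ALL) ALL
%wheel ALL=(ALL:ALL) ALL

# Deny tsid-client package removal (prevent accidental TSID removal).
# NOTE(review): sudoers(5) documents that '!' entries cannot reliably restrict a
# user who otherwise has ALL — they only match the exact command strings listed.
# Treat this as protection against accidents, not against a hostile admin; real
# protection (package locking/pinning, or not granting ALL) has to come from
# outside this file. The list also covers only %wheel and the RPM-family tools:
# %sudo (Ubuntu) currently has no equivalent entry.
%wheel ALL=(ALL:ALL) !/usr/bin/dnf remove* tsid-client, !/usr/bin/dnf erase* tsid-client, !/usr/bin/dnf uninstall* tsid-client
%wheel ALL=(ALL:ALL) !/usr/bin/yum remove* tsid-client, !/usr/bin/yum erase* tsid-client, !/usr/bin/yum uninstall* tsid-client
%wheel ALL=(ALL:ALL) !/usr/bin/rpm -e* tsid-client, !/usr/bin/rpm --erase* tsid-client

# TSID sudo configuration
# Allow the gdm/lightdm accounts to run the TSID auth wrapper as root without a password.
# NOPASSWD skips sudo's authentication step, so the TSID mobile-approval PAM check
# mentioned above does not gate any NOPASSWD rule in this file — these grants are
# reachable by the service account directly.
gdm ALL=(root) NOPASSWD: /usr/bin/tsid-auth-wrapper
lightdm ALL=(root) NOPASSWD: /usr/bin/tsid-auth-wrapper

# Allow the lightdm user to create temporary users and manage LightDM for QR login.
# In sudoers a command listed WITHOUT arguments matches ANY arguments; pinning a
# command to "no arguments" requires writing it as `/path ""`. A separate
# `/usr/sbin/useradd *` entry is therefore redundant with the line below and has
# been folded into it.
lightdm ALL=(root) NOPASSWD: /usr/sbin/useradd, /usr/bin/passwd
# Both systemctl locations are listed because the binary lives in /bin on some
# releases and /usr/bin on others (usrmerge).
lightdm ALL=(root) NOPASSWD: /bin/systemctl restart lightdm, /usr/bin/systemctl restart lightdm
# NOTE(review): `tee *` and `chmod *` with unrestricted arguments, together with
# `passwd` and `useradd` accepting any arguments, let the lightdm account rewrite
# arbitrary root-owned files and permissions and set any account's password — this
# is effectively full, unauthenticated root for that service account. Narrow each
# to the exact files/users the QR-login flow touches (compare the tsid-greeter rules
# below, which pin tee/chmod to /etc/gdm/custom.conf). Left unchanged here because
# the target paths are not known from this file — TODO confirm with the QR-login code.
lightdm ALL=(root) NOPASSWD: /usr/bin/tee *
lightdm ALL=(root) NOPASSWD: /bin/chmod *, /usr/bin/chmod *
lightdm ALL=(root) NOPASSWD: /bin/systemctl daemon-reload, /usr/bin/systemctl daemon-reload
# NOTE(review): this entry runs tee as ANY user and group, not just root, and so is
# strictly broader than the (root) tee rule above. Unless some caller needs
# `sudo -u <other-user> tee`, it should be dropped or changed to (root).
lightdm ALL=(ALL:ALL) NOPASSWD: /usr/bin/tee

# Allow the tsid-greeter user to manage GDM configuration and restart GDM
# (Rocky 10 GDM kiosk session). These rules pin the exact arguments, so tee/chmod
# can only touch /etc/gdm/custom.conf — this is the pattern the lightdm rules
# above should follow.
tsid-greeter ALL=(root) NOPASSWD: /usr/bin/tee /etc/gdm/custom.conf
tsid-greeter ALL=(root) NOPASSWD: /usr/bin/chmod 644 /etc/gdm/custom.conf
tsid-greeter ALL=(root) NOPASSWD: /usr/bin/systemctl stop gdm
tsid-greeter ALL=(root) NOPASSWD: /usr/bin/systemctl start gdm
tsid-greeter ALL=(root) NOPASSWD: /usr/bin/systemctl restart gdm

# Note: tsid-autologin-helper removed - PAM now handles session management directly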
