# Let the fileshare service user manage its own unit (and its journal)
# without a password so the `fileshareSRV` wrapper works seamlessly.
#
# Tight argument shapes — no trailing `*` — so the fileshare user CANNOT
# pivot through `journalctl _SYSTEMD_UNIT=sshd.service`, `--root=/`,
# `-D /other/journal`, etc., to read logs from unrelated units. Each line
# below matches a single concrete call site in the fileshareSRV wrapper;
# update both files together when adding a new invocation.

Cmnd_Alias FILESHARE_CTL = \
    /usr/bin/systemctl start  fileshare-company-server, \
    /usr/bin/systemctl stop   fileshare-company-server, \
    /usr/bin/systemctl restart fileshare-company-server, \
    /usr/bin/systemctl reload fileshare-company-server, \
    /usr/bin/systemctl enable fileshare-company-server, \
    /usr/bin/systemctl disable fileshare-company-server

# Wrapper-specific journalctl shapes. The `--since=*` form expands a
# single token: it matches `--since=2026-05-29 12:00:00` but NOT extra
# trailing args (sudoers wildcards never cross whitespace), so an
# attacker cannot append `_SYSTEMD_UNIT=sshd` to leak other units' logs.
Cmnd_Alias FILESHARE_LOG = \
    /usr/bin/journalctl -u fileshare-company-server --since=* --no-pager -o cat, \
    /usr/bin/journalctl -u fileshare-company-server --no-pager -o cat, \
    /usr/bin/journalctl -u fileshare-company-server -f

fileshare ALL=(root) NOPASSWD: FILESHARE_CTL, FILESHARE_LOG
