NOPASSWD and PASSWD cannot handle commands in Cmnd_Spec_List

[BriocheBerlin]

The documentation states:

[...] the NOPASSWD tag sets a default for the commands that follow it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used to reverse things. For example:

ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
[...]
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lp

Currently this does not work for sudo-rs, relevant tests:
https://github.com/memorysafety/sudo-rs/blob/b8e57586fa9ed0985d8ac71fac11a4bdcc884350/test-framework/sudo-compliance-tests/src/nopasswd.rs#L65

and

https://github.com/memorysafety/sudo-rs/blob/b8e57586fa9ed0985d8ac71fac11a4bdcc884350/test-framework/sudo-compliance-tests/src/passwd.rs#L19

However NOPASSWD can handle ALL, e.g. {USERNAME} ALL=(ALL:ALL) NOPASSWD: ALL.

[squell]

This is probably due to the different pathname matching between ogsudo and sudo; e.g. ls will resolve to /usr/bin/ls instead of /bin/ls. (I.e. ogsudo uses matching based on whether the files inodes' match, sudo-rs uses absolute paths--we haven't spent effort on inode-based matching since Todd warned us there were issues with that).

[squell]

See commit 8333926.

The path-issue (that is more noticeable now that we switched the CI to bookworm) is addressed in #561 (which I'm writing a compliance test for).