The line "Defaults listpw=never" in sudoers does not work as documented: "sudo -l" still requires a password from the user instead of showing the permitted commands.
Could you give me more details about how to reproduce it? I've tested here and couldn't.
Created attachment 200951: A complete sudoers file
(In reply to Renato Botelho from comment #1) I have attached my complete sudoers file without any redacting. However when a member of the "user" group runs "sudo -l" she is asked for a password.
Have you been able to reproduce the problem with my sudoers file? Just in case they are useful, I'm posting the build options:

Options :
    AUDIT : on
    DISABLE_AUTH : off
    DISABLE_ROOT_SUDO: off
    DOCS : on
    EXAMPLES : on
    GSSAPI_BASE : off
    GSSAPI_HEIMDAL : off
    GSSAPI_MIT : off
    INSULTS : off
    LDAP : off
    NLS : off
    NOARGS_SHELL : off
    OPIE : off
    PAM : on
    SSSD : off
ping!
I managed to reproduce the issue here and opened a ticket upstream [1]. While it's not fixed you can work around it using listpw=any and configuring an entry allowing %user to run /usr/bin/false with NOPASSWD: set.

[1] https://bugzilla.sudo.ws/show_bug.cgi?id=869
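The workaround from the comment above, written out as a sudoers fragment. This is an added example, not part of the original comment and not taken from the reporter's attached file; the host and run-as fields (`ALL = (root)`) are assumptions. It relies on the documented meaning of `listpw=any`: one NOPASSWD entry for the current host is enough for `sudo -l` to skip the password.

```sudoers
# Affected setting from the report: it should make "sudo -l" never prompt,
# but it prompts anyway on builds without the fix.
#Defaults listpw=never

# Workaround: with "any", "sudo -l" skips the password when at least one of
# the user's entries for the current host carries NOPASSWD.
Defaults listpw=any

# Harmless NOPASSWD entry for the group named in the report. /usr/bin/false
# only exits non-zero, so the entry grants nothing useful.
# Host and run-as fields are assumptions made for this example.
%user ALL = (root) NOPASSWD: /usr/bin/false

# To check: validate the syntax with "visudo -c", then run "sudo -n -l" as a
# member of the group. With -n, sudo fails instead of prompting if a password
# is still required.
```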
A commit references this bug:

Author: garga
Date: Tue Jan 22 13:51:16 UTC 2019
New revision: 490951
URL: https://svnweb.freebsd.org/changeset/ports/490951

Log:
  security/sudo: Fix listpw=never

  When listpw=never is set, 'sudo -l' is expected to run without asking for a password.

  PR: 234756
  Reported by: vas@mpeks.tomsk.su
  Obtained from: https://bugzilla.sudo.ws/show_bug.cgi?id=869
  Sponsored by: Rubicon Communications, LLC (Netgate)

Changes:
  head/security/sudo/Makefile
  head/security/sudo/files/patch-plugins_sudoers_parse.c
Fix committed to 1.8.27_1