I reinstalled and doas works fine again for that purpose.  Although, I did custom instead of doas no password.

Then, I did doas poweroff and doas reboot in their respective places. Now I can shutdown and reboot the way I want.

reinstalling sadly hasn't fixed my wine bug though.

I agree. Lots of things aren't a problem for people who understand their system. The issue is non-technical users.  Sadly it is those same user who will not made the effort to configure their system properly. Of course I'm sure those users are using sudo, so it's not an issue.

But it still seems that you could still do damage with a fake executable, even if a password is required.  Just put it in the local path (in $HOME)  like I did with the whoami example above and the user will be tricked to give the password.

of course a better example would be apt because why would you you'd be less likely to use root for whoami.

I created a fake whoami file in my local path ~/.local/bin/ that simply echos HAHA!  The results:

regular user - runs the fake whoami
with sudo - runs the real whoami
with doas - runs the fake whoami

Yep security issue.  So you might want to use full path when adding nopass commands.

update : Does not affect nopass commands. See post below.

#!/bin/bash
echo In fake poweroff script
id

If that says it's running as root you have a security hole. A malicious person could add something like rm -rF / to it.

OK I got it all figured out.  It's so simple I can't believe it cause this much trouble. It can be summed up by saying the configuration is very specific. nopass is only allowed if it's exactly as it is in the file. So to sum this all up.

1. If you configure it with args then you have to use the args or it won't work
2. If you configure it with the full path you must use the full path - many graphical apps will need this. For example JWMKit.
3. The reverse is true if you configure as the command line only the command will not work if you do the full path.

So the args do work for me, but I tested without the args assuming it world work with or without them.
When I tested in the terminal it did not work because I did not use the full path as configured in my file.
This is why it worked with the scripts, and graphical apps, as they did use the full path.

So I will configure with multiple combinations.

full path with args
full path without args.
no path with args
no path without args

permit nopass user as root cmd poweroff args -f
permit nopass user as root cmd poweroff
permit nopass user as root cmd /sbin/poweroff args -f
permit nopass user as root cmd /sbin/poweroff

Does any one feel dumb now

To be fair I would expect it to know that poweroff is the same as /sbin/poweroff since /sbin/ is in the exec path.  Also I would expect the args to be optional.  Maybe requiring it to be exact adds extra security. I mean you could easily manipulate the exec path to hack the system. right?

In a way we were all correct, it's just the configuration wasn't specific enough for zappers setup where he wanted to use both the commandline (no path with args) and jwmkit (path, and no args)

works

will repeat with seatd & lightdm (if I can)

will repeat with seatd

I will replace dummy-logind with vanilla, and do again
I'll be back

Also I use xserver-xorg-legacy /etc/Xwrapper.config
and I don't use a login manager

aaaggghhh!