[sudo-users] use of sudo with -g option
Todd C. Miller
Todd.Miller at courtesan.com
Thu May 20 09:53:05 EDT 2010
There were bugs in the -g support in sudo 1.7.0 that have since
been fixed. Specifically, sudo 1.7.0 would set the real gid to the
value specified via -g but not the effective gid.
As for documentation, see the Runas_Spec section of the sudoers manual.
Here's the relevant portion:
A Runas_Spec determines the user and/or the group that a command
may be run as. A fully-specified Runas_Spec consists of two
Runas_Lists (as defined above) separated by a colon (':') and
enclosed in a set of parentheses. The first Runas_List indicates
which users the command may be run as via sudo's -u option.
The second defines a list of groups that can be specified via
sudo's -g option. If both Runas_Lists are specified, the command
may be run with any combination of users and groups listed in
their respective Runas_Lists. If only the first is specified,
the command may be run as any user in the list but no -g option
may be specified. If the first Runas_List is empty but the
second is specified, the command may be run as the invoking
user with the group set to any listed in the Runas_List. If
no Runas_Spec is specified the command may be run as root and
no group may be specified.
More information about the sudo-users