[sudo-users] use of sudo with -g option

Todd C. Miller Todd.Miller at courtesan.com
Thu May 20 09:53:05 EDT 2010

There were bugs in the -g support in sudo 1.7.0 that have since
been fixed.  Specifically, sudo 1.7.0 would set the real gid to the
value specified via -g but not the effective gid.

As for documentation, see the Runas_Spec section of the sudoers manual.
Here's the relevant portion:

    A Runas_Spec determines the user and/or the group that a command
    may be run as.  A fully-specified Runas_Spec consists of two
    Runas_Lists (as defined above) separated by a colon (':') and
    enclosed in a set of parentheses.  The first Runas_List indicates
    which users the command may be run as via sudo's -u option.
    The second defines a list of groups that can be specified via
    sudo's -g option.  If both Runas_Lists are specified, the command
    may be run with any combination of users and groups listed in
    their respective Runas_Lists.  If only the first is specified,
    the command may be run as any user in the list but no -g option
    may be specified.  If the first Runas_List is empty but the
    second is specified, the command may be run as the invoking
    user with the group set to any listed in the Runas_List.  If
    no Runas_Spec is specified the command may be run as root and
    no group may be specified.

 - todd

More information about the sudo-users mailing list