Separate out the supplemental group ID checks from the supplemental

group name checks in user_in_group().  We now call sudo_get_gidlist()
only when the group name in sudoers begins with a '#' (which is
seldom used).

plugins/sudoers/pwutil.c

@@ -943,16 +943,15 @@ user_in_group(const struct passwd *pw, const char *group)
     struct group_list *grlist = NULL;
     struct gid_list *gidlist = NULL;
     struct group *grp = NULL;
-    const char *errstr;
-    int i;
     bool matched = false;
+    int i;
     debug_decl(user_in_group, SUDOERS_DEBUG_NSS)
 
-    if ((gidlist = sudo_get_gidlist(pw)) != NULL) {
     /*
      * If it could be a sudo-style group ID check gids first.
      */
     if (group[0] == '#') {
+	const char *errstr;
 	gid_t gid = (gid_t) sudo_strtoid(group + 1, NULL, NULL, &errstr);
 	if (errstr != NULL) {
 	    sudo_debug_printf(SUDO_DEBUG_DIAG|SUDO_DEBUG_LINENO,
@@ -962,6 +961,7 @@ user_in_group(const struct passwd *pw, const char *group)
 		matched = true;
 		goto done;
 	    }
+	    if ((gidlist = sudo_get_gidlist(pw)) != NULL) {
 		for (i = 0; i < gidlist->ngids; i++) {
 		    if (gid == gidlist->gids[i]) {
 			matched = true;
@@ -970,10 +970,11 @@ user_in_group(const struct passwd *pw, const char *group)
 		}
 	    }
 	}
+    }
 
     /*
      * Next check the supplementary group vector.
-	 * It usually includes the password db group too.
+     * On BSD it includes the password db group too.
      */
     if ((grlist = sudo_get_grlist(pw)) != NULL) {
 	for (i = 0; i < grlist->ngroups; i++) {
@@ -991,13 +992,15 @@ user_in_group(const struct passwd *pw, const char *group)
 	    goto done;
 	}
     }
+
 done:
     if (grp != NULL)
 	sudo_gr_delref(grp);
     if (grlist != NULL)
 	sudo_grlist_delref(grlist);
+    if (gidlist != NULL)
 	sudo_gidlist_delref(gidlist);
-    }
+
     sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: user %s %sin group %s",
 	__func__, pw->pw_name, matched ? "" : "NOT ", group);
     debug_return_bool(matched);