From d2efb0a55a73d1d49c2ab93984c8f12c57356ec2 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Mon, 15 Jun 2009 21:19:47 +0000 Subject: [PATCH] Add non-unix group bits, adapted from Quest --- sudo.pod | 14 +++++++++++--- sudoers.pod | 35 +++++++++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+), 3 deletions(-) diff --git a/sudo.pod b/sudo.pod index 7deec8b9f..a153e0aab 100644 --- a/sudo.pod +++ b/sudo.pod @@ -583,15 +583,23 @@ To get a file listing of an unreadable directory: $ sudo ls /usr/local/protected -To list the home directory of user yazza on a machine where the -file system holding ~yazza is not exported as root: +To list the home directory of user yaz on a machine where the +file system holding ~yaz is not exported as root: - $ sudo -u yazza ls ~yazza + $ sudo -u yaz ls ~yaz To edit the F file as user www: $ sudo -u www vi ~www/htdocs/index.html +To view system logs only accessible to root and users in the adm group: + + $ sudo -g adm view /var/log/syslog + +To run an editor as jim with a different primary group: + + $ sudo -u jim -g audio vi ~jim/sound.txt + To shutdown a machine: $ sudo shutdown -r +15 "quick reboot" diff --git a/sudoers.pod b/sudoers.pod index b329ab701..ab3c5e23b 100644 --- a/sudoers.pod +++ b/sudoers.pod @@ -116,6 +116,7 @@ The definitions of what constitutes a valid I member follow. '!'* '#'uid | '!'* '%'group | '!'* '+'netgroup | + '!'* '%:'nonunix_group | '!'* User_Alias A C is made up of one or more usernames, uids (prefixed 
@@ -124,6 +125,33 @@ with '+') and Ces. Each list item may be prefixed with zero or more '!' operators. An odd number of '!' operators negate the value of the item; an even number just cancel each other out. +A C, C, C and C may +be enclosed in double quotes to avoid the need for escaping special +characters. Alternately, special characters may be specified in +escaped hex mode, e.g. \x20 for space. + +The C syntax depends on the underlying implementation. +For instance, the QAS AD backend supports the following formats: + +=over 4 + +=item * + +Group in the same domain: "Group Name" + +=item * + +Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN" + +=item * + +Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567" + +=back + +Note that quotes around group names are optional. Unquoted strings must +use a backslash (\) to escape spaces and the '@' symbol. + Runas_List ::= Runas_Member | Runas_Member ',' Runas_List @@ -1259,6 +1287,7 @@ these are a bit contrived. First, we define our I: # Runas alias specification Runas_Alias OP = root, operator Runas_Alias DB = oracle, sybase + Runas_Alias ADMINGRP = adm, oper # Host alias specification Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ @@ -1352,6 +1381,12 @@ The user B may only L to operator. pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root + %opers ALL = (: ADMINGRP) /usr/sbin/ + +Users in the B group may run commands in F as themselves +with any group in the I C (the B and B +groups). + The user B is allowed to change anyone's password except for root on the I machines. Note that this assumes L does not take multiple usernames on the command line.
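Review bot: the two new examples in the sudo.pod hunk (`$ sudo -g adm view /var/log/syslog` and `$ sudo -u jim -g audio vi ~jim/sound.txt`) are the only change to sudo.pod in this patch, so the `-g` option they rely on is not described anywhere in the diff; confirm that the OPTIONS section of sudo.pod already documents `-g group` and that it says the requested group must be allowed by the sudoers Runas group list (the `(: ADMINGRP)` form added in sudoers.pod), otherwise a reader of the EXAMPLES section has no reference for the flag. The `yazza` to `yaz` rename in the same hunk is unrelated to the non-Unix group feature and would be cleaner as a separate commit.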
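Review bot: the grammar change in the first sudoers.pod hunk adds `'!'* '%:'nonunix_group |` to the User_List production, but the prose that follows it, starting at the unchanged context line `A C is made up of one or more usernames, uids (prefixed` and continuing into the next hunk with `with '+') and Ces.`, still enumerates only the pre-existing member kinds and never mentions non-Unix groups or the `%:` prefix; extend that sentence (e.g. "non-Unix groups (prefixed with '%:')") so the description matches the grammar it sits under.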
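Review bot: the second sudoers.pod hunk states that the nonunix_group syntax `depends on the underlying implementation` and documents only the QAS AD backend, but it does not say what happens on a host where sudo has no non-Unix group backend, i.e. whether a `%:` entry is rejected when sudoers is parsed or is accepted and silently never matches; state this explicitly, because an entry that never matches reads as a granted rule while not being one. All three formats in the `=over 4` list are shown quoted while the closing paragraph says quotes are optional and that unquoted strings escape spaces and `@` with a backslash (or `\x20` hex escapes); showing one unquoted, escaped spelling alongside would illustrate both forms. Minor: `Alternately` reads better as `Alternatively`.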
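Review bot: in the third sudoers.pod hunk, `Runas_Alias ADMINGRP = adm, oper` is the first Runas_Alias in the example whose members are groups rather than users, yet it sits under `# Runas alias specification` beside `Runas_Alias OP = root, operator` and `Runas_Alias DB = oracle, sybase` with nothing marking the difference; since the same alias is later used in the group position of `(: ADMINGRP)`, add a short comment on that line, or a sentence in the Runas_Alias description, saying that an alias placed after the ':' is interpreted as a list of groups, so readers do not take `adm` and `oper` for user names.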
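Review bot: the last sudoers.pod hunk inserts `%opers ALL = (: ADMINGRP) /usr/sbin/` and its explanatory paragraph between the `pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root` rule and the unchanged paragraph `The user B is allowed to change anyone's password except for root`, which describes pete's rule; move the new rule and its paragraph below pete's explanation so each rule stays adjacent to its description. The new paragraph should also say how a member of opers selects the group: with the user part of `(: ADMINGRP)` empty the command always runs as the invoking user, and the group only changes when requested with `-g` (the flag the sudo.pod examples use), e.g. `sudo -g adm` followed by a command under `/usr/sbin/`.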