was runnable even when denied by sudoers when using the LDAP or
SSSD backends.
+ * The match_group_by_gid Defaults option has been added to allow
+ sites where group name resolution is slow and where sudoers only
+ contains a small number of groups to match groups by group ID
+ instead of by group name.
+
What's new in Sudo 1.8.17p1
* Fixed a bug introduced in 1.8.17 where the user's groups were
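Review bot: The NEWS entry for match_group_by_gid does not say that the option is off by default, so someone reading only the release notes cannot tell whether group matching changes on upgrade. Suggest adding a short clause to that effect, as the manual text in this patch does ("This flag is off by default"). The sentence is also hard to parse because two "where" clauses sit between "allow sites" and "to match groups"; splitting it into two sentences would help.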
invoking user is not in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. This flag is
_\bo_\bn by default.
+ match_group_by_gid
+ By default, when matching groups, s\bsu\bud\bdo\boe\ber\brs\bs will first
+ resolve all the user's group IDs to group names and
+ then compare those group names to any group names
+ listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. This works well on systems
+ where the number of groups listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file
+ is larger than the number of groups a typical user
+ belongs to. On systems where group lookups are slow,
+ where users may belong to a large number of groups, and
+ where the number of groups listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file
+ is relatively small, it may be prohibitively expensive
+ and running commands via s\bsu\bud\bdo\bo may take longer than
+ normal. On such systems it may be faster to use the
+ _\bm_\ba_\bt_\bc_\bh_\b__\bg_\br_\bo_\bu_\bp_\b__\bb_\by_\b__\bg_\bi_\bd flag to avoid resolving the user's
+ group IDs to group names and instead resolve all group
+ names listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file, matching by group ID
+ instead of by group name. This flag is _\bo_\bf_\bf by default.
+
netgroup_tuple If set, netgroup lookups will be performed using the
full netgroup tuple: host name, user name and domain
(if one is set). Historically, s\bsu\bud\bdo\bo only matched the
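Review bot: In the sentence beginning "On systems where group lookups are slow", the pronoun in "it may be prohibitively expensive" has no antecedent, and the sentence never says which operation is expensive. Suggest naming it, for example "resolving all of the user's group IDs to group names may be prohibitively expensive and running commands via sudo may take longer than normal". The same paragraph appears in the man and mdoc hunks of this patch, so the wording should be changed in all three places.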
file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for
complete details.
-Sudo 1.8.18 August 17, 2016 Sudo 1.8.18
+Sudo 1.8.18 August 30, 2016 Sudo 1.8.18
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.TH "SUDOERS" "5" "August 17, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "5" "August 30, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
\fI@mail_no_user@\fR
by default.
.TP 18n
+match_group_by_gid
+By default, when matching groups,
+\fBsudoers\fR
+will first resolve all the user's group IDs to group names and then
+compare those group names to any group names listed in the
+\fIsudoers\fR
+file.
+This works well on systems where the number of groups listed in the
+\fIsudoers\fR
+file is larger than the number of groups a typical user belongs to.
+On systems where group lookups are slow, where users may belong
+to a large number of groups, and where the number of groups listed
+in the
+\fIsudoers\fR
+file is relatively small, it may be prohibitively expensive and
+running commands via
+\fBsudo\fR
+may take longer than normal.
+On such systems it may be faster to use the
+\fImatch_group_by_gid\fR
+flag to avoid resolving the user's group IDs to group names and
+instead resolve all group names listed in the
+\fIsudoers\fR
+file, matching by group ID instead of by group name.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
netgroup_tuple
If set, netgroup lookups will be performed using the full netgroup
tuple: host name, user name and domain (if one is set).
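Review bot: The match_group_by_gid description does not say what happens to a group name listed in sudoers that cannot be resolved to a group ID, nor how two group names that share a group ID are treated once matching is done "by group ID instead of by group name". Both cases decide which users a group-based rule applies to, so please document them in this entry, even if only with one sentence each.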
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.Dd August 17, 2016
+.Dd August 30, 2016
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
This flag is
.Em @mail_no_user@
by default.
+.It match_group_by_gid
+By default, when matching groups,
+.Nm
+will first resolve all the user's group IDs to group names and then
+compare those group names to any group names listed in the
+.Em sudoers
+file.
+This works well on systems where the number of groups listed in the
+.Em sudoers
+file is larger than the number of groups a typical user belongs to.
+On systems where group lookups are slow, where users may belong
+to a large number of groups, and where the number of groups listed
+in the
+.Em sudoers
+file is relatively small, it may be prohibitively expensive and
+running commands via
+.Nm sudo
+may take longer than normal.
+On such systems it may be faster to use the
+.Em match_group_by_gid
+flag to avoid resolving the user's group IDs to group names and
+instead resolve all group names listed in the
+.Em sudoers
+file, matching by group ID instead of by group name.
+This flag is
+.Em off
+by default.
.It netgroup_tuple
If set, netgroup lookups will be performed using the full netgroup
tuple: host name, user name and domain (if one is set).
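Review bot: The match_group_by_gid entry speaks only of group names "listed in the sudoers file", while the NEWS context in this same patch mentions the LDAP and SSSD backends. Please state whether the flag also changes group matching for rules that come from those backends, so administrators know which policy sources are affected when they enable it.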