diff -up ./doc/sudoers.cat.lookup ./doc/sudoers.cat --- ./doc/sudoers.cat.lookup 2017-04-25 13:17:51.073190114 +0200 +++ ./doc/sudoers.cat 2017-04-25 13:17:51.081190069 +0200 
@@ -1140,24 +1140,39 @@ SSUUDDOOEERRSS OOPPTTIIOONN _o_n by default. match_group_by_gid - By default, when matching groups, ssuuddooeerrss will first - resolve all the user's group IDs to group names and - then compare those group names to any group names - listed in the _s_u_d_o_e_r_s file. This works well on systems - where the number of groups listed in the _s_u_d_o_e_r_s file - is larger than the number of groups a typical user - belongs to. On systems where group lookups are slow, - where users may belong to a large number of groups, and - where the number of groups listed in the _s_u_d_o_e_r_s file - is relatively small, it may be prohibitively expensive - and running commands via ssuuddoo may take longer than - normal. On such systems it may be faster to use the + By default, ssuuddooeerrss will look up each group the user is + a member of by group ID to determine the group name + (this is only done once). The resulting list of the + user's group names is used when matching groups listed + in the _s_u_d_o_e_r_s file. This works well on systems where + the number of groups listed in the _s_u_d_o_e_r_s file is + larger than the number of groups a typical user belongs + to. On systems where group lookups are slow, where + users may belong to a large number of groups, and where + the number of groups listed in the _s_u_d_o_e_r_s file is + relatively small, it may be prohibitively expensive and + running commands via ssuuddoo may take longer than normal. + On such systems it may be faster to use the _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d flag to avoid resolving the user's - group IDs to group names and instead resolve all group - names listed in the _s_u_d_o_e_r_s file, matching by group ID - instead of by group name. The _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d flag - has no effect when _s_u_d_o_e_r_s data is stored in LDAP. - This flag is _o_f_f by default. + group IDs to group names. 
In this case, ssuuddooeerrss must + look up any group name listed in the _s_u_d_o_e_r_s file and + use the group ID instead of the group name when + determining whether the user is a member of the group. + + Note that if _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d is enabled, group + database lookups performed by ssuuddooeerrss will be keyed by + group name as opposed to group ID. On systems where + there are multiple sources for the group database, it + is possible to have conflicting group names or group + IDs in the local _/_e_t_c_/_g_r_o_u_p file and the remote group + database. On such systems, enabling or disabling + _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d can be used to choose whether group + database queries are performed by name (enabled) or ID + (disabled), which may aid in working around group entry + conflicts. + + The _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d flag has no effect when _s_u_d_o_e_r_s + data is stored in LDAP. This flag is _o_f_f by default. This setting is only supported by version 1.8.18 or higher. diff -up ./doc/sudoers.man.in.lookup ./doc/sudoers.man.in --- ./doc/sudoers.man.in.lookup 2017-04-25 13:17:51.074190108 +0200 +++ ./doc/sudoers.man.in 2017-04-25 13:17:51.082190064 +0200 @@ -2423,10 +2423,12 @@ This flag is by default. .TP 18n match_group_by_gid -By default, when matching groups, +By default, \fBsudoers\fR -will first resolve all the user's group IDs to group names and then -compare those group names to any group names listed in the +will look up each group the user is a member of by group ID to +determine the group name (this is only done once). +The resulting list of the user's group names is used when matching +groups listed in the \fIsudoers\fR file. This works well on systems where the number of groups listed in the 
@@ -2442,10 +2444,29 @@ running commands via may take longer than normal. On such systems it may be faster to use the \fImatch_group_by_gid\fR -flag to avoid resolving the user's group IDs to group names and -instead resolve all group names listed in the +flag to avoid resolving the user's group IDs to group names. +In this case, +\fBsudoers\fR +must look up any group name listed in the \fIsudoers\fR -file, matching by group ID instead of by group name. +file and use the group ID instead of the group name when determining +whether the user is a member of the group. +.sp +Note that if +\fImatch_group_by_gid\fR +is enabled, group database lookups performed by +\fBsudoers\fR +will be keyed by group name as opposed to group ID. +On systems where there are multiple sources for the group database, +it is possible to have conflicting group names or group IDs in the local +\fI/etc/group\fR +file and the remote group database. +On such systems, enabling or disabling +\fImatch_group_by_gid\fR +can be used to choose whether group database queries are performed +by name (enabled) or ID (disabled), which may aid in working around +group entry conflicts. +.sp The \fImatch_group_by_gid\fR flag has no effect when diff -up ./doc/sudoers.mdoc.in.lookup ./doc/sudoers.mdoc.in --- ./doc/sudoers.mdoc.in.lookup 2017-04-25 13:17:51.075190102 +0200 +++ ./doc/sudoers.mdoc.in 2017-04-25 13:17:51.082190064 +0200 @@ -2268,10 +2268,12 @@ This flag is .Em @mail_no_user@ by default. .It match_group_by_gid -By default, when matching groups, +By default, .Nm -will first resolve all the user's group IDs to group names and then -compare those group names to any group names listed in the +will look up each group the user is a member of by group ID to +determine the group name (this is only done once). +The resulting list of the user's group names is used when matching +groups listed in the .Em sudoers file. This works well on systems where the number of groups listed in the 
@@ -2287,10 +2289,29 @@ running commands via may take longer than normal. On such systems it may be faster to use the .Em match_group_by_gid -flag to avoid resolving the user's group IDs to group names and -instead resolve all group names listed in the +flag to avoid resolving the user's group IDs to group names. +In this case, +.Nm +must look up any group name listed in the .Em sudoers -file, matching by group ID instead of by group name. +file and use the group ID instead of the group name when determining +whether the user is a member of the group. +.Pp +Note that if +.Em match_group_by_gid +is enabled, group database lookups performed by +.Nm +will be keyed by group name as opposed to group ID. +On systems where there are multiple sources for the group database, +it is possible to have conflicting group names or group IDs in the local +.Pa /etc/group +file and the remote group database. +On such systems, enabling or disabling +.Em match_group_by_gid +can be used to choose whether group database queries are performed +by name (enabled) or ID (disabled), which may aid in working around +group entry conflicts. +.Pp The .Em match_group_by_gid flag has no effect when
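Review bot: the parenthetical "(this is only done once)" in the rewritten opening sentence of the match_group_by_gid entry (sudoers.cat hunk at -1140, and the same sentence in the sudoers.man.in hunk at -2423 and the sudoers.mdoc.in hunk at -2268) is ambiguous: a reader cannot tell whether it means one lookup per group or one pass per sudo invocation. Since the whole paragraph is about when the lookup cost is paid, spell it out, e.g. "each group ID is resolved to a name once per sudo invocation and the resulting list is reused for every group match", adjusted to whatever the code actually does.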
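Review bot: the new "Note that if match_group_by_gid is enabled ..." paragraph (sudoers.cat hunk at -1140, sudoers.man.in hunk at -2442, sudoers.mdoc.in hunk at -2287) says the flag changes the lookup key and that it "may aid in working around group entry conflicts", but it never states the outcome a conflict produces, which is what an administrator needs in order to pick a setting safely. Suggest adding a sentence such as: "With the flag enabled, a group name in sudoers that cannot be resolved, or that resolves to a different group ID than the one the user holds, will not match; with it disabled, a group ID that resolves to a name not listed in sudoers will not match." It would also help to say that which source answers a by-name or by-ID query is decided by the system's name-service configuration rather than by sudoers, so the flag only selects the key, not the source.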
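Review bot: sudoers.cat is rendered output (the overstruck bold such as "ssuuddooeerrss" in the -1140 hunk is the formatter's work), so that file should be regenerated from sudoers.mdoc.in rather than patched by hand; a hand-edited copy will drift in wrapping and hyphenation from the source the next time the build regenerates it. The -1140 hunk happens to match the new mdoc wording, but dropping it from the patch and letting the build produce it removes the chance of the two going out of sync.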