Document that the target user's groups may be specified via the -g option.

doc/sudo.cat

@@ -167,7 +167,9 @@ DDEESSCCRRIIPPTTIIOONN
                  require that the `#' be escaped with a backslash (`\').  If
                  no --uu option is specified, the command will be run as the
                  invoking user.  In either case, the primary group will be set
-                 to _g_r_o_u_p.
+                 to _g_r_o_u_p.  The _s_u_d_o_e_r_s policy permits any of the target
+                 user's groups to be specified via the --gg option as long as
+                 the --PP option is not in use.
 
      --HH, ----sseett--hhoommee
                  Request that the security policy set the HOME environment
@@ -736,4 +738,4 @@ DDIISSCCLLAAIIMMEERR
      file distributed with ssuuddoo or https://www.sudo.ws/license.html for
      complete details.
 
-Sudo 1.8.26                    October 13, 2018                    Sudo 1.8.26
+Sudo 1.8.26                    October 27, 2018                    Sudo 1.8.26

doc/sudo.man.in

@@ -19,7 +19,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.TH "SUDO" "8" "October 13, 2018" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
+.TH "SUDO" "8" "October 27, 2018" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -363,6 +363,14 @@ If no
 option is specified, the command will be run as the invoking user.
 In either case, the primary group will be set to
 \fIgroup\fR.
+The
+\fIsudoers\fR
+policy permits any of the target user's groups to be specified via
+the
+\fB\-g\fR
+option as long as the
+\fB\-P\fR
+option is not in use.
 .TP 12n
 \fB\-H\fR, \fB\--set-home\fR
 Request that the security policy set the

doc/sudo.mdoc.in

@@ -18,7 +18,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.Dd October 13, 2018
+.Dd October 27, 2018
 .Dt SUDO @mansectsu@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -330,6 +330,14 @@ If no
 option is specified, the command will be run as the invoking user.
 In either case, the primary group will be set to
 .Ar group .
+The
+.Em sudoers
+policy permits any of the target user's groups to be specified via
+the
+.Fl g
+option as long as the
+.Fl P
+option is not in use.
 .It Fl H , -set-home
 Request that the security policy set the
 .Ev HOME

doc/sudoers.cat

@@ -530,15 +530,16 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
      defined above) separated by a colon (`:') and enclosed in a set of
      parentheses.  The first Runas_List indicates which users the command may
      be run as via ssuuddoo's --uu option.  The second defines a list of groups that
-     can be specified via ssuuddoo's --gg option.  If both Runas_Lists are
-     specified, the command may be run with any combination of users and
-     groups listed in their respective Runas_Lists. If only the first is
-     specified, the command may be run as any user in the list but no --gg
-     option may be specified.  If the first Runas_List is empty but the second
-     is specified, the command may be run as the invoking user with the group
-     set to any listed in the Runas_List.  If both Runas_Lists are empty, the
-     command may only be run as the invoking user.  If no Runas_Spec is
-     specified the command may be run as rroooott and no group may be specified.
+     can be specified via ssuuddoo's --gg option in addition to any of the target
+     user's groups.  If both Runas_Lists are specified, the command may be run
+     with any combination of users and groups listed in their respective
+     Runas_Lists. If only the first is specified, the command may be run as
+     any user in the list but no --gg option may be specified.  If the first
+     Runas_List is empty but the second is specified, the command may be run
+     as the invoking user with the group set to any listed in the Runas_List.
+     If both Runas_Lists are empty, the command may only be run as the
+     invoking user.  If no Runas_Spec is specified the command may be run as
+     rroooott and no group may be specified.
 
      A Runas_Spec sets the default for the commands that follow it.  What this
      means is that for the entry:
@@ -2927,4 +2928,4 @@ DDIISSCCLLAAIIMMEERR
      file distributed with ssuuddoo or https://www.sudo.ws/license.html for
      complete details.
 
-Sudo 1.8.26                     October 7, 2018                    Sudo 1.8.26
+Sudo 1.8.26                    October 27, 2018                    Sudo 1.8.26

doc/sudoers.man.in

@@ -19,7 +19,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.TH "SUDOERS" "5" "October 7, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "5" "October 27, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -1092,7 +1092,7 @@ option.
 The second defines a list of groups that can be specified via
 \fBsudo\fR's
 \fB\-g\fR
-option.
+option in addition to any of the target user's groups.
 If both
 \fRRunas_List\fRs
 are specified, the command may be run with any combination of users

doc/sudoers.mdoc.in

@@ -18,7 +18,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.Dd October 7, 2018
+.Dd October 27, 2018
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -1045,7 +1045,7 @@ option.
 The second defines a list of groups that can be specified via
 .Nm sudo Ns 's
 .Fl g
-option.
+option in addition to any of the target user's groups.
 If both
 .Li Runas_List Ns s
 are specified, the command may be run with any combination of users