docs(sudoers): fix EBNF to distinguish Runas user and group lists #529

Merged: millert merged 1 commit into sudo-project:main from pierluigilenoci:fix/sudoers-ebnf-man on May 20, 2026
@pierluigilenoci
Contributor

Summary

Fixes #520 — The EBNF grammar for Runas_Spec used a single Runas_List for both the user and group portions, but the sudoers parser does not accept %-prefixed groups (e.g., %group, %#gid, %:nonunix_group, %:#nonunix_gid) in the group position (after the colon).

As @millert noted in #520 (comment):

You are correct that, e.g. %#1000 is not permitted in the group portion of a Runas_Spec. Fixing that would probably mean specifying a separate Runas_UserList and Runas_GroupList or something similar.

This patch does exactly that — it splits the EBNF definitions into separate types:

  • Runas_User_List / Runas_User: retains the full set of members (user names, UIDs, %group, %#gid, %:nonunix_group, %:#nonunix_gid, +netgroup, Runas_Alias, ALL)
  • Runas_Group_List / Runas_Group: only group name, #group-ID, +netgroup, Runas_Alias, and ALL

Changes in docs/sudoers.mdoc.in

  • Replaced Runas_List / Runas_Member with Runas_User_List / Runas_User and Runas_Group_List / Runas_Group
  • Updated Runas_Spec rule to use the new types
  • Updated Runas_Alias_Spec and Defaults> syntax to reference Runas_User_List
  • Updated surrounding prose in the Runas_Spec section to use the new type names

Note

This PR was generated with the assistance of AI tooling, with human review and validation.
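
An added example, not part of this PR or of sudo's own code: a small Python checker that applies the user/group split described above to a Runas_Spec string and reports members the group position does not allow. The function names are hypothetical, alias detection assumes upper-case alias names, and quoted or escaped names are not handled.

```python
import re

# Member kinds each position accepts, following the split grammar in this PR.
USER_KINDS = {"name", "id", "group", "gid", "nonunix_group", "nonunix_gid",
              "netgroup", "alias", "ALL"}
GROUP_KINDS = {"name", "id", "netgroup", "alias", "ALL"}

# Longest prefixes first so "%:#" is not mistaken for "%:" or "%".
PREFIXES = (("%:#", "nonunix_gid"), ("%:", "nonunix_group"), ("%#", "gid"),
            ("%", "group"), ("+", "netgroup"), ("#", "id"))
ALIAS = re.compile(r"[A-Z][A-Z0-9_]*")  # assumption: aliases are upper-case


def classify(member):
    """Name the syntactic form of one Runas member (leading '!' ignored)."""
    m = member.lstrip("!")
    if m == "ALL":
        return "ALL"
    for prefix, kind in PREFIXES:
        if m.startswith(prefix):
            return kind if len(m) > len(prefix) else "empty"
    if not m:
        return "empty"
    return "alias" if ALIAS.fullmatch(m) else "name"


def check_runas_spec(spec):
    """Return (position, member, kind) for each member the grammar rejects."""
    spec = spec.strip()
    if not (spec.startswith("(") and spec.endswith(")")):
        raise ValueError("Runas_Spec must be enclosed in parentheses")
    # The user/group separator is the first ':' not part of a "%:" prefix.
    parts = re.split(r"(?<!%):", spec[1:-1], maxsplit=1)
    parts.append("")  # the group list is optional
    rejected = []
    for position, text, allowed in (("user", parts[0], USER_KINDS),
                                    ("group", parts[1], GROUP_KINDS)):
        members = [m.strip() for m in text.split(",")] if text.strip() else []
        for member in members:
            kind = classify(member)
            if kind not in allowed:
                rejected.append((position, member, kind))
    return rejected


if __name__ == "__main__":
    # Constructed sample specs, not taken from any real sudoers file.
    for sample in ("(root, %wheel : operator, #10)", "(root : %#1000, %wheel)"):
        print(sample, "->", check_runas_spec(sample) or "accepted")
```
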

The Runas_Spec grammar used a single Runas_List for both the user
and group portions, but the sudoers parser does not accept %-prefixed
groups (e.g., %group, %#gid, %:nonunix_group, %:#nonunix_gid) in
the group position after the colon.

Split Runas_List/Runas_Member into:
- Runas_User_List/Runas_User: the full set of members (user names,
  UIDs, %group, %#gid, %:nonunix_group, %:#nonunix_gid, +netgroup,
  Runas_Alias, ALL)
- Runas_Group_List/Runas_Group: only group names, #group-ID,
  +netgroup, Runas_Alias, and ALL

Update the Runas_Spec rule, Runas_Alias_Spec, Defaults> syntax, and
the surrounding prose to use the new type names.

Fixes: sudo-project#520
Signed-off-by: Pierluigi Lenoci <pierluigilenoci@gmail.com>
@pierluigilenoci
Contributor Author

Hi — friendly ping. Is this PR still on the radar for review? Happy to rebase or make changes if needed. Thanks!

@pierluigilenoci
Contributor Author

Hi — friendly follow-up. CI is green and all checks pass. Would you be able to review when you get a chance? Thank you!

Collaborator

@millert millert left a comment

Looks good, thanks!

@millert millert merged commit 096ee0e into sudo-project:main May 20, 2026

Development

Successfully merging this pull request may close these issues.

man:sudoers(5) EBNF issue