From 8a4c881888ca14eaab67688825433c4c50615f73 Mon Sep 17 00:00:00 2001
From: Pierluigi Lenoci
Date: Fri, 24 Apr 2026 17:12:33 +0200
Subject: [PATCH] docs(sudoers): fix EBNF to distinguish Runas user and group lists

The Runas_Spec grammar used a single Runas_List for both the user and group portions, but the sudoers parser does not accept %-prefixed groups (e.g., %group, %#gid, %:nonunix_group, %:#nonunix_gid) in the group position after the colon.

Split Runas_List/Runas_Member into:
- Runas_User_List/Runas_User: the full set of members (user names, UIDs, %group, %#gid, %:nonunix_group, %:#nonunix_gid, +netgroup, Runas_Alias, ALL)
- Runas_Group_List/Runas_Group: only group names, #group-ID, +netgroup, Runas_Alias, and ALL

Update the Runas_Spec rule, Runas_Alias_Spec, Defaults> syntax, and the surrounding prose to use the new type names.

Fixes: https://github.com/sudo-project/sudo/issues/520
Signed-off-by: Pierluigi Lenoci
---
 docs/sudoers.mdoc.in | 72 +++++++++++++++++++++++++-------------------
 1 file changed, 41 insertions(+), 31 deletions(-)

diff --git a/docs/sudoers.mdoc.in b/docs/sudoers.mdoc.in
index aee0388800..f0f8103208 100644
--- a/docs/sudoers.mdoc.in
+++ b/docs/sudoers.mdoc.in
@@ -769,7 +769,7 @@ User_Alias_Spec ::= User_Alias '=' User_List
 Runas_Alias ::= NAME
-Runas_Alias_Spec ::= Runas_Alias '=' Runas_List
+Runas_Alias_Spec ::= Runas_Alias '=' Runas_User_List
 Host_Alias ::= NAME
@@ -911,22 +911,31 @@ See for a list of characters that need to be escaped.
 .Bd -literal
-Runas_List ::= Runas_Member |
- Runas_Member ',' Runas_List
+Runas_User_List ::= Runas_User |
+ Runas_User ',' Runas_User_List
-Runas_Member ::= '!'* user name |
- '!'* #user-ID |
- '!'* %group |
- '!'* %#group-ID |
- '!'* %:nonunix_group |
- '!'* %:#nonunix_gid |
- '!'* +netgroup |
- '!'* Runas_Alias |
- '!'* ALL
+Runas_User ::= '!'* user name |
+ '!'* #user-ID |
+ '!'* %group |
+ '!'* %#group-ID |
+ '!'* %:nonunix_group |
+ '!'* %:#nonunix_gid |
+ '!'* +netgroup |
+ '!'* Runas_Alias |
+ '!'* ALL
+
+Runas_Group_List ::= Runas_Group |
+ Runas_Group ',' Runas_Group_List
+
+Runas_Group ::= '!'* group name |
+ '!'* #group-ID |
+ '!'* +netgroup |
+ '!'* Runas_Alias |
+ '!'* ALL
 .Ed
 .Pp
 A
-.Em Runas_List
+.Em Runas_User_List
 is similar to a
 .Em User_List
 except that instead
@@ -943,7 +952,9 @@ and
 .Sy toor ) ,
 you can use a user-ID instead of a name (#0 in the example given).
 The user-ID or group-ID specified in a
-.Em Runas_Member
+.Em Runas_User
+or
+.Em Runas_Group
 need not be listed in the password or group database.
 .Bd -literal
 Host_List ::= Host |
@@ -1243,7 +1254,7 @@ Default_Type ::= 'Defaults' |
 'Defaults@' Host_List |
 'Defaults:' User_List |
 'Defaults!' Cmnd_List |
- 'Defaults>' Runas_List
+ 'Defaults>' Runas_User_List
 Default_Entry ::= Default_Type Parameter_List
@@ -1328,7 +1339,7 @@ Cmnd_Spec_List ::= Cmnd_Spec |
 Cmnd_Spec ::= Runas_Spec? Option_Spec* (Tag_Spec ':')* Cmnd
-Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
+Runas_Spec ::= '(' Runas_User_List? (':' Runas_Group_List)? ')'
 .ie \n(SL \{\
 .ie \n(PS Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)
@@ -1393,34 +1404,33 @@ determines the user and/or the group that a command may be run as.
 A fully-specified
 .Em Runas_Spec
-consists of two
-.Em Runas_List Ns s
+consists of a
+.Em Runas_User_List
+and a
+.Em Runas_Group_List
 (as defined above) separated by a colon
 .Pq Ql \&:
 and enclosed in a set of parentheses.
-The first
-.Em Runas_List
+The first list
+.Pq Em Runas_User_List
 indicates which users the command may be run as via the
 .Fl u
 option.
-The second defines a list of groups that may be specified via the
+The second list
+.Pq Em Runas_Group_List
+defines a list of groups that may be specified via the
 .Fl g
 option (in addition to any of the target user's groups).
-If both
-.Em Runas_List Ns s
+If both lists
 are specified, the command may be run with any combination of users
-and groups listed in their respective
-.Em Runas_List Ns s.
+and groups listed in their respective lists.
 If only the first is specified, the command may be run as any user in the list and, optionally, with any group the target user belongs to.
-If the first
-.Em Runas_List
-is empty but the
+If the first list is empty but the
 second is specified, the command may be run as the invoking user with the group set to any listed in the
-.Em Runas_List .
-If both
-.Em Runas_List Ns s
+.Em Runas_Group_List .
+If both lists
 are empty, the command may only be run as the invoking user and the group, if specified, must be one that the invoking user is a member of.
 If no