Subject: Re: SU_INDIRECT_GROUP
To: None <apb@cequrux.com>
From: Simon J. Gerraty <sjg@quick.com.au>
List: tech-security
Date: 01/19/2001 00:54:22
> getpwnam() will tell you whether a text string is a valid user name.  If
> it is a valid user name, then don't try to recurse into it as a group
> name.

Must admit I didn't consider that an option.  My expectation was that
people would find this feature useful if they have hundreds of usernames
that they want to be able to su.  Doing hundreds of getpwnam's
potentially via NIS didn't strike me as good.  Plus the fact that with
individual user groups, it's extremely rare that they should contain
additional users, so recursing into the group is not going to change
the result.

> But perhaps that's too expensive, in which case the documentation
> should warn people not to expect it to work.

Not to expect what to work?  Anyway, I think it's worth adding a
warning to carefully consider the content of the group database(s)
before enabling the feature.

Thanks for your input.
--sjg
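The trade-off discussed in this thread, as an added illustration rather than NetBSD's su.c: a member of the su group (wheel) may name either a user or another group, and an indirect-group walk has to decide which. The code below implements the walk twice, once recursing into every member that happens to also be a group name, and once applying the suggestion above of checking the user database first and never treating a valid user name as a group. It runs against constructed in-memory group and passwd tables (standing in for getgrnam(3)/getpwnam(3)) and includes the per-user group "bob" with an extra member "eve", which is exactly the case the warning about group database contents is about. The function names and the tables are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAXGROUPS 32

/* Constructed in-memory group and passwd databases, standing in for
 * getgrnam(3) and getpwnam(3) so the example runs offline. */
struct fake_group {
    const char *name;
    const char *members[8];   /* NULL-terminated */
};

static const struct fake_group groups[] = {
    { "wheel",  { "root", "alice", "admins", NULL } },
    { "admins", { "bob", "ops", NULL } },
    { "ops",    { "carol", "admins", NULL } },   /* admins -> ops -> admins cycle */
    { "bob",    { "bob", "eve", NULL } },        /* per-user group with an extra member */
    { NULL,     { NULL } }
};

static const char *users[] = { "root", "alice", "bob", "carol", "dave", "eve", NULL };

static const struct fake_group *lookup_group(const char *name)
{
    for (const struct fake_group *g = groups; g->name != NULL; g++)
        if (strcmp(g->name, name) == 0)
            return g;
    return NULL;
}

/* Stand-in for getpwnam(): is this a valid user name? */
static bool user_exists(const char *name)
{
    for (const char **u = users; *u != NULL; u++)
        if (strcmp(*u, name) == 0)
            return true;
    return false;
}

static bool walk(const char *group, const char *user, bool users_first,
                 const char **seen, int *nseen)
{
    /* Cycle guard: never expand the same group twice. */
    for (int i = 0; i < *nseen; i++)
        if (strcmp(seen[i], group) == 0)
            return false;
    if (*nseen >= MAXGROUPS)
        return false;
    seen[(*nseen)++] = group;

    const struct fake_group *g = lookup_group(group);
    if (g == NULL)
        return false;

    for (const char **m = g->members; *m != NULL; m++) {
        if (strcmp(*m, user) == 0)
            return true;              /* direct membership */
        if (users_first && user_exists(*m))
            continue;                 /* valid user name: never treat it as a group */
        if (lookup_group(*m) != NULL && walk(*m, user, users_first, seen, nseen))
            return true;              /* indirect membership through a nested group */
    }
    return false;
}

/* Is `user` allowed to su via `group` (wheel, typically), counting nested groups?
 * users_first selects the "check getpwnam() before recursing" variant. */
bool su_group_allows(const char *group, const char *user, bool users_first)
{
    const char *seen[MAXGROUPS];
    int nseen = 0;
    return walk(group, user, users_first, seen, &nseen);
}

int main(void)
{
    const char *cands[] = { "alice", "bob", "carol", "dave", "eve" };
    for (size_t i = 0; i < sizeof cands / sizeof cands[0]; i++)
        printf("%-6s recurse-all=%d users-first=%d\n", cands[i],
               (int)su_group_allows("wheel", cands[i], false),
               (int)su_group_allows("wheel", cands[i], true));
    return 0;
}
```

With these constructed tables, alice, bob and carol are admitted either way (carol through admins -> ops, and the admins/ops cycle terminates because each group is expanded at most once), dave is rejected either way, and eve is admitted only by the recurse-everything variant, via the per-user group "bob". That last row is the difference the two messages are arguing about: skipping the getpwnam() lookups is cheaper, but then any group that shares a name with a user silently extends who may su.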