I would like being able to specify one or more supplementary groups for a command in sudoers that will be added to the set of supplementary groups when using command, while leaving the primary group as is. 

Rationale:
There are various system groups that give additional access to users. Examples: audio (using the soundcard), video (using the camera), sudo (being able to use sudo). Normally if you want to give a user one of these types of additional access you just add him/her to the corresponding group in /etc/group and each time he/she logs in, that group will be added to his supplementary group set.

However, there are circumstances where you dont want the user complete access to a resource but just while running a particular command/program (same things as when you use sudo to allow users to run a particular command as root but not doing other things as root). The normal way to achive this I guess is to specify (:group) in sudoers and the user can use sudo -g group. The problem with this is that, since sudo sets the primary group id, any files that are created while the user is running the program are created with that group id rather than the users normal primary group. And since the user owns the file he/she can just edit it (for example making it a shell script that runs a shell), do chmod g+s on it, and run it, and he/she has full access to everything the group has access to.

In my case I'm creating a restricted environment where the only way to access the internet is through running a special web browser through sudo. But I still want the users to be able to download files, and the files should be created with the users normal uid and gid.

Thanks