Re: The real culprit
Maybe someone can comment about whether SELinux capabilities would be good safety net against such mishaps.
Assuming the SELinux contexts were set up properly, the exploit as posted would be entirely obviated; newgrp has no need to write to sudoers, and would not be permitted to do so, even if it were being run by root.
That said, something like visudo (if installed) would get around that ;-(
 I've seen SELinux set up in pretty much an "allow everything" mode; it's *technicallly* running, but provides essentially no protection at all. This is, quite obviously, not how you're supposed to do things...