No problem
The allowance of all options is only if there are no options given at all, but then that would allow them to use tail to examine any file anywhere on the system and that is probably not what you want.
Code:
%groupname ALL=(ALL) NOPASSWD: /usr/bin/tail
Another option is to make the log files readable by the group in question.
Code:
sudo chgrp groupname /path/to/files/this.log
sudo chmod g=r /path/to/files/this.log
Then you'd also have to adjust the configuration for logrotate to keep those changes. In that way, the requirement for sudo can be eliminated.
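The logrotate adjustment mentioned in the post, as an added example that is not part of the original post: logrotate's `create mode owner group` directive sets the ownership and mode of the fresh log after rotation, and the function below checks a stanza for it. The stanzas are constructed samples using the post's placeholder path and group; the `check_create` name and the `root` owner are assumptions.

```shell
#!/bin/sh
# Added example. Stanzas are constructed samples; the path and "groupname"
# are the post's placeholders, and the "root" owner is an assumption.

# Before: rotation recreates the log as root:root 0600, undoing chgrp/chmod.
STANZA_BEFORE='/path/to/files/this.log {
    weekly
    rotate 4
    create 0600 root root
}'

# After: the new log comes back group-owned by groupname and group-readable.
STANZA_AFTER='/path/to/files/this.log {
    weekly
    rotate 4
    create 0640 root groupname
}'

# check_create STANZA GROUP
# Prints: ok | no-create | incomplete | wrong-group | no-group-read
check_create() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "create" {
            seen = 1
            # Only the full "create mode owner group" form pins all three.
            if (NF != 4) { print "incomplete"; exit }
            mode = $2
            gdigit = substr(mode, length(mode) - 1, 1) + 0  # group octal digit
            if ($4 != want)      print "wrong-group"
            else if (gdigit < 4) print "no-group-read"      # read bit is 4
            else                 print "ok"
            exit
        }
        # No create line: the stanza relies on inherited or default settings.
        END { if (!seen) print "no-create" }'
}

echo "before: $(check_create "$STANZA_BEFORE" groupname)"
echo "after:  $(check_create "$STANZA_AFTER" groupname)"
```

Running `logrotate -d` against the real configuration file shows what a rotation would do without changing any files.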