Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Date:   Thu, 28 Mar 2019 13:05:03 -0500
From:   "Serge E. Hallyn" <serge@hallyn.com>
To:     Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc:     "Eric W. Biederman" <ebiederm@xmission.com>,
        lkml <linux-kernel@vger.kernel.org>,
        "Serge E. Hallyn" <serge@hallyn.com>
Subject: Re: Allowing mapping supplemental groups in user namespace?
Message-ID: <20190328180503.GA16249@mail.hallyn.com>
References: <CAKdAkRQj=bSSL2Cw3gAqi5f12yP3+KsvtrMvU4Lcfta_JYxMYQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAKdAkRQj=bSSL2Cw3gAqi5f12yP3+KsvtrMvU4Lcfta_JYxMYQ@mail.gmail.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

On Thu, Feb 28, 2019 at 11:27:38AM -0800, Dmitry Torokhov wrote:
> Hi Eric,
> 
> Currently, unless caller has CAP_SETGID in parent namespace, we can
> only map effective group id in the new user namespace. Would it be
> possible to relax this rule to also allow mapping of supplemental
> groups (1:1) of the caller?
> 
> Thanks.
> 
> -- 
> Dmitry

Hi,

Is there a use case where adding those to /etc/subgid is onerous?
(There probably is, just would like to see yours)

thanks,
-serge