On my Linux machine, I (my user) have a main group and multiple other groups (note I belong to group 150):
$ id -u; id -g; id -G
1000
1000
1000 6 21 91 97 150 190 465 996 1003
I need to isolate a command into a user namespace. I use unshare --user for that:
$ unshare --user --map-user=4000 --map-group=4000 bash -c 'id -u; id -g; id -G'
4000
4000
4000 65534
(Note that all groups I belonged to are kept but, as most of them are not mapped in the new user namespace, they are replaced by the overflow group, 65534, "nobody", or "nogroup". A call to getgroups confirms that by returning the list "1000 65534 65534 65534 65534 65534 65534 65534 65534 65534". id deduplicates that list.)
I'm not allowed, as a user, to map any group excepted the effective group in parent namespace (1000). But here, I do need to use one of my supplementary group to run an executable with escalated privileges (note that /usr/bin/dumpcap may be executed only if one is in the group 150, in which I am in the outer namespace):
$ ls -n /usr/bin/dumpcap
-rwxr-xr-- 1 0 150 116928 Jun 7 21:16 /usr/bin/dumpcap
$ getcap /usr/bin/dumpcap
/usr/bin/dumpcap cap_dac_override,cap_net_admin,cap_net_raw=eip
Is there a way to make a group in the user namespace mapped to a supplementary group I belong to in the parent namespace (here 150)? —Without CAP_SETGID of course, it would be too easy. ;-)