Hello,

keinflue writes:

> I also had another look and I missed that effectively CAP_SETGID is
> required in the _parent_ namespace in order to use setgroups (because
> otherwise writing "deny" to /proc/[pid]/setgroups is essentially
> forced).
>
> But the same seems to also be required to map more than the own
> effective uid/gid of the process into the namespace.

Right, user_namespaces(7) makes it clear:

   • The data written to uid_map (gid_map) must consist of a single
     line that maps the writing process's effective user ID (group ID)
     in the parent user namespace to a user ID (group ID) in the user
     namespace.

> So I guess neither solution of dropping or mapping supplementary
> groups will work completely unprivileged and the only solution is to
> modify or disable the coreutils test case.

Yes, I came to this conclusion as well.

I believe the attached Coreutils patch should fix that (yet to be
tested).  Would be worth reporting upstream as well because in a way
it’s a failure of the test framework.

Thanks,
Ludo’.
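The single-line rule quoted above, as an added C example (not code from this thread, from Guix or from Coreutils): it forks a child, has the child unshare into a fresh user namespace, writes "deny" to setgroups and a one-line uid_map, and then tries gid_map twice, once with only its own effective gid and once with a second line that also maps egid+1. The enum and function names are made up for the example; it assumes Linux with /proc mounted and unprivileged user namespaces enabled, and reports PROBE_UNSUPPORTED when the namespace cannot be set up.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Value from <linux/sched.h>; spelled out so the example does not depend
   on feature-test macros being seen before the system headers. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif

/* Outcome of one probe (names are constructed for this example). */
enum probe_result {
    PROBE_OK = 0,          /* the gid_map write was accepted */
    PROBE_EPERM = 1,       /* the kernel refused gid_map with EPERM */
    PROBE_OTHER_ERROR = 2, /* some other failure while writing gid_map */
    PROBE_UNSUPPORTED = 3  /* namespace could not be created/initialised
                              here (unshare refused, /proc missing, ...) */
};

/* Write DATA to PATH with a single write(2); return 0 or -errno. */
static int write_file(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -errno;
    ssize_t n = write(fd, data, strlen(data));
    int err = (n < 0) ? -errno : 0;
    close(fd);
    return err;
}

/* Run the experiment in a forked child so the caller stays in its own
   namespace.  MAP_EXTRA_GROUP == 0 writes the one permitted line (own
   egid); 1 adds a second line mapping egid+1, which needs CAP_SETGID in
   the parent namespace.  The child sits inside the new namespace and has
   no capabilities in the parent, so the kernel answers EPERM. */
enum probe_result probe_gid_map(int map_extra_group)
{
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_OTHER_ERROR;

    if (pid == 0) {
        unsigned uid = (unsigned) geteuid();
        unsigned gid = (unsigned) getegid();
        char map[128];

        if (syscall(SYS_unshare, CLONE_NEWUSER) != 0)
            _exit(PROBE_UNSUPPORTED);
        /* "deny" has to be written before gid_map for an unprivileged map. */
        if (write_file("/proc/self/setgroups", "deny") != 0)
            _exit(PROBE_UNSUPPORTED);
        snprintf(map, sizeof map, "0 %u 1\n", uid);
        if (write_file("/proc/self/uid_map", map) != 0)
            _exit(PROBE_UNSUPPORTED);

        if (map_extra_group)
            snprintf(map, sizeof map, "0 %u 1\n1 %u 1\n", gid, gid + 1);
        else
            snprintf(map, sizeof map, "0 %u 1\n", gid);

        int err = write_file("/proc/self/gid_map", map);
        if (err == 0)
            _exit(PROBE_OK);
        _exit(err == -EPERM ? PROBE_EPERM : PROBE_OTHER_ERROR);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return PROBE_OTHER_ERROR;
    return (enum probe_result) WEXITSTATUS(status);
}

static const char *describe(enum probe_result r)
{
    switch (r) {
    case PROBE_OK:          return "accepted";
    case PROBE_EPERM:       return "refused (EPERM)";
    case PROBE_OTHER_ERROR: return "failed (other error)";
    default:                return "namespace setup not possible here";
    }
}

int main(void)
{
    printf("single line, own egid:    %s\n", describe(probe_gid_map(0)));
    printf("two lines, egid+1 added:  %s\n", describe(probe_gid_map(1)));
    return 0;
}
```

Run as an ordinary user: the one-line map is accepted and the two-line map comes back EPERM, which is exactly the wall the coreutils test hits. Mapping any group beyond the caller's own effective gid needs CAP_SETGID in the parent namespace, and the process that did the unshare has no capabilities there, so neither dropping nor mapping supplementary groups is available to an unprivileged build.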