Comment 24 for bug 1729357

Aleksa Sarai (cyphar) wrote :

https://github.com/shadow-maint/shadow/pull/97 is my proposed patch. It currently only deals with the immediate security issue of allowing users that don't have

  % echo "$(whoami):$(id -g):1" >> /etc/setgid

... set up. I've tested this with a couple of different setups and it appears to preserve behaviour when you're mapping subgid'd groups, but it restricts setgroups if the mapping is a fallback one. I was working on a patch for the flags code, but there's a lot of magic in the parsing code for that -- so I will work on that separately.