Comment 10 for bug 1729357

Craig Furman (craigpivotal) wrote :

Thanks for replying Eric, but I'm having trouble reproducing what you've posted. I can't write the gid map until I've written deny to /proc/$pid/setgroups, not the other way around. There might be some nuance I've missed.

Also, newgidmap will allow a user to map their own GID to 0 in the user namespace, even when there is no entry for that user in /etc/subgid.

What if newgidmap wrote "deny" to /proc/$pid/setgroups unless the user is whitelisted in some config file, probably separate from /etc/subgid, as Stéphane suggested?
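The ordering Craig describes can be checked directly without newgidmap at all, by having an unprivileged process create its own user namespace and write the map files itself. The following is an added example for this thread, not code from the bug report or from shadow/newgidmap: it forks a child that calls unshare(CLONE_NEWUSER), writes a single-line uid_map, then tries gid_map before and after writing "deny" to /proc/self/setgroups. The stage codes, the helper names and the child/parent split are my own; the kernel rule being exercised is the one in user_namespaces(7): a writer without CAP_SETGID in the parent namespace may only write gid_map after setgroups has been denied. When the caller does hold CAP_SETGID (e.g. it is run as root), the first gid_map write is accepted without the deny, and the program reports that instead.

```c
/* Added example for the setgroups/gid_map ordering discussed above.
 * Not code from the bug thread or from newgidmap; stage codes and
 * helper names are assumptions of this example. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Defensive fallbacks in case feature macros were not in effect
 * when <sched.h> was first included. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
int unshare(int flags);

enum { STAGE_OK = 0, STAGE_UNSHARE = 1, STAGE_UIDMAP = 2,
       STAGE_SETGROUPS = 3, STAGE_GIDMAP = 4, STAGE_FORK = 5 };

/* Write one string to a /proc file in a single write(2); 0 or -errno. */
static int write_proc(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -errno;
    ssize_t n = write(fd, s, strlen(s));
    int err = (n < 0) ? -errno : 0;
    close(fd);
    return err;
}

/* Runs in the forked child so the caller's process is not moved into
 * the new namespace.  Returns a STAGE_* code used as the exit status. */
static int child_body(void)
{
    char map[64];
    /* Capture ids before unshare(): inside the new namespace, until a
     * map is written, getuid()/getgid() report the overflow id. */
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (unshare(CLONE_NEWUSER) < 0)
        return STAGE_UNSHARE;

    snprintf(map, sizeof map, "0 %u 1", (unsigned)uid);
    if (write_proc("/proc/self/uid_map", map) < 0)
        return STAGE_UIDMAP;

    /* Map our own GID to 0 in the namespace: the case Craig mentions,
     * which needs no /etc/subgid entry. */
    snprintf(map, sizeof map, "0 %u 1", (unsigned)gid);
    int r = write_proc("/proc/self/gid_map", map);
    if (r == 0) {
        /* Only reached when the caller has CAP_SETGID in the parent ns. */
        fprintf(stderr, "gid_map accepted without setgroups=deny "
                        "(caller has CAP_SETGID in parent ns)\n");
        return STAGE_OK;
    }
    if (r != -EPERM)
        return STAGE_GIDMAP;
    fprintf(stderr, "gid_map before setgroups=deny: EPERM, as expected\n");

    if (write_proc("/proc/self/setgroups", "deny") < 0)
        return STAGE_SETGROUPS;
    if (write_proc("/proc/self/gid_map", map) < 0)
        return STAGE_GIDMAP;
    fprintf(stderr, "gid_map accepted after setgroups=deny; "
                    "egid inside ns = %u\n", (unsigned)getegid());
    return STAGE_OK;
}

/* Fork, run the demonstration in the child, return its STAGE_* code. */
int run_gidmap_demo(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return STAGE_FORK;
    if (pid == 0)
        _exit(child_body());
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return STAGE_FORK;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = run_gidmap_demo();
    printf("stage: %d (0 = ok, 1 = unshare refused)\n", r);
    return r;
}
```

Build with `cc -o gidmap-demo gidmap-demo.c` and run it as an ordinary user. On a kernel that allows unprivileged user namespaces the child reports EPERM for the first gid_map write and success for the second, which is the sequence newgidmap must follow on the caller's behalf; where user namespace creation is disabled (sysctl or seccomp) the program stops at the unshare stage rather than guessing.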