
Supplemental groups not added for process started directly by 'podman exec --user <user>' #608

Closed
Iolaum opened this issue Oct 29, 2020 · 5 comments
Labels
1. Bug Something isn't working

Comments


Iolaum commented Oct 29, 2020

Describe the bug
When the primary user tries to change the group ownership of a file within a toolbox container it fails with the following error:
chown: changing group of '/tmp/test.1': Operation not permitted

Steps to reproduce the behaviour

  1. Create and enter container from Fedora Silverblue 33 host:
$ toolbox create --container test
$ toolbox enter test

Reproduce error:

$ sudo groupadd group1
$ sudo usermod -a -G group1 $USER
$ echo test > /tmp/test.1
$ chown :group1 /tmp/test.1 
chown: changing group of '/tmp/test.1': Operation not permitted

Expected behaviour
The change in group ownership would succeed (as it does on the host and on a "normal" podman fedora container).

Actual behaviour
Changing the group ownership fails.


Output of toolbox --version (v0.0.90+)

$ toolbox --version
toolbox version 0.0.96

Toolbox package info (rpm -q toolbox)

$ rpm -q toolbox
warning: Found bdb Packages database while attempting sqlite backend: using bdb backend.
toolbox-0.0.96-1.fc33.x86_64

Output of podman version

$ podman version
Version:      2.1.1
API Version:  2.0.0
Go Version:   go1.15.2
Built:        Mon Oct  5 02:25:24 2020
OS/Arch:      linux/amd64

Podman package info (rpm -q podman)

$ rpm -q podman
warning: Found bdb Packages database while attempting sqlite backend: using bdb backend.
podman-2.1.1-10.fc33.x86_64

Info about your OS

$ cat /etc/os-release 
NAME=Fedora
VERSION="33.20201028.0 (Silverblue)"
...

Additional context

$ toolbox list -i
IMAGE ID      IMAGE NAME                                        CREATED
4f81af0fcbc0  registry.fedoraproject.org/f33/fedora-toolbox:33  2 days ago
@Iolaum Iolaum added the 1. Bug Something isn't working label Oct 29, 2020

debarshiray commented Oct 30, 2020

I think that this is a fallout from commit 15173f8 because of this. e.g., if we sudo su $USER into a new session, then the chown works and id matches id $USER.


owtaylor commented Apr 9, 2021

This appears to potentially be a podman bug - I asked about supplemental groups on #podman and @mheon pointed me to the part of the code that is supposed to read the supplemental groups for podman exec -u, but it doesn't seem to be working. Filed: containers/podman#9986


Iolaum commented Nov 20, 2021

This bug can still be reproduced by running the snippet provided above.

However if one exits the toolbox container and then re-enters, they are able to change ownership properly.
Not sure if that is intended or not.


@owtaylor chased it down the stack and fixed it in crun:

I tried the original reproducer in this issue with group wheel since it's a supplementary group for my user, and it worked. Hence, I am going to close this on the assumption that it's fixed. Please leave a comment if you have reason to believe otherwise.

@debarshiray debarshiray changed the title Cannot change group ownership of files within a toolbox container Cannot change group ownership of files to a supplementary group within a container Feb 5, 2024
@debarshiray debarshiray changed the title Cannot change group ownership of files to a supplementary group within a container Supplemental groups not added for process started directly by 'podman exec --user <user>' Feb 8, 2024
debarshiray added a commit to debarshiray/toolbox that referenced this issue Feb 8, 2024
Commit 15173f8 exposed a bug in crun(1) [1] where the process
started directly by 'podman exec --user ...' inside the Toolbx container
would not have the supplementary groups that the user is a member of.

This could be observed by differences in id(1):
  ⬢$ id
  uid=1000(user) gid=1000(user) groups=1000(user)
  ⬢$ id user
  uid=1000(user) gid=1000(user) groups=1000(user),10(wheel)

... and could be worked around by starting a new session with sudo(8).

[1] crun commit 9effaebb429a1aed
    containers/crun@9effaebb429a1aed
    containers/crun#644
    containers/podman#9986

containers#608
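The id(1) difference quoted in the commit message above is the practical check for this class of bug: `id` with no argument reports the groups the kernel attached to the running process (the same list as the Groups line in /proc/self/status), whereas `id user` reads /etc/group and reports what the user is supposed to have. The POSIX shell script below is an added example, not code from the toolbox, podman or crun projects. It parses an /etc/group-format file to compute the supplementary groups a user should have, and reports the ones missing from an `id -Gn`-style list, which is exactly the mismatch the reporter hit when `podman exec --user` started the shell. The sample group file content is constructed for the demo, and the function names (expected_groups, missing_groups, check_live, demo) are assumptions of this example.

```shell
#!/bin/sh
# Added example: detect the "process lacks the user's supplementary groups"
# symptom described in containers/toolbox#608. Not project code.

# expected_groups USER GROUPFILE
#   Print, one per line, the names of the groups in GROUPFILE (an
#   /etc/group-format file) whose member list contains USER. This is the
#   data `id USER` consults; the primary group (gid field) is not included.
expected_groups() {
    user=$1
    groupfile=$2
    awk -F: -v u="$user" '
        {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) {
                if (members[i] == u) { print $1; break }
            }
        }' "$groupfile"
}

# missing_groups USER GROUPFILE ACTUAL
#   ACTUAL is the space-separated list of group names the running process
#   really has (what `id -Gn` prints). Print every expected supplementary
#   group that is absent from ACTUAL; print nothing when the session is sane.
missing_groups() {
    user=$1
    groupfile=$2
    actual=$3
    for g in $(expected_groups "$user" "$groupfile"); do
        found=0
        for a in $actual; do
            if [ "$a" = "$g" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then echo "$g"; fi
    done
    return 0
}

# check_live
#   Run the comparison for the current process against the real /etc/group.
#   Inside a container whose shell was started directly by `podman exec --user`
#   on an affected crun, this prints the missing groups (e.g. wheel); after
#   `sudo su $USER` it prints nothing.
check_live() {
    missing_groups "$(id -un)" /etc/group "$(id -Gn)"
}

# demo: reproduce the two situations from the issue with a constructed
# /etc/group so the check can be exercised without a container.
demo() {
    tmp=$(mktemp)
    printf '%s\n' \
        'root:x:0:' \
        'wheel:x:10:user' \
        'user:x:1000:' \
        'group1:x:1001:user,alice' \
        'docker:x:990:alice' > "$tmp"
    # Process started directly by `podman exec --user user`: primary group only.
    echo "exec session, missing: $(echo $(missing_groups user "$tmp" "user"))"
    # New session via `sudo su user`: supplementary groups are present.
    echo "new session, missing: $(echo $(missing_groups user "$tmp" "user wheel group1"))"
    rm -f "$tmp"
}

demo
```

Running it prints `exec session, missing: wheel group1` for the broken session and an empty list for the fixed one; a `chown :group1` by the user can only succeed in the second case, because the kernel checks the caller's credential groups, not /etc/group.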

I am putting together some tests in #1447 to ensure that this continues to work as expected.

debarshiray added a commit to debarshiray/toolbox that referenced this issue Feb 9, 2024
Commit 15173f8 exposed a bug in crun(1) [1] where the process
started directly by 'podman exec --user ...' inside the Toolbx container
would not have the supplementary groups attached to the user by the
entry point.

This could be observed by differences in id(1):
  ⬢$ id
  uid=1000(user) gid=1000(user) groups=1000(user)
  ⬢$ id user
  uid=1000(user) gid=1000(user) groups=1000(user),10(wheel)

... and could be worked around by starting a new session with sudo(8).

[1] crun commit 9effaebb429a1aed
    containers/crun@9effaebb429a1aed
    containers/crun#644
    containers/podman#9986

containers#608