newgidmap - set the gid mapping of a user namespace
newgidmap pid gid lowergid count [gid lowergid count [ ... ]]
newgidmap sets /proc/[pid]/gid_map based on its command line arguments and the gids allowed. Subgid delegation can either be managed via /etc/subgid or through the configured NSS subid module. These options are mutually exclusive.
Note that the root group is not exempted from the requirement for a valid /etc/subgid entry.
After the pid argument, newgidmap expects sets of 3 integers:
gid   Beginning of the range of GIDs inside the user namespace.
lowergid   Beginning of the range of GIDs outside the user namespace.
count   Length of the ranges (both inside and outside the user namespace).
newgidmap verifies that the caller is the owner of the process indicated by pid and that for each of the above sets, each of the GIDs in the range [lowergid, lowergid+count) is allowed to the caller according to /etc/subgid before setting /proc/[pid]/gid_map.
Note that newgidmap may be used only once for a given process.
Instead of an integer process id, the first argument may be specified as fd:N, where the integer N is the file descriptor number for the calling process's opened file for /proc/[pid]. In this case, newgidmap will use openat(2) to open the gid_map file under that directory, avoiding a TOCTTOU race in case the process exits and the pid is immediately reused.
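The following shell script is an added example, not part of the newgidmap man page or the shadow-utils sources. It re-implements, in plain sh arithmetic, the check newgidmap performs before writing gid_map: that the arguments after pid come in "gid lowergid count" triples and that each outside range [lowergid, lowergid+count) lies entirely inside a range delegated to the caller in /etc/subgid. The subgid content is a constructed sample embedded in the script (the user names and ranges are invented), so it runs without privileges and without touching the real /etc/subgid; only the NSS subid path mentioned above is not modelled. The real invocations are shown in comments and are assumed to need the setgid newgidmap helper and a matching subgid entry.

```shell
#!/bin/sh
# Added example: validate "gid lowergid count" triples against subgid delegation.
# Constructed sample of /etc/subgid (format "user:start:count"); not a real file.
SAMPLE_SUBGID='alice:100000:65536
bob:200000:65536'

# is_allowed USER LOWERGID COUNT
# Returns 0 if [LOWERGID, LOWERGID+COUNT) is fully inside one of USER's
# delegated ranges, 1 otherwise. The loop runs in a subshell so that
# "exit" reports the result as the pipeline's status.
is_allowed() {
    u=$1; lo=$2; n=$3
    printf '%s\n' "$SAMPLE_SUBGID" | {
        while IFS=: read -r name start len; do
            [ "$name" = "$u" ] || continue
            if [ "$lo" -ge "$start" ] && [ $((lo + n)) -le $((start + len)) ]; then
                exit 0
            fi
        done
        exit 1
    }
}

# check_mapping USER gid lowergid count [gid lowergid count ...]
# Returns 0 when every triple is well-formed and delegated to USER,
# 1 when a range is not delegated, 2 when the argument list is malformed.
check_mapping() {
    user=$1; shift
    if [ $# -eq 0 ] || [ $(( $# % 3 )) -ne 0 ]; then
        echo "expected one or more 'gid lowergid count' triples" >&2
        return 2
    fi
    while [ $# -ge 3 ]; do
        gid=$1; lower=$2; count=$3; shift 3
        if [ "$count" -le 0 ]; then
            echo "count must be positive (got $count for gid $gid)" >&2
            return 2
        fi
        if ! is_allowed "$user" "$lower" "$count"; then
            echo "range $lower-$((lower + count - 1)) is not delegated to $user in subgid" >&2
            return 1
        fi
    done
    return 0
}

# Real use (assumed to require the setgid newgidmap helper and a matching
# /etc/subgid entry; $pid is a process in a freshly created user namespace):
#   check_mapping "$USER" 0 100000 65536 && newgidmap "$pid" 0 100000 65536
# Race-free form: hold /proc/[pid] open and pass the descriptor as fd:N.
#   exec 3< "/proc/$pid" && newgidmap fd:3 0 100000 65536
```

The check mirrors only the delegation rule; newgidmap additionally verifies that the caller owns the target process and that gid_map has not already been written, which this script cannot reproduce offline.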
There currently are no options to the newgidmap command.