[$] Sticky groups in the shadows
Group membership is normally used to grant access to some resource; examples might include using groups to control access to a shared directory, a printer, or the ability to use tools like sudo. It is possible, though, to use group membership to deny access to a resource instead, and some administrators make use of that feature. But groups only work as a negative credential if the user cannot shed them at will. Occasionally, some way to escape a group has turned up, resulting in vulnerabilities on systems where they are used to block access; despite fixes in the past, it turns out that there is still a potential problem with groups and user namespaces; this patch set from Giuseppe Scrivano seeks to mitigate it through the creation of "shadow" groups.
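An added example, not from the article or the patch set: a defender-side audit that finds files whose mode bits withhold from the owning group something they grant to everyone else, which is where a group acts as a negative credential. It covers classic mode bits only, not POSIX ACLs; the function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile


def negative_group_bits(mode):
    """Return the rwx bits granted to 'other' but withheld from the group.

    The kernel consults the group bits, and never the 'other' bits, when the
    process is a member of the file's group, so any bit returned here is an
    access that group members lose and non-members keep.
    """
    group = (mode >> 3) & 0o7
    other = mode & 0o7
    return other & ~group


def find_negative_group_entries(root):
    """Walk root and return sorted (path, gid, denied_bits) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is not used for access checks
            denied = negative_group_bits(st.st_mode)
            if denied:
                findings.append((path, st.st_gid, denied))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample data: one deny-by-group file and one ordinary file."""
    root = tempfile.mkdtemp(prefix="neg-groups-")
    for name, mode in (("blocked.txt", 0o604), ("normal.txt", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as f:
            f.write("sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for path, gid, denied in find_negative_group_entries(build_sample_tree()):
        bits = "".join(c if denied & b else "-" for c, b in zip("rwx", (4, 2, 1)))
        print(f"{path}: members of gid {gid} are denied '{bits}' that others have")
```

Every path it reports depends on the listed group being impossible to drop, so those are the resources to review on systems that allow unprivileged user namespaces.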