From 13931e41d62cea69a571e8d8a44d8981deffdc5d Mon Sep 17 00:00:00 2001
From: Phil Estes
Date: Fri, 14 Sep 2018 12:53:53 -0400
Subject: [PATCH] Add additional GIDs by default if they exist in /etc/group

If we are using an image config, we should by default add any additional GIDs that are found from reading /etc/group, even if the default user is root.

Signed-off-by: Phil Estes
---
 oci/spec_opts.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/oci/spec_opts.go b/oci/spec_opts.go
index d7fe4a29f..50c77396d 100644
--- a/oci/spec_opts.go
+++ b/oci/spec_opts.go
@@ -315,8 +315,14 @@ func WithImageConfigArgs(image Image, args []string) SpecOpts {
 }
 s.Process.Cwd = cwd
 if config.User != "" {
- return WithUser(config.User)(ctx, client, c, s)
+ if err := WithUser(config.User)(ctx, client, c, s); err != nil {
+ return err
+ }
+ return WithAdditionalGIDs(fmt.Sprintf("%d", s.Process.User.UID))(ctx, client, c, s)
 }
+ // we should query the image's /etc/group for additional GIDs
+ // even if there is no specified user in the image config
+ return WithAdditionalGIDs("root")(ctx, client, c, s)
 } else if s.Windows != nil {
 s.Process.Env = config.Env
 s.Process.Args = append(config.Entrypoint, config.Cmd...)
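Review bot: The call `WithAdditionalGIDs(fmt.Sprintf("%d", s.Process.User.UID))` that follows `WithUser` runs for every non-empty `config.User`, including the explicit `user:group` form, so a container whose image pins a single group still receives every supplementary GID the image's /etc/group lists for that UID. As far as I recall, runc's user lookup applies supplementary groups only when no group was given, and without user namespaces these GIDs count as host GIDs on bind-mounted paths, so I would guard the call with `if strings.Contains(config.User, ":") { return nil }` placed after the `WithUser` error check, or state the wider grant in a comment. The new default path `return WithAdditionalGIDs("root")(ctx, client, c, s)` can now return an error where the code apparently fell through before; its body is not in this hunk, so please confirm it returns nil when the image has no /etc/group or /etc/passwd (scratch-style images). That path also resolves by the name `root` while the other branch resolves by numeric UID, so an image whose UID 0 entry carries a different name would be handled differently. The enclosing function starts and ends outside the hunk.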