Poking around, I found newgrp and sg, both of which look promising to "reset" the groups to what the user has in /etc/groups. Especially since newgrp (and sg which is a link to it) is setuid root.
But alas, after much screwing around, they fail with:
setgroups(2, [1410, 5200]) = -1 EPERM (Operation not permitted) (thanks strace)
Ok, so hit the source. The program is all happy up until the setgroups syscall. Which means it understands the user is *allowed* to reset the groups as per the config of /etc/groups.
https://github.com/shadow-maint/shadow/blob/master/src/newgrp.c
But when it actually does it, the kernel says nope. Ok great, but why is this? newgrp is running as root at that point, no? (I can't see it dropping its perms in the src.) As root it should have that CAP that Gilbert mentioned, no?
I'm bummed because newgrp/sg really looked like the holy grail: a standard program already in the distros, already with setuid, and will "do the right thing" for me.
So why doesn't it work?
... I wonder if it works on a pre-capabilities kernel...
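
setgroups(2) documents two causes for the EPERM in the strace line above: the caller lacks CAP_SETGID in its user namespace, or that namespace's /proc/PID/setgroups is set to "deny". The script below is an added example, not part of the original post or of the shadow source, that checks both for a process; its function names and sample status lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: check the two EPERM conditions documented for setgroups(2).
CAP_SETGID_BIT=6   # CAP_SETGID is capability 6 in <linux/capability.h>

# Print the hex mask of a Cap* field (e.g. CapEff) from a status file.
cap_field() {            # usage: cap_field <status-file> <field>
    awk -v f="$2:" '$1 == f { print $2 }' "$1" 2>/dev/null
}

# Succeed if the CAP_SETGID bit is set in a hex capability mask.
mask_has_setgid() {
    [ $(( (0x$1 >> CAP_SETGID_BIT) & 1 )) -eq 1 ]
}

# Classify a process: no-cap-setgid | userns-deny | allowed | unknown
setgroups_verdict() {    # usage: setgroups_verdict <status-file> [setgroups-file]
    local eff
    eff=$(cap_field "$1" CapEff) || true
    [ -n "$eff" ] || { echo unknown; return 0; }
    mask_has_setgid "$eff" || { echo no-cap-setgid; return 0; }
    if [ -r "${2:-}" ] && [ "$(cat "$2")" = deny ]; then
        echo userns-deny; return 0
    fi
    echo allowed
}

# Constructed sample inputs (not captured from a real system).
SAMPLES=$(mktemp -d)
printf 'Name:\tnewgrp\nCapEff:\t000001ffffffffff\n' > "$SAMPLES/root.status"
printf 'Name:\tnewgrp\nCapEff:\t0000000000000000\n' > "$SAMPLES/user.status"
printf 'deny\n'  > "$SAMPLES/setgroups.deny"
printf 'allow\n' > "$SAMPLES/setgroups.allow"

for s in root user; do
    for g in allow deny; do
        printf '%s + %s -> %s\n' "$s" "$g" \
            "$(setgroups_verdict "$SAMPLES/$s.status" "$SAMPLES/setgroups.$g")"
    done
done

# Live check of a real process: pass its pid as the first argument.
if [ -n "${1:-}" ] && [ -r "/proc/$1/status" ]; then
    echo "pid $1 -> $(setgroups_verdict "/proc/$1/status" "/proc/$1/setgroups")"
fi
```

Pass the pid of the newgrp process itself, not of the shell that launched it. When an unprivileged user runs a set-user-ID program under strace, execve(2) ignores the set-user-ID bit, so the traced process's CapEff differs from an untraced run.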