bug#38438: Fcgiwrap service has no supplementary groups

["pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de>]

Fcgiwrap should be started with the supplementary groups of its user.
Shepherd’s make-forkexec-constructor does not currently appear to
support this.

Upstream fcgiwrap ships with a systemd service with the User= setting.

Systemd confers this user’s supplementary groups by default:
<https://www.freedesktop.org/software/systemd/man/systemd.exec.html>:
> If the User= setting is used the supplementary group list is
> initialized from the specified user's default group list, as defined
> in the system's user and group database. Additional groups may be
> configured through the SupplementaryGroups= setting (see below).

Not starting with supplementary groups sometimes causes problems.

Namely the Guix manual claims for Gitolite’s umask:
> A value like ‘#o0027’ will give read access to the group used
> by Gitolite (by default: ‘git’).  This is necessary when using
> Gitolite with software like cgit or gitweb.

But this does not work because giving a supplementary group git to the
fcgiwrap user does not confer the supplementary group git to fcgiwrap.
This is visible when looking at the fcgiwrap process in
`ps -eo pid,supgrp,args`.  It is also visible by configuring nginx to

fastcgi_param SCRIPT_FILENAME /test/test.sh;

and making test.sh a script that prints "Content-Type: text/plain\n\n"
followed by the output of the id command.

Regards,
Florian