You normally want to change the group list, rather than to drop it, to match your new identity after the suid/sgid-assisted switch. You need the group list to match your new uid (and actually gid too, as the group list usually includes gid itself).
Unfortunately, as was already mentioned, currently you need CAP_SETGID for calling initgroups(). However, in an attempt to solve that, I posted a few proposals to LKML.
This one allows you to "restrict" a group list, which is somewhat similar to dropping it, but doesn't give you any extra access rights if they were blocked by one of the groups in a list.
This one actually allows you to get the correct group list, but you need a privileged helper process to assist you with that task.
I personally prefer the second solution as it gives you a correct group list, but the first one is at least very simple and doesn't require any helper process or extra privs.
Unfortunately, both patch sets only yielded 1 review comment each, which means a lack of interest in this problem among LKML people. Maybe those who are interested in this problem here can evaluate my patches and offer some more discussion of them on LKML.
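
The mismatch described in the answer above can be measured from inside the process after a suid/sgid switch. The following is an added example, not part of the original post or of the LKML patches: it compares the supplementary groups the process still holds (`getgroups()`) with the list `initgroups()` would have installed for the effective uid (`getgrouplist()`). The names `group_drift` and `group_list_drift` are hypothetical, and the fixed 256-entry buffers are an assumption.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* stale: groups still held from the old identity; absent: groups the new identity lacks */
struct group_drift { int stale; int absent; };

/* Count gids that appear in a[] but not in b[]. */
static int count_missing(const gid_t *a, int na, const gid_t *b, int nb)
{
    int missing = 0;
    for (int i = 0; i < na; i++) {
        int found = 0;
        for (int j = 0; j < nb && !found; j++)
            if (a[i] == b[j]) found = 1;
        missing += !found;
    }
    return missing;
}

/* Hypothetical helper: compare the held group list with the expected one. */
struct group_drift group_list_drift(const gid_t *have, int nhave, const gid_t *want, int nwant)
{
    struct group_drift d = { count_missing(have, nhave, want, nwant),
                             count_missing(want, nwant, have, nhave) };
    return d;
}

int main(void)
{
    gid_t have[257], want[256];
    int nwant = 256;
    struct passwd *pw = getpwuid(geteuid());
    int nhave = getgroups(256, have);
    /* getgrouplist() computes what initgroups() would set, without needing CAP_SETGID */
    if (!pw || nhave < 0 || getgrouplist(pw->pw_name, getegid(), want, &nwant) < 0) {
        fprintf(stderr, "cannot determine group lists\n");
        return 2;
    }
    have[nhave++] = getegid(); /* getgroups() may or may not include the egid itself */
    struct group_drift d = group_list_drift(have, nhave, want, nwant);
    printf("euid=%d stale=%d absent=%d\n", (int)geteuid(), d.stale, d.absent);
    return (d.stale || d.absent) ? 1 : 0;
}
```

A nonzero `stale` count means the process still carries group memberships of the invoking user; a nonzero `absent` count means the new identity is missing groups it would normally have.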