Help with Warning: new{g,u}idmap is not setuid-root

I have these two warnings on my Ubuntu 16.04 LTS server:

lxc-checkconfig | grep Warning

Warning: newuidmap is not setuid-root
Warning: newgidmap is not setuid-root

But setuid seems correct:

ls -l /usr/bin/new{g,u}idmap | cut -f 1,3,4,8 -d ' '

-rwsr-xr-x root root /usr/bin/newgidmap
-rwsr-xr-x root root /usr/bin/newuidmap

Some environment details:

uname -a

Linux mentor 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

lxc info

driver: lxc
driver_version: 2.0.8
server: lxd
server_version: "2.21"
storage: zfs
storage_version: 0.6.5.6-0ubuntu16

Should this be a matter for concern and if so, do you have a recommended course of action?

Help much appreciated :wink:

Since you’re running LXD the daemon will run as root which means the process that sets up the container will run as root before the container changes to a new user namespace and becomes completely isolated. The idmaps will be written directly in this case even if the binaries are not setuid. This looks just like the logic in lxc-checkconfig is faulty but that should be fixed in newer LXC versions.

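To make the reply above concrete, here is an added illustration (not part of the thread, not LXC or LXD code) of the two things in play: the file test that lxc-checkconfig is reporting on, and the rule for who may write a uid_map. The second part is a simplified model of the kernel and shadow-utils behaviour, assumed for this example: a root process writes /proc/PID/uid_map directly, an unprivileged process may only map a single id to its own uid, and anything beyond that requires the setuid-root newuidmap helper, which consults /etc/subuid. The subuid contents and mappings are constructed sample data.

```python
"""Why the 'newuidmap is not setuid-root' warning matters for unprivileged
setups but not for a root-run LXD daemon. Added example; the privilege model
below is a simplified assumption, not the kernel's exact code."""
import os
import stat


def is_setuid_root(mode, owner_uid):
    """The check lxc-checkconfig is effectively making: setuid bit set and owner uid 0."""
    return bool(mode & stat.S_ISUID) and owner_uid == 0


def path_is_setuid_root(path):
    """Apply the same check to a real file on disk."""
    st = os.stat(path)
    return is_setuid_root(st.st_mode, st.st_uid)


def ls_line_is_setuid_root(line):
    """Apply the check to an `ls -l` style line such as
    '-rwsr-xr-x root root /usr/bin/newgidmap' (owner-execute column is 's' or 'S')."""
    fields = line.split()
    perms, owner = fields[0], fields[1]
    return len(perms) == 10 and perms[3] in ("s", "S") and owner == "root"


def parse_subuid(text):
    """Parse /etc/subuid lines of the form user:start:count into {user: [(start, count)]}."""
    allocations = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        allocations.setdefault(user, []).append((int(start), int(count)))
    return allocations


def range_covered(start, count, allocations):
    """True if [start, start+count) lies inside one of the user's subuid allocations."""
    return any(s <= start and start + count <= s + c for s, c in allocations)


def can_write_idmap(writer_uid, writer_name, mapping, subuid, helper_setuid_root):
    """Decide whether a uid_map can be established.

    mapping: list of (container_id, host_id, count) triples.
    Returns (allowed, reason). Simplified model, assumed for this example:
      * uid 0 writes the map directly (the LXD daemon case in the thread);
      * an unprivileged writer may map exactly one id to its own uid;
      * otherwise the setuid-root newuidmap helper is required and every
        host range must be allocated to the writer in /etc/subuid.
    """
    if writer_uid == 0:
        return True, "root writes /proc/PID/uid_map directly; no setuid helper needed"
    if len(mapping) == 1 and mapping[0][1] == writer_uid and mapping[0][2] == 1:
        return True, "single entry mapping to the writer's own uid needs no privilege"
    if not helper_setuid_root:
        return False, "newuidmap is not setuid-root, so an unprivileged user cannot map a range"
    allocs = subuid.get(writer_name, [])
    for _cid, host_id, count in mapping:
        if not range_covered(host_id, count, allocs):
            return False, f"range {host_id}+{count} is not allocated to {writer_name} in /etc/subuid"
    return True, "setuid-root newuidmap validates /etc/subuid and writes the map"


# Constructed sample data (not from any real host).
SAMPLE_SUBUID = "alice:100000:65536\n# comment line\nbob:165536:65536\n"
SAMPLE_LS_LINES = [
    "-rwsr-xr-x root root /usr/bin/newgidmap",
    "-rwsr-xr-x root root /usr/bin/newuidmap",
]


if __name__ == "__main__":
    allocs = parse_subuid(SAMPLE_SUBUID)
    full_range = [(0, 100000, 65536)]
    print("root daemon, helper not setuid:", can_write_idmap(0, "root", full_range, allocs, False))
    print("alice, helper not setuid:", can_write_idmap(1000, "alice", full_range, allocs, False))
    print("alice, helper setuid:", can_write_idmap(1000, "alice", full_range, allocs, True))
    for line in SAMPLE_LS_LINES:
        print(line, "->", ls_line_is_setuid_root(line))
```

The first printed case is the situation in this thread: the daemon is uid 0, so the map is written directly and the state of the helper binaries does not change the outcome. The second and third cases are where the warning is real: an unprivileged user driving the container needs newuidmap to be setuid-root, and even then only ranges listed for that user in /etc/subuid are accepted.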

Thank you very much for the insight @brauner - I’m all good then and very excited to hit it on some (test) production containers.

Hopefully there are enough keywords in this post for people to find this with a web (or in-site discussion) search so that they do not pause on this step.

The top search result for this issue on Google is https://github.com/lxc/lxd/issues/3384 on which I just left a note pointing to this topic.