Owner and Permissions in /var/lib/bind : When setting up a new slave server: Files owner root instead of bind ?

Looking at syslogs of our new slave dns servers, I saw a lot of:

ns3 named[949]: zone example.com/IN: refresh: could not set file modification time of '/var/lib/bind/example.com.hosts': permission denied

(example.com instead of real domain or reverse domain).

And indeed perms of files that got synced first were: -rw-r--r-- 1 root root

while files added on master dns later were: -rw-r--r-- 1 bind bind

Finally some were: -rw-rw-r-- 1 root bind

I fixed it so that all are: -rw-r--r-- 1 bind bind

with:

chown -R bind:bind /var/lib/bind
chmod g-w /var/lib/bind

That solved the syslogs.

Status: Active
Virtualmin version: 6.14
Webmin version: 1.962

Comments

There is an option in the module configuration of Webmin's BIND module with which you can tell it the owner and group of new zone files. I'm not at my PC at the moment so I can't look up the exact place.

Thanks for the heads up on the setting.

Found it: In Webmin: Servers: Bind DNS Server: Module config: Zone file options: Owner for zone files (user:group).

It was "default", and that seems to mean "root:root" on Ubuntu 12.04LTS... But it should be bind:bind.

I have now set it to bind:bind.

But it's imho still a bug that default is incorrect.

What was the ownership on /var/lib/bind before you changed it? The default behavior of Webmin is to copy the ownership from that file to new zone files.

Almost sure that /var/lib/bind folder's ownership was bind:bind

Maybe it was root:bind, but certainly not root:root

(this was on secondary DNS servers added afterwards)

I checked other primary servers and there it is root:bind, and all files inside are also root:bind.

So permissions should have been copied from /var/lib/bind .. unless perhaps you have an old version of Webmin on the slave system? Which Webmin release is it running?

At the time of the issue I had it is:

Webmin version 1.660 Virtualmin version 4.02.gpl GPL

Let me see if I can re-produce this on a test Ubuntu 12.04 system.

Submitted by eugenevdm.host on Mon, 09/16/2019 - 12:24

Found it: In Webmin: Servers: Bind DNS Server: Module config: Zone file options: Owner for zone files (user:group).

Any idea on an Ubuntu 18.04 server where the default owner is set? I also have a root:bind issue.

Same issue here on Debian 9 servers/VPS.

"Webmin > Servers > Bind DNS Server > Module config > Zone file options > Owner for zone files" is (was) set on "Owner for zone files (user:group)" and I find a mix of "bind:bind", "root:root" and "root:bind" owners in the /var/lib/bind files.

Submitted by eugenevdm.host on Thu, 10/31/2019 - 16:42

This leads to a much bigger problem: due to incorrect root:bind permissions, zone files are never populated and stay at 0 bytes:

-rw-r--r-- 1 root bind 0 Oct 28 14:16 xyz.org.za.hosts

Basically after every new commissioning you have to manually adjust permissions otherwise your name server is useless.

This is still an issue !! I have followed comments for a new Debian system and still cannot nail it. New files are written root:root no matter what is set on the config. BUT !! delete the new .hosts file, and reboot and a usable one gets written... Wished this was fixed once and for all.

Submitted by Ilia on Thu, 10/01/2020 - 09:55

This is still an issue !! I have followed comments for a new Debian system and still cannot nail it.

This is odd, as it works just fine for me. Tested with Ubuntu 20.04. By default Webmin tries to copy permissions to a new zone file from /var/lib/bind, which is root:bind by default. If you go to BIND module config and define Owner for zone files (user:group) as bind:bind, then newly created zone files have the corresponding permissions.

What exactly doesn't work for you? What Webmin version do you use there?

Several weeks ago I set up Debian 64bit 10.4 and had to frig around with directory permissions and got things working, but then mail broke. I also noticed there are firewall issues.

This week, on Debian 32bit 10.6, the fix didn't work; in fact on DNS slaves nothing is working permanently and slave reverse zones are just not.

Maybe it's Debian 10?

But today I will try Ubuntu 20.04 for the slave DNS.

Oh, on Debian 10 the module config just ain't working for me :(

What I have found is that the initial transfers of a domain get root:root. Delete the /var/lib/bind/host.file, then reboot. The new file written has the correct permissions.

EXCEPT !! .rev

I'll create an Ubuntu 20 slave and see what happens...

Ok, several issues... maybe it's just later releases. I finally fixed the issues by changing the setups. After setting up the base machine I installed bind9, then went to work setting directories bind:bind and permissions BEFORE installing Webmin. Also, checked all typing on the mod config page; on one machine I had bind.bind instead of bind:bind (but that only happened once). I would be tempted to change the default on a new install when installing, but I am slowly making a to-do list for every new machine and install order.

What Webmin/Virtualmin should do is either use the ownership set on the Module Config page (which has to be in user:group format), or copy it from the parent directory, like /var/lib/bind. We assume that in a regular install, the OS-supplied packages will have the permissions on those directories set correctly.

Submitted by eugenevdm.host on Sat, 12/19/2020 - 05:33

@Ilia

BIND module config and define Owner for zone files (user:group) as bind:bind

Any clues which submodule in Webmin/Bind contains this? On a fresh Ubuntu 20.04 I don't see it in any of the Webmin/BIND submodules.

Go and change the permissions on the directories. Also be careful of the syntax you use (if wrong you'll probably remember the wrong default next time).

I think that was what I nailed on it... it's a while ago...

Submitted by Ilia on Sun, 12/20/2020 - 13:43

Any clues which submodule in Webmin/Bind contains this?

Yes, in module configuration (Webmin > Servers > BIND DNS Server > Configuration (a button with a cog icon, at the top left of the page) ), on Zone file options sub-page.
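
The checks people in this thread did by hand (ownership of /var/lib/bind and the zone files in it, and zone files left at 0 bytes), as an added example that is not part of any post here and not Webmin's own code. The function name audit_zone_dir and the output labels are assumptions, and it relies on GNU stat as shipped on Debian and Ubuntu.

```sh
#!/bin/sh
# Added example, not from the thread. Requires GNU stat (Debian/Ubuntu).
# audit_zone_dir DIR USER GROUP
#   Prints one finding per line. Returns 0 if nothing was flagged,
#   1 if something was flagged, 2 if DIR cannot be read.
audit_zone_dir() {
    dir=$1; want="$2:$3"; rc=0

    # Per the thread, Webmin copies this directory's ownership to new
    # zone files unless the module config says otherwise, so check it first.
    have=$(stat -c '%U:%G' "$dir") || return 2
    if [ "$have" != "$want" ]; then
        echo "DIR   $have $dir (want $want)"
        rc=1
    fi

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        have=$(stat -c '%U:%G' "$f")
        if [ "$have" != "$want" ]; then
            # The "could not set file modification time" log line in the
            # first post appeared on files that were not owned by bind.
            echo "OWNER $have $f (want $want)"
            rc=1
        fi
        if [ ! -s "$f" ]; then
            # A zone file that was never populated (0 bytes), as in the
            # xyz.org.za.hosts listing.
            echo "EMPTY $f"
            rc=1
        fi
    done
    return $rc
}

# Usage on a slave, with the owner the thread settles on:
#   audit_zone_dir /var/lib/bind bind bind
```

A DIR line with root:bind only tells you what new zone files will inherit when the module config is left at "default"; the OWNER and EMPTY lines are the files to fix.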