Owner and Permissions in /var/lib/bind : When setting up a new slave server: Files owner root instead of bind ?

Looking at syslogs of our new slave dns servers, I saw a lot of:

ns3 named[949]: zone example.com/IN: refresh: could not set file modification time of '/var/lib/bind/example.com.hosts': permission denied

(example.com instead of real domain or reverse domain).

And indeed perms of files that got synced first were: -rw-r--r-- 1 root root

while files added on master dns later were: -rw-r--r-- 1 bind bind

Finally some were: -rw-rw-r-- 1 root bind

I fixed it so that all are: -rw-r--r-- 1 bind bind

with: chown -R bind:bind /var/lib/bind chmod g-w /var/lib/bind

That solved the syslogs.



There is an option in the module configuration of Webmin's BIND module with which you can tell it the owner and group of new zone files. I'm not at my PC at the moment so I can't look up the exact place.

Thanks for the heads up on the setting.

Found it: In Webmin: Servers: Bind DNS Server: Module config: Zone file options: Owner for zone files (user:group).

It was "default", and that seems to mean "root:root" on Ubuntu 12.04LTS... But it should be bind:bind.

I have now set it to bind:bind.

But it's imho still a bug that default is incorrect.

What was the ownership on /var/lib/bind before you changed it? The default behavior of Webmin is to copy the ownership from that file to new zone files.

almost sure that /var/lib/bind folder's ownership was bind:bind

maybe it was root:bind, but certainly not root:root

(this was on secondary DNS servers added afterwards)

i checked other primary servers and there it is root:bind, and all files inside are also root:bind.

So permissions should have been copied from /var/lib/bind .. unless perhaps you have an old version of Webmin on the slave system? Which Webmin release is it running?

At the time of the issue I had it is:

Webmin version 1.660 Virtualmin version 4.02.gpl GPL

Let me see if I can re-produce this on a test Ubuntu 12.04 system.

eugenevdm.host's picture
Submitted by eugenevdm.host on Mon, 09/16/2019 - 12:24

Found it: In Webmin: Servers: Bind DNS Server: Module config: Zone file options: Owner for zone files (user:group).

Any idea on a Ubuntu 18.04 server where the default owner is set? I also have a root:bind issue.

Same issue here on Debian 9 servers/VPS.

"Webmin > Servers > Bind DNS Server > Module config > Zone file options > Owner for zone files" is (was) set on "Owner for zone files (user:group)" and I find a mix of "bind:bind", "root:root" and "root:bind" owners in the /var/lib/bind files.

eugenevdm.host's picture
Submitted by eugenevdm.host on Thu, 10/31/2019 - 16:42

This leads to a much bigger problem, due to incorrect root:bind permissions, zone files are never populated and stay at 0 bytes:

-rw-r--r-- 1 root bind 0 Oct 28 14:16 xyz.org.za.hosts

Basically after every new commissioning you have to manually adjust permissions otherwise your name server is useless.