Submitted by beat on Sun, 10/20/2013 - 09:19
Looking at syslogs of our new slave dns servers, I saw a lot of:
ns3 named[949]: zone example.com/IN: refresh: could not set file modification time of '/var/lib/bind/example.com.hosts': permission denied
(example.com instead of real domain or reverse domain).
And indeed perms of files that got synced first were: -rw-r--r-- 1 root root
while files added on master dns later were: -rw-r--r-- 1 bind bind
Finally some were: -rw-rw-r-- 1 root bind
I fixed it so that all are: -rw-r--r-- 1 bind bind
with:
chown -R bind:bind /var/lib/bind
chmod g-w /var/lib/bind
That solved the syslogs.
Status:
Active
Virtualmin version:
6.14
Webmin version:
1.962
Comments
Submitted by Locutus on Sun, 10/20/2013 - 12:30 Comment #1
There is an option in the module configuration of Webmin's BIND module with which you can tell it the owner and group of new zone files. I'm not at my PC at the moment so I can't look up the exact place.
Submitted by beat on Mon, 10/21/2013 - 15:51 Comment #2
Thanks for the heads up on the setting.
Found it: In Webmin: Servers: Bind DNS Server: Module config: Zone file options: Owner for zone files (user:group).
It was "default", and that seems to mean "root:root" on Ubuntu 12.04LTS... But it should be bind:bind.
I have now set it to bind:bind.
But it's imho still a bug that default is incorrect.
Submitted by JamieCameron on Mon, 10/21/2013 - 17:30 Comment #3
What was the ownership on /var/lib/bind before you changed it? The default behavior of Webmin is to copy the ownership from that file to new zone files.
Submitted by JamieCameron on Mon, 10/21/2013 - 17:30 Comment #4
Submitted by beat on Mon, 10/21/2013 - 17:43 Comment #5
Almost sure that the /var/lib/bind folder's ownership was bind:bind.
Maybe it was root:bind, but certainly not root:root
(this was on secondary DNS servers added afterwards).
I checked other primary servers and there it is root:bind, and all files inside are also root:bind.
Submitted by JamieCameron on Mon, 10/21/2013 - 20:18 Comment #6
So permissions should have been copied from /var/lib/bind .. unless perhaps you have an old version of Webmin on the slave system? Which Webmin release is it running?
Submitted by beat on Tue, 10/22/2013 - 13:37 Comment #7
At the time of the issue I had it is:
Webmin version 1.660 Virtualmin version 4.02.gpl GPL
Submitted by JamieCameron on Tue, 10/22/2013 - 18:16 Comment #8
Let me see if I can reproduce this on a test Ubuntu 12.04 system.
Any idea on an Ubuntu 18.04 server where the default owner is set? I also have a root:bind issue.
Submitted by Nico94 on Mon, 10/28/2019 - 15:59 Comment #10
Same issue here on Debian 9 servers/VPS.
"Webmin > Servers > Bind DNS Server > Module config > Zone file options > Owner for zone files" is (was) set on "Owner for zone files (user:group)" and I find a mix of "bind:bind", "root:root" and "root:bind" owners in the /var/lib/bind files.
This leads to a much bigger problem: due to incorrect root:bind permissions, zone files are never populated and stay at 0 bytes:
-rw-r--r-- 1 root bind 0 Oct 28 14:16 xyz.org.za.hosts
Basically after every new commissioning you have to manually adjust permissions otherwise your name server is useless.
Submitted by gpsau on Wed, 09/30/2020 - 18:55 Comment #12
This is still an issue!! I have followed comments for a new Debian system and still cannot nail it. New files are written root:root no matter what is set on the config. BUT!! Delete the new .hosts file, and reboot and a usable one gets written... Wished this was fixed once and for all.
This is odd, as it works just fine for me. Tested with Ubuntu 20.04. By default Webmin tries to copy permissions to a new zone file from /var/lib/bind, which is root:bind by default. If you go to BIND module config and define Owner for zone files (user:group) as bind:bind, then newly created zone files have corresponding permissions. What exactly doesn't work for you? What Webmin version do you use there?
Submitted by gpsau on Thu, 10/01/2020 - 17:17 Comment #14
Several weeks ago I set up Debian 64bit 10.4 and had to frig around with directory permissions and got things working, but then mail broke. I also noticed there are firewall issues.
This week on Debian 32bit 10.6 the fix didn't work, in fact on DNS slaves nothing is working permanently and slave reverse zones are just not.
Maybe it's Debian 10?
But today I will try Ubuntu 20.04 for the slave DNS.
Oh, on Debian 10 the module config just ain't working for me :(
What I have found is that the initial transfer of a domain gets root:root. Delete the /var/lib/bind/host.file, then reboot. The new file written has the correct permissions.
EXCEPT!! .rev
I'll create a Ubuntu 20 slave and see what happens...
Submitted by gpsau on Fri, 10/02/2020 - 20:30 Comment #15
Ok, several issues... maybe it's just later releases. I finally fixed the issues by changing the setups. After setting up the base machine I installed bind9, then went to work setting directories bind:bind and permissions BEFORE installing Webmin. Also, checked all typing on the mod config page; on one machine I had bind.bind instead of bind:bind (but that was only once it happened). I would be tempted to change the default on a new install when installing, but I am slowly making a list of to-dos for every new machine and install order.
Submitted by JamieCameron on Sat, 10/03/2020 - 17:06 Comment #16
What Webmin/Virtualmin should do is either use the ownership set on the Module Config page (which has to be in user:group format), or copy it from the parent directory, like /var/lib/bind. We assume that in a regular install, the OS-supplied packages will have the permissions on those directories set correctly.
@Ilia
Any clues which submodule in Webmin/Bind contains this? On a fresh Ubuntu 20.04 I don't see it in any of the Webmin/BIND submodules.
Submitted by gpsau on Sat, 12/19/2020 - 06:03 Comment #18
Go and change the permissions on the directories... Also be careful of the syntax you use (if wrong you'll probably remember the wrong default next time).
I think that was what I nailed on it... it's a while ago...
Yes, in module configuration (Webmin > Servers > BIND DNS Server > Configuration (a button with a cog icon, at the top left of the page) ), on Zone file options sub-page.
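An added example, not part of the thread and not Webmin's own code: a small audit that flags the three symptoms reported above in a zone directory (wrong owner, group/other-writable mode, 0-byte zone file). The function name audit_zone_dir is hypothetical, GNU stat is assumed, and the .hosts/.rev suffixes are taken from the file names quoted in the comments.

```shell
#!/bin/sh
# Audit a BIND zone directory for the ownership problems reported in this thread.
# Assumptions: GNU stat (stat -c); audit_zone_dir is a hypothetical helper name;
# zone files end in .hosts or .rev, as in the file names quoted above.

audit_zone_dir() {
    dir=$1     # directory holding zone files, e.g. /var/lib/bind
    want=$2    # expected owner in user:group form, e.g. bind:bind

    for f in "$dir"/*.hosts "$dir"/*.rev; do
        [ -f "$f" ] || continue    # unmatched glob or not a regular file

        owner=$(stat -c '%U:%G' "$f")
        mode=$(stat -c '%a' "$f")
        size=$(stat -c '%s' "$f")

        # named runs as an unprivileged user; it cannot refresh a slave zone
        # file (or set its modification time) if it does not own the file.
        [ "$owner" = "$want" ] || echo "OWNER $f $owner (expected $want)"

        # Octal digits 2, 3, 6 and 7 carry the write bit. Check the group
        # digit (second from the end) and the other digit (last).
        case $mode in
            *[2367]?|*[2367]) echo "WRITABLE $f mode $mode" ;;
        esac

        # A 0-byte zone file on a slave means the transfer was never written.
        [ "$size" -gt 0 ] || echo "EMPTY $f"
    done
}

# Run directly as: sh audit.sh /var/lib/bind bind:bind
if [ "$#" -eq 2 ]; then
    audit_zone_dir "$1" "$2"
fi
```

Each output line starts with OWNER, WRITABLE or EMPTY followed by the file path, so the result can be fed to grep or a monitoring check after commissioning a new slave.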