The good old "permission denied", the ignored group memberships, and a proposed solution
Dominic Raferd
dominic at timedicer.co.uk
Sat May 15 18:29:40 CEST 2021
On 15/05/2021 16:55, Luc Pardon wrote:
> Recently I decided to do some restructuring of a Postfix/Amavis/ClamAV installation and ran into a puzzling situation. After some head-scratching, I came up with a solution and thought I'd share it, in case it should be helpful to others (that's also why I'm posting here, rather than to the developers list).
>
> FWIW, the setup is Amavis 2.12.1 on Linux with Perl 5.30, and ClamAV 0.103.2. The packages are loosely based on Fedora but locally-built.
>
> Now, as for the setup:
>
> * There are two user accounts, "amavis" and "clamscan".
> * Both are members of "clamgroup".
> * The ClamAV socket is owned by user "clamscan",
> * and "clamgroup" has r+w permission on it.
>
> Unfortunately, that won't fly, at least not with $daemon_group = "amavis" in amavisd.conf. That brings the infamous "Permission denied" on the socket.
>
> However, with $daemon_group = "clamgroup", all is well, and the amavisd
> daemon can talk to clamd, as expected. Incidentally, that means that
> things on disk are OK...
I believe that if you use the new preferred way of calling clamav i.e.
with --fdpass, the whole permissions issue disappears.
Example:
@av_scanners = (
['ClamAV-clamdscan', 'clamdscan', "--fdpass --stdout --no-summary {}",
[0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
);
More information about the amavis-users
mailing list