The good old "permission denied", the ignored group memberships, and a proposed solution

Dominic Raferd dominic at
Sat May 15 18:29:40 CEST 2021

On 15/05/2021 16:55, Luc Pardon wrote:
> Recently I decided to do some restructuring of a Postfix/Amavis/ClamAV installation and ran into a puzzling situation. After some head-scratching, I came up with a solution and thought I'd share it, in case it should be helpful to others (that's also why I'm posting here, rather than to the developers list).
> FWIW, the setup is Amavis 2.12.1 on Linux with Perl 5.30, and ClamAV 0.103.2. The packages are loosely based on Fedora but locally-built.
> Now, as for the setup:
> * There are two user accounts, "amavis" and "clamscan".
> * Both are members of "clamgroup".
> * The ClamAV socket is owned by user "clamscan",
> * and "clamgroup" has r+w permission on it.
> Unfortunately, that won't fly, at least not with $daemon_group = "amavis" in amavisd.conf. That brings the infamous "Permission denied" on the socket.
> However, with $daemon_group = "clamgroup", all is well, and the amavisd
> daemon can talk to clamd, as expected. Incidentally, that means that
> things on disk are OK...

I believe that if you use the new preferred way of calling clamav i.e. 
with --fdpass, the whole permissions issue disappears.


@av_scanners = (
   ['ClamAV-clamdscan', 'clamdscan', "--fdpass --stdout --no-summary {}",
    [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

More information about the amavis-users mailing list