The good old "permission denied", the ignored group memberships, and a proposed solution

Luc Pardon amavisuser at skopos.be
Sun May 16 17:37:52 CEST 2021


On Sat, 15 May 2021 17:29:40 +0100
Dominic Raferd <dominic at timedicer.co.uk> wrote:

> I believe that if you use the new preferred way of calling clamav
> i.e. with --fdpass, the whole permissions issue disappears.
> 
> Example:
> 
> @av_scanners = (
>    ['ClamAV-clamdscan', 'clamdscan', "--fdpass --stdout --no-summary {}",
>     [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
> );

Thanks, but no, it does not work, I still get "Permission denied". The
wording is a little different, but the meaning is the same: no go.

That makes sense. In fact, clamdscan is just a client for clamd, and it
will talk to the daemon over the same socket that amavisd would use if
it talked directly to clamd. And because the client is run by
amavisd (after dropping privileges), it can't have more access than
amavisd itself.

Anyway, even if the use of the client had sidestepped the problem for
clamd, that still wouldn't help with any other scanners that use a Unix
socket for their communication with amavisd.


As an aside: if this is indeed supposed to become the "new way", it
might be good to remind people to include the --config-file parameter.
Without it, the client will probably look for /etc/clamd.conf and that
may not be where the distro has put it. It must be the same value as
that of -c in (typically) the systemd service file that is used to
start the clamd daemon. If they want to talk, both must use the same
values for the socket.
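
The check described in the aside above, as an added example that is not part of the original post: it reads the config file named on clamd's command line and compares the `LocalSocket` value in that file with the one in the file clamdscan would read. The function names, paths, and sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post; paths and contents are constructed.

# Print the config file named on a clamd command line (-c FILE or
# --config-file=FILE); return 1 if the line names none.
config_from_cmdline() {
    set -f; set -- $1; set +f    # split into words without globbing
    while [ $# -gt 0 ]; do
        case $1 in
            -c) [ $# -ge 2 ] || return 1; printf '%s\n' "$2"; return 0 ;;
            --config-file=*) printf '%s\n' "${1#--config-file=}"; return 0 ;;
        esac
        shift
    done
    return 1
}

# Print the first uncommented LocalSocket value from clamd.conf text on stdin.
local_socket() {
    awk '$1 == "LocalSocket" { print $2; found = 1; exit }
         END { exit !found }'
}

# Compare LocalSocket in the daemon's config ($1) and the client's ($2).
# Returns 0 on match, 1 on mismatch, 2 if either file has no LocalSocket.
same_socket() {
    d=$(local_socket < "$1") || { echo "no LocalSocket in $1"; return 2; }
    c=$(local_socket < "$2") || { echo "no LocalSocket in $2"; return 2; }
    [ "$d" = "$c" ] && { echo "OK: both use $d"; return 0; }
    echo "MISMATCH: clamd listens on $d, clamdscan would connect to $c"
    return 1
}

# Constructed demo: the service starts clamd with one config file, while
# clamdscan without --config-file reads a different default file.
demo() {
    tmp=$(mktemp -d) || return 3
    printf '%s\n' 'LocalSocket /run/clamd.amavisd/clamd.sock' \
        'LocalSocketGroup amavis' > "$tmp/daemon.conf"
    printf '%s\n' '#LocalSocket /tmp/old.sock' \
        'LocalSocket /run/clamav/clamd.sock' > "$tmp/default.conf"
    exec_start='/usr/sbin/clamd -c /etc/clamd.d/amavisd.conf --foreground=true'
    echo "daemon config: $(config_from_cmdline "$exec_start")"
    same_socket "$tmp/daemon.conf" "$tmp/default.conf"; rc=$?
    rm -rf "$tmp"
    return $rc
}

demo || echo "fix: pass the daemon's config to clamdscan with --config-file"
```

Agreement on the socket path only rules out a misdirected client; whether the unprivileged amavisd user may connect to that socket is a separate permission check.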




