The good old "permission denied", the ignored group memberships, and a proposed solution
Dominic Raferd
dominic at timedicer.co.uk
Mon May 17 14:32:31 CEST 2021
On 16/05/2021 16:37, Luc Pardon wrote:
> On Sat, 15 May 2021 17:29:40 +0100
> Dominic Raferd <dominic at timedicer.co.uk> wrote:
>
>> I believe that if you use the new preferred way of calling clamav
>> i.e. with --fdpass, the whole permissions issue disappears.
>>
>> Example:
>>
>> @av_scanners = (
>> ['ClamAV-clamdscan', 'clamdscan', "--fdpass --stdout --no-summary {}",
>> [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
>> );
> Thanks, but no, it does not work, I still get "Permission denied". The
> wording is a little different, but the meaning is the same: no go.
>
> That makes sense. In fact, clamdscan is just a client for clamd, and it
> will talk to the daemon over the same socket that amavisd would use if
> it talked directly to clamd. And because the client is run by
> amavisd (after dropping privileges), it can't have more access than
> amavisd itself...

The default setting for the clamav socket is to be world-readable and
world-writeable. In Ubuntu (and Debian?) this is set explicitly (but
presumably unnecessarily) in clamd.conf thus:

LocalSocketMode 666

Do you have mode 660?
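
Added example, not part of the original message and not amavis or ClamAV code: a small diagnostic for the 666-versus-660 question above. It checks from the mode bits whether a given uid and group set could connect to clamd's Unix socket, which on Linux needs write permission on the socket and search permission on every parent directory. The function names are hypothetical, and the socket path is whatever your own clamd.conf sets.

```python
import os
import stat
import sys

def allows(st, uid, gids, bit):
    """POSIX class check: owner bits if uid owns the file, else group, else other."""
    if uid == 0:
        return True  # root bypasses mode bits
    if uid == st.st_uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((st.st_mode >> shift) & bit)

def can_connect(sock_path, uid, gids):
    """Return (ok, reason): could a process with uid/gids connect to this socket?"""
    sock_path = os.path.abspath(sock_path)
    st = os.stat(sock_path)
    if not stat.S_ISSOCK(st.st_mode):
        return False, f"{sock_path} is not a socket"
    # Every ancestor directory must grant search (x) permission.
    parent = os.path.dirname(sock_path)
    while True:
        if not allows(os.stat(parent), uid, gids, 0o1):
            return False, f"no search permission on {parent}"
        if parent == os.path.dirname(parent):
            break
        parent = os.path.dirname(parent)
    # On Linux, connect() needs write permission on the socket itself.
    if not allows(st, uid, gids, 0o2):
        return False, f"mode {stat.S_IMODE(st.st_mode):o} denies write on socket"
    return True, "ok"

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_socket.py /path/to/clamd/socket")
    # Checks the invoking user with the groups this process actually holds,
    # so run it as the scanner's user to see what that user's process gets.
    groups = set(os.getgroups()) | {os.getegid()}
    print(can_connect(sys.argv[1], os.geteuid(), groups))
```

With mode 660 the result depends on the groups the calling process really holds after dropping privileges, which is why the gid set is passed in explicitly rather than looked up from /etc/group.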