The good old "permission denied", the ignored group memberships, and a proposed solution

Dominic Raferd dominic at
Mon May 17 14:32:31 CEST 2021

On 16/05/2021 16:37, Luc Pardon wrote:
> On Sat, 15 May 2021 17:29:40 +0100
> Dominic Raferd <dominic at> wrote:
>> I believe that if you use the new preferred way of calling clamav
>> i.e. with --fdpass, the whole permissions issue disappears.
>> Example:
>> @av_scanners = (
>>     ['ClamAV-clamdscan', 'clamdscan', "--fdpass --stdout --no-summary
>> {}", [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*)
>> FOUND$/m ], );
> Thanks, but no, it does not work, I still get "Permission denied". The
> wording is a little different, but the meaning is the same: no go.
> That makes sense. In fact, clamdscan is just a client for clamd, and it
> will talk to the daemon over the same socket that amavisd would use if
> it talked directly to clamd. And because the client is run by
> amavisd (after dropping privileges), it can't have more access than
> amavisd itself...

The default setting for the clamav socket is to be world-readable and 
world-writeable. In Ubuntu (and Debian?) this is set explicitly (but 
presumably unnecessarily) in clamd.conf thus:

LocalSocketMode 666

Do you have mode 660?

More information about the amavis-users mailing list