How to fix amvavis reporting "permission denied" for clamav

clamav permissions antivirus amavisd-new

I've recently noticed a frustrating niggle... When processing email, an Ubuntu Server (with all the updates applied) reports "Permission denied" when trying to virus scan attachments.

Apr  2 14:05:20 svr amavis[6376]: (06376-01) (!)run_av (ClamAV-clamd) FAILED - unexpected , output="/var/lib/amavis/tmp/amavis-20150402T140519-06376-PZcyHfOt/parts: lstat() failed: Permission denied. ERROR\n"
Apr  2 14:05:20 svr amavis[6376]: (06376-01) (!)ClamAV-clamd av-scanner FAILED: CODE(0x30cf250) unexpected , output="/var/lib/amavis/tmp/amavis-20150402T140519-06376-PZcyHfOt/parts: lstat() failed: Permission denied. ERROR\n" at (eval 136) line 899.
Apr  2 14:05:20 svr amavis[6376]: (06376-01) (!)WARN: all primary virus scanners failed, considering backups

When I look at the directories in question, I see this:

$ ls -ld /var/lib/amavis/tmp
drwxrwx--- 4 amavis amavis 4096 Apr  2 14:16 /var/lib/amavis/tmp
$ ls -ld /var/lib/amavis/tmp/amavis-20150402T140519-06376-PZcyHfOt/
drwxr-x--- 3 amavis amavis 4096 Apr  2 14:05 /var/lib/amavis/tmp/amavis-20150402T140519-06376-PZcyHfOt/
$ ls -ld /var/lib/amavis/tmp/amavis-20150402T140519-06376-PZcyHfOt/parts                                                                                                                                                                           
drwxr-x--- 2 amavis amavis 4096 Apr  2 14:16 /var/lib/amavis/tmp/amavis-20150402T140519-06376-PZcyHfOt/parts

I made sure the clamd user is a member of the amavisd group - but this didn't fix anything. Can anyone tell me, specifically, which component wants what permissions - and... ideally... what to do to fix this?

Clarification: I am not looking for explanations of the fundamentals of permissions. I am looking for a solution appropriate to this specific problem - which, at first glance, at least, looks as if a component of the amavis suite (perhaps clamd) is using the wrong umask value. Of course, this fault may have arisen as a result of a number of bugs or configuration glitches. I am looking, specifically, for the most appropriate resolution for this case... where a 'vanilla' amavis/clamav install fails to access the contents of temporary folders it creates as/when required to scan inbound email.

I am aware of this similar (non-Ubuntu) question. The Redhat/Centos answer doesn't solve the problem I experience with Ubuntu.

This problem is encountered on "Ubuntu 14.04.2 LTS" - there are no pending updates.


Solution 1:

A working solution is to change

AllowSupplementaryGroups false -> true

in /etc/clamav/clamd.conf

restart clamav-daemon

Solution 2:

While the clamd user was a member of the amavis group, the clamd process was running as the clamav (not clamd) user.

Adding clamav to the amavis group solved the issue.

Solution 3:

As AllowSupplementaryGroups does not exist anymore, I ended by adding each user to the other group, like this:

usermod -a -G clamav amavis
usermod -a -G amavis clamav

(and restart everything just to be sure)

/etc/init.d/clamav-daemon restart
/etc/init.d/amavis restart
/etc/init.d/postfix restart

With this, no need to change folder permission on /var/lib/amavis/tmp (and I'm not sure those permissions will be left as is on the next apt-get upgrade...)

Related

Ubuntu on surface pro 3 or Linux at all?
USB3 Docking Station for Dell XPS 15
How to get Telegram to show up in Dash
Data structure for maintaining tabular data in memory?
How to connect to SFTP in FileZilla using a private key
ffmpeg: command not found
Difference between pgp protocol and rsa protocol [closed]
How can I stop gvim from crashing when opening a file?
Error running sudo (sudo: unable to resolve host [name]: Connection timed out)
Exception handling in shell scripting?
How do you disable the window preview in Ubuntu dock (GNOME sidebar)?
Why does the snapd service use so much data?