How to fix amvavis reporting "permission denied" for clamav
Solution 1
While the clamd
user was a member of the amavis
group, the clamd
process was running as the clamav
(not clamd
) user.
Adding clamav
to the amavis
group solved the issue.
Solution 2
A working solution is to change
AllowSupplementaryGroups false -> true
in /etc/clamav/clamd.conf
restart clamav-daemon
Solution 3
As AllowSupplementaryGroups
does not exist anymore, I ended by adding each user to the other group, like this:
usermod -a -G clamav amavis
usermod -a -G amavis clamav
(and restart everything just to be sure)
/etc/init.d/clamav-daemon restart
/etc/init.d/amavis restart
/etc/init.d/postfix restart
With this, no need to change folder permission on /var/lib/amavis/tmp
(and I'm not sure those permissions will be left as is on the next apt-get upgrade...)
Related videos on Youtube
aSteve
Updated on September 18, 2022Comments
-
aSteve over 1 year
I've recently noticed a frustrating niggle... When processing email, an Ubuntu Server (with all the updates applied) reports "Permission denied" when trying to virus scan attachments.
Apr 2 14:05:20 svr amavis[6376]: (06376-01) (!)run_av (ClamAV-clamd) FAILED - unexpected , output="/var/lib/amavis/tmp/amavis-20150402T140519-06376-PZcyHfOt/parts: lstat() failed: Permission denied. ERROR\n" Apr 2 14:05:20 svr amavis[6376]: (06376-01) (!)ClamAV-clamd av-scanner FAILED: CODE(0x30cf250) unexpected , output="/var/lib/amavis/tmp/amavis-20150402T140519-06376-PZcyHfOt/parts: lstat() failed: Permission denied. ERROR\n" at (eval 136) line 899. Apr 2 14:05:20 svr amavis[6376]: (06376-01) (!)WARN: all primary virus scanners failed, considering backups
When I look at the directories in question, I see this:
$ ls -ld /var/lib/amavis/tmp drwxrwx--- 4 amavis amavis 4096 Apr 2 14:16 /var/lib/amavis/tmp $ ls -ld /var/lib/amavis/tmp/amavis-20150402T140519-06376-PZcyHfOt/ drwxr-x--- 3 amavis amavis 4096 Apr 2 14:05 /var/lib/amavis/tmp/amavis-20150402T140519-06376-PZcyHfOt/ $ ls -ld /var/lib/amavis/tmp/amavis-20150402T140519-06376-PZcyHfOt/parts drwxr-x--- 2 amavis amavis 4096 Apr 2 14:16 /var/lib/amavis/tmp/amavis-20150402T140519-06376-PZcyHfOt/parts
I made sure the clamd user is a member of the amavisd group - but this didn't fix anything. Can anyone tell me, specifically, which component wants what permissions - and... ideally... what to do to fix this?
Clarification: I am not looking for explanations of the fundamentals of permissions. I am looking for a solution appropriate to this specific problem - which, at first glance, at least, looks as if a component of the amavis suite (perhaps clamd) is using the wrong umask value. Of course, this fault may have arisen as a result of a number of bugs or configuration glitches. I am looking, specifically, for the most appropriate resolution for this case... where a 'vanilla' amavis/clamav install fails to access the contents of temporary folders it creates as/when required to scan inbound email.
I am aware of this similar (non-Ubuntu) question. The Redhat/Centos answer doesn't solve the problem I experience with Ubuntu.
This problem is encountered on "Ubuntu 14.04.2 LTS" - there are no pending updates.
-
Admin about 9 yearsThe group
amavis
has no write permissions for/var/lib/amavis/tmp/amavis-20150402T140519-06376-PZcyHfOt/
and/var/lib/amavis/tmp/amavis-20150402T140519-06376-PZcyHfOt/parts
-
Admin about 9 yearsTry this
chmod -R g+w /var/lib/amavis/tmp
-
Admin about 9 yearsThe problem isn't that I can't change the permissions to permit group write on the directories... The problem is that I don't know how to ensure that directories created under /var/lib/amavis/tmp/ - in future - get created with the correct permissions. This directory seems to be where amavis expands messages to inspect attachments. The defaults used to work... now, after some updates, it doesn't.
-
Admin about 9 yearsThen work on your question.
-
-
A.B. about 9 yearsThunar to set permissions? OMG.
-
A.B. about 9 yearsAnd then on a server?
-
user.dz about 9 yearsMishael, you can use this to change permission when you have GUI (gtk2+xfce ) already installed like Ubuntu desktop edition. The OP here mentioned the use of Ubuntu Server. That means No GUI installed and you have to use CLI/command line instead. eq:
sudo chmod -R +rw /var/lib/amavis
(-R for recursive) -
chmike over 8 yearsThis is what solved it for me (I'm on Debian Jessie). Adding clamav to the amavis group didn't solve it.
-
Michael almost 8 yearsTry this ulimet -i unlimted, and it might work fine this way.
-
Daniel Vérité over 7 yearsThe
AllowSupplementaryGroups
option has been dropped in recent versions of clamav (0.99.2+, Jun 2, 2016 in upstream). -
B. Shea over 7 years+1 This worked. The approved answer below DOES NOT. If you followed the Ubuntu AmavisNew wiki page (hopefully), you would have already added amavis/clamav as supplementary groups to one another. Approved answer does nothing but repeat this - and does not work. I am running default pkgs on 16.04.1 LTS. ref: help.ubuntu.com/community/PostfixAmavisNew
-
B. Shea over 7 yearsThe default pkg on 16.04.1 has the directive
AllowSupplementaryGroups
in main config. You are posting misleading information. If the directive does not exist in newer versions - then why does adding the supplementary groups to each account work for you? IT IS STILL IN THE CONFIG on 16.04.1 because it isn't used anymore? Hmm. Show me proof. BTW switching this 'TRUE' made everything work on 16.04.1. ref: help.ubuntu.com/community/PostfixAmavisNew#Troubleshooting -
B. Shea over 7 years
-
user3021729 about 7 yearsThis is not true that AllowSupplementaryGroups does not exist. And what's more you have to set it to true to actually make it work.
-
Admin about 7 yearsConfirmed: fixed problem for me, as well, Ubuntu LTS 16.04.1
-
Ding-Yi Chen almost 7 yearsGrep from source ver 0.99.2 clamd/clamd.c- if(optget(opts, "AllowSupplementaryGroups")->enabled) { clamd/clamd.c-#ifdef HAVE_INITGROUPS clamd/clamd.c: if(initgroups(opt->strarg, user->pw_gid)) { clamd/clamd.c: fprintf(stderr, "ERROR: initgroups() failed.\n"); clamd/clamd.c- optfree(opts); clamd/clamd.c- return 1; clamd/clamd.c- } clamd/clamd.c-#else
-
Ian Gibbs over 6 yearsThis is still necessary in Ubuntu Xenial which has 0.99.2, so I don't believe @DanielVérité is correct with his version number.
-
Taco Bob over 3 yearsclamd[24248]: WARNING: Ignoring deprecated option AllowSupplementaryGroups at /etc/clamav/clamd.conf:8 At least in September 2020, AllowSupplementaryGroups is no longer an option. Posting this because so many Google results are leading to this now way outdated thread.