How to fix amvavis reporting "permission denied" for clamav

I've recently noticed a frustrating niggle... When processing email, an Ubuntu Server (with all the updates applied) reports "Permission denied" when trying to virus scan attachments.

Apr  2 14:05:20 svr amavis[6376]: (06376-01) (!)run_av (ClamAV-clamd) FAILED - unexpected , output="/var/lib/amavis/tmp/amavis-20150402T140519-06376-PZcyHfOt/parts: lstat() failed: Permission denied. ERROR\n"
Apr  2 14:05:20 svr amavis[6376]: (06376-01) (!)ClamAV-clamd av-scanner FAILED: CODE(0x30cf250) unexpected , output="/var/lib/amavis/tmp/amavis-20150402T140519-06376-PZcyHfOt/parts: lstat() failed: Permission denied. ERROR\n" at (eval 136) line 899.
Apr  2 14:05:20 svr amavis[6376]: (06376-01) (!)WARN: all primary virus scanners failed, considering backups

When I look at the directories in question, I see this:

$ ls -ld /var/lib/amavis/tmp
drwxrwx--- 4 amavis amavis 4096 Apr  2 14:16 /var/lib/amavis/tmp
$ ls -ld /var/lib/amavis/tmp/amavis-20150402T140519-06376-PZcyHfOt/
drwxr-x--- 3 amavis amavis 4096 Apr  2 14:05 /var/lib/amavis/tmp/amavis-20150402T140519-06376-PZcyHfOt/
$ ls -ld /var/lib/amavis/tmp/amavis-20150402T140519-06376-PZcyHfOt/parts                                                                                                                                                                           
drwxr-x--- 2 amavis amavis 4096 Apr  2 14:16 /var/lib/amavis/tmp/amavis-20150402T140519-06376-PZcyHfOt/parts

I made sure the clamd user is a member of the amavisd group - but this didn't fix anything. Can anyone tell me, specifically, which component wants what permissions - and... ideally... what to do to fix this?

Clarification: I am not looking for explanations of the fundamentals of permissions. I am looking for a solution appropriate to this specific problem - which, at first glance, at least, looks as if a component of the amavis suite (perhaps clamd) is using the wrong umask value. Of course, this fault may have arisen as a result of a number of bugs or configuration glitches. I am looking, specifically, for the most appropriate resolution for this case... where a 'vanilla' amavis/clamav install fails to access the contents of temporary folders it creates as/when required to scan inbound email.

I am aware of this similar (non-Ubuntu) question. The Redhat/Centos answer doesn't solve the problem I experience with Ubuntu.

This problem is encountered on "Ubuntu 14.04.2 LTS" - there are no pending updates.

Thunar to set permissions? OMG.

And then on a server?

Mishael, you can use this to change permission when you have GUI (gtk2+xfce ) already installed like Ubuntu desktop edition. The OP here mentioned the use of Ubuntu Server. That means No GUI installed and you have to use CLI/command line instead. eq: sudo chmod -R +rw /var/lib/amavis (-R for recursive)

This is what solved it for me (I'm on Debian Jessie). Adding clamav to the amavis group didn't solve it.

Try this ulimet -i unlimted, and it might work fine this way.

The AllowSupplementaryGroups option has been dropped in recent versions of clamav (0.99.2+, Jun 2, 2016 in upstream).

+1 This worked. The approved answer below DOES NOT. If you followed the Ubuntu AmavisNew wiki page (hopefully), you would have already added amavis/clamav as supplementary groups to one another. Approved answer does nothing but repeat this - and does not work. I am running default pkgs on 16.04.1 LTS. ref: help.ubuntu.com/community/PostfixAmavisNew

The default pkg on 16.04.1 has the directive AllowSupplementaryGroups in main config. You are posting misleading information. If the directive does not exist in newer versions - then why does adding the supplementary groups to each account work for you? IT IS STILL IN THE CONFIG on 16.04.1 because it isn't used anymore? Hmm. Show me proof. BTW switching this 'TRUE' made everything work on 16.04.1. ref: help.ubuntu.com/community/PostfixAmavisNew#Troubleshooting

Specifically: help.ubuntu.com/community/PostfixAmavisNew#Troubleshooting

This is not true that AllowSupplementaryGroups does not exist. And what's more you have to set it to true to actually make it work.

Confirmed: fixed problem for me, as well, Ubuntu LTS 16.04.1

Grep from source ver 0.99.2 clamd/clamd.c- if(optget(opts, "AllowSupplementaryGroups")->enabled) { clamd/clamd.c-#ifdef HAVE_INITGROUPS clamd/clamd.c: if(initgroups(opt->strarg, user->pw_gid)) { clamd/clamd.c: fprintf(stderr, "ERROR: initgroups() failed.\n"); clamd/clamd.c- optfree(opts); clamd/clamd.c- return 1; clamd/clamd.c- } clamd/clamd.c-#else

This is still necessary in Ubuntu Xenial which has 0.99.2, so I don't believe @DanielVérité is correct with his version number.

clamd[24248]: WARNING: Ignoring deprecated option AllowSupplementaryGroups at /etc/clamav/clamd.conf:8 At least in September 2020, AllowSupplementaryGroups is no longer an option. Posting this because so many Google results are leading to this now way outdated thread.