FS#64930 - [amavisd-new] Permission denied (with clamav in group amavis)
Attached to Project:
Community Packages
Opened by Patrick Ben Koetter (Patrick) - Saturday, 21 December 2019, 21:41 GMT
Last edited by David Thurstenson (thurstylark) - Saturday, 12 March 2022, 20:54 GMT
Opened by Patrick Ben Koetter (Patrick) - Saturday, 21 December 2019, 21:41 GMT
Last edited by David Thurstenson (thurstylark) - Saturday, 12 March 2022, 20:54 GMT
|
Details
Description:
clamav fails with "Permission denied" to scan mail from amavis allthough it is in group "amavis" Additional info: Installed packages: [root@v22016013320531498 ~]# pacman -Ss clamav extra/clamav 0.102.1-1 [Installiert] Anti-virus toolkit for Unix [root@v22016013320531498 ~]# pacman -Ss amavisd-new community/amavisd-milter 1.7.0-1 [Installiert] sendmail milter for amavisd-new using the AM.PDP protocol community/amavisd-new 2.12.0-2 [Installiert] High-performance interface between mailer (MTA) and content checkers clamav is in group amavis: # id clamav uid=64(clamav) gid=64(clamav) Gruppen=64(clamav),333(amavis) * config and/or log files etc. clamd has been configured to use AllowSupplementaryGroups allthough the option has been deprecated: # clamconf Checking configuration files in /etc/clamav Config file: clamd.conf ----------------------- AlertExceedsMax disabled PreludeEnable disabled PreludeAnalyzerName disabled LogFile disabled LogFileUnlock disabled LogFileMaxSize = "1048576" LogTime = "yes" LogClean = "yes" LogSyslog = "yes" LogFacility = "LOG_MAIL" LogVerbose = "yes" LogRotate disabled ExtendedDetectionInfo = "yes" PidFile = "/run/clamav/clamd.pid" TemporaryDirectory = "/tmp" DatabaseDirectory = "/var/lib/clamav" OfficialDatabaseOnly disabled LocalSocket = "/run/clamav/clamd.ctl" LocalSocketGroup = "amavis" LocalSocketMode = "660" FixStaleSocket = "yes" TCPSocket disabled TCPAddr disabled MaxConnectionQueueLength = "200" StreamMaxLength = "26214400" StreamMinPort = "1024" StreamMaxPort = "2048" MaxThreads = "10" ReadTimeout = "120" CommandReadTimeout = "30" SendBufTimeout = "500" MaxQueue = "100" IdleTimeout = "30" ExcludePath disabled MaxDirectoryRecursion = "15" FollowDirectorySymlinks disabled FollowFileSymlinks disabled CrossFilesystems = "yes" SelfCheck = "600" DisableCache disabled VirusEvent disabled ExitOnOOM disabled AllowAllMatchScan = "yes" Foreground disabled Debug = "yes" LeaveTemporaryFiles disabled User = "clamav" Bytecode = "yes" BytecodeSecurity = "TrustSigned" BytecodeTimeout = "5000" BytecodeUnsigned disabled BytecodeMode = "Auto" DetectPUA = "yes" ExcludePUA disabled IncludePUA disabled ScanPE = "yes" ScanELF = "yes" ScanMail = "yes" ScanPartialMessages disabled PhishingSignatures = "yes" PhishingScanURLs = "yes" HeuristicAlerts = "yes" HeuristicScanPrecedence disabled StructuredDataDetection disabled StructuredMinCreditCardCount = "3" StructuredMinSSNCount = "3" StructuredSSNFormatNormal = "yes" StructuredSSNFormatStripped disabled ScanHTML = "yes" ScanOLE2 = "yes" AlertBrokenExecutables disabled AlertEncrypted disabled AlertEncryptedArchive disabled AlertEncryptedDoc disabled AlertOLE2Macros disabled AlertPhishingSSLMismatch disabled AlertPhishingCloak disabled AlertPartitionIntersection disabled ScanPDF = "yes" ScanSWF = "yes" ScanXMLDOCS = "yes" ScanHWP3 = "yes" ScanArchive = "yes" ForceToDisk disabled MaxScanTime disabled MaxScanSize = "104857600" MaxFileSize = "26214400" MaxRecursion = "16" MaxFiles = "10000" MaxEmbeddedPE = "10485760" MaxHTMLNormalize = "10485760" MaxHTMLNoTags = "2097152" MaxScriptNormalize = "5242880" MaxZipTypeRcg = "1048576" MaxPartitions = "50" MaxIconsPE = "100" MaxRecHWP3 = "16" PCREMatchLimit = "100000" PCRERecMatchLimit = "2000" PCREMaxFileSize = "26214400" OnAccessMountPath disabled OnAccessIncludePath disabled OnAccessExcludePath disabled OnAccessExcludeRootUID disabled OnAccessExcludeUID disabled OnAccessExcludeUname disabled OnAccessMaxFileSize = "5242880" OnAccessDisableDDD disabled OnAccessPrevention disabled OnAccessExtraScanning disabled OnAccessCurlTimeout = "5000" OnAccessMaxThreads = "5" OnAccessRetryAttempts disabled OnAccessDenyOnError disabled DevACOnly disabled DevACDepth disabled DevPerformance disabled DevLiblog disabled DisableCertCheck disabled AlgorithmicDetection = "yes" BlockMax disabled PhishingAlwaysBlockSSLMismatch disabled PhishingAlwaysBlockCloak disabled PartitionIntersection disabled OLE2BlockMacros disabled ArchiveBlockEncrypted disabled *** AllowSupplementaryGroups is DEPRECATED *** amavis logs clamav failes because the permission to access the files has been denied: Dez 21 22:33:37 v22016013320531498 amavis[2218]: (02218-01) run_av (ClamAV-clamd) result: /var/spool/amavis/tmp/afXXXXt0VB9V/parts: lstat() failed: Permission denied. ERROR\n Dez 21 22:33:37 v22016013320531498 amavis[2218]: (02218-01) (!)run_av (ClamAV-clamd) FAILED - unexpected , output="/var/spool/amavis/tmp/afXXXXt0VB9V/parts: lstat() failed: Permission denied. ERROR\n" Dez 21 22:33:37 v22016013320531498 amavis[2218]: (02218-01) (!)ClamAV-clamd av-scanner FAILED: CODE(0x5646e86bd270) unexpected , output="/var/spool/amavis/tmp/afXXXXt0VB9V/parts: lstat() failed: Permission denied. ERROR\n" at (eval 59) line 951. Steps to reproduce: * follow the instructions in the wiki https://wiki.archlinux.org/index.php/Amavis#Basic_configuration * Send a test message using e.g. the EICAR testvirus * Look at the log |
This task depends upon
Closed by David Thurstenson (thurstylark)
Saturday, 12 March 2022, 20:54 GMT
Reason for closing: No response
Saturday, 12 March 2022, 20:54 GMT
Reason for closing: No response
Are the instruction on the wiki misleading/incorrect?
Do the configs/groups in the amavisd-new package need adjusting?
Without the output of the `namei` command I requested in my last comment it's not clear what exactly might be the underlying cause.
Please provide some further details.