ClamAV “Permission denied”: How to fix it

You got a ClamAV “Permission denied” message from your mail server? Learn how to resolve the issue.

The ClamAV “Permission denied” message

I recently set up a new Debian GNU/Linux Server with an MySQL based mail setup using Postfix for SMTP. My Postfix server uses Amavis and ClamAV to scan for viruses. I encountered a problem where ClamAV reported “Permission denied” in my log file (by default /var/log/mail.log).

(!)run_av (ClamAV-clamd) FAILED - unexpected , output="/var/lib/amavis/amavis " data-mce-bogus="1">tmp/amavis-20151026T222741-20271-mdUXn8gF/parts: lstat() failed: Permission denied. ERROR\n"
(!)ClamAV-clamd av-scanner FAILED: CODE(0x4976fa8) unexpected ,output="/var/lib/amavis/tmp/amavis-20151026T222741-20271-mdUXn8gF/parts: lstat() failed: Permission denied. ERROR\n" at (eval 96) line 905.
(!)WARN: all primary virus scanners failed, considering backups

Group membership

To resolve this issue you first have to ensure that the user running ClamAV (usually clamav) is a member of the amavis group.

To check if this is already the case just input

groups clamav

into the console. The output should look like this:

clamav : clamav amavis

if amavis is not in the list use

adduser clamav amavis

Directory permissions

After that check the permission of amavis tmp directory. You can get the path from the log message. By default it should be /var/lib/amavis/tmp/. To check the permission you could use:

ls -la /var/lib/amavis/tmp/

where you would expect the output to contain

drwxrwx--- 3 amavis amavis 4096 Oct 27 13:14 .

The point at the end stands for the directory itself. You want to make sure that it starts with drwxrwx—. This means that the user and the group owning this directory (the both occurences of amavis) are able to (r)ead, (w)rite and e(x)ecute in this directory.
If the user and group don’t have the before mentioned rights use

chmod 770 /var/lib/amavis/tmp/

ClamAV configuration

After that we just have to check if ClamAV uses other groups than its main group. To do this we open the ClamAV configuration file in our favorite editor:

editor /etc/clamav/clamd.conf

Make sure the option AllowSupplementaryGroups is set to true

Restarting the services

Now all you have to do is to restart the services. It would be probably enough to restart the ClamAV daemon but it won’t hurt to restart Amavis as well

/etc/init.d/clamav-daemon restart
/etc/init.d/amavis restart

6 thoughts on “ClamAV “Permission denied”: How to fix it”

  1. How would I configure clamav to automatically kick off a weekly virus scan of the entire hard drive?

Leave a Reply

Your email address will not be published.