You got a ClamAV “Permission denied” message from your mail server? Learn how to resolve the issue.
The ClamAV “Permission denied” message
I recently set up a new Debian GNU/Linux Server with an MySQL based mail setup using Postfix for SMTP. My Postfix server uses Amavis and ClamAV to scan for viruses. I encountered a problem where ClamAV reported “Permission denied” in my log file (by default /var/log/mail.log).
(!)run_av (ClamAV-clamd) FAILED - unexpected , output="/var/lib/amavis/amavis " data-mce-bogus="1">tmp/amavis-20151026T222741-20271-mdUXn8gF/parts: lstat() failed: Permission denied. ERROR\n" (!)ClamAV-clamd av-scanner FAILED: CODE(0x4976fa8) unexpected ,output="/var/lib/amavis/tmp/amavis-20151026T222741-20271-mdUXn8gF/parts: lstat() failed: Permission denied. ERROR\n" at (eval 96) line 905. (!)WARN: all primary virus scanners failed, considering backups
To resolve this issue you first have to ensure that the user running ClamAV (usually clamav) is a member of the amavis group.
To check if this is already the case just input
into the console. The output should look like this:
clamav : clamav amavis
if amavis is not in the list use
adduser clamav amavis
After that check the permission of amavis tmp directory. You can get the path from the log message. By default it should be /var/lib/amavis/tmp/. To check the permission you could use:
ls -la /var/lib/amavis/tmp/
where you would expect the output to contain
drwxrwx--- 3 amavis amavis 4096 Oct 27 13:14 .
The point at the end stands for the directory itself. You want to make sure that it starts with drwxrwx—. This means that the user and the group owning this directory (the both occurences of amavis) are able to (r)ead, (w)rite and e(x)ecute in this directory.
If the user and group don’t have the before mentioned rights use
chmod 770 /var/lib/amavis/tmp/
After that we just have to check if ClamAV uses other groups than its main group. To do this we open the ClamAV configuration file in our favorite editor:
Make sure the option
AllowSupplementaryGroups is set to
Restarting the services
Now all you have to do is to restart the services. It would be probably enough to restart the ClamAV daemon but it won’t hurt to restart Amavis as well
/etc/init.d/clamav-daemon restart /etc/init.d/amavis restart