After switching to systemd, using the default socket /var/run/clamav/clamd.sock with amavis and clamav, amavis gets greeted with permission denied errors on the clamd socket, even though it is srw-rw-rw-. With systemd, /var/run is symlinked to /run, which is tmpfs-mounted (tmpfs on /run type tmpfs (rw,nosuid,nodev,mode=755)). Even changing to /tmp/clamd.sock (also tmpfs), the socket still fails. Changing the socket to /var/lib/clamav/clamd.sock works as a workaround, as that is normally a regularly mounted filesystem. I'm not sure if it is an amavis, clamd or systemd (well, a mount) bug, but patching both temporarily to /var/lib/clamav/clamd.sock prevents problems until upstream sorts this.

Reproducible: Always
Please paste the output of "stat /run".
Gladly:

  File: ‘/run’
  Size: 900        Blocks: 0          IO Block: 4096   directory
Device: 13h/19d    Inode: 1140        Links: 28
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2016-05-06 10:57:17.039999946 +0200
Modify: 2016-05-06 16:48:21.102187339 +0200
Change: 2016-05-06 16:48:21.102187339 +0200
 Birth: -

For completeness' sake:

  File: ‘/var/lib/clamav/’
  Size: 156        Blocks: 0          IO Block: 4096   directory
Device: 25h/37d    Inode: 536         Links: 1
Access: (0755/drwxr-xr-x)  Uid: (  104/  clamav)   Gid: (  997/  clamav)
Access: 2016-05-01 17:11:34.000000000 +0200
Modify: 2016-05-09 10:00:49.053277956 +0200
Change: 2016-05-09 10:00:49.053277956 +0200
 Birth: -

which is where I keep my socket for now:

  File: ‘/var/lib/clamav/clamd.sock’
  Size: 0          Blocks: 0          IO Block: 4096   socket
Device: 25h/37d    Inode: 920397      Links: 1
Access: (0666/srw-rw-rw-)  Uid: (  104/  clamav)   Gid: (  997/  clamav)
Access: 2016-05-06 10:57:47.379998898 +0200
Modify: 2016-05-06 10:57:47.379998898 +0200
Change: 2016-05-06 10:57:47.379998898 +0200
 Birth: -
P.S. Also, a directory is made for clamav under /run:

  File: ‘/run/clamav/’
  Size: 80         Blocks: 0          IO Block: 4096   directory
Device: 13h/19d    Inode: 3045        Links: 2
Access: (0710/drwx--x---)  Uid: (  104/  clamav)   Gid: (  997/  clamav)
Access: 2016-05-06 10:57:19.049999877 +0200
Modify: 2016-05-06 10:57:47.399998897 +0200
Change: 2016-05-06 10:57:47.399998897 +0200
 Birth: -
It won't work for sure if you put it in /tmp, because the unit has PrivateTmp=true. You could try stracing amavis, or socat UNIX-CONNECT, when it's in /run though.
Just had the same problem a few minutes ago.

chmod 755 /var/run/clamav

The essential part is that the x bit is set on the directory. (It also works with 711.)
Seems chmod on the /var/run/clamav directory doesn't survive a reboot. Elsewhere it is recommended to make clamav a member of the amavis group and amavis a member of the clamav group. This doesn't seem to help.
This is because the clamav tmpfiles.d entry makes /run/clamav mode 710 every time the machine starts:

d /run/clamav 0710 clamav clamav

That should probably be 750 instead. Then adding the amavis user to the "clamav" group would allow it to enter that directory and access the socket. It works in OpenRC because the permissions on that directory get adjusted to 755 on-the-fly, but in my opinion, that's a mistake.
Assigning to antivirus@ because I think this needs to be fixed in clamav. Please see my previous comment. Most likely, /run/clamav should be mode 750 under both systemd and OpenRC. NOTE: both the tmpfiles.d and OpenRC init script need to be updated, if you believe me. The tmpfiles.d entry makes the permissions too strict (710), and OpenRC leaves them too loose (755).
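The two comments above turn on which mode bits on /run/clamav actually gate access to the socket. The following is an added example (not code from this bug, from clamav, or from amavis) that models the discretionary permission check the kernel applies to an AF_UNIX connect(): every directory on the way to the socket must grant search (x) to the caller, and the socket inode itself must grant write (w); read (r) on a directory only allows listing it. The clamav uid/gid (104/997) are taken from the stat output in this thread; the amavis uid/gid (105/998), the root bypass, and the absence of ACLs, LSM policy and PrivateTmp effects are assumptions made for the example. It lets you try a candidate tmpfiles.d mode against a given group membership without rebooting.

```python
#!/usr/bin/env python3
"""Model of the mode-bit (DAC) check an AF_UNIX connect() must pass.

Added example, not part of the bug thread. Assumptions: plain POSIX
rwx bits only (no ACLs, no SELinux/AppArmor), root bypasses the check,
and the amavis uid/gid below are made up.
"""
from dataclasses import dataclass

R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Node:
    """One path component: permission bits (e.g. 0o710), owner uid, owner gid."""
    path: str
    mode: int
    uid: int
    gid: int


def allowed(node: Node, want: int, uid: int, gids: frozenset) -> bool:
    """Pick the owner/group/other triplet that applies to the caller and
    test whether every bit in `want` is set."""
    if uid == 0:                      # assumption: root (CAP_DAC_OVERRIDE) bypasses
        return True
    if uid == node.uid:
        bits = (node.mode >> 6) & 7   # owner triplet
    elif node.gid in gids:
        bits = (node.mode >> 3) & 7   # group triplet
    else:
        bits = node.mode & 7          # other triplet
    return (bits & want) == want


def can_connect(components, uid: int, gids):
    """components: directories leading to the socket, in order, then the socket.
    Directories need search (x); the socket needs write (w), which is what
    connect(2) checks on a unix socket. Returns (ok, reason)."""
    *dirs, sock = components
    gids = frozenset(gids)
    for d in dirs:
        if not allowed(d, X, uid, gids):
            return False, f"no search (x) permission on {d.path}"
    if not allowed(sock, W, uid, gids):
        return False, f"no write permission on {sock.path}"
    return True, "ok"


# clamav is uid 104 / gid 997 in the stat output above; amavis ids are assumed.
CLAMAV_UID, CLAMAV_GID = 104, 997
AMAVIS_UID, AMAVIS_GID = 105, 998


def amavis_can_connect(run_clamav_mode: int, amavis_in_clamav_group: bool):
    """Evaluate the default layout with a candidate mode on /run/clamav."""
    path = [
        Node("/run", 0o755, 0, 0),
        Node("/run/clamav", run_clamav_mode, CLAMAV_UID, CLAMAV_GID),
        Node("/run/clamav/clamd.sock", 0o666, CLAMAV_UID, CLAMAV_GID),
    ]
    gids = {AMAVIS_GID} | ({CLAMAV_GID} if amavis_in_clamav_group else set())
    return can_connect(path, AMAVIS_UID, gids)


if __name__ == "__main__":
    for mode in (0o710, 0o750, 0o755, 0o740):
        for member in (False, True):
            ok, why = amavis_can_connect(mode, member)
            print(f"/run/clamav {mode:04o}, amavis in clamav group={member!s:5}: {ok} ({why})")
```

Running it shows that 0710 and 0750 behave identically for the connect path (both require amavis to be in the clamav group, and 0750 only adds the ability to list the directory), 0755 lets any local user reach the socket, and a mode such as 0740 fails even for group members because the search bit is missing, which is the point made in the earlier chmod comment.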
I will have a look at this soon. But what you (@mjo) say seems to make sense.
There was a bug in amavis that prevented multiple groups from working correctly: https://gitlab.com/amavis/amavis/-/issues/68 When the next version of amavis is released, we can finally fix these socket permissions and have things Just Work out of the box.
Can we close this ticket or is there an easy action that we can take to implement any fixes that are still outstanding? Are the changes in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=873ea574ea7e050bd7f1a7d4297528d3b2e5592e sufficient?
(In reply to Matt Jolly from comment #11)
> Can we close this ticket or is there an easy action that we can take to
> implement any fixes that are still outstanding?
>
> Are the changes in
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=873ea574ea7e050bd7f1a7d4297528d3b2e5592e
> sufficient?

0750 on /run/clamav would be better IMO, but right now both OpenRC and systemd use 0755 and that's sufficient to close this issue.