Bug 708734 - acct-user/clamav clobbers existing supplementary groups
Status: RESOLVED DUPLICATE of bug 708560
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Michael Orlitzky
Reported: 2020-02-08 16:11 UTC by Daniel M. Weeks
Modified: 2020-02-10 10:42 UTC
Description Daniel M. Weeks 2020-02-08 16:11:31 UTC
It is a common practice to use clamd and amavisd-new together running as different users. This requires putting clamav in the amavis group so it can read/scan files as they pass through amavis.

However, the installation of acct-user/clamav on a working system causes the supplementary groups of the clamav user to be rewritten, dropping access to amavis group files, breaking clamd's ability to perform a scan.

It seems this type of situation could affect other acct-user/* packages with great annoyance to users and potentially introduce security issues instead of solving them.

Reproducible: Always
Comment 1 Tomáš Mózes 2020-02-08 20:19:30 UTC

*** This bug has been marked as a duplicate of bug 708560 ***
Comment 2 Michael Orlitzky gentoo-dev 2020-02-08 22:38:17 UTC
I know that better than anyone...

But in this case, the recommended way to integrate clamav and amavisd-new was overly-permissive, and there's just a much better way to do it. The CONTSCAN method asks clamd to perform the scan itself, which means that it has to be able to read ALL of your personal files, not just the one being scanned. Running clamdscan with --fdpass is better in every way.

Now that amavis has an active upstream again, we can hopefully get the default entry replaced:

  https://gitlab.com/amavis/amavis/issues/59
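
Added example, not part of the bug thread or of any Gentoo tooling: one way to check for the breakage the report describes, by comparing the supplementary groups a user has in two snapshots of /etc/group taken before and after an update. The function names, the snapshot contents and the `scanlog` group are constructed for illustration.

```sh
#!/bin/sh
# Report supplementary groups a user lost between two /etc/group snapshots.
# Only the member list (4th field) is inspected; the primary group stored in
# /etc/passwd is out of scope here.

# supp_groups GROUPFILE USER -> one group name per line, sorted
supp_groups() {
    awk -F: -v u="$2" '
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == u) print $1    # exact match, not substring
        }' "$1" | sort
}

# lost_groups BEFORE AFTER USER -> groups present before but missing after
lost_groups() {
    before=$(mktemp)
    after=$(mktemp)
    supp_groups "$1" "$3" > "$before"
    supp_groups "$2" "$3" > "$after"
    comm -23 "$before" "$after"
    rm -f "$before" "$after"
}

# Constructed snapshots: clamav is dropped from amavis but stays in scanlog.
demo_lost() {
    d=$(mktemp -d)
    printf '%s\n' 'amavis:x:995:clamav' 'clamav:x:996:' \
        'scanlog:x:1001:clamav,alice' > "$d/before"
    printf '%s\n' 'amavis:x:995:' 'clamav:x:996:' \
        'scanlog:x:1001:clamav,alice' > "$d/after"
    lost_groups "$d/before" "$d/after" clamav
    rm -rf "$d"
}

demo_lost   # prints: amavis
```

On a real system the "before" snapshot would be a copy of /etc/group saved ahead of the update, and any output for a service account is worth reviewing before the service is restarted.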