Owner/group/perms on /var/spool/MailScanner keep clamav from scanning
mailinglist at mindconnect.nl
Tue Nov 20 23:57:14 GMT 2012
On 20-11-2012 15:22, Glenn Steen wrote:
> On 20 November 2012 12:55, Martijn <mailinglist at mindconnect.nl> wrote:
> You can easily test what is happening by becoming the respective users
> and try to cd/ls the directories from root (/) on down to the
> /var/spool/MailScanner/incoming directory (e.g. "su - postfix -s
> /bin/bash" etc).
> What is very likely happening is that the "toplevel" directory
> /var/spool/MailScanner, due to the --- perms for other, simply doesn't
> allow the clamd-process to change directory into its child directory
> incoming. Simply make that one 4 (i.e. r-x) as well and you'll be
> fine. I suppose you need to tell all (filesystem, MailScanner.conf and
> AppArmor) what the deal is.
That is a good suggestion for everyone running into this. With this, I
have verified that the root cause is not the ownership or perms on
/var/spool/MailScanner/incoming OR the directories higher up the tree
where the files are stored, but the owner/perms on
/var/spool/MailScanner itself, PLUS that MailScanner resets these
settings every restart.
Reason I'm on to this is that there seems to be some confusion about
this. A lot of people are looking for clues at the wrong directory. For
So, cutting it short:
- The suggested settings for clamav/clamd in the configuration file
don't work 100% on some systems, and this is causing some confusion.
Mainly, because the error in the logs suggests a problem with the
permissions of the directory higher up the tree: the Incoming Dir.
I couldn't find anyone reporting the true cause as the owner/perms on
/var/spool/MailScanner, so I thought it was a good idea to start a new
thread. My aim would be to just reduce the confusion :-) Everyone seeing
the lstat() error the first time will investigate.
The hints for adding
# For MailScanner
to /etc/apparmor.d/usr.sbin.clamd is a keeper, particularly for users on
Also, I would like to aim at a common solution that . So far, I have
read several fixes, which I think may not be a good idea:
- Set less strict permissions on directories, opening up those dirs not
just for clamav but for who knows what.
- Adding clamav to the postfix group, or reversed. Again, opening things
up on a much larger scale than needed.
Those work in the sense that they get rid of the error. But they also
'fix' a lot more than just the error in the logs.
Setting the ownership of /var/spool/MailScanner to postfix:clamav and
perms 640 I think would be a very good fix, if it weren't for
MailScanner resetting those values.
I think fixing this may need some extra settings in the configuration,
to regulate the ownership and perms in /var/spool/MailScanner
specifically, instead of assuming Run As values.
Any thoughts on this from the community?
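
Added example (not part of the original post, and not MailScanner or ClamAV code): the manual su/cd test from the quoted reply, done by reading mode bits instead. It lists every directory on the way to the incoming dir that an account cannot traverse; the account names clamav and postfix and the default path are assumptions taken from this thread, and ACLs and AppArmor are not modelled.

```python
import os
import pwd
import stat
import sys
from pathlib import Path


def can_search(st, uid, gids):
    """True if the classic mode bits give uid/gids search (x) on a directory.

    Only the first matching class (owner, then group, then other) is used,
    as the kernel does. ACLs and AppArmor profiles are not modelled.
    """
    if uid == 0:
        return True  # root bypasses directory permission bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def blocked_dirs(target, uid, gids):
    """Return every directory from / down to target that uid cannot traverse."""
    target = Path(os.path.realpath(target))
    chain = list(reversed(target.parents))  # root first
    if target.is_dir():
        chain.append(target)
    return [str(d) for d in chain if not can_search(os.stat(d), uid, gids)]


def ids_for(user):
    """Look up uid and the full group set (primary + supplementary) of a user."""
    pw = pwd.getpwnam(user)
    return pw.pw_uid, set(os.getgrouplist(user, pw.pw_gid))


if __name__ == "__main__":
    # Defaults are assumptions taken from the thread; run as root so that
    # every directory on the path can be stat()ed.
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/spool/MailScanner/incoming"
    for user in sys.argv[2:] or ["clamav", "postfix"]:
        try:
            uid, gids = ids_for(user)
        except KeyError:
            print(f"{user}: no such account")
            continue
        bad = blocked_dirs(target, uid, gids)
        print(f"{user}: " + ("can traverse" if not bad else "blocked at " + ", ".join(bad)))
```

Run it once right after a MailScanner restart and once after changing the owner or mode by hand to see whether the restart put the old values back.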