[users] possible configuration bug in clamav 0.90.1
Jason Sutherland
jay at jaysweb.net
Wed Mar 7 21:43:44 CET 2007
I'm currently running several mail servers with a stack of CentOS 4.4,
Exim, spamassasin, and clamav. The recent update of clamd 0.90 changed
the default setting for AllowSupplementaryGroups from yes to no. This is
also present in the newer 0.90.1 version as well. This change causes a
permission error that causes exim to stop recieving smtp mail if it is
using clamav for virus scanning. In this case you will see an error
similar to
2007-03-07 14:31:18 1HP1r4-0007Ay-PN malware acl condition: clamd:
ClamAV returned /var/spool/exim/scan/1HP1r4-0007Ay-PN: lstat() failed. ERROR
in the /var/log/exim/panic.log. Exim places mail messages in
/var/spool/exim/scan with the ownership exim:exim and mode 750 to be
scanned by clamd. Part of configuring clamd to work with exim is to put
user clamav in group exim so it can scan incoming mail and not have to
run as root. The new default of AllowSupplementaryGroups appears to not
allow clamav to scan a file unless the it is the explicit owner of the
file even though it does have read permission for that file. So is this
a bug or is it really the mail server administrator's responsibility to
catch a change in the default? If it is to be considered a bug should it
be fixed in the dag packaging or in the clamav source.
-Jason
More information about the users
mailing list