clamdscan clamav-daemon error

Bug #487631 reported by Jacekalex
This bug affects 2 people
Affects: clamav (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: clamav

Hi

I found an error in the clamav-daemon clamdscan client
clamdscan is a client of clamav-daemon.

This error is highly embarrassing for me, because it prevents the operation of the virus scanner Qmail-scanner,
which I installed at my job as a hedge for the Qmail SMTP server.

Clamdscan is not working:
root@localhost:~/test# clamdscan eicar.txt
/root/test/eicar.txt: lstat() failed: Permission denied. ERROR

In the log /var/log/clamav/clamav.log this message appeared:
Tue Nov 24 16:51:54 2009 -> WARNING: lstat() failed on: /root/test/eicar.txt

The error appears only when the scanning is done by clamdscan.

Permissions on the socket are OK:
:~$ ls -l /tmp/clamd.sock
srwxrwxrwx 1 clamav clamav 0 2009-11-24 04:17 /tmp/clamd.sock

Clamav is working properly, but it is not suitable to work with the clam-daemon and Qmail-scanner,
because after each completion of the program's work the virus database is loaded again,
which generates a very large disk load and is very slow compared with the clam-daemon job:

root@localhost:~/test# clamscan eicar.txt
eicar.txt: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 657374
Engine version: 0.95.3
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 1.954 sec (0 m 1 s)
root@localhost:~/test#

Configuration file for clamav-daemon:
:~$ cat /etc/clamav/clamd.conf
AlgorithmicDetection true
AllowSupplementaryGroups true
ArchiveBlockEncrypted false
CommandReadTimeout 5
DatabaseDirectory /var/lib/clamav
Debug false
DetectBrokenExecutables false
DetectPUA false
ExitOnOOM false
FollowDirectorySymlinks false
FollowFileSymlinks true
Foreground false
HeuristicScanPrecedence true
IdleTimeout 30
LeaveTemporaryFiles false
LocalSocket /tmp/clamd.sock
LogClean false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogFileUnlock false
LogFile /var/log/clamav/clamav.log
LogSyslog true
LogTime true
LogVerbose false
MailFollowURLs false
MaxConnectionQueueLength 15
MaxDirectoryRecursion 15
MaxQueue 100
MaxThreads 12
PhishingAlwaysBlockCloak false
PhishingAlwaysBlockSSLMismatch false
PhishingScanURLs true
PhishingSignatures true
PidFile /var/run/clamav/clamd.pid
ReadTimeout 180
ScanArchive true
ScanELF true
ScanHTML true
ScanMail true
ScanOLE2 true
ScanPDF true
ScanPE true
ScanPartialMessages false
SelfCheck 3600
SendBufTimeout 200
StreamMaxLength 10M
StructuredDataDetection false
TCPSocket 3310
User clamav

By contrast, the havp proxy server works with clamav-daemon properly:

Access to this site has been blocked
because it found the virus
ClamAV: EICAR-Test-Signature
Powered by HAVP

These symptoms appeared recently; they did not occur in Ubuntu Jaunty with the same configuration in /etc/clamav/clamd.conf.

Yours

Further information (strace log of the program) is in the attached file clamdscan.log

ProblemType: Bug
Architecture: i386
Date: Tue Nov 24 16:12:13 2009
DistroRelease: Ubuntu 9.10
NonfreeKernelModules: nvidia
Package: clamav-daemon 0.95.3+dfsg-1ubuntu0.09.10
ProcEnviron:
 SHELL=/bin/bash
 PATH=(custom, no user)
 LANG=pl_PL.UTF-8
ProcVersionSignature: Ubuntu 2.6.31-15.50-generic
SourcePackage: clamav
Uname: Linux 2.6.31-15-generic i686
XsessionErrors:
 (gnome-settings-daemon:17742): GLib-CRITICAL **: g_propagate_error: assertion `src != NULL' failed
 (gnome-settings-daemon:17742): GLib-CRITICAL **: g_propagate_error: assertion `src != NULL' failed
 (polkit-gnome-authentication-agent-1:17783): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed
 (nautilus:17774): Eel-CRITICAL **: eel_preferences_get_boolean: assertion `preferences_is_initialized ()' failed
 (nautilus:17898): Eel-CRITICAL **: eel_preferences_get_boolean: assertion `preferences_is_initialized ()' failed

Jacekalex (wampir98-deactivatedaccount) wrote :
description: updated

Scott Kitterman (kitterman) wrote :

This is covered in the apparmor section of /usr/share/doc/clamav/README.Debian.gz (at the end). You should update your profile to authorize scanning where you need it to happen. See https://wiki.ubuntu.com/AppArmor and the linked pages for details. /etc/apparmor.d/usr.sbin.clamd is the profile that needs to be modified for your use case.

Changed in clamav (Ubuntu):
status: New → Invalid

Imre Gergely (cemc) wrote :

Hi

This is actually not a bug. Please see this bugreport to better understand what's going on:

https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/450250

In short: clamdscan uses clamav-daemon to scan for files. When you run 'clamdscan /path/to/file', in the background it just 'orders' clamav-daemon to open that file and scan it.
Because of Apparmor, clamav-daemon doesn't have the read permissions to open any file in any random directory. This _could_ be the problem in your case.

You may have to adjust clamav daemon's apparmor profile to give permissions to qmail's temporary folders (in which the messages are scanned). Look for apparmor messages in the logfile (usually you do a grep for 'audit' in /var/log/messages).

Please update this bugreport if you have problems, I will mark it as Incomplete for now.

Changed in clamav (Ubuntu):
status: Invalid → Incomplete
Changed in clamav (Ubuntu):
status: Incomplete → Invalid

Jacekalex (wampir98-deactivatedaccount) wrote :

This is not the fault of the apparmor module itself:
 sudo apparmor_status | grep clam | wc -l
0

The error occurs regardless of whether the apparmor module is loaded or not.
I also tried a Linux kernel from kernel.org, compiled without support for apparmor; it was the same error.

Imre Gergely (cemc) wrote :

Ok, then check this: does the clamav daemon (which runs as clamav user by default) have read access to the files you try to scan? When using havp with clamav daemon, clamav user gets added to havp group, so it has read access to havp's files.

Jacekalex (wampir98-deactivatedaccount) wrote :

In Jaunty, clamav-daemon running as user clamav scans all files via clamdscan properly.
In Karmic, clamav-daemon scans all files via clamdscan properly only when running as the root user.
When running as user clamav, nothing is scanned; there are only errors (if the scan is done by clamdscan).

Havp-proxy and clamdrip (Thunderbird plugin) work correctly in both Jaunty and Karmic.

For now, I have no problem, as I tested at home, but next week I start work on the mail server
 (Qmail + Dovecot) and there must be a virus scan, and it has to be clamav.
And now I wonder whether clamav-daemon running as root does not pose a threat to the system?

In Jaunty, clamav-daemon has enough permissions as user clamav to work properly;
in Karmic, clamav-daemon must have root permissions. Why, I do not understand.

And this situation occurs only when the scanning is done by clamdscan.
That is why I thought it was a bug in clamdscan; I do not know whether rightly.

And, finally, I do not know whether Jaunty had the error, in that the user clamav had access to all files and clamav-daemon worked properly,
 or whether Karmic has the error, because the clamav user is not permitted to access any file and clamav-daemon must run as user root to work properly.

So where was the error: in Jaunty or in Karmic?

Yours

Jacekalex (wampir98-deactivatedaccount) wrote :

Clamav-daemon runs as user clamav:
:~$ cat /etc/group | grep havp
havp:x:130: # - clamav is working properly
Scan through Clamdrip (thunderbird plugin) - clamav is working properly

Scan through clamdscan - incorrectly, only errors

Clamav daemon runs as root:
Everything is working properly, but clamav-daemon running as root
creates a gap in security (an exploit in a file that attacks clamav-daemon is enough, and the server has a problem).

Excuse me, I know little English:)

Yours

Imre Gergely (cemc) wrote :

I hope I understood correctly what you wanted to say above.

You shouldn't ever run clamav daemon as root.

How is your havp set up? By default havp uses the clamav library to scan for viruses, and NOT clamav daemon. Maybe this is why it's working, because it doesn't use clamav daemon.

Please check the permissions again:
1. run clamav daemon as clamav user (default)
2. copy a file to /tmp, make sure it has 0644 permissions (chmod 0644 /tmp/eicar.txt)
3. try to scan it: clamdscan /tmp/eicar.txt

This should work, and if it does it means clamav daemon is working ok.

Now do this:
4. change the permissions to 0640, chown <user>:<user> /tmp/eicar.txt (where <user> is a non-root user you have on the system)
5. scan again: clamdscan /tmp/eicar.txt

This time it shouldn't work, it should give you that 'permission denied' error.

Now try this:
6. usermod -a -G <user> clamav (where <user> is the above user's group)
7. restart clamav daemon, /etc/init.d/clamav-daemon restart (this is important)
8. scan again with clamdscan

This time it should work again.

Arvind S Raj (arvindsraj-deactivatedaccount) wrote :

This might solve this problem: grant executable permissions to the directory containing the files. clamdscan will be able to scan it; tested this in maverick (10.10) and it works.

Imre Gergely (cemc) wrote :

Indeed. But you can't / shouldn't do that, because that would mean ANYBODY could access those files, not just clamav-daemon. And that might not be desirable :)
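
An added example (not part of this thread and not ClamAV code) of the check behind the step-by-step test and the directory execute-bit comments above: for a scan to succeed, the daemon's user needs search (x) permission on every parent directory and read (r) permission on the file. The sample uid/gid values and file modes are constructed, and only classic mode bits are modelled (no ACLs, no AppArmor).

```python
import os
import stat
from collections import namedtuple

# Constructed sample metadata (assumed layout, not the reporter's real system).
St = namedtuple("St", "st_mode st_uid st_gid")
SAMPLE_FS = {
    "/": St(stat.S_IFDIR | 0o755, 0, 0),
    "/root": St(stat.S_IFDIR | 0o700, 0, 0),
    "/root/test": St(stat.S_IFDIR | 0o755, 0, 0),
    "/root/test/eicar.txt": St(stat.S_IFREG | 0o644, 0, 0),
    "/tmp": St(stat.S_IFDIR | 0o1777, 0, 0),
    "/tmp/eicar.txt": St(stat.S_IFREG | 0o640, 1000, 1000),
}

def allowed(st, uid, gids, want):
    """Owner/group/other mode-bit check for one permission (r=4, x=1)."""
    if uid == 0:
        return True  # root bypasses these checks for directory search and file read
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return (st.st_mode >> shift) & want == want

def first_denied(path, uid, gids, stat_fn=os.stat):
    """Return the first component that blocks (uid, gids), or None if readable.

    Every parent directory needs search (x); the file itself needs read (r).
    """
    current = "/"
    for part in (p for p in path.split("/") if p):
        if not allowed(stat_fn(current), uid, gids, 0o1):
            return current
        current = os.path.join(current, part)
    return None if allowed(stat_fn(current), uid, gids, 0o4) else current

if __name__ == "__main__":
    import grp, pwd, sys
    user = pwd.getpwnam("clamav")  # assumes the daemon account is named clamav
    # Groups as configured on disk; a running clamd keeps the groups it started with.
    gids = {user.pw_gid} | {g.gr_gid for g in grp.getgrall() if "clamav" in g.gr_mem}
    for target in sys.argv[1:]:
        blocker = first_denied(os.path.abspath(target), user.pw_uid, gids)
        print(target, "->", blocker or "readable by clamav")
```

Run against the constructed table, a file under a 0700 /root is blocked at /root for a non-root user even though the file itself is 0644, while the 0640 file in /tmp becomes readable once the daemon's group set includes the file's group.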
