ClamAV "Permission denied": How to fix it

You got a ClamAV “Permission denied” message from your mail server? Learn how to resolve the issue.

The ClamAV “Permission denied” message

I recently set up a new Debian GNU/Linux Server with an MySQL based mail setup using Postfix for SMTP. My Postfix server uses Amavis and ClamAV to scan for viruses. I encountered a problem where ClamAV reported “Permission denied” in my log file (by default /var/log/mail.log).

(!)run_av (ClamAV-clamd) FAILED - unexpected , output="/var/lib/amavis/amavis " data-mce-bogus="1"&gt;tmp/amavis-20151026T222741-20271-mdUXn8gF/parts: lstat() failed: Permission denied. ERROR\n"
(!)ClamAV-clamd av-scanner FAILED: CODE(0x4976fa8) unexpected ,output="/var/lib/amavis/tmp/amavis-20151026T222741-20271-mdUXn8gF/parts: lstat() failed: Permission denied. ERROR\n" at (eval 96) line 905.
(!)WARN: all primary virus scanners failed, considering backups

Group membership

To resolve this issue you first have to ensure that the user running ClamAV (usually clamav) is a member of the amavis group.

To check if this is already the case just input

groups clamav

into the console. The output should look like this:

clamav : clamav amavis

if amavis is not in the list use

adduser clamav amavis

Directory permissions

After that check the permission of amavis tmp directory. You can get the path from the log message. By default it should be /var/lib/amavis/tmp/. To check the permission you could use:

ls -la /var/lib/amavis/tmp/

where you would expect the output to contain

drwxrwx--- 3 amavis amavis 4096 Oct 27 13:14 .

The point at the end stands for the directory itself. You want to make sure that it starts with drwxrwx—. This means that the user and the group owning this directory (the both occurences of amavis) are able to (r)ead, (w)rite and e(x)ecute in this directory.
If the user and group don’t have the before mentioned rights use

chmod 770 /var/lib/amavis/tmp/

ClamAV configuration

After that we just have to check if ClamAV uses other groups than its main group. To do this we open the ClamAV configuration file in our favorite editor:

editor /etc/clamav/clamd.conf

Make sure the option AllowSupplementaryGroups is set to true

Restarting the services

Now all you have to do is to restart the services. It would be probably enough to restart the ClamAV daemon but it won’t hurt to restart Amavis as well

/etc/init.d/clamav-daemon restart
/etc/init.d/amavis restart

8 thoughts on “ClamAV “Permission denied”: How to fix it”

Joe Bloggs says:

12. January 2016 at 11:02

Hi Moshe,

I just ran into that error following this how-to https://www.df.eu/de/service/df-faq/cloudserver/anleitungen/spam-und-virenschutz-mit-postfix-debian/ and fixed it with your posting.
Many thanks!
Best Regards
Joe

LOUIS says:

29. May 2016 at 13:04

How would I configure clamav to automatically kick off a weekly virus scan of the entire hard drive?

Kurzer says:

2. May 2017 at 11:37

Hilft auch unter Ubuntu 16.04 LTS. Vielen Dank.

Klaus says:

19. August 2019 at 11:43

Thank you so much! Fixed it after 1h.
Regards

Serge says:

4. October 2019 at 19:18

Thank you for posting your solution, it help me fix the problem!

Andi says:

13. November 2019 at 08:22

Thank you so much ! It also fixed my Problem on my ispconfig 3 running Postfix, ClamAV amnd Amavis.

BR Andi

Eekig says:

14. October 2021 at 13:51

Sometimes you don’t come up with the most logical solutions yourself – thank you –

visitor searching for help says:

13. November 2021 at 14:03

Thank you so much, this helped a lot.