I want to start clamd normally as a root user, and assign the local socket to be used by Qmail-Scanner (only). clamd runs as user/group clamav, qmail-scanner-queue as qscand.
$ id -nG clamav
clamav qscand
$ id -nG qscand
qscand
clamd.conf as follows:
$ cat /usr/local/etc/clamd.conf
LocalSocket /tmp/clamav/clamd.socket
LocalSocketGroup qscand
LocalSocketMode 660
User clamav
When I try to start clamd, after a few seconds I get:
# ls -l /tmp/clamav
total 0
# clamd
ERROR: Failed to change socket ownership to group qscand
# ls -l /tmp/clamav
total 0
s--------- 1 clamav clamav 0 2012-12-11 15:57 clamd.socket=
# sudo -u clamav clamd
# ls -l /tmp/clamav
total 0
srw-rw---- 1 clamav qscand 0 2012-12-11 15:57 clamd.socket=
See the funny trick I have to play?
If I start it as root, the program doesn't know after dropping privileges that its
effective user is a member of the needed group. But if I start it as user clamav, it works!
I'm using an older linux (Slackware 11.0.0) so after reading docs, and compiling test code, I'm beginning to suspect a library issue with that distribution. Searches reveal people encountering this error in 2010, but no definitive solutions.
Can anyone confirm that clamav should work the way I expect? Or show me the error of my ways …
Best Answer
I now have the configuration exactly as I wish. The behavior is by design; why, I am not sure. Anyway enabling the option "AllowSupplementaryGroups" solved my issue:
Now root can start the server without any special tricks.