Document the --fdpass option to clamdscan
People run into all kinds of permissions issues while running clamav in combination with amavis. You can work around things by adding somebody to somebody else's group, or by shoveling data over the network, or....
But the best way to avoid problems on a single host is to pass --fdpass to the clamdscan program. That way, if you can read a file, you open it and hand off the descriptor to clamd. This avoids transferring data pointlessly, but doesn't require the clamd daemon to be able to read everyone's personal files.
A comment in amavis.conf should suffice for the technical part. Various parts of the documentation discuss strategies for integrating clamav/amavis and this probably deserves a mention there, too.
FWIW, my command is
@av_scanners = (
['ClamAV-clamdscan', 'clamdscan', "--fdpass --stdout --no-summary {}",
[0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
);
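The descriptor hand-off described in the report above, as an added example that is not part of the original report or of ClamAV/amavis code: the client opens an owner-only file and sends just the descriptor over a Unix socket as SCM_RIGHTS ancillary data, modelled on clamd's FILDES command. The `daemon_scan` receiver, the marker string and the reply text are constructed stand-ins, and a socketpair replaces the real clamd socket so the block runs offline (Python 3.9+ on a Unix system).

```python
import os
import socket
import tempfile

MARKER = b"CONSTRUCTED-TEST-MARKER"  # constructed stand-in for a signature


def client_send(sock, path):
    """Open the file as the calling user and pass only the descriptor."""
    fd = os.open(path, os.O_RDONLY)
    try:
        sock.sendall(b"zFILDES\0")            # command, null-terminated
        socket.send_fds(sock, [b"\0"], [fd])  # dummy byte + SCM_RIGHTS
    finally:
        os.close(fd)  # the in-flight copy stays valid for the receiver


def daemon_scan(sock):
    """Stand-in for clamd: scans the received descriptor, never a path."""
    cmd = sock.recv(8, socket.MSG_WAITALL)
    if cmd != b"zFILDES\0":
        return "UNKNOWN COMMAND"
    _, fds, _, _ = socket.recv_fds(sock, 1, 1)
    if not fds:
        return "No file descriptor received. ERROR"
    with os.fdopen(fds[0], "rb") as f:
        data = f.read()
    return "Constructed.Marker FOUND" if MARKER in data else "OK"


def demo(content):
    client, daemon = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, content)
        os.close(fd)
        os.chmod(path, 0o600)   # readable by the owner only
        client_send(client, path)
        os.unlink(path)         # path is gone; the passed descriptor is not
        return daemon_scan(daemon)
    finally:
        client.close()
        daemon.close()
        if os.path.exists(path):
            os.unlink(path)


if __name__ == "__main__":
    print(demo(b"hello " + MARKER))
    print(demo(b"clean mail body"))
```

The receiver gets the content even though the path is unlinked before it reads, which shows that the scanning side needs no filesystem permission on the file, only the descriptor it was handed.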