Atomicorp

I am running clamav-0.94.2-3.el5.art

[root@server1 etc]# freshclam
ClamAV update process started at Sat Feb 7 23:07:26 2009
main.cvd is up to date (version: 49, sigs: 437972, f-level: 35, builder: sven)
ERROR: chdir_tmp: Can't create directory ./clamav-eb55b25a4beb18f2bd18e3ba69f69026
WARNING: Incremental update failed, trying to download daily.cvd
ERROR: getfile: Can't create new file /var/clamav/clamav-0a96430273e7660a0a741b252e342aea in /var/clamav
Hint: The database directory must be writable for UID 112 or GID 103
WARNING: Can't download daily.cvd from db.local.clamav.net

What can be causing this?

The permissions for your /var/clamav (or where-ever your clamav dbs are help, sometimes /var/lib/clamav) are not set correctly. This is usually because freshclam is running a different user from clamd, or something changed the ownership of that directory.

check what user freshclam is running as and check /var/clamav (or whatever it is on your box) for what user/group owns it. Also check clamd - you dont want to change /var/clamav to something different from clamd (you'll break clamd).

Hi mike.

/var/clamav

its owned by qscand / qscand

and freshclam its root /root

You have qmail-scanner installed?

In that case you need to edit /etc/freshclam.conf so that DatabaseOwner is qscand, as follows:

DatabaseOwner qscand

And in /etc/clamd.conf edit things so that User is qscand too, as follows:

User qscand

Then chown all files in /var/log/clamav and /var/clamav to qscand:qscand by using the following commands
and
Check if this has solved the problem by just running freshclam on the command line.

Check that clamd restarts correctly by doing
Faris.

p.s. Anytime you update clamav using yum, the default ownerships are going to change, and in some cases you .conf files may get overwritten (though that's unusual).

So you need to do this/check this every time you use yum and a new version of clamav/clamd etc is installed.

Faris.

Freshclam has its own user setting (called DatabaseOwner) in /etc/freshclam.conf. I always manually set this to qscand instead of the default clamav and chown the /var/clamav dir accordingly.

faris wrote:p.s. Anytime you update clamav using yum, the default ownerships are going to change, and in some cases you .conf files may get overwritten (though that's unusual).

So you need to do this/check this every time you use yum and a new version of clamav/clamd etc is installed.

You'd think that the RPM packages could take care of this for us.

Yeah, it would be nice if the ownerships were sorted automatically.

The thing is if you use qmail-scanner you end up using qscand and if you don't then you end up using clamav instead.

But remember that the /etc/cron.daily/freshclam script does sort out the ownerships of the directories and files automatically based on what's in the conf files.

Maybe that could get launched automatically after a clamav update, so it would sort everything out and avoid the problem. (otherwise you'd have to wait until the cron job runs)

What do you think Scott/Mike?

Faris.

It does sort them out automatically on our systems

Scott, what DatabaseOwner do you use in /etc/freshclam.conf, clamav or qscand? I've always had to manually adjust ownerships after ClamAV upgrades and it seems a lot of others are doing the same.

Thank you Faris

Your method fixed

I will be aware of this every upgrade.

Thank you

Its set to qscand on all my systems

Everything is configured to use qscand on our boxes as well. After a ClamAV update /var/clamav is owned by clamav:clamav and 755, so freshclam won't work, because qscand is not allowed to write in /var/clamav. The RPM packages also install files in /var/clamav owned by clamav:clamav that freshclam cannot overwrite. We have to run 'chown -R qscand:qscand /var/clamav' after ClamAV updates to get things to work.

http://3es.atomicrocketturtle.com/packa ... lamav.spec is the spec file if you want to take a crack an an update

I have no idea where to start with that one. What we're seeing is that /var/clamav is owned by clamav:clamav after ClamAV updates and there are also files owned by clamav:clamav in that directory after ClamAV updates. The /var/clamav directory is owned by both clamd and clamav-db, and apparently either or both of those packages set clamav:clamav as the owner of /var/clamav and some files in that directory. Running 'chown -R qscand:qscand /var/clamav' fixes this and gets things to work again. I don't know where in the RPM process this should be taken care of.

could be a trigger in qmail-scanner too:

http://3es.atomicrocketturtle.com/packa ... anner.spec

what I do to debug this stuff is:

rpm -q --scripts <package>
rpm -q --triggers <package>