Bug#310633: exim4-daemon-heavy: av_scanner permission error with clamav

Tom.Morgan@denverseminary.edu, 310633@bugs.debian.org
Thu, 26 May 2005 13:09:44 -0600


-----Original Message-----
From: Adam D. Barratt [mailto:debian-bts@adam-barratt.org.uk] 
Sent: Tuesday, May 24, 2005 5:00 PM
To: 310633@bugs.debian.org; tom morgan
Subject: Re: Bug#310633: exim4-daemon-heavy: av_scanner permission error
with clamav

> On Tue, 2005-05-24 at 15:18 -0600, tom morgan wrote:
> > Package: exim4-daemon-heavy
> > Version: 4.50-4
> > Severity: important
> > 
> > i apologize if this is tied to the wrong package.  it's hard to tell if 
> > it is an exim4 bug or a clamav bug.  based on the solution given below, 
> > i selected this one.
> > 
> > after enabling the av_scanner directive in exim4, using clamav, we
> > started receiving the following error:
> [...]
> > the solution is to add the user clamav to the group Debian-exim.  as
> > such, i am suggesting that clamav be added to group Debian-exim as part
> > of the exim4 install/configuration.
> 
> This has previously been suggested a number of times against the clamav
> package, as bug #250335 and the three others merged with it.
> 
> For this reason, /usr/share/doc/clamav-base/README.Debian.gz contains
> details of how to integrate Clamav with sendmail, exim4 and Amavis.
> 
> IMHO, adding users to groups created by other packages isn't something
> unrelated packages should be doing - even less so when the vast
> majority of new sarge and sid systems will be running exim4 but may
> never be running clamav (or may have clamav added later, since exim4
> will be installed by the installer).

Thanks for mentioning #250335.  I've read it and I see that the
documentation to deal with this issue does exist.  However, in the name of
ease of use and accessibility to people, it seems to me that it still would
be useful to attempt to address the issue at the installer level.  

While dealing with it inside the clamav-daemon package seems out of place
because of the variety of potential uses of that package, including it
inside exim4-daemon-heavy (because of the exiscan-acl code) might make more
sense.  It also helps negotiate the ownership of the passwd record.
That is, it's less awkward to add the clamav group to the Debian-exim user
by an exim package than by the clamav package.  And, IIRC, -light is the
default for new systems and so this wouldn't affect them either.  (Unless
exiscan-acl support has been added to -light, then I've made some errant
assumptions.)

I would guess that the likelihood of using clamav with -heavy is reasonably
high and that adding the clamav group to the Debian-exim user, by -heavy,
would be useful.  Is the risk of blindly adding that group membership
substantial?  Changing the permissions of /var/spool/exim4/scan to include
group-write seems like something that could (and I would argue should) be
done easily without any additional consequence.

Alternatively, it could be a debconf option by -heavy or by clamav-daemon,
but that would seem less likely to be helpful based on variance in install
order sequence and/or install times, such as adding clamav-daemon or
upgrading to -heavy, either at a later date.

I know some packages also display an info page through debconf (or email it
to root).  Perhaps at least presenting this issue through that mechanism
would raise awareness and be able to point to the documentation with
information to fix it.  Again, I would suggest that be added to the MTA(s)
affected.  

Thanks for your consideration and all the hard work that goes into making
all of Debian the reliable distro that it is.