Jesper,

> I have just installed a new FreeBSD box, updated the ports system,
> installed postfix, amavisd-new and clamav. So far so good.
> I have made the necessary changes to the conf files with no problems.
> Now I started postfix, and then I would start amavisd-new, but here I
> have problems.
>
> The problem is:
> On my old bsd box with the same setup, I used to start amavisd-new with
> this command: amavisd -u vscan
> But when I try this on my new setup I get this error in the
> /var/mail/maillog file:
> Sep 27 09:46:04 filter2 amavis[30683]: Net::Server: 2005/09/27-09:46:04
> Couldn't chroot to "/var/amavis"\n  at line 467 in file
> /usr/local/lib/perl5/site_perl/5.8.6/Net/Server.pm

To be able to do chroot the process needs root privileges.
Specifying -u on the command drops privileges early during startup,
before amavisd.conf is run and before chroot - which is why chroot
fails. The -u cannot be used when chroot is desired.

amavisd-new-2.0 release notes:

- new command line options '-u user' and '-g group' are available.
  These are pretty much equivalent to doing a su(1) to the specified user
  first (in which case the use of these options is redundant).

  By doing 'su' or by specifying a command-line option '-u username'
  one can prevent a potential security risk on misconfigured sites where
  amavisd.conf is writable by UID running amavisd (e.g. not owned by root).
  If a (non-root) username or UID is specified, privileges are now dropped
  _before_ opening and evaluating a configuration file. The consequence
  is that the configuration variables $daemon_user and $daemon_group
  (in amavisd.conf) can not have an after-effect (a warning is issued
  if different).

  If -u is not specified, the behaviour is as before, i.e. the config file
  is read and evaluated under the current UID (as root unless 'su' was done),
  and the values of $daemon_user and $daemon_group from the config file
  are passed to Net::Server, which changes UID during its startup after
  chroot-ing (if requested).

  If chroot is desired, the -u must not be used: the root privilege is
  required to do chroot, and the config file must be read _before_ doing
  chroot. A case of Catch-22. Be doubly careful of who can modify the
  configuration file.

  Another consequence of specifying -u is that any external files (e.g.
  templates, lookup hashes) as possibly read from amavisd.conf, are now
  accessed as unprivileged user and no longer as root. The same goes for
  opening the log file when not logging via syslog.


Mark
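
A small pre-start check that encodes the two points above (no -u when a
chroot is wanted, and the config file must then be root-owned and not
writable by anyone else, since it is evaluated as root before Net::Server
chroots and drops privileges). This is an added example written for this
reply, not part of amavisd-new; the paths (/usr/local/etc/amavisd.conf,
/var/amavis), the user vscan and the use of $daemon_chroot_dir in
amavisd.conf are assumptions matching the FreeBSD setup described, and the
temporary files in the self-test are constructed inline.

```sh
#!/bin/sh
# Pre-start sanity checks for amavisd (added example, not amavisd's own code).
#   1. With a chroot, amavisd must be started as root and WITHOUT -u: the
#      config is read first, then Net::Server chroots, then it changes UID
#      to $daemon_user/$daemon_group from amavisd.conf.
#   2. That config is therefore evaluated with root privileges, so nobody
#      but root may be able to write it.
# Paths, user name and $daemon_chroot_dir are assumed (FreeBSD-port style).

# amavis_conf_safe FILE [OWNER]
# Succeeds only if FILE is a regular file owned by OWNER (default root)
# with neither the group nor the world write bit set.
amavis_conf_safe() {
    f=$1
    owner=${2:-root}
    [ -f "$f" ] || { echo "amavis_conf_safe: $f: not a regular file" >&2; return 1; }
    # find(1) -user / -perm are POSIX; -perm -020 = group-writable, -002 = world-writable
    if [ -z "$(find "$f" -user "$owner" -print 2>/dev/null)" ]; then
        echo "amavis_conf_safe: $f: not owned by $owner" >&2
        return 1
    fi
    if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]; then
        echo "amavis_conf_safe: $f: group- or world-writable" >&2
        return 1
    fi
    return 0
}

# amavis_prestart_check CONF CHROOT_DIR [OWNER]
# An empty CHROOT_DIR means no chroot is requested.  With a chroot, the
# caller must be root (chroot(2) needs it) and the directory must exist.
# In either case CONF must pass amavis_conf_safe.
amavis_prestart_check() {
    conf=$1
    chroot_dir=$2
    owner=${3:-root}
    amavis_conf_safe "$conf" "$owner" || return 1
    if [ -n "$chroot_dir" ]; then
        if [ "$(id -u)" -ne 0 ]; then
            echo "amavis_prestart_check: chroot to $chroot_dir needs root (start as root, without -u)" >&2
            return 1
        fi
        [ -d "$chroot_dir" ] || { echo "amavis_prestart_check: $chroot_dir: no such directory" >&2; return 1; }
    fi
    return 0
}

# amavis_start_cmd USER CHROOT_DIR
# Prints the invocation consistent with the rules above: with a chroot,
# plain 'amavisd' (the UID change is left to $daemon_user/$daemon_group,
# and the chroot to $daemon_chroot_dir, in amavisd.conf); without a
# chroot, 'amavisd -u USER' drops privileges before the config is read.
amavis_start_cmd() {
    user=$1
    chroot_dir=$2
    if [ -n "$chroot_dir" ]; then
        echo "amavisd"
    else
        echo "amavisd -u $user"
    fi
}

# Typical use, as root, before starting the daemon on the setup described:
#   amavis_prestart_check /usr/local/etc/amavisd.conf /var/amavis \
#     && $(amavis_start_cmd vscan /var/amavis)
```

Run it as root on the box in question; if it complains that the config is
group- or world-writable, fix that before starting amavisd at all, since
with a chroot the file is executed as root.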


_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/