I'm using ClamAV on a Debian 12 system and aim to scan files uploaded via a PHP script using the UNIX socket. However, I'm encountering a problem where the ClamAV UNIX socket seemingly lacks access to the uploaded files. Here are some tests I've conducted:
```
sudo socat - /run/clamav/clamd.sock
>> PING
<< PONG
```
That means the Socket is set up and running. Let's try to scan a file:
```
sudo socat - /run/clamav/clamd.sock
>> SCAN /var/www/html/TestImg.png
<< /var/www/html/TestImg.png: Access denied. ERROR
```
That is weird, let's check if clamdscan is able to scan directly:
```
clamdscan --fdpass --stream /var/www/html/TestImg.png
>> /var/www/html/TestImg.png: OK
```
That works, even without sudo rights. So let's hop into some debugging. This is what I have already done:
- Made sure TestImg.png has each and every right (777: -rwxrwxrwx) -> did not help
- Made sure www-data (the actual user/group that uses the SCAN command) is the owner -> did not help
- Made sure the file /run/clamav/clamd.sock has all possible rights (777) -> did not help
- Tried socat from different users (sudo -u www-data socat / sudo -u root socat / ...) -> did not help
- Made sure that the www-data user has the clamav group and vice versa (sudo usermod -aG clamav www-data && sudo usermod -aG www-data clamav) -> did not help
I also tried to run the clamav-daemon with root rights by adding these two lines to /etc/clamav/clamd.conf:
```
User clamav
AllowSupplementaryGroups yes
LocalSocketMode 660 #Also tried commenting-out this line so the whole world has access
```
I've also been using the dpkg-reconfigure clamav-daemon command at least a trillion times, with no result. I even tried to get a TCP socket running instead of the UNIX socket. Nothing seemed to work so far.
And yes, for every change I did, I always restarted and reloaded everything by:
```
sudo systemctl restart clamav-daemon && sudo systemctl restart php8.2-fpm && sudo systemctl restart nginx
```
This problem is really driving me nuts! Your professional help is very appreciated!
This is my /etc/clamav/clamd.conf File:
```
#Automatically Generated by clamav-daemon postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
LocalSocket /run/clamav/clamd.sock
FixStaleSocket true
LocalSocketGroup clamav
#LocalSocketMode 660
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
ScanMail false
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 99
FollowDirectorySymlinks false
FollowFileSymlinks true
ReadTimeout 500
MaxThreads 2
MaxConnectionQueueLength 20
LogSyslog true
LogRotate true
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PreludeEnable no
PreludeAnalyzerName ClamAV
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly false
SelfCheck 3600
Foreground false
Debug false
ScanPE true
MaxEmbeddedPE 10M
ScanOLE2 true
ScanPDF true
ScanHTML true
MaxHTMLNormalize 10M
MaxHTMLNoTags 2M
MaxScriptNormalize 5M
MaxZipTypeRcg 1M
ScanSWF true
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
CrossFilesystems true
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
PartitionIntersection false
DetectPUA false
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
CommandReadTimeout 30
SendBufTimeout 200
MaxQueue 100
ExtendedDetectionInfo true
OLE2BlockMacros false
AllowAllMatchScan true
ForceToDisk false
DisableCertCheck false
DisableCache false
MaxScanTime 120000
MaxScanSize 100M
MaxFileSize 25M
MaxRecursion 16
MaxFiles 10000
MaxPartitions 50
MaxIconsPE 100
PCREMatchLimit 10000
PCRERecMatchLimit 5000
PCREMaxFileSize 25M
ScanXMLDOCS true
ScanHWP3 true
MaxRecHWP3 16
StreamMaxLength 50M
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock yes
LogFileMaxSize 5M
Bytecode true
BytecodeSecurity TrustSigned
BytecodeTimeout 60000
OnAccessMaxFileSize 5M
```
Here is some totally fine log from sudo journalctl -u clamav-daemon:
```
Apr 07 17:15:58 systemd[1]: Starting clamav-daemon.service - Clam AntiVirus userspace daemon...
Apr 07 17:15:58 systemd[1]: Started clamav-daemon.service - Clam AntiVirus userspace daemon.
Apr 07 17:16:24 clamd[1102794]: Mon Apr 7 17:16:24 2025 -> Limits: Global time limit set to 120000 milliseconds.
Apr 07 17:16:24 clamd[1102794]: Mon Apr 7 17:16:24 2025 -> Limits: Global size limit set to 104857600 bytes.
Apr 07 17:16:24 clamd[1102794]: Mon Apr 7 17:16:24 2025 -> Limits: File size limit set to 26214400 bytes.
Apr 07 17:16:24 clamd[1102794]: Mon Apr 7 17:16:24 2025 -> Limits: Recursion level limit set to 16.
Apr 07 17:16:24 clamd[1102794]: Mon Apr 7 17:16:24 2025 -> Limits: Files limit set to 10000.
Apr 07 17:16:24 clamd[1102794]: Mon Apr 7 17:16:24 2025 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Apr 07 17:16:24 clamd[1102794]: Mon Apr 7 17:16:24 2025 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Apr 07 17:16:24 clamd[1102794]: Mon Apr 7 17:16:24 2025 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Apr 07 17:16:24 clamd[1102794]: Mon Apr 7 17:16:24 2025 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
Apr 07 17:16:24 clamd[1102794]: Mon Apr 7 17:16:24 2025 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Apr 07 17:16:24 clamd[1102794]: Mon Apr 7 17:16:24 2025 -> Limits: MaxPartitions limit set to 50.
Apr 07 17:16:24 clamd[1102794]: Mon Apr 7 17:16:24 2025 -> Limits: MaxIconsPE limit set to 100.
Apr 07 17:16:24 clamd[1102794]: Mon Apr 7 17:16:24 2025 -> Limits: MaxRecHWP3 limit set to 16.
Apr 07 17:16:24 clamd[1102794]: Mon Apr 7 17:16:24 2025 -> Limits: PCREMatchLimit limit set to 10000.
Apr 07 17:16:24 clamd[1102794]: Mon Apr 7 17:16:24 2025 -> Limits: PCRERecMatchLimit limit set to 5000.
Apr 07 17:16:24 clamd[1102794]: Mon Apr 7 17:16:24 2025 -> Limits: PCREMaxFileSize limit set to 26214400.
Apr 07 17:16:24 clamd[1102794]: Mon Apr 7 17:16:24 2025 -> Archive support enabled.
Apr 07 17:16:24 clamd[1102794]: Mon Apr 7 17:16:24 2025 -> AlertExceedsMax heuristic detection disabled.
Apr 07 17:16:24 clamd[1102794]: Mon Apr 7 17:16:24 2025 -> Heuristic alerts enabled.
Apr 07 17:16:24 clamd[1102794]: Mon Apr 7 17:16:24 2025 -> Portable Executable support enabled.
Apr 07 17:16:24 clamd[1102794]: Mon Apr 7 17:16:24 2025 -> ELF support enabled.
Apr 07 17:16:24 clamd[1102794]: Mon Apr 7 17:16:24 2025 -> Mail files support enabled.
Apr 07 17:16:24 clamd[1102794]: Mon Apr 7 17:16:24 2025 -> OLE2 support enabled.
Apr 07 17:16:24 clamd[1102794]: Mon Apr 7 17:16:24 2025 -> PDF support enabled.
Apr 07 17:16:24 clamd[1102794]: Mon Apr 7 17:16:24 2025 -> SWF support enabled.
Apr 07 17:16:24 clamd[1102794]: Mon Apr 7 17:16:24 2025 -> HTML support enabled.
Apr 07 17:16:24 clamd[1102794]: Mon Apr 7 17:16:24 2025 -> XMLDOCS support enabled.
Apr 07 17:16:24 clamd[1102794]: Mon Apr 7 17:16:24 2025 -> HWP3 support enabled.
Apr 07 17:16:24 clamd[1102794]: Mon Apr 7 17:16:24 2025 -> Self checking every 3600 seconds.
```
This is the PHP-Code I am actually using to scan the file:
```php
try {
    move_uploaded_file($_FILES['file']['tmp_name'], __DIR__ . "/TestImg.png");
    // Create the UNIX stream socket that is connected to clamd below
    $MyCLAMAVSocket = socket_create(AF_UNIX, SOCK_STREAM, 0);
    if (socket_connect($MyCLAMAVSocket, "/var/run/clamav/clamd.sock")) {
        if ($MyCLAMAVSocket) {
            // Ask clamd to open and scan the file by path
            $ClamDaemonCommand = "SCAN " . __DIR__ . "/TestImg.png";
            socket_send($MyCLAMAVSocket, $ClamDaemonCommand, strlen($ClamDaemonCommand), 0);
            socket_recv($MyCLAMAVSocket, $return, 20000, 0);
            socket_close($MyCLAMAVSocket);
            // Keep only the part of the reply after the last ":"
            $ScanResult = substr(strrchr(trim($return), ":"), 1);
            if ($ScanResult !== false) {
                $ScanResultMessage = trim($ScanResult);
                if ($ScanResultMessage == "OK") {
                    //File is valid
                } else {
                    if (str_contains($ScanResultMessage, "Access denied.")) {
                        //Access Denied Problem (I always end up here!)
                    } else {
                        //Probably harmful file detected
                    }
                }
            } else {
                //Scan-Error
            }
        } else {
            //Another Socket-Error
        }
    } else {
        //Another Socket-Error
    }
} catch (Exception $EE) {
    //Socket-Error
}
```
Please let me know if you need any further details.
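
In the clamdscan call above, the client opens the file and hands clamd a descriptor or the file's bytes, whereas `SCAN <path>` makes clamd open the path itself. As an added example (not the poster's code), the streaming variant of that exchange in PHP using clamd's INSTREAM command; the function names are made up for illustration, and the socket path is the LocalSocket value from the config above.

```php
<?php
// Added example: stream a file to clamd with INSTREAM instead of SCAN <path>.

/** Write the whole buffer; fwrite() on a socket may write only part of it. */
function writeAll($sock, string $buf): bool
{
    while ($buf !== '') {
        $n = fwrite($sock, $buf);
        if ($n === false || $n === 0) {
            return false;               // clamd closed the connection early
        }
        $buf = substr($buf, $n);
    }
    return true;
}

/** Map a reply such as "stream: OK" or "stream: <name> FOUND" to a status. */
function parseClamdReply(string $reply): array
{
    $reply = trim($reply, "\0\r\n ");
    if (preg_match('/^stream: (.+) FOUND$/', $reply, $m)) {
        return ['status' => 'FOUND', 'detail' => $m[1]];
    }
    if ($reply === 'stream: OK') {
        return ['status' => 'OK', 'detail' => ''];
    }
    return ['status' => 'ERROR', 'detail' => $reply];   // fail closed
}

function clamdScanStream(string $file, string $socketPath = '/run/clamav/clamd.sock'): array
{
    $in = fopen($file, 'rb');
    $sock = stream_socket_client("unix://$socketPath", $errno, $errstr, 5);
    if ($in === false || $sock === false) {
        return ['status' => 'ERROR', 'detail' => "open/connect failed: $errstr"];
    }
    stream_set_timeout($sock, 30);
    $ok = writeAll($sock, "zINSTREAM\0");
    while ($ok && ($chunk = fread($in, 8192)) !== false && $chunk !== '') {
        // Each chunk: 4-byte big-endian length, then the data.
        $ok = writeAll($sock, pack('N', strlen($chunk)) . $chunk);
    }
    if ($ok) {
        writeAll($sock, pack('N', 0));  // zero-length chunk ends the stream
    }
    fclose($in);
    $reply = (string) stream_get_contents($sock);
    fclose($sock);
    return parseClamdReply($reply);
}
```

Calling `clamdScanStream($_FILES['file']['tmp_name'])` before `move_uploaded_file()` keeps unscanned uploads out of the web root. Files larger than StreamMaxLength (50M in the config above) come back as ERROR and should be rejected.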