/tmp filled with clamav files --> user over quota

Discussion in 'Installation/Configuration' started by ArnOS, May 18, 2007.

  1. ArnOS

    ArnOS New Member

    When user arno@domain.tld tries to send an e-mail to admin@domain.tld it bounces back with the following error:

    == Bounce ==

    <web7_admin@server1.example.com> (expanded from <admin@domain.tld>):
    can't create user output file. Command output: procmail: Quota exceeded
    while writing
    "/var/www/web7/Maildir/tmp/1179487840.31842_0.server1.example.com"


    And in the maillogs:

    == mail.log ==

    May 18 13:30:38 h1266987 postfix/smtpd[31837]: C7FBD1FC0E6E: client=client.bla.com[x.x.x.x], sasl_method=LOGIN, sasl_username=web7_arno
    May 18 13:30:38 h1266987 postfix/cleanup[31840]: C7FBD1FC0E6E: message-id=<BLEKKFFIOFKCHJJFFGHEGEPPCAAA.arno@domain.tld>
    May 18 13:30:38 h1266987 postfix/qmgr[22332]: C7FBD1FC0E6E: from=<arno@domain.tld>, size=749, nrcpt=1 (queue active)
    May 18 13:30:41 h1266987 postfix/local[31841]: C7FBD1FC0E6E: to=<web7_admin@server1.example.com>, orig_to=<admin@domain.tld>, relay=local, delay=3, status=bounced (can't create user output file. Command output: procmail: Quota exceeded while writing "/var/www/web7/Maildir/tmp/1179487840.31842_0.server1.example.com" )
    May 18 13:30:41 h1266987 postfix/qmgr[22332]: C7FBD1FC0E6E: removed


    The web7_admin user has a quota limit of 25 MB. Repquota shows the user has reached its limit:

    h1266987:/var/log# repquota -avug | grep web7
    web7_admin -- 25600 25600 26624 none 244 0 0


    However the directory for his mail and logs only contains around 11 MB (/var/www/web7/user/web7_admin/). I found out the rest is in the /tmp directory:

    h1266987:/var/log# ll /tmp/
    total 8
    drwx------ 2 web7_admin web7 4096 May 18 13:30 clamav-861a09f2850a263a1e290c829169e102

    h1266987:/tmp# ll /tmp/clamav-861a09f2850a263a1e290c829169e102/
    total 13676
    -rw------- 1 web7_admin web7 17992 May 18 13:30 COPYING
    -rw------- 1 web7_admin web7 4736232 May 18 13:30 main.db
    -rw------- 1 web7_admin web7 637507 May 18 13:30 main.hdb
    -rw------- 1 web7_admin web7 8572928 May 18 13:30 main.ndb


    I'm not sure, but the problem seems to be related to the problem described in thread 11100. However, the ISPConfig version is 2.2.12 and Clamav version is 0.90.2. It seems the user is invoking the clamav update by sending an e-mail, but the update fails. What may be causing this problem?

    Grtz,
    Arno.
     
  2. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Are you sure the ISPConfig version is 2.2.12? Because this problem was fixed in one of the last releases...
     
  3. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    Which linux distribution do you use? Are the clamav database files and directory world readable? Otherwise the access from the clamassassin script will fail and clamav tries to download the database files again.
     
  4. ArnOS

    ArnOS New Member

    @Falko: Yes the version is 2.2.12. What did you do to fix it?

    @Till: The distro is Debian sarge and all the clamav files and dirs are world readable. Probably a shot in the dark but the server is a Virtuoso-based VPS.
     
  5. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Till implemented the fix, so I'm not sure...
     
  6. ArnOS

    ArnOS New Member

    It probably has something to do with this: http://lists.jameslick.com/pipermail/clamassassin-announce/2007-February/000030.html. It says to remove the --mbox option from the CLAMSCANOPT variable.

    # Configure options passed to clamscanner
    CLAMSCANOPT="--no-summary --stdout"

    Till mentioned it in his thread: http://www.howtoforge.com/forums/showthread.php?t=11100&highlight=clamassassin.

    I wonder if it is possible to run the updates as the admispconfig user or some other user without a quota?

    Grtz,
    Arno
     
  7. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    These fixes are all applied in ISPConfig 2.2.12, but you may check the files yourself.

    That's not a quota problem of the quota during updates. The updates are always run by a user without quota. The problem is that clamav seems to refuse the updated databases on your server and then loads a new database under the owner of the mailbox.

    I use ISPConfig 2.2.12 under sarge here too and I don't get any tmp files from clamav.
     
  8. ArnOS

    ArnOS New Member

    The files are ok :)

    Do you have any idea why clamav refuses it? The funny thing is it doesn't happen all the time. Most of the time the update completes successfully, so I figured it can't be the clamav database being corrupt.

    As a workaround I increased the quota for the user. It isn't life-threatening after all :D ..

    Tnx for your help.

    Grtz,
    Arno.
     
  9. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    I have no idea. Maybe you can try to turn on logging for Clamav. The complete clamav installation that ISPConfig uses is in /home/admispconfig/ispconfig/tools/clamav

    There is one workaround that you might try.

    1) Install clamd (the daemon version) from your linux distribution.
    2) Reconfigure the ISPConfig clamassassin script in /home/admispconfig/ispconfig/tools/clamasassin to use the clamd daemon instead of the clamav binary from ISPConfig.
     
  10. mxc

    mxc ISPConfig Developer ISPConfig Developer

    I am having the same problem on the 2.2.12 version. I just deleted the files from /tmp as a temporary measure. I hope this was the correct thing to do.
     
  11. ArnOS

    ArnOS New Member

    Well.. It's obvious that debugging is not actually my core business but here's what I did so far:

    - Created user test with quota of 5 MB.
    - Created e-mail account in Thunderbird.
    - Sent an e-mail from test user to test user self.

    Thunderbird tells me the message cannot be sent, syslog says:

    May 21 20:26:04 h1266987 postfix/local[13475]: BD60E1FC0E70: to=<web7_test@server1.example.com>, orig_to=<test@domain.tld>, relay=local, delay=10, status=bounced (can't create user output file. Command output: /bin/cat: write error: Disk quota exceeded procmail: Program failure (1) of "/home/admispconfig/ispconfig/tools/clamav/bin/clamassassin" procmail: Rescue of unfiltered data succeeded postdrop: warning: uid=10015: Disk quota exceeded sendmail: fatal: web7_test(10015): Error writing message file [13501] warn: bayes: cannot open bayes databases /var/www/web7/user/web7_test/.spamassassin/bayes_* R/O: tie failed: [13501] warn: bayes: cannot open bayes databases /var/www/web7/user/web7_test/.spamassassin/bayes_* R/O: tie failed: [13501] warn: bayes: cannot open bayes databases /var/www/web7/user/web7_test/.spamassassin/bayes_* R/O: tie failed: procmail: Quota exceeded while writing "/var/www/web7/user/web7_test/Maildir/tmp/1179771964.13492_0.server1.example.com" )
    May 21 20:26:04 h1266987 postfix/qmgr[11941]: BD60E1FC0E70: removed


    This is because of the clamav database files in /tmp (they are bigger than 5 MB), created immediately after I sent the message. Next I:

    - Deleted the clamav files in /tmp.
    - Sent another message from test user to himself.

    This message arrives, but the headers show a clamscan error 50 :( :

    X-Virus-Status: Failed
    X-Virus-Report: /home/admispconfig/ispconfig/tools/clamav/bin/clamscan error 50
    X-Virus-Checker-Version: clamassassin 1.2.3 with clamscan / ClamAV 0.90.2/3274/Mon May 21 17:19:42 2007


    So if the (main) clamav database is corrupt, it must show in the headers of another sent message, by a user who has enough space. But it doesn't:

    X-Virus-Status: No
    X-Virus-Checker-Version: clamassassin 1.2.3 with clamscan / ClamAV 0.90.2/3274/Mon May 21 17:19:42 2007


    For all users with enough space clamscan is working fine. So it is probably the database in /tmp clamscan is complaining about (well, this makes sense: because of the 5MB quota there would never be enough space to build it correctly anyway).

    What am I missing here?
     
  12. ArnOS

    ArnOS New Member

    Do you have any users who are near their quota limits?
     
  13. ArnOS

    ArnOS New Member

    You'd better increase the quota or use the workaround Till described. Without enough space for a user the clamav files for that user keep showing up.
     
    Last edited: May 21, 2007
  14. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    This does not really matter as the relevant thing is that clamav on my server does not create the files in /tmp, so no additional space is needed and used.

    Your debugging is correct and it is the same that I found out some months ago before we patched ISPConfig (If I remember correctly, it was 2.2.10 or so). The real question is why does clamav not use the central database file which is updated by freshclam on your server and downloads a new database per user instead.
     
  15. ArnOS

    ArnOS New Member

    I don't know, I didn't change any of the clamav files in the ISPConfig install, nor their permissions. But I'll try to find the cause.
     
  16. mxc

    mxc ISPConfig Developer ISPConfig Developer

    Hi there,

    This is becoming a bit of an issue for us :( We didn't do anything special either, just followed the standard upgrade process. I can't remember if we skipped a version but I don't think this would make a difference. Also we didn't have this problem in the past.

    regards

    Mark
     
  17. mxc

    mxc ISPConfig Developer ISPConfig Developer

    Also this only became a problem for us about 3 days ago. I think we had several weeks of no issues with the upgrade before that.
     
  18. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    This indicates that the problem is not related to the update. Also I updated many servers for customers and did not have this problem.

    I posted the options to the problem at the beginning of the thread.

    Either debug why clamav refuses to use its central database on your server or switch to spamd of your linux distribution.
     
  19. ArnOS

    ArnOS New Member

    As another workaround you might follow these instructions: http://kb.swsoft.com/article_38_1410_en.html. It gives you a /tmp partition without quota.
     
  20. ArnOS

    ArnOS New Member

    It seems to me that nothing's wrong but I think I'm overlooking something. I can't figure out why clamscan unpacks its main.cvd in /tmp..

    server1:~# /home/admispconfig/ispconfig/tools/clamav/bin/clamscan --debug /tmp
    LibClamAV debug: Initializing the engine (0.90.2)
    LibClamAV debug: cli_loaddbdir: Acquiring dbdir lock
    LibClamAV debug: Loading databases from /home/admispconfig/ispconfig/tools/clamav/share/clamav
    LibClamAV debug: in cli_cvdload()
    LibClamAV debug: MD5(.tar.gz) = 3e37be3e4f9f91af1051d70e45078bb0
    LibClamAV debug: in cli_untgz()
    LibClamAV debug: Unpacking /tmp/clamav-d84324ad9211a562e8dca3448e2ba778/COPYING
    LibClamAV debug: Unpacking /tmp/clamav-d84324ad9211a562e8dca3448e2ba778/main.db
    LibClamAV debug: Unpacking /tmp/clamav-d84324ad9211a562e8dca3448e2ba778/main.hdb
    LibClamAV debug: Unpacking /tmp/clamav-d84324ad9211a562e8dca3448e2ba778/main.ndb
    LibClamAV debug: Unpacking /tmp/clamav-d84324ad9211a562e8dca3448e2ba778/main.zmd
    LibClamAV debug: Unpacking /tmp/clamav-d84324ad9211a562e8dca3448e2ba778/main.fp
    LibClamAV debug: Unpacking /tmp/clamav-d84324ad9211a562e8dca3448e2ba778/main.mdb
    LibClamAV debug: Unpacking /tmp/clamav-d84324ad9211a562e8dca3448e2ba778/main.info
    LibClamAV debug: cli_loaddbdir: Acquiring dbdir lock
    LibClamAV debug: Loading databases from /tmp/clamav-d84324ad9211a562e8dca3448e2ba778
    LibClamAV debug: Initializing engine->root[0]
    LibClamAV debug: Initialising AC pattern matcher of root[0]
    LibClamAV debug: Initializing BM tables of root[0]
    LibClamAV debug: in cli_bm_init()
    LibClamAV debug: BM: Number of indexes = 63744
    LibClamAV debug: Initializing engine->root[1]
    LibClamAV debug: Initialising AC pattern matcher of root[1]
    LibClamAV debug: Initializing BM tables of root[1]
    LibClamAV debug: in cli_bm_init()
    LibClamAV debug: BM: Number of indexes = 63744
    LibClamAV debug: Initializing engine->root[2]
    LibClamAV debug: Initialising AC pattern matcher of root[2]
    LibClamAV debug: Initializing BM tables of root[2]
    LibClamAV debug: in cli_bm_init()
    LibClamAV debug: BM: Number of indexes = 63744
    LibClamAV debug: Initializing engine->root[3]
    LibClamAV debug: Initialising AC pattern matcher of root[3]
    LibClamAV debug: Initializing BM tables of root[3]
    LibClamAV debug: in cli_bm_init()
    LibClamAV debug: BM: Number of indexes = 63744
    LibClamAV debug: Initializing engine->root[4]
    LibClamAV debug: Initialising AC pattern matcher of root[4]
    LibClamAV debug: Initializing BM tables of root[4]
    LibClamAV debug: in cli_bm_init()
    LibClamAV debug: BM: Number of indexes = 63744
    LibClamAV debug: Initializing engine->root[5]
    LibClamAV debug: Initialising AC pattern matcher of root[5]
    LibClamAV debug: Initializing BM tables of root[5]
    LibClamAV debug: in cli_bm_init()
    LibClamAV debug: BM: Number of indexes = 63744
    LibClamAV debug: Initializing engine->root[6]
    LibClamAV debug: Initialising AC pattern matcher of root[6]
    LibClamAV debug: Initializing BM tables of root[6]
    LibClamAV debug: in cli_bm_init()
    LibClamAV debug: BM: Number of indexes = 63744
    LibClamAV debug: /tmp/clamav-d84324ad9211a562e8dca3448e2ba778/main.db loaded
    LibClamAV debug: Initializing md5 list structure
    LibClamAV debug: /tmp/clamav-d84324ad9211a562e8dca3448e2ba778/main.hdb loaded
    LibClamAV debug: /tmp/clamav-d84324ad9211a562e8dca3448e2ba778/main.ndb loaded
    LibClamAV debug: /tmp/clamav-d84324ad9211a562e8dca3448e2ba778/main.zmd loaded
    LibClamAV debug: /tmp/clamav-d84324ad9211a562e8dca3448e2ba778/main.fp loaded
    LibClamAV debug: /tmp/clamav-d84324ad9211a562e8dca3448e2ba778/main.mdb loaded
    LibClamAV debug: Dynamic engine configuration settings:
    LibClamAV debug: --------------------------------------
    LibClamAV debug: Module PE: On
    LibClamAV debug: * Submodule PARITE: On
    LibClamAV debug: * Submodule KRIZ: On
    LibClamAV debug: * Submodule MAGISTR: On
    LibClamAV debug: * Submodule POLIPOS: On
    LibClamAV debug: * Submodule MD5SECT: On
    LibClamAV debug: * Submodule UPX: On
    LibClamAV debug: * Submodule FSG: On
    LibClamAV debug: * Submodule SUE: On
    LibClamAV debug: * Submodule PETITE: On
    LibClamAV debug: * Submodule PESPIN: On
    LibClamAV debug: * Submodule YC: On
    LibClamAV debug: * Submodule WWPACK: On
    LibClamAV debug: * Submodule NSPACK: On
    LibClamAV debug: * Submodule MEW: On
    LibClamAV debug: * Submodule UPACK: On
    LibClamAV debug: Module ELF: On
    LibClamAV debug: Module ARCHIVE: On
    LibClamAV debug: * Submodule RAR: On
    LibClamAV debug: * Submodule ZIP: On
    LibClamAV debug: * Submodule GZIP: On
    LibClamAV debug: * Submodule BZIP: On
    LibClamAV debug: * Submodule SZDD: On
    LibClamAV debug: * Submodule CAB: On
    LibClamAV debug: * Submodule CHM: On
    LibClamAV debug: * Submodule OLE2: On
    LibClamAV debug: * Submodule TAR: On
    LibClamAV debug: * Submodule BINHEX: On
    LibClamAV debug: * Submodule SIS: On
    LibClamAV debug: Module DOCUMENT: On
    LibClamAV debug: * Submodule HTML: On
    LibClamAV debug: * Submodule RTF: On
    LibClamAV debug: * Submodule PDF: On
    LibClamAV debug: Module MAIL: On
    LibClamAV debug: * Submodule MBOX: On
    LibClamAV debug: * Submodule TNEF: On
    LibClamAV debug: Module OTHER: On
    LibClamAV debug: * Submodule UUENCODED: On
    LibClamAV debug: * Submodule SCRENC: On
    LibClamAV debug: * Submodule RIFF: On
    LibClamAV debug: * Submodule JPEG: On
    LibClamAV debug: * Submodule CRYPTFF: On
    LibClamAV debug: /home/admispconfig/ispconfig/tools/clamav/share/clamav/main.cvd loaded
    LibClamAV debug: cli_loaddbdir: Acquiring dbdir lock
    LibClamAV debug: Loading databases from /home/admispconfig/ispconfig/tools/clamav/share/clamav/daily.inc
    LibClamAV debug: /home/admispconfig/ispconfig/tools/clamav/share/clamav/daily.inc/daily.db loaded
    LibClamAV debug: /home/admispconfig/ispconfig/tools/clamav/share/clamav/daily.inc/daily.hdb loaded
    LibClamAV debug: /home/admispconfig/ispconfig/tools/clamav/share/clamav/daily.inc/daily.ndb loaded
    LibClamAV debug: /home/admispconfig/ispconfig/tools/clamav/share/clamav/daily.inc/daily.zmd loaded
    LibClamAV debug: /home/admispconfig/ispconfig/tools/clamav/share/clamav/daily.inc/daily.fp loaded
    LibClamAV debug: /home/admispconfig/ispconfig/tools/clamav/share/clamav/daily.inc/daily.mdb loaded
    LibClamAV debug: /home/admispconfig/ispconfig/tools/clamav/share/clamav/daily.inc/daily.cfg loaded
    LibClamAV debug: Dynamic engine configuration settings:
    LibClamAV debug: --------------------------------------
    LibClamAV debug: Module PE: On
    LibClamAV debug: * Submodule PARITE: On
    LibClamAV debug: * Submodule KRIZ: On
    LibClamAV debug: * Submodule MAGISTR: On
    LibClamAV debug: * Submodule POLIPOS: On
    LibClamAV debug: * Submodule MD5SECT: On
    LibClamAV debug: * Submodule UPX: On
    LibClamAV debug: * Submodule FSG: On
    LibClamAV debug: * Submodule SUE: On
    LibClamAV debug: * Submodule PETITE: On
    LibClamAV debug: * Submodule PESPIN: On
    LibClamAV debug: * Submodule YC: On
    LibClamAV debug: * Submodule WWPACK: On
    LibClamAV debug: * Submodule NSPACK: On
    LibClamAV debug: * Submodule MEW: On
    LibClamAV debug: * Submodule UPACK: On
    LibClamAV debug: Module ELF: On
    LibClamAV debug: Module ARCHIVE: On
    LibClamAV debug: * Submodule RAR: On
    LibClamAV debug: * Submodule ZIP: On
    LibClamAV debug: * Submodule GZIP: On
    LibClamAV debug: * Submodule BZIP: On
    LibClamAV debug: * Submodule SZDD: On
    LibClamAV debug: * Submodule CAB: On
    LibClamAV debug: * Submodule CHM: On
    LibClamAV debug: * Submodule OLE2: On
    LibClamAV debug: * Submodule TAR: On
    LibClamAV debug: * Submodule BINHEX: On
    LibClamAV debug: * Submodule SIS: On
    LibClamAV debug: Module DOCUMENT: On
    LibClamAV debug: * Submodule HTML: On
    LibClamAV debug: * Submodule RTF: On
    LibClamAV debug: * Submodule PDF: ** Off **
    LibClamAV debug: Module MAIL: On
    LibClamAV debug: * Submodule MBOX: On
    LibClamAV debug: * Submodule TNEF: On
    LibClamAV debug: Module OTHER: On
    LibClamAV debug: * Submodule UUENCODED: On
    LibClamAV debug: * Submodule SCRENC: On
    LibClamAV debug: * Submodule RIFF: On
    LibClamAV debug: * Submodule JPEG: On
    LibClamAV debug: * Submodule CRYPTFF: On
    LibClamAV debug: Small data (4 bytes)
    /tmp/enormous.virus: OK
    /tmp/sess_b22d8ef5f9aca805b8ed6e755c5fb7e4: Empty file
    /tmp/clamscan.debug.log: OK

    ----------- SCAN SUMMARY -----------
    Known viruses: 117594
    Engine version: 0.90.2
    Scanned directories: 1
    Scanned files: 2
    Infected files: 0
    Data scanned: 0.00 MB
    Time: 15.218 sec (0 m 15 s)


    What files & dir's should be in /home/admispconfig/ispconfig/tools/clamav/share/clamav? Any help would be greatly appreciated.
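
An added example, not posted by anyone in the thread: a POSIX shell helper that lists the clamav-<hash> scratch directories shown in the listings above and totals their size per owning uid, so the figures can be set against the repquota output. The function names are hypothetical, and the directory-name pattern (clamav- plus 32 lowercase hex digits) is assumed from the paths quoted in the posts.

```shell
#!/bin/sh
# Added example: find per-user ClamAV scratch directories that count
# against a mailbox owner's disk quota.
# Assumption: the directories are named clamav-<32 lowercase hex digits>,
# as in the /tmp listings quoted in the thread.

# Print "uid kbytes path" for each matching directory directly under $1.
clamav_tmp_list() {
    tmpdir=${1:-/tmp}
    for d in "$tmpdir"/clamav-*; do
        [ -d "$d" ] || continue          # unmatched glob or not a directory
        hex=${d##*/clamav-}
        case $hex in
            *[!0-9a-f]*) continue ;;     # contains a non-hex character
        esac
        [ "${#hex}" -eq 32 ] || continue # wrong length for the hash suffix
        # Numeric uid, comparable with the "uid=" value in the postfix log.
        uid=$(ls -ldn "$d" 2>/dev/null | awk '{print $3}')
        # Space used in KB, the same unit repquota reports.
        kb=$(du -sk "$d" 2>/dev/null | awk '{print $1}')
        printf '%s %s %s\n' "${uid:-?}" "${kb:-0}" "$d"
    done
}

# Print "uid directory_count total_kbytes", one line per owner.
clamav_tmp_by_owner() {
    clamav_tmp_list "$1" |
        awk '{ n[$1]++; kb[$1] += $2 }
             END { for (u in n) print u, n[u], kb[u] }' |
        sort -n
}

# Stand-alone use: summarise the directory given as argument (default /tmp).
clamav_tmp_by_owner "${1:-/tmp}"
```
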
     
