Thanks to both of you for the answers.
I'll run clamd as a port socket daemon and try to check/tweak clamassassin to fall back on the standalone binary if need be.
As Charles writes, you can use "sudo" to permit the hobbit user to run the privileged commands with root privs. The risk in doing that obviously is that if a user manages to break into your box and get shell access as the "hobbit" user, then he can run those same commands with root privileges.
When it comes to security, a lot of things don't seem "obvious" to me ! The risk assesment of "how bad it can get" is in general not too hard to determine, but the risk level is not (IMHO).
Especially the part about breaking into my box with the hobbit user. It's not named "hobbit", neither is its group. I use iptable and only allow INPUT on 1984 from my boxes, I htpassword protect all the hobbit cgi directories and run them as "nobody/nobody" and the shell account passwd is strong. But I can very easily have forgotten some *basic* security measure that applies to Hobbit (and which I am not familiar with because I don't run such daemons in general).
Sincerely, JG