The only secure way to enforce read-only access on a SQLite database is
via filesystem permissions. I would recommend setting your database to
640 and ensuring that any modifying process runs with the owning UID.
Dovecot processes will not assume they should run as a GID based on the
UID to which they are assigned; you need to explicitly set the GID of
the process (pretty sure this is the case anyways). Neither I nor anyone
else on this list, though, will be able to offer much more guidance than
that unless you supply your `doveconf -n` output.

On 2016-02-24 13:31, Lev Serebryakov wrote:
> I want to use SQLite database as storage for auth and user databases.
> I've encountered two problems here:
>
> (1) There is no way to open SQLite database read-only (via
> sqlite3_open_v2() call with SQLITE_OPEN_READONLY flag). It looks bad. I
> don't need (and want) to give dovecot rights to write to this database.
>
> (2) I've created system group "hostingdb", added "dovecot" user to it
> and gave 660 rights to database file, but still "auth-worker" could
> not open database and complains to log file. Now I've set "user = root"
> for auth-worker, but I don't like it! Why doesn't auth-worker belong to
> "hostingdb" group?
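
The permission cases discussed in this thread, as an added example that is not part of either message and is not Dovecot code: it resolves POSIX mode bits for a process from its UID and the GIDs it actually runs with, which is what decides whether a reader can open the database and whether it can also modify it. The numeric UIDs and GIDs are constructed placeholders.

```python
import os
import stat

def access_for(mode, file_uid, file_gid, proc_uid, proc_gids):
    """Return (can_read, can_write) for a process under POSIX mode bits.

    Exactly one permission class applies: owner, else group, else other.
    A process running as root (UID 0) is not restricted by these bits.
    """
    if proc_uid == 0:
        return True, True
    if proc_uid == file_uid:
        r_bit, w_bit = stat.S_IRUSR, stat.S_IWUSR
    elif file_gid in proc_gids:
        r_bit, w_bit = stat.S_IRGRP, stat.S_IWGRP
    else:
        r_bit, w_bit = stat.S_IROTH, stat.S_IWOTH
    return bool(mode & r_bit), bool(mode & w_bit)

def audit_db(path, proc_uid, proc_gids):
    """Apply access_for() to the real ownership and mode of a database file."""
    st = os.stat(path)
    return access_for(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                      proc_uid, set(proc_gids))

# Constructed IDs for illustration only (assumptions, not taken from the thread).
OWNER_UID, READER_UID = 1000, 143        # DB owner / mail auth process
HOSTINGDB_GID, READER_GID = 2000, 143    # "hostingdb" / reader's own group

def scenarios():
    """Cases from the thread: 660 vs 640, with and without the group on the process."""
    f = (OWNER_UID, HOSTINGDB_GID)
    return {
        "660, process lacks the GID": access_for(0o660, *f, READER_UID, {READER_GID}),
        "660, process has the GID": access_for(0o660, *f, READER_UID, {HOSTINGDB_GID}),
        "640, process has the GID": access_for(0o640, *f, READER_UID, {HOSTINGDB_GID}),
        "640, owning UID (writer)": access_for(0o640, *f, OWNER_UID, {READER_GID}),
        "640, running as root": access_for(0o640, *f, 0, {0}),
    }

if __name__ == "__main__":
    for name, (can_read, can_write) in scenarios().items():
        print(f"{name:28} read={can_read} write={can_write}")
```

Only the 640 case with the group set on the process gives the reader read access without write access; running the reader as root removes the restriction entirely.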