SQLite driver and auth-worker credentials
james at lottspot.com
Wed Feb 24 18:49:22 UTC 2016
The only secure way to enforce read-only access on a sqlite database is
via filesystem permissions. I would recommend setting your database to
640 and ensuring that any modifying process runs with the owning UID.
Dovecot processes will not assume they should run as a GID based on the
UID to which they are assigned; you need to explicitly set the GID of
the process (pretty sure this is the case anyways). Neither I nor anyone
else on this list, though, will be able to offer much more guidance than
that unless you supply your `doveconf -n` output.
On 2016-02-24 13:31, Lev Serebryakov wrote:
> I want to use SQLite database as storage for auth and user databases.
> I've encountered two problems here:
>
> (1) There is no way to open SQLite database read-only (via
> sqlite3_open_v2() call with SQLITE_OPEN_READONLY flag). It looks bad. I
> don't need (and want) to give dovecot rights to write to this database.
>
> (2) I've created system group "hostingdb", added "dovecot" user to it
> and gave 660 rights to database file, but still "auth-worker" could
> not open database and complains to log file. Now I've set "user = root"
> for auth-worker, but I don't like it! Why doesn't auth-worker belong to
> "hostingdb" group?
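
An added example, not part of the original message and not Dovecot code: a small Python model of the POSIX mode-bit check, showing what a 660 or 640 database grants to the owning UID, to a process whose GID is the file's group, and to a process that has neither. The numeric IDs are constructed, the case where the auth-worker's group set lacks "hostingdb" is an assumption taken from the reply above, and ACLs and directory permissions are not modelled.

```python
import stat
from dataclasses import dataclass

# Constructed numeric IDs, for illustration only.
DB_OWNER, HOSTINGDB = 1001, 2001      # account that maintains the DB, file group
DOVECOT_UID, DOVECOT_GID = 143, 143   # what the auth-worker runs as


@dataclass(frozen=True)
class Proc:
    uid: int
    gid: int
    groups: frozenset = frozenset()   # supplementary groups set on the process


def access(mode: int, owner: int, group: int, p: Proc) -> str:
    """Access ('rw', 'r', 'w' or '') that the POSIX mode bits give process p."""
    if p.uid == 0:
        return "rw"                   # root bypasses mode bits
    if p.uid == owner:                # exactly one class applies, owner first
        r, w = stat.S_IRUSR, stat.S_IWUSR
    elif p.gid == group or group in p.groups:
        r, w = stat.S_IRGRP, stat.S_IWGRP
    else:
        r, w = stat.S_IROTH, stat.S_IWOTH
    return ("r" if mode & r else "") + ("w" if mode & w else "")


def scenarios() -> dict:
    worker_no_group = Proc(DOVECOT_UID, DOVECOT_GID)   # assumed: group not applied
    worker_in_group = Proc(DOVECOT_UID, HOSTINGDB)     # GID set explicitly
    updater = Proc(DB_OWNER, HOSTINGDB)                # the modifying process
    return {
        "660, worker without group": access(0o660, DB_OWNER, HOSTINGDB, worker_no_group),
        "660, worker with group": access(0o660, DB_OWNER, HOSTINGDB, worker_in_group),
        "640, worker with group": access(0o640, DB_OWNER, HOSTINGDB, worker_in_group),
        "640, owning updater": access(0o640, DB_OWNER, HOSTINGDB, updater),
        "640, root": access(0o640, DB_OWNER, HOSTINGDB, Proc(0, 0)),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:28} -> {result or 'denied'}")
```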