The only secure way to enforce read-only access on a sqlite database is via filesystem permissions. I would recommend setting your database to 640 and ensuring that any modifying process runs with the owning UID.
Dovecot processes will not assume they should run as a GID based on the UID to which they are assigned; you need to explicitly set the GID of the process (pretty sure this is the case anyways). Neither I nor anyone else on this list though will be able to offer much more guidance than that unless you supply your doveconf -n output.
On 2016-02-24 13:31, Lev Serebryakov wrote:
I want to use an SQLite database as storage for auth and user databases. I've encountered two problems here:
(1) There is no way to open an SQLite database read-only (via sqlite3_open_v2() call with SQLITE_OPEN_READONLY flag). It looks bad. I don't need (or want) to give dovecot rights to write to this database.
(2) I've created system group "hostingdb", added "dovecot" user to it and gave 660 rights to the database file, but still "auth-worker" could not open the database and complains to the log file. Now I've set "user = root" for auth-worker, but I don't like it! Why doesn't auth-worker belong to the "hostingdb" group?
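The following is an added example, not part of either message above and not Dovecot code: a small Python model of the classic Unix mode-bit check (no ACLs), applied to the 660 and 640 cases discussed in the thread. All UIDs and GIDs are constructed placeholders, and the scenario where the process lacks the hostingdb GID is an assumption based on the reply.

```python
import stat

# Constructed placeholder IDs; real values come from /etc/passwd and /etc/group.
DB_OWNER_UID = 1001      # hypothetical account that maintains the database
DOVECOT_UID = 143        # hypothetical UID of the "dovecot" user
DOVECOT_GID = 143        # hypothetical primary GID of "dovecot"
HOSTINGDB_GID = 2001     # hypothetical GID of the "hostingdb" group


def effective_access(mode, file_uid, file_gid, proc_uid, proc_gids):
    """Return '', 'r', 'w' or 'rw' for a process under the owner/group/other rules.

    proc_gids is the set of GIDs the *running process* carries, which is not
    necessarily every group the user is listed in under /etc/group.
    """
    if proc_uid == 0:
        return "rw"  # root bypasses the read/write mode bits entirely
    if proc_uid == file_uid:
        r_bit, w_bit = stat.S_IRUSR, stat.S_IWUSR
    elif file_gid in proc_gids:
        r_bit, w_bit = stat.S_IRGRP, stat.S_IWGRP
    else:
        r_bit, w_bit = stat.S_IROTH, stat.S_IWOTH
    return ("r" if mode & r_bit else "") + ("w" if mode & w_bit else "")


def scenarios():
    """Evaluate the cases from the thread; the file is owned by DB_OWNER_UID:hostingdb."""
    def db(mode, uid, gids):
        return effective_access(mode, DB_OWNER_UID, HOSTINGDB_GID, uid, gids)
    return {
        # 660, process runs as dovecot but without the hostingdb GID applied
        "660, group not applied": db(0o660, DOVECOT_UID, {DOVECOT_GID}),
        # 660, process carries hostingdb: it opens, but it can also write
        "660, group applied": db(0o660, DOVECOT_UID, {DOVECOT_GID, HOSTINGDB_GID}),
        # 640, process carries hostingdb: read-only enforced by the kernel
        "640, group applied": db(0o640, DOVECOT_UID, {DOVECOT_GID, HOSTINGDB_GID}),
        # 640, the modifying process runs with the owning UID
        "640, owning UID": db(0o640, DB_OWNER_UID, set()),
        # user = root: mode bits no longer restrict anything
        "640, root": db(0o640, 0, set()),
    }


if __name__ == "__main__":
    for name, access in scenarios().items():
        print(f"{name:26} -> {access or 'no access'}")
```

To audit a real file, pass the st_mode, st_uid and st_gid values from os.stat() for the database, together with the UID and group set the process actually runs with.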