SQLite driver and auth-worker credentials

james at lottspot.com
Wed Feb 24 18:49:22 UTC 2016


The only secure way to enforce read-only access on a SQLite database is 
via filesystem permissions. I would recommend setting your database to 
640 and ensuring that any modifying process runs with the owning UID.

Dovecot processes will not assume they should run as a GID based on the 
UID to which they are assigned; you need to explicitly set the GID of 
the process (pretty sure this is the case anyways). Neither I nor anyone 
else on this list, though, will be able to offer much more guidance than 
that unless you supply your `doveconf -n` output.

On 2016-02-24 13:31, Lev Serebryakov wrote:
> I want to use SQLite database as storage for auth and user databases.
> I've encountered two problems here:
> 
>  (1) There is no way to open SQLite database read-only (via
> sqlite3_open_v2() call with SQLITE_OPEN_READONLY flag). It looks bad. I
> don't need (and want) to give dovecot rights to write to this database.
> 
>  (2) I've created system group "hostingdb", added "dovecot" user to it
> and gave 660 rights to database file, but still "auth-worker" could not
> open database and complains to log file. Now I've set "user = root" for
> auth-worker, but I don't like it! Why doesn't auth-worker belong to
> "hostingdb" group?
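
Added example (not part of the original messages and not Dovecot code): a Python check of the advice above that computes, from the owner/group/other mode bits, whether a process with a given UID and group set ends up with read-only access to the database file. The UID/GID values and the file name `auth.db` are constructed, root and ACLs are ignored, and the containing-directory check is an addition that the thread does not mention.

```python
import os
import stat
import tempfile

def effective_access(path, uid, gids):
    """Return (can_read, can_write) for a non-root process with this UID and
    group set, using the classic owner/group/other mode bits (ACLs ignored)."""
    st = os.stat(path)
    if uid == st.st_uid:            # owner bits win, even if they are stricter
        r, w = stat.S_IRUSR, stat.S_IWUSR
    elif st.st_gid in gids:         # group bits apply only if the GID is in the set
        r, w = stat.S_IRGRP, stat.S_IWGRP
    else:
        r, w = stat.S_IROTH, stat.S_IWOTH
    return bool(st.st_mode & r), bool(st.st_mode & w)

def audit_readonly_db(db_path, uid, gids):
    """List the reasons the process does NOT have read-only access."""
    problems = []
    can_read, can_write = effective_access(db_path, uid, gids)
    if not can_read:
        problems.append("cannot read database file")
    if can_write:
        problems.append("can write database file")
    # A writable directory lets the process create files next to the database,
    # so a read-only file mode alone is not the whole picture.
    parent = os.path.dirname(os.path.abspath(db_path))
    if effective_access(parent, uid, gids)[1]:
        problems.append("containing directory is writable")
    return problems

if __name__ == "__main__":
    # Constructed sample: a scratch directory standing in for the real one.
    d = tempfile.mkdtemp()
    os.chmod(d, 0o750)
    db = os.path.join(d, "auth.db")
    open(db, "w").close()
    st = os.stat(db)
    reader_uid = st.st_uid + 1      # hypothetical UID that is not the owner
    for mode, gids in ((0o640, {st.st_gid}),   # in the group: read-only
                       (0o660, {st.st_gid}),   # in the group: also writable
                       (0o640, set())):        # GID never set: no access
        os.chmod(db, mode)
        print(oct(mode), sorted(gids), audit_readonly_db(db, reader_uid, gids))
```

The third case mirrors the symptom in the quoted question: the mode bits are fine, but the process's group set does not contain the file's GID, so the "other" bits apply.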

