Using "doveadm pw" as unprivileged user

Ralf Jung post at ralfj.de
Sun Dec 29 15:10:00 EET 2019


Hi all,

Some time ago, I wrote a small CGI script to let users change their IMAP
password. The script runs as www-data user and uses "doveadm pw" to check if a
password hash matches a password.

Unfortunately, this means that I have to make large parts of my dovecot config
world-readable, as otherwise I get errors like this:

doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-auth.conf
line 123: Couldn't open include file /etc/dovecot/conf.d/auth-sql.conf.ext:
Permission denied

I understand doveadm also does plenty of things that interact with the running
dovecot instance and thus need access to the config, but for generating hashes
or comparing hashes with passwords, it should not be necessary to read the
dovecot config.  This shouldn't require a properly set up dovecot on this machine
at all, in fact.
I'd prefer to make the config not world-readable, and indeed the Debian
packaging sometimes makes those files not-world-readable on upgrades, breaking
my setup.  Is there any way to call "doveadm pw" as a user that cannot read the
dovecot config on the current machine?

This happens with the following versions of the dovecot debian package:
1:2.3.4.1-5+deb10u1~bpo9+1, 1:2.3.4.1-5+deb10u1

Thanks!
Ralf

PS: Please keep me in Cc, as I am not subscribed to the list.
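Added example, not part of the original post and not Dovecot's own code: if all the CGI script needs is to compare a submitted password with a hash stored in Dovecot's format, that comparison can be done inside the script itself, with no doveadm call and no access to the Dovecot config. The `make_hash` and `verify` helpers below are hypothetical names for this illustration; they assume the user database stores hashes as `{SHA512}base64`, `{SSHA512}base64` (digest followed by the raw salt, as Dovecot's salted schemes do) or `{SHA512-CRYPT}$6$...`, and they do not handle Dovecot's other schemes or the `.hex`/`.b64` suffix variants.

```python
"""Check a password against a Dovecot-format hash without doveadm.

Stand-alone verifier for the {SHA512}, {SSHA512} and {SHA512-CRYPT}
schemes in the form Dovecot stores them.  Assumption (not from the
original post): the user database uses exactly "{SCHEME}base64" for the
first two and "{SHA512-CRYPT}$6$salt$hash" for the third.
"""
import base64
import hashlib
import hmac
import os

SHA512_LEN = 64  # bytes in a SHA-512 digest; {SSHA512} stores digest + salt


def _split(stored):
    """Split "{SCHEME}data" into (SCHEME, data); reject anything else."""
    if not stored.startswith("{"):
        raise ValueError("expected {SCHEME}hash")
    scheme, sep, data = stored[1:].partition("}")
    if not sep or not data:
        raise ValueError("malformed stored hash")
    return scheme.upper(), data


def _sha512_crypt(password, setting=None):
    """SHA512-CRYPT via crypt(3).  Python's crypt module is deprecated in
    3.11 and removed in 3.13; there use passlib or a libxcrypt binding
    instead (assumed alternative, not part of the original post)."""
    try:
        import crypt
    except ImportError as e:
        raise RuntimeError("no crypt(3) binding available") from e
    if setting is None:
        setting = crypt.mksalt(crypt.METHOD_SHA512)  # fresh "$6$<salt>" prefix
    return crypt.crypt(password, setting)


def make_hash(scheme, password, salt=None):
    """Return a Dovecot-style "{SCHEME}..." string for password."""
    scheme = scheme.upper()
    pw = password.encode("utf-8")
    if scheme == "SHA512":
        return "{SHA512}" + base64.b64encode(hashlib.sha512(pw).digest()).decode()
    if scheme == "SSHA512":
        salt = os.urandom(16) if salt is None else salt
        digest = hashlib.sha512(pw + salt).digest()
        # Dovecot's salted schemes append the raw salt after the digest
        return "{SSHA512}" + base64.b64encode(digest + salt).decode()
    if scheme == "SHA512-CRYPT":
        return "{SHA512-CRYPT}" + _sha512_crypt(password)
    raise ValueError("unsupported scheme %s" % scheme)


def verify(stored, password):
    """True iff password matches stored; digests are compared in constant time."""
    scheme, data = _split(stored)
    pw = password.encode("utf-8")
    if scheme == "SHA512":
        return hmac.compare_digest(hashlib.sha512(pw).digest(), base64.b64decode(data))
    if scheme == "SSHA512":
        blob = base64.b64decode(data)
        if len(blob) <= SHA512_LEN:
            raise ValueError("SSHA512 blob carries no salt")
        digest, salt = blob[:SHA512_LEN], blob[SHA512_LEN:]
        return hmac.compare_digest(hashlib.sha512(pw + salt).digest(), digest)
    if scheme == "SHA512-CRYPT":
        # crypt(3) re-derives the hash from the "$6$[rounds=N$]salt$" prefix of data
        result = _sha512_crypt(password, data)
        return result is not None and hmac.compare_digest(result.encode(), data.encode())
    raise ValueError("unsupported scheme %s" % scheme)


if __name__ == "__main__":
    # Constructed example of a hash as it might sit in the script's user database
    stored = make_hash("SSHA512", "correct horse battery staple")
    print(stored)
    print(verify(stored, "correct horse battery staple"))  # True
    print(verify(stored, "wrong"))  # False
```

Two points worth keeping in mind either way: if the script keeps shelling out to `doveadm pw -p <password>`, the password appears in the process argument list, which other local users can read through `ps` or `/proc` on a default system, so a verifier inside the script also removes that exposure; and doveadm does have a global `-c config-file` option for reading an alternative configuration file, which could point at a minimal world-readable one, although whether `doveadm pw` is then satisfied with it is something to test on the affected version.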

