You should probably also make sure that users cannot alter the tcl file through which they access the database file; probably something like:

    chown reading_room /path/to/reading_room.tcl
    chmod 644 /path/to/reading_room.tcl

(It's possible that you will also need execute permission on the file, in which case change "644" to "755").

Graham

Sunday, May 26, 2019, 12:52:29 PM, Adrian Ho <ml+sql...@03s.net> wrote:

> On 26/5/19 7:49 AM, Markos wrote:
>> I made a program (reading_room.tcl), with Sqlite running on Debian 9,
>> to control the books of a reading room.
>>
>> I implemented an authentication system for common users and
>> administrator users in the reading_room.tcl program.
>>
>> Now I want any user logged in to Linux to be able to run the
>> program reading_room.tcl, which will access the database (books.db).
>>
>> But I want to protect the file books.db so that only the program
>> reading_room.tcl can access the books.db file (to read or write), and
>> so that no user can delete or write to the file books.db (only the
>> program reading_room.tcl).
> The standard Unix permissions/ACLs architecture doesn't support this use
> case directly. A relatively simple and bulletproof way to achieve what
> you want is to use sudo to get everyone running reading_room.tcl as a
> separate (non-login) user.
>
> As root, run "useradd reading_room", then "visudo" to add the following
> line to /etc/sudoers:
>
>     ALL ALL = (reading_room) /path/to/reading_room.tcl
>
> Then, "chown reading_room /path/to/books.db" and "chmod 600
> /path/to/books.db" to ensure that only user "reading_room" can access
> the DB.
>
> Finally, create a "reading_room" script that your users will run:
>
>     #!/usr/bin/env bash
>     sudo -u reading_room /path/to/reading_room.tcl

_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
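As an added example (not code from the thread or from either poster), the script below checks that a deployment actually matches the model described above: books.db owned by the service user with mode 600, and the sudo-invoked script (plus its directory, which the thread does not mention) not writable by anyone else. The user name "reading_room" comes from the thread; the file paths are placeholders passed in as arguments.

```sh
#!/bin/sh
# Added example, not from the thread: checks that a deployment matches the
# permission model Adrian and Graham describe. "reading_room" is the service
# user from the thread; the file paths are placeholders passed as arguments.
# mode_and_owner FILE: print the 9-character permission string and the owner,
# parsed from ls -ld (portable; stat's flags differ between GNU and BSD).
mode_and_owner() {
    ls -ld "$1" | awk '{ print substr($1, 2, 9), $3 }'
}
# check_db_perms DBFILE OWNER: books.db must belong to the service user and be
# mode 600 (rw-------), so ordinary users can neither read nor modify it.
check_db_perms() {
    set -- "$1" "$2" $(mode_and_owner "$1")   # $3 = mode, $4 = owner
    [ "$4" = "$2" ] && [ "$3" = "rw-------" ]
}
# check_script_perms SCRIPT: the file sudo runs as the service user must not
# be group- or world-writable, otherwise any user could edit it and have their
# own code run as reading_room. The containing directory gets the same test
# (a generalisation of Graham's point): a writable directory lets a user
# replace the script even when the file itself is read-only.
check_script_perms() {
    script=$1
    for p in "$script" "$(dirname "$script")"; do
        set -- $(mode_and_owner "$p")          # $1 = mode
        case "$1" in
            ????w????|???????w?) return 1 ;;   # group-w or other-w bit set
        esac
    done
    return 0
}

# verify_setup DBFILE SCRIPT OWNER: 0 when both checks pass, 1 otherwise.
verify_setup() {
    check_db_perms "$1" "$3" && check_script_perms "$2"
}

# Demonstration on constructed files (no root needed: the current user
# stands in for reading_room as owner).
demo() {
    d=$(mktemp -d)
    : > "$d/books.db";         chmod 600 "$d/books.db"
    : > "$d/reading_room.tcl"; chmod 755 "$d/reading_room.tcl"
    verify_setup "$d/books.db" "$d/reading_room.tcl" "$(id -un)" && echo "setup OK"
    chmod 666 "$d/reading_room.tcl"   # world-writable script must be rejected
    verify_setup "$d/books.db" "$d/reading_room.tcl" "$(id -un)" || echo "rejected: writable script"
    rm -rf "$d"
}
demo
```

Run it as the service user (or root) against the real paths to confirm the deployed files, not just the constructed demo, pass both checks.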