You should probably also make sure that users cannot alter the tcl
file through which they access the database file; probably something
like: 

chown reading_room /path/to/reading_room.tcl
chmod 644 /path/to/reading_room.tcl

(It's possible that you will also need execute permission on the file,
in which case change "644" to "755").

Graham

Sunday, May 26, 2019, 12:52:29 PM, Adrian Ho <ml+sql...@03s.net> wrote:

> On 26/5/19 7:49 AM, Markos wrote:
>> I made a program (reading_room.tcl), with Sqlite running on Debian 9,
>> to control the books of a reading room.
>>
>> I implemented an authentication system for common users and
>> administrator users in the reading_room.tcl program.
>>
>> Now I want that any user logged in the Linux be able to run the
>> program reading_room.tcl, which will access the database (books.db)
>>
>> But I want to protect the file books.db so that only the program
>> reading_room.tcl can access the books.db file (to read or write). But
>> that no user could delete or write to the file books.db (only the
>> program reading_room.tcl)

> The standard Unix permissions/ACLs architecture doesn't support this use
> case directly. A relatively simple and bulletproof way to achieve what
> you want is to use sudo to get everyone running reading_room.tcl as a
> separate (non-login) user.

> As root, run "useradd reading_room", then "visudo" to add the following
> line to /etc/sudoers:

> ALL    ALL = (reading_room) /path/to/reading_room.tcl

> Then, "chown reading_room /path/to/books.db" and "chmod 600
> /path/to/books.db" to ensure that only user "reading_room" can access
> the DB.

> Finally, create a "reading_room" script that your users will run:

> #!/usr/bin/env bash

> sudo -u reading_room /path/to/reading_room.tcl



_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
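
An added example, not part of the original messages or of any poster's code: a POSIX shell check that the ownership and modes suggested in this thread for books.db and reading_room.tcl are actually in place. It goes one step beyond the thread by also checking the directory that holds the database, because deleting a file is controlled by write permission on its directory rather than on the file; the function names are assumptions and GNU stat (as on Debian) is assumed.

```shell
#!/bin/sh
# Added example: audit the ownership/mode layout described in this thread.
# Function names are illustrative; GNU stat (as on Debian) is assumed.

# perm_bits FILE MASK: print FILE's permission bits selected by octal MASK
perm_bits() {
    mode=$(stat -c '%a' "$1") || return 2
    echo $(( 0$mode & 0$2 ))
}

# audit_layout DB SCRIPT OWNER: return 0 if the layout is sound, else 1
audit_layout() {
    db=$1; script=$2; owner=$3; rc=0
    dbdir=$(dirname "$db")
    if [ "$(stat -c '%U' "$db")" != "$owner" ]; then
        echo "FAIL: $db is not owned by $owner"; rc=1
    fi
    # chmod 600: the database carries no group/other bits at all
    if [ "$(perm_bits "$db" 77)" -ne 0 ]; then
        echo "FAIL: $db is accessible to group/other"; rc=1
    fi
    # chmod 644 or 755: group/other must not be able to write the script
    if [ "$(perm_bits "$script" 22)" -ne 0 ]; then
        echo "FAIL: $script is writable by group/other"; rc=1
    fi
    # Deleting or renaming a file is governed by write permission on its
    # directory, so check that too (conservative: sticky bit is ignored)
    if [ "$(perm_bits "$dbdir" 22)" -ne 0 ]; then
        echo "FAIL: $dbdir is writable by group/other"; rc=1
    fi
    return $rc
}

# Demo on constructed files in a scratch directory
demo() {
    d=$(mktemp -d) || return 1
    me=$(stat -c '%U' "$d")            # owner of the scratch dir = current user
    : > "$d/books.db"; : > "$d/reading_room.tcl"
    chmod 755 "$d"; chmod 600 "$d/books.db"; chmod 644 "$d/reading_room.tcl"
    audit_layout "$d/books.db" "$d/reading_room.tcl" "$me" && echo "OK: layout sound"
    chmod 664 "$d/books.db"            # loosen the DB: audit must now fail
    audit_layout "$d/books.db" "$d/reading_room.tcl" "$me" || echo "layout rejected"
    rm -rf "$d"
}
demo
```

On the real system the call would be `audit_layout /path/to/books.db /path/to/reading_room.tcl reading_room`, run as root or as reading_room.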
