Provide ephemeral db-path by default for web-ui container

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

docker/docker-py3-kms/Dockerfile

@@ -29,7 +29,7 @@ RUN apk add --no-cache --update \
   tzdata \
   shadow \
   && pip3 install --break-system-packages --no-cache-dir -r /home/py-kms/requirements.txt \
-  && mkdir /db/ \
+  && mkdir /db/ /home/py-kms/db \
   && adduser -S py-kms -G users -s /bin/bash \
   && chown py-kms:users /home/py-kms \
   # Fix undefined timezone, in case the user did not mount the /etc/localtime
@@ -41,11 +41,13 @@ COPY docker/healthcheck.py /usr/bin/healthcheck.py
 COPY docker/start.py /usr/bin/start.py
 RUN chmod 555 /usr/bin/entrypoint.py /usr/bin/healthcheck.py /usr/bin/start.py
 
-# Additional permission hardening: All files read-only for the executing user
+# Additional permission hardening: keep application files read-only, but preserve
+# a dedicated writable database directory for WebUI/SQLite at runtime.
 RUN find /home/py-kms -type f -print -exec chmod 444 {} ';' && \
     find /home/py-kms -type d -print -exec chmod 555 {} ';' && \
     chown root: -R /home/py-kms && \
-    chown py-kms: /home/py-kms
+    chown py-kms: /home/py-kms && \
+    chmod 1777 /home/py-kms/db
 
 # Web-interface specifics
 COPY LICENSE /LICENSE