From 6790958d82c4ef6e085effee9017f2b01d9c5fc7 Mon Sep 17 00:00:00 2001
From: simonmicro
Date: Sat, 11 Apr 2026 16:45:27 +0200
Subject: [PATCH] Provide ephemeral db-path by default for web-ui container

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 docker/docker-py3-kms/Dockerfile | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/docker/docker-py3-kms/Dockerfile b/docker/docker-py3-kms/Dockerfile
index 4b5e387..836fe74 100644
--- a/docker/docker-py3-kms/Dockerfile
+++ b/docker/docker-py3-kms/Dockerfile
@@ -29,7 +29,7 @@ RUN apk add --no-cache --update \
     tzdata \
     shadow \
     && pip3 install --break-system-packages --no-cache-dir -r /home/py-kms/requirements.txt \
-    && mkdir /db/ \
+    && mkdir /db/ /home/py-kms/db \
     && adduser -S py-kms -G users -s /bin/bash \
     && chown py-kms:users /home/py-kms \
     # Fix undefined timezone, in case the user did not mount the /etc/localtime
@@ -41,11 +41,13 @@ COPY docker/healthcheck.py /usr/bin/healthcheck.py
 COPY docker/start.py /usr/bin/start.py
 RUN chmod 555 /usr/bin/entrypoint.py /usr/bin/healthcheck.py /usr/bin/start.py
 
-# Additional permission hardening: All files read-only for the executing user
+# Additional permission hardening: keep application files read-only, but preserve
+# a dedicated writable database directory for WebUI/SQLite at runtime.
 RUN find /home/py-kms -type f -print -exec chmod 444 {} ';' && \
     find /home/py-kms -type d -print -exec chmod 555 {} ';' && \
     chown root: -R /home/py-kms && \
-    chown py-kms: /home/py-kms
+    chown py-kms: /home/py-kms && \
+    chmod 1777 /home/py-kms/db
 
 # Web-interface specifics
 COPY LICENSE /LICENSE
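Review bot: The added `chmod 1777 /home/py-kms/db` makes the database directory world-writable, which is wider than the hardening comment above it describes; after the preceding `chown root: -R /home/py-kms`, the directory stays root-owned (the non-recursive `chown py-kms: /home/py-kms` only touches the home directory itself), so write access is granted to every UID in the container rather than to the service account alone. If the process is meant to run as the `py-kms` user created in the first hunk, the same effect with the expected owner is `chown py-kms: /home/py-kms/db && \` followed by `chmod 700 /home/py-kms/db`. If 1777 is deliberate so that an arbitrary runtime `--user` can still write the SQLite file, that reasoning belongs in the comment, e.g. `# world-writable with sticky bit so an arbitrary runtime UID can create the SQLite DB`, and it is worth noting that with the sticky bit a non-owner UID cannot remove or rename files another UID created there. The comment could also say what the commit title already does: this directory lives in the image layer, not a volume, so its contents are ephemeral unless the user mounts over it.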