diff --git a/.gitignore b/.gitignore index 9f81dd8..cefb59e 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,4 @@ __pycache__/ *.egg-info/ .pytest_cache/ *.log +lib/erminig.db diff --git a/Dockerfile b/Dockerfile index 508e3c8..6e6c1eb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,9 @@ RUN dnf -y update && \ dnf -y install python3 python3-pip sqlite tar zstd git bash && \ dnf clean all -RUN mkdir -p /var/lib/erminig /var/cache/erminig /opt/erminig +RUN useradd -r -s /sbin/nologin -d /var/lib/erminig pak && \ + mkdir -p /var/lib/erminig /var/cache/erminig /opt/erminig && \ + chown -R pak:pak /var/lib/erminig /var/cache/erminig /opt/erminig COPY . /opt/erminig diff --git a/erminig/models/db.py b/erminig/models/db.py index dde81c8..3fd0cc9 100644 --- a/erminig/models/db.py +++ b/erminig/models/db.py @@ -7,6 +7,8 @@ # Libre comme l’air, stable comme un menhir, et salé comme le beurre. # +import os +import pwd import sqlite3 from erminig.config import Config @@ -20,6 +22,12 @@ def init_db(): conn.executescript(f.read()) conn.commit() conn.close() + # Attribution au user pak + pak_uid = pwd.getpwnam("pak").pw_uid + pak_gid = pwd.getpwnam("pak").pw_gid + os.chown(Config.DB_PATH, pak_uid, pak_gid) + os.chmod(Config.DB_PATH, 0o664) + print("Base erminig.db initialisée avec succès.") diff --git a/erminig/system/security.py b/erminig/system/security.py index a2ff43d..98bc2f1 100644 --- a/erminig/system/security.py +++ b/erminig/system/security.py @@ -39,9 +39,9 @@ def run_as_user(username): try: pid = os.fork() if pid > 0: - # Parent + # Parent : attendre le child, ne pas exit, juste return proprement _, status = os.waitpid(pid, 0) - return os.WEXITSTATUS(status) + return status >> 8 # récupère le code retour du fils (comme exit code) # Child pw_record = pwd.getpwnam(username) 
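Review bot: `chown -R pak:pak ... /opt/erminig` runs before `COPY . /opt/erminig`, so the application tree copied on the next line is still root-owned — COPY does not inherit the target directory's ownership — and the recursive chown on /opt/erminig only touches an empty directory. If the runtime user is meant to own the code, the copy needs `COPY --chown=pak:pak . /opt/erminig`; for least privilege, though, leave /opt/erminig root-owned and readable-only by `pak` and chown just /var/lib/erminig and /var/cache/erminig, so a compromised process cannot rewrite its own code. Whether the image later switches to `USER pak` is not visible in this hunk; without it the new account is unused at runtime.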
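Review bot: `pwd.getpwnam("pak")` raises `KeyError` when the account does not exist and `os.chown` raises `PermissionError` unless init_db runs as root, so on a developer machine, or when init_db is run as `pak` itself, the database is created and the function then dies on the new lines; look the user up once and degrade gracefully instead of failing after the fact. The username is hard-coded here while `run_as_user(username)` in erminig/system/security.py takes it as a parameter — a single `Config` constant would keep the two in step. `0o664` also leaves the database world-readable and group-writable; `0o660` is the safer default unless another account must read it, which I cannot tell from here. init_db's body starts outside the hunk.

```python
        conn.close()
        # Hand the file to the service account, but tolerate a missing user or a
        # non-root caller so a dev run does not fail after the DB has been created.
        try:
            pak = pwd.getpwnam("pak")
            os.chown(Config.DB_PATH, pak.pw_uid, pak.pw_gid)
        except KeyError:
            print("[SECURITY] utilisateur 'pak' introuvable : propriétaire inchangé.")
        except PermissionError as e:
            print(f"[SECURITY] chown impossible (lancer en root ?) : {e}")
        os.chmod(Config.DB_PATH, 0o660)  # owner and group only: no world-read on the DB
        print("Base erminig.db initialisée avec succès.")
```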
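Review bot: `return status >> 8` reports a signal-killed child as exit code 0: when the child dies from SIGKILL or SIGSEGV the wait status holds the signal number in the low byte and zero in the high byte, so the parent sees success (the dropped `os.WEXITSTATUS` shares that blind spot, but hand-rolling the shift hides the intent further). Test the termination kind first and map signals to a non-zero code: `if not os.WIFEXITED(status): return 128 + os.WTERMSIG(status)` before `return os.WEXITSTATUS(status)`; on Python 3.9+ `os.waitstatus_to_exitcode(status)` does the same in one call, returning a negative value for a signal. run_as_user is defined before this hunk and the child path continues in the next one.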
@@ -51,14 +51,13 @@ def run_as_user(username): os.setgid(user_gid) os.setuid(user_uid) - # Exécuter la fonction sous l'utilisateur demandé result = func(*args, **kwargs) - sys.exit(0 if result is None else int(bool(result))) + os._exit(0 if result is None else int(bool(result))) except OSError as e: print(f"[SECURITY] Fork échoué : {e}") - sys.exit(1) + os._exit(1) return wrapper - return decorator + return decorator \ No newline at end of file diff --git a/lib/erminig.db b/lib/erminig.db deleted file mode 100644 index 25fdf49..0000000 Binary files a/lib/erminig.db and /dev/null differ
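Review bot: Any exception other than `OSError` raised in the child — by `func(*args, **kwargs)` here, or by `pwd.getpwnam` (`KeyError` for an unknown username) in the previous hunk — escapes the `try`, and because the child is a fork of the caller it returns into the caller's code and keeps running it as a second, unprivileged copy of the program; the child must terminate on every path. A `BaseException` handler around the child's work with `os._exit` in a `finally` gives that guarantee, and flushing stdout/stderr first keeps the `[SECURITY]` message, which `os._exit` otherwise leaves unflushed in the buffer. The same `except OSError` also runs in the parent when `fork()` itself fails, so switching it from `sys.exit(1)` to `os._exit(1)` now kills the whole program with no cleanup; keep `sys.exit(1)` (or re-raise) on that path. Unless lines 48–50, which fall between the two hunks, call `os.setgroups` or `os.initgroups`, the child also keeps the parent's supplementary groups after `setgid`/`setuid`. run_as_user's definition starts before the hunks.

```python
                pid = os.fork()
                if pid > 0:
                    # … unchanged: parent waits for the child and returns its status …

                # Child: this process must end here on every path and never fall
                # back into the caller's code.
                code = 1
                try:
                    pw_record = pwd.getpwnam(username)
                    # … unchanged: uid/gid lookup, setgid, setuid …
                    result = func(*args, **kwargs)
                    code = 0 if result is None else int(bool(result))
                except BaseException as e:  # includes SystemExit and KeyboardInterrupt
                    print(f"[SECURITY] Échec dans le processus fils : {e!r}", file=sys.stderr)
                finally:
                    sys.stdout.flush()
                    sys.stderr.flush()
                    os._exit(code)
            except OSError as e:
                # Only reached in the parent (fork() failed): a normal exit, not _exit.
                print(f"[SECURITY] Fork échoué : {e}")
                sys.exit(1)
```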