diff --git a/db/db.go b/db/db.go
index 2ab1b32..81362c7 100644
--- a/db/db.go
+++ b/db/db.go
@@ -65,11 +65,11 @@ func Open(path string) (*sql.DB, error) {
 // connection to serialize all access and eliminate busy errors.
 database.SetMaxOpenConns(1)
 
- // Ensure permissions are correct even if the file already existed.
- if err := os.Chmod(path, 0600); err != nil {
- _ = database.Close()
- return nil, fmt.Errorf("db: chmod %s: %w", path, err)
- }
+ // Best-effort permissions tightening. This may fail inside rootless
+ // podman containers where fchmod is denied in the user namespace.
+ // The database still functions correctly without it.
+ // See: log/2026-04-03-uid-incident.md
+ _ = os.Chmod(path, 0600)
 
 return database, nil
 }
@@ -168,9 +168,7 @@ func Snapshot(database *sql.DB, destPath string) error {
 return fmt.Errorf("db: snapshot: %w", err)
 }
 
- if err := os.Chmod(destPath, 0600); err != nil {
- return fmt.Errorf("db: chmod snapshot %s: %w", destPath, err)
- }
+ _ = os.Chmod(destPath, 0600) // best-effort; may fail in rootless containers
 
 return nil
 }
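Review bot: Discarding the `os.Chmod` error in `Open` means a database file that already exists with group- or world-readable bits keeps them, with no signal to the caller or the logs; the new comment's "still functions correctly" covers availability, not the confidentiality the 0600 mode was there to enforce. The same applies to the `Snapshot` hunk, where the file is a full copy of the database and its mode presumably depends on the process umask. Rather than ignoring the failure outright, tolerate it only when a follow-up `os.Stat` shows that no bits in `0077` are set, and keep returning the wrapped error otherwise (in `Snapshot`, also consider removing `destPath` before returning). The comment mentions fchmod while the call is the path-based `os.Chmod`, which is worth aligning. Both function bodies begin outside their hunks.

```go
// Tolerate a denied chmod only when the file is already private;
// fail closed if group/other bits remain set.
if err := os.Chmod(path, 0600); err != nil {
	info, statErr := os.Stat(path)
	if statErr != nil || info.Mode().Perm()&0077 != 0 {
		_ = database.Close()
		return nil, fmt.Errorf("db: chmod %s: %w", path, err)
	}
}
// … unchanged: return database, nil …
```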