Allow also 444 for security file mode

author: Jaanus Torp <jaanus@saun.ee> 2017-03-16 15:12:22 +0000
committer: Jaanus Torp <jaanus@saun.ee> 2017-03-16 15:12:22 +0000
commit: 8306b886e9d24a5bbeafedf315724f97b3ae86d4 (patch)
tree: a00b20bface88b4ac872df001c4cc6946b657663
parent: Merge pull request #1115 from snoack/missing-includes (diff)
download: sway-8306b886e9d24a5bbeafedf315724f97b3ae86d4.tar.gz
sway-8306b886e9d24a5bbeafedf315724f97b3ae86d4.tar.zst
sway-8306b886e9d24a5bbeafedf315724f97b3ae86d4.zip
2 files changed, 3 insertions, 3 deletions
diff --git a/sway/config.c b/sway/config.c
index f46ce882..46faf643 100644
--- a/sway/config.c
+++ b/sway/config.c
@@ -547,8 +547,8 @@ bool load_main_config(const char *file, bool is_active) {
                list_qsort(secconfigs, qstrcmp);
                for (int i = 0; i < secconfigs->length; ++i) {
                        char *_path = secconfigs->items[i];
-                        if (stat(_path, &s) || s.st_uid != 0 || s.st_gid != 0 || (s.st_mode & 0777) != 0644) {
+                        if (stat(_path, &s) || s.st_uid != 0 || s.st_gid != 0 || (((s.st_mode & 0777) != 0644) && (s.st_mode & 0777) != 0444)) {
-                                sway_log(L_ERROR, "Refusing to load %s - it must be owned by root and mode 644", _path);
+                                sway_log(L_ERROR, "Refusing to load %s - it must be owned by root and mode 644 or 444", _path);
                                success = false;
                        } else {
                                success = success && load_config(_path, config);
diff --git a/sway/sway-security.7.txt b/sway/sway-security.7.txt
index fb47ffcf..ec6df1f3 100644
--- a/sway/sway-security.7.txt
+++ b/sway/sway-security.7.txt
@@ -21,7 +21,7 @@ you must make a few changes external to sway first.
 Configuration of security features is limited to files in the security directory
 (this is likely /etc/sway/security.d/*, but depends on your installation prefix).
-Files in this directory must be owned by root:root and chmod 644. The default
+Files in this directory must be owned by root:root and chmod 644 or 444. The default
 security configuration is installed to /etc/sway/security.d/00-defaults, and
 should not be modified - it will be updated with the latest recommended security
 defaults between releases. To override the defaults, you should add more files to
author	Jaanus Torp <jaanus@saun.ee>	2017-03-16 15:12:22 +0000
committer	Jaanus Torp <jaanus@saun.ee>	2017-03-16 15:12:22 +0000
commit	8306b886e9d24a5bbeafedf315724f97b3ae86d4 (patch)
tree	a00b20bface88b4ac872df001c4cc6946b657663
parent	Merge pull request #1115 from snoack/missing-includes (diff)
download	sway-8306b886e9d24a5bbeafedf315724f97b3ae86d4.tar.gz sway-8306b886e9d24a5bbeafedf315724f97b3ae86d4.tar.zst sway-8306b886e9d24a5bbeafedf315724f97b3ae86d4.zip

diff --git a/sway/config.c b/sway/config.c index f46ce882..46faf643 100644 --- a/sway/config.c +++ b/sway/config.c
@@ -547,8 +547,8 @@ bool load_main_config(const char *file, bool is_active) {
547	list_qsort(secconfigs, qstrcmp);	547	list_qsort(secconfigs, qstrcmp);
548	for (int i = 0; i < secconfigs->length; ++i) {	548	for (int i = 0; i < secconfigs->length; ++i) {
549	char *_path = secconfigs->items[i];	549	char *_path = secconfigs->items[i];
550	if (stat(_path, &s) \|\| s.st_uid != 0 \|\| s.st_gid != 0 \|\| (s.st_mode & 0777) != 0644) {	550	if (stat(_path, &s) \|\| s.st_uid != 0 \|\| s.st_gid != 0 \|\| (((s.st_mode & 0777) != 0644) && (s.st_mode & 0777) != 0444)) {
551	sway_log(L_ERROR, "Refusing to load %s - it must be owned by root and mode 644", _path);	551	sway_log(L_ERROR, "Refusing to load %s - it must be owned by root and mode 644 or 444", _path);
552	success = false;	552	success = false;
553	} else {	553	} else {
554	success = success && load_config(_path, config);	554	success = success && load_config(_path, config);


diff --git a/sway/sway-security.7.txt b/sway/sway-security.7.txt index fb47ffcf..ec6df1f3 100644 --- a/sway/sway-security.7.txt +++ b/sway/sway-security.7.txt
@@ -21,7 +21,7 @@ you must make a few changes external to sway first.
21		21
22	Configuration of security features is limited to files in the security directory	22	Configuration of security features is limited to files in the security directory
23	(this is likely /etc/sway/security.d/*, but depends on your installation prefix).	23	(this is likely /etc/sway/security.d/*, but depends on your installation prefix).
24	Files in this directory must be owned by root:root and chmod 644. The default	24	Files in this directory must be owned by root:root and chmod 644 or 444. The default
25	security configuration is installed to /etc/sway/security.d/00-defaults, and	25	security configuration is installed to /etc/sway/security.d/00-defaults, and
26	should not be modified - it will be updated with the latest recommended security	26	should not be modified - it will be updated with the latest recommended security
27	defaults between releases. To override the defaults, you should add more files to	27	defaults between releases. To override the defaults, you should add more files to