author | Drew DeVault <sir@cmpwn.com> | 2016-12-17 15:19:50 -0500 |
---|---|---|
committer | Drew DeVault <sir@cmpwn.com> | 2016-12-17 15:21:57 -0500 |
commit | 1172566d4e298aa6c3555a0d606af4ff31d0db48 (patch) | |
tree | a6afcfbbecef26cc6ecaac0fad75268175fe9a51 /sway/sway-security.7.txt | |
parent | Merge pull request #996 from woutershep/datadir (diff) | |
Change how security config is loaded (0.11-rc3)
Diffstat (limited to 'sway/sway-security.7.txt')
-rw-r--r-- | sway/sway-security.7.txt | 18 |
1 files changed, 2 insertions, 16 deletions
diff --git a/sway/sway-security.7.txt b/sway/sway-security.7.txt index 588684b9..7d8aa4ad 100644 --- a/sway/sway-security.7.txt +++ b/sway/sway-security.7.txt | |||
@@ -19,22 +19,8 @@ usually best suited to a distro maintainer who wants to ship a secure sway | |||
19 | environment in their distro. Sway provides a number of means of securing it but | 19 | environment in their distro. Sway provides a number of means of securing it but |
20 | you must make a few changes external to sway first. | 20 | you must make a few changes external to sway first. |
21 | 21 | ||
22 | Configuration security | 22 | Security-related configuration is only valid in /etc/sway/config (or whatever path |
23 | ---------------------- | 23 | is appropriate for your system). |
24 | |||
25 | Many of Sway's security features are configurable. It's important that a possibly | ||
26 | untrusted program is not able to edit this. Security rules are kept in | ||
27 | _/etc/sway/config.d/security_ (usually), which should only be writable by root. | ||
28 | However, configuration of security rules is not limited to this file - any config | ||
29 | file that sway loads (including i.e. _~/.config/sway/config_) should not be editable | ||
30 | by the user you intend to run programs as. One simple strategy is to use | ||
31 | /etc/sway/config instead of a config file in your home directory, but that doesn't | ||
32 | work well for multi-user systems. A more robust strategy is to run untrusted | ||
33 | programs as another user, or in a sandbox. Configuring this is up to you. | ||
34 | |||
35 | Note that _/etc/sway/config.d/*_ must be included explicitly from your config file. | ||
36 | This is done by default in /etc/sway/config but you must check your own config if | ||
37 | you choose to place it in other locations. | ||
38 | 24 | ||
39 | Environment security | 25 | Environment security |
40 | -------------------- | 26 | -------------------- |
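Review bot: The two replacement lines at new lines 22-23 drop the requirement that the security config "should only be writable by root", and nothing in the new text says who must own /etc/sway/config or what permissions it needs. If security commands are now honoured only from that one path, the man page should state that the file must be root-owned and not writable by the users whose programs are being restricted, since that is what the restriction relies on. The new sentence also does not say what happens to a security command found in another file such as _~/.config/sway/config_ (silently ignored, warned about, or treated as an error), nor whether files under _/etc/sway/config.d/_ that are included from /etc/sway/config still count as valid locations; the removed text covered both the include and _/etc/sway/config.d/security_, so readers of the old page will look for that answer. "(or whatever path is appropriate for your system)" is vague for a security document; naming how the path is determined would be more useful. Finally, the "Configuration security" heading and its underline are removed, so the new sentence now hangs off the introductory paragraph with no heading, while "Environment security" keeps its own; keeping the heading above the new sentence would preserve the page structure.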