2 files changed, 3 insertions, 3 deletions

diff --git a/sway/config.c b/sway/config.c
index 88e6fad1..92d971d6 100644
--- a/sway/config.c
+++ b/sway/config.c
@@ -543,8 +543,8 @@ bool load_main_config(const char *file, bool is_active) {
                 for (int i = 0; i < secconfigs->length; ++i) {
                         char *_path = secconfigs->items[i];
                         struct stat s;
-                        if (stat(_path, &s) || s.st_uid != 0 || s.st_gid != 0 || (s.st_mode & 0777) != 0644) {
-                                sway_log(L_ERROR, "Refusing to load %s - it must be owned by root and mode 644", _path);
+                        if (stat(_path, &s) || s.st_uid != 0 || s.st_gid != 0 || (((s.st_mode & 0777) != 0644) && (s.st_mode & 0777) != 0444)) {
+                                sway_log(L_ERROR, "Refusing to load %s - it must be owned by root and mode 644 or 444", _path);
                                 success = false;
                         } else {
                                 success = success && load_config(_path, config);
diff --git a/sway/sway-security.7.txt b/sway/sway-security.7.txt
index fb47ffcf..ec6df1f3 100644
--- a/sway/sway-security.7.txt
+++ b/sway/sway-security.7.txt
@@ -21,7 +21,7 @@ you must make a few changes external to sway first.
 
 Configuration of security features is limited to files in the security directory
 (this is likely /etc/sway/security.d/*, but depends on your installation prefix).
-Files in this directory must be owned by root:root and chmod 644. The default
+Files in this directory must be owned by root:root and chmod 644 or 444. The default
 security configuration is installed to /etc/sway/security.d/00-defaults, and
 should not be modified - it will be updated with the latest recommended security
 defaults between releases. To override the defaults, you should add more files to