From edd502f82ad8d6fdc95cb0e0b508c2bf09ecd837 Mon Sep 17 00:00:00 2001
From: Drew DeVault
Date: Thu, 16 Mar 2017 14:06:03 -0400
Subject: Merge pull request #1117 from jnsaff/master

Allow also 444 for security file mode
---
 sway/config.c | 4 ++--
 sway/sway-security.7.txt | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

(limited to 'sway')

diff --git a/sway/config.c b/sway/config.c
index 88e6fad1..92d971d6 100644
--- a/sway/config.c
+++ b/sway/config.c
@@ -543,8 +543,8 @@ bool load_main_config(const char *file, bool is_active) {
 for (int i = 0; i < secconfigs->length; ++i) {
 char *_path = secconfigs->items[i];
 struct stat s;
- if (stat(_path, &s) || s.st_uid != 0 || s.st_gid != 0 || (s.st_mode & 0777) != 0644) {
- sway_log(L_ERROR, "Refusing to load %s - it must be owned by root and mode 644", _path);
+ if (stat(_path, &s) || s.st_uid != 0 || s.st_gid != 0 || (((s.st_mode & 0777) != 0644) && (s.st_mode & 0777) != 0444)) {
+ sway_log(L_ERROR, "Refusing to load %s - it must be owned by root and mode 644 or 444", _path);
 success = false;
 } else {
 success = success && load_config(_path, config);
diff --git a/sway/sway-security.7.txt b/sway/sway-security.7.txt
index fb47ffcf..ec6df1f3 100644
--- a/sway/sway-security.7.txt
+++ b/sway/sway-security.7.txt
@@ -21,7 +21,7 @@ you must make a few changes external to sway first.
 Configuration of security features is limited to files in the security directory (this is likely /etc/sway/security.d/*, but depends on your installation prefix).
-Files in this directory must be owned by root:root and chmod 644. The default
+Files in this directory must be owned by root:root and chmod 644 or 444. The default
 security configuration is installed to /etc/sway/security.d/00-defaults, and should not be modified - it will be updated with the latest recommended security defaults between releases. To override the defaults, you should add more files to
-- 
cgit v1.2.3-54-g00ecf
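Review bot: The permission test in the new `if` in sway/config.c enumerates two exact modes instead of testing the property the check exists for, namely that only root can modify the file; equally non-writable modes such as 0640 or 0440 are still refused, and every further safe mode would need another clause. Consider masking once and rejecting on the write bits, e.g. `mode_t perms = s.st_mode & 0777;` followed by `... || (perms & (S_IWGRP | S_IWOTH))`, with the log text and sway-security(7) updated to match; if the exact-mode policy is intentional, the unevenly parenthesised expression still reads better as `perms != 0644 && perms != 0444`. Separately, `stat()` follows symlinks and `load_config(_path, config)` reopens the file by name, so the check only holds if the security directory itself is writable by root alone; the hunk does not show that being verified, so a comment stating the assumption would help. The enclosing `load_main_config` starts and ends outside this hunk.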