Deal with LD_LIBRARY_PATH

3 files changed, 9 insertions, 1 deletions

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 83989ecd..cd816e9b 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -48,6 +48,9 @@ option(enable-gdk-pixbuf "Use Pixbuf to support more image formats" YES)
 option(enable-binding-event "Enables binding event subscription" YES)
 option(zsh-completions "Zsh shell completions" NO)
 option(default-wallpaper "Installs the default wallpaper" YES)
+option(ld-library-path "Configures sway's default LD_LIBRARY_PATH" "/usr/lib")
+
+add_definitions(-D_LD_LIBRARY_PATH="${ld-library-path}")
 
 find_package(JsonC REQUIRED)
 find_package(PCRE REQUIRED)
diff --git a/sway/main.c b/sway/main.c
index 1db88da2..9746cfb2 100644
--- a/sway/main.c
+++ b/sway/main.c
@@ -220,7 +220,9 @@ int main(int argc, char **argv) {
 		"      --get-socketpath   Gets the IPC socket path and prints it, then exits.\n"
 		"\n";
 
-	unsetenv("LD_PRELOAD"); // Security
+	// Security:
+	unsetenv("LD_PRELOAD");
+	setenv("LD_LIBRARY_PATH", _LD_LIBRARY_PATH, 1);
 
 	int c;
 	while (1) {
diff --git a/sway/sway-security.7.txt b/sway/sway-security.7.txt
index 451f7b88..b6f18e80 100644
--- a/sway/sway-security.7.txt
+++ b/sway/sway-security.7.txt
@@ -62,6 +62,9 @@ compromised by LD_PRELOAD. It probably isn't, but you can be sure by setting
 permit LD_PRELOAD for it (and will also run it as root, which sway will shortly
 drop). You could also statically link sway itself.
 
+Note that LD_LIBRARY_PATH has all of the same problems, and all of the same
+solutions.
+
 Read your log
 -------------