hyprland-wiki/pages/Configuring/Permissions.md

---
weight: 12
title: Permissions
---

If you have `hyprland-qtutils` installed, you can make use of Hyprland's built-in
permission system.

For now, it only has one permission, but it might include more in the future.

## Permissions

Permissions work a bit like Android ones. If an app tries to do something sensitive with
the compositor (Hyprland), Hyprland will pop up a notification asking you if you
want to let it do that.

{{< callout type=info >}}

Before setting up permissions, make sure you enable them by setting
`ecosystem:enforce_permissions = true`, as it's disabled by default.

{{</ callout >}}


### Configuring permissions

{{< callout type=important >}}

Permissions set up in the config are **not** reloaded on-the-fly and require a Hyprland
restart for security reasons.

{{</ callout >}}

Configuring them is simple:

```ini
permission = regex, permission, mode
```

for example:
```ini
permission = /usr/bin/grim, screencopy, allow
```
Will allow `/usr/bin/grim` to always capture your screen without asking.

```ini
permission = /usr/bin/appsuite-.*, screencopy, allow
```
Will allow any app whose path starts with `/usr/bin/appsuite-` to capture your screen without asking.


### Permisision modes

There are 3 modes:
- `allow`: Don't ask, just allow the app to proceed.
- `ask`: Pop up a notification every time the app tries to do something sensitive. These popups allow you to Deny, Allow until the app exits, or Allow until Hyprland exits.
- `deny`: Don't ask, always deny the application access.


### Permission list

`screencopy`:
 - Access to your screen _without_ going through xdg-desktop-portal-hyprland. Examples include: `grim`, `wl-screenrec`, `wf-recorder`.
 - If denied, will render a black screen with a "permission denied" text.
 - Why deny? For apps / scripts that might maliciously try to capture your screen without your knowledge by using wayland protocols directly.

`plugin`:
 - Access to load a plugin. Can be either a regex for the app binary, or plugin path.
 - Do _not_ allow `hyprctl` to load your plugins by default (attacker could issue `hyprctl plugin load /tmp/my-malicious-plugin.so`) - use either `deny` to disable or `ask` to be prompted.

## Notes

**xdg-desktop-portal** implementations (including xdph) are just regular applications. They will go through permissions too. You might want to consider
adding a rule like this:
```ini
permission = /usr/(lib|libexec|lib64)/xdg-desktop-portal-hyprland, screencopy, allow
```
if you are not allowing screencopy for all apps.

<br/>

On some **BSD** systems paths might not work. In such cases, you might want to disable permissions altogether, by setting
```ini
ecosystem {
  enforce_permissions = false
}
```
otherwise, you have no _config_ control over permissions (popups will still work, although will not show paths, and "remember" will not be available).
permissions: add permission con trol 2025-04-08 18:38:56 +01:00			`---`
			`weight: 12`
			`title: Permissions`
			`---`

			If you have `hyprland-qtutils` installed, you can make use of Hyprland's built-in
			`permission system.`

			`For now, it only has one permission, but it might include more in the future.`

			`## Permissions`

			`Permissions work a bit like Android ones. If an app tries to do something sensitive with`
			`the compositor (Hyprland), Hyprland will pop up a notification asking you if you`
			`want to let it do that.`

			`{{< callout type=info >}}`

			`Before setting up permissions, make sure you enable them by setting`
			`ecosystem:enforce_permissions = true`, as it's disabled by default.

			`{{</ callout >}}`


			`### Configuring permissions`

permissions: add note about no reloading 2025-04-30 00:36:40 +01:00			`{{< callout type=important >}}`

			`Permissions set up in the config are not reloaded on-the-fly and require a Hyprland`
			`restart for security reasons.`

			`{{</ callout >}}`

permissions: add permission con trol 2025-04-08 18:38:56 +01:00			`Configuring them is simple:`

			```ini
			`permission = regex, permission, mode`
			```

			`for example:`
			```ini
			`permission = /usr/bin/grim, screencopy, allow`
			```
			Will allow `/usr/bin/grim` to always capture your screen without asking.

permissions: add regex example 2025-05-08 23:57:45 +01:00			```ini
			`permission = /usr/bin/appsuite-.*, screencopy, allow`
			```
			Will allow any app whose path starts with `/usr/bin/appsuite-` to capture your screen without asking.

permissions: add permission con trol 2025-04-08 18:38:56 +01:00
			`### Permisision modes`

			`There are 3 modes:`
			- `allow`: Don't ask, just allow the app to proceed.
			- `ask`: Pop up a notification every time the app tries to do something sensitive. These popups allow you to Deny, Allow until the app exits, or Allow until Hyprland exits.
			- `deny`: Don't ask, always deny the application access.


			`### Permission list`

			`screencopy`:
			- Access to your screen _without_ going through xdg-desktop-portal-hyprland. Examples include: `grim`, `wl-screenrec`, `wf-recorder`.
			`- If denied, will render a black screen with a "permission denied" text.`
			`- Why deny? For apps / scripts that might maliciously try to capture your screen without your knowledge by using wayland protocols directly.`

permissions: add plugin perms 2025-04-29 18:04:44 +01:00			`plugin`:
			`- Access to load a plugin. Can be either a regex for the app binary, or plugin path.`
permissions: add regex example 2025-05-08 23:57:45 +01:00			- Do _not_ allow `hyprctl` to load your plugins by default (attacker could issue `hyprctl plugin load /tmp/my-malicious-plugin.so`) - use either `deny` to disable or `ask` to be prompted.
permissions: add permission con trol 2025-04-08 18:38:56 +01:00
			`## Notes`

			`xdg-desktop-portal implementations (including xdph) are just regular applications. They will go through permissions too. You might want to consider`
			`adding a rule like this:`
			```ini
			`permission = /usr/(lib\|libexec\|lib64)/xdg-desktop-portal-hyprland, screencopy, allow`
			```
			`if you are not allowing screencopy for all apps.`

			`<br/>`

			`On some BSD systems paths might not work. In such cases, you might want to disable permissions altogether, by setting`
			```ini
			`ecosystem {`
			`enforce_permissions = false`
			`}`
			```
			`otherwise, you have no _config_ control over permissions (popups will still work, although will not show paths, and "remember" will not be available).`