activation: Set the permissions of /etc/sudoers to 440.

* gnu/build/activation.scm (activate-etc): Move 'rm-f' to a local
  'define'.  When TARGET is "sudoers", make it 440.

gnu/build/activation.scm

@@ -147,9 +147,11 @@ numeric gid or #f."
   ;; /etc is a mixture of static and dynamic settings.  Here is where we
   ;; initialize it from the static part.
 
+  (define (rm-f file)
+    (false-if-exception (delete-file file)))
+
   (format #t "populating /etc from ~a...~%" etc)
-  (let ((rm-f (lambda (f)
+
-                (false-if-exception (delete-file f)))))
   (rm-f "/etc/static")
   (symlink etc "/etc/static")
   (for-each (lambda (file)
@@ -163,7 +165,11 @@ numeric gid or #f."
                 ;; symlinking them.
                 (if (file-is-directory? source)
                     (symlink source target)
-                      (copy-file source target))))
+                    (copy-file source target))
+
+                ;; XXX: Dirty hack to meet sudo's expectations.
+                (when (string=? (basename target) "sudoers")
+                  (chmod target #o440))))
             (scandir etc
                      (lambda (file)
                        (not (member file '("." ".."))))
@@ -175,7 +181,7 @@ numeric gid or #f."
 
   ;; Prevent ETC from being GC'd.
   (rm-f "/var/guix/gcroots/etc-directory")
-    (symlink etc "/var/guix/gcroots/etc-directory")))
+  (symlink etc "/var/guix/gcroots/etc-directory"))
 
 (define %setuid-directory
   ;; Place where setuid programs are stored.