activation: Set the permissions of /etc/sudoers to 440.

* gnu/build/activation.scm (activate-etc): Move 'rm-f' to a local 'define'. When TARGET is "sudoers", make it 440.
2014-09-11 23:23:07 +02:00 · 2014-09-11 23:23:07 +02:00 · ee7bae3bbd
parent c851400bee
commit ee7bae3bbd
1 changed files with 31 additions and 25 deletions
--- a/gnu/build/activation.scm
+++ b/gnu/build/activation.scm
@ -147,9 +147,11 @@ numeric gid or #f."
  ;; /etc is a mixture of static and dynamic settings.  Here is where we
  ;; initialize it from the static part.

+  (define (rm-f file)
+    (false-if-exception (delete-file file)))
+
  (format #t "populating /etc from ~a...~%" etc)
-  (let ((rm-f (lambda (f)
-                (false-if-exception (delete-file f)))))
+
  (rm-f "/etc/static")
  (symlink etc "/etc/static")
  (for-each (lambda (file)
@ -163,7 +165,11 @@ numeric gid or #f."
                ;; symlinking them.
                (if (file-is-directory? source)
                    (symlink source target)
-                      (copy-file source target))))
+                    (copy-file source target))
+
+                ;; XXX: Dirty hack to meet sudo's expectations.
+                (when (string=? (basename target) "sudoers")
+                  (chmod target #o440))))
            (scandir etc
                     (lambda (file)
                       (not (member file '("." ".."))))
@ -175,7 +181,7 @@ numeric gid or #f."

  ;; Prevent ETC from being GC'd.
  (rm-f "/var/guix/gcroots/etc-directory")
-    (symlink etc "/var/guix/gcroots/etc-directory")))
+  (symlink etc "/var/guix/gcroots/etc-directory"))

 (define %setuid-directory
  ;; Place where setuid programs are stored.