activation: Set the permissions of /etc/sudoers to 440.

* gnu/build/activation.scm (activate-etc): Move 'rm-f' to a local 'define'. When TARGET is "sudoers", make it 440.

activation: Set the permissions of /etc/sudoers to 440.
ee7bae3b · Ludovic Courtès · c851400b · ee7bae3b
Commit ee7bae3b authored 10 years ago by Ludovic Courtès
--- a/gnu/build/activation.scm
+++ b/gnu/build/activation.scm
@@ -147,35 +147,41 @@ (define (activate-etc etc)
  ;; /etc is a mixture of static and dynamic settings.  Here is where we
  ;; initialize it from the static part.
+  (define (rm-f file)
+    (false-if-exception (delete-file file)))
  (format #t "populating /etc from ~a...~%" etc)
-  (let ((rm-f (lambda (f)
-                (false-if-exception (delete-file f)))))
+  (rm-f "/etc/static")
-    (rm-f "/etc/static")
+  (symlink etc "/etc/static")
-    (symlink etc "/etc/static")
+  (for-each (lambda (file)
-    (for-each (lambda (file)
+              (let ((target (string-append "/etc/" file))
-                (let ((target (string-append "/etc/" file))
+                    (source (string-append "/etc/static/" file)))
-                      (source (string-append "/etc/static/" file)))
+                (rm-f target)
-                  (rm-f target)
+                ;; Things such as /etc/sudoers must be regular files, not
-                  ;; Things such as /etc/sudoers must be regular files, not
+                ;; symlinks; furthermore, they could be modified behind our
-                  ;; symlinks; furthermore, they could be modified behind our
+                ;; back---e.g., with 'visudo'.  Thus, make a copy instead of
-                  ;; back---e.g., with 'visudo'.  Thus, make a copy instead of
+                ;; symlinking them.
-                  ;; symlinking them.
+                (if (file-is-directory? source)
-                  (if (file-is-directory? source)
+                    (symlink source target)
-                      (symlink source target)
+                    (copy-file source target))
-                      (copy-file source target))))
-              (scandir etc
+                ;; XXX: Dirty hack to meet sudo's expectations.
-                       (lambda (file)
+                (when (string=? (basename target) "sudoers")
-                         (not (member file '("." ".."))))
+                  (chmod target #o440))))
+            (scandir etc
-                       ;; The default is 'string-locale<?', but we don't have
+                     (lambda (file)
-                       ;; it when run from the initrd's statically-linked
+                       (not (member file '("." ".."))))
-                       ;; Guile.
-                       string<?))
+                     ;; The default is 'string-locale<?', but we don't have
+                     ;; it when run from the initrd's statically-linked
-    ;; Prevent ETC from being GC'd.
+                     ;; Guile.
-    (rm-f "/var/guix/gcroots/etc-directory")
+                     string<?))
-    (symlink etc "/var/guix/gcroots/etc-directory")))
+  ;; Prevent ETC from being GC'd.
+  (rm-f "/var/guix/gcroots/etc-directory")
+  (symlink etc "/var/guix/gcroots/etc-directory"))
 (define %setuid-directory
  ;; Place where setuid programs are stored.