diff options
| author | Ludovic Courtès <ludo@gnu.org> | 2014-09-11 23:23:07 +0200 |
|---|---|---|
| committer | Ludovic Courtès <ludo@gnu.org> | 2014-09-12 00:14:52 +0200 |
| commit | ee7bae3bbd2030d5f2cdb88e484e1c67a063e2a3 (patch) | |
| tree | d48af1fc649fc562ce77d38cb3c93e68b6c63295 /gnu/build | |
| parent | c851400bee4f42d9ef582820a1badaa96ba72934 (diff) | |
| download | guix-ee7bae3bbd2030d5f2cdb88e484e1c67a063e2a3.tar guix-ee7bae3bbd2030d5f2cdb88e484e1c67a063e2a3.tar.gz | |
activation: Set the permissions of /etc/sudoers to 440.
* gnu/build/activation.scm (activate-etc): Move 'rm-f' to a local
'define'. When TARGET is "sudoers", make it 440.
Diffstat (limited to 'gnu/build')
| -rw-r--r-- | gnu/build/activation.scm | 62 |
1 files changed, 34 insertions, 28 deletions
diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm index ee82a078b9..04dd19f3e1 100644 --- a/gnu/build/activation.scm +++ b/gnu/build/activation.scm @@ -147,35 +147,41 @@ numeric gid or #f." ;; /etc is a mixture of static and dynamic settings. Here is where we ;; initialize it from the static part. + (define (rm-f file) + (false-if-exception (delete-file file))) + (format #t "populating /etc from ~a...~%" etc) - (let ((rm-f (lambda (f) - (false-if-exception (delete-file f))))) - (rm-f "/etc/static") - (symlink etc "/etc/static") - (for-each (lambda (file) - (let ((target (string-append "/etc/" file)) - (source (string-append "/etc/static/" file))) - (rm-f target) - - ;; Things such as /etc/sudoers must be regular files, not - ;; symlinks; furthermore, they could be modified behind our - ;; back---e.g., with 'visudo'. Thus, make a copy instead of - ;; symlinking them. - (if (file-is-directory? source) - (symlink source target) - (copy-file source target)))) - (scandir etc - (lambda (file) - (not (member file '("." "..")))) - - ;; The default is 'string-locale<?', but we don't have - ;; it when run from the initrd's statically-linked - ;; Guile. - string<?)) - - ;; Prevent ETC from being GC'd. - (rm-f "/var/guix/gcroots/etc-directory") - (symlink etc "/var/guix/gcroots/etc-directory"))) + + (rm-f "/etc/static") + (symlink etc "/etc/static") + (for-each (lambda (file) + (let ((target (string-append "/etc/" file)) + (source (string-append "/etc/static/" file))) + (rm-f target) + + ;; Things such as /etc/sudoers must be regular files, not + ;; symlinks; furthermore, they could be modified behind our + ;; back---e.g., with 'visudo'. Thus, make a copy instead of + ;; symlinking them. + (if (file-is-directory? source) + (symlink source target) + (copy-file source target)) + + ;; XXX: Dirty hack to meet sudo's expectations. + (when (string=? (basename target) "sudoers") + (chmod target #o440)))) + (scandir etc + (lambda (file) + (not (member file '("." "..")))) + + ;; The default is 'string-locale<?', but we don't have + ;; it when run from the initrd's statically-linked + ;; Guile. + string<?)) + + ;; Prevent ETC from being GC'd. + (rm-f "/var/guix/gcroots/etc-directory") + (symlink etc "/var/guix/gcroots/etc-directory")) (define %setuid-directory ;; Place where setuid programs are stored. |