2 files changed, 12 insertions, 2 deletions

diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm
index a1d2a9cc7d..299c0728cb 100644
--- a/gnu/build/activation.scm
+++ b/gnu/build/activation.scm
@@ -130,14 +130,15 @@ properties.  Return #t on success."
       ;; 'useradd' fails with "Cannot determine your user name" if the root
       ;; account doesn't exist.  Thus, for bootstrapping purposes, create that
       ;; one manually.
-      (begin
+      (let ((home (or home "/root")))
         (call-with-output-file "/etc/shadow"
           (cut format <> "~a::::::::~%" name))
         (call-with-output-file "/etc/passwd"
           (cut format <> "~a:x:~a:~a:~a:~a:~a~%"
                name "0" "0" comment home shell))
         (chmod "/etc/shadow" #o600)
-        (copy-account-skeletons (or home "/root"))
+        (copy-account-skeletons home)
+        (chmod home #o700)
         #t)
 
       ;; Use 'useradd' from the Shadow package.
diff --git a/gnu/tests/base.scm b/gnu/tests/base.scm
index e5ac320b74..f5bbfafee3 100644
--- a/gnu/tests/base.scm
+++ b/gnu/tests/base.scm
@@ -199,6 +199,15 @@ info --version")
                          ',users+homes))
                marionette)))
 
+          (test-equal "permissions on /root"
+            #o700
+            (let ((root-home #$(any (lambda (account)
+                                      (and (zero? (user-account-uid account))
+                                           (user-account-home-directory
+                                            account)))
+                                    (operating-system-user-accounts os))))
+              (stat:perms (marionette-eval `(stat ,root-home) marionette))))
+
           (test-equal "no extra home directories"
             '()