authorLudovic Courtès <ludo@gnu.org>2020-08-24 17:02:48 +0200
committerLudovic Courtès <ludo@gnu.org>2020-08-24 23:23:57 +0200
commit384377632c41c5c42e32889f4a239223aaae1ca9 (patch)
treeb080c748f35e710e51fbec3979ddfe3a930f3cfb /gnu
parent0d203eeaa69a42a914a9981449805014ab6b7b77 (diff)
system: Validate sudoers file when building the system.
Suggested by pkill9 <pkill9@runbox.com>. * gnu/system.scm (validated-sudoers-file): New procedure. (operating-system-etc-service): Use it.
Diffstat (limited to 'gnu')
-rw-r--r--gnu/system.scm16
1 files changed, 15 insertions, 1 deletions
diff --git a/gnu/system.scm b/gnu/system.scm
index 5dd2f7f680..f092df56ce 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -747,6 +747,18 @@ This is the GNU system. Welcome.\n")
"Return the default /etc/hosts file."
(plain-file "hosts" (local-host-aliases host-name)))
+(define (validated-sudoers-file file)
+ "Return a copy of FILE, a sudoers file, after checking that it is
+syntactically correct."
+ (computed-file "sudoers"
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils))
+
+ (invoke #+(file-append sudo "/sbin/visudo")
+ "--check" "--file" #$file)
+ (copy-file #$file #$output)))))
+
(define* (operating-system-etc-service os)
"Return a <service> that builds containing the static part of the /etc
directory."
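Review bot: The `invoke` of `visudo` in `validated-sudoers-file` passes `--check` without `--strict`, so a rule that references an undefined alias (for example a misspelled `Cmnd_Alias`) or a cyclic alias is reported as a warning at most and the system still builds. Consider `"--check" "--strict" "--file" #$file)`, keeping in mind that strict mode cannot tell an alias from a user or host name written entirely in uppercase. The docstring could also say that the build fails when `visudo` rejects FILE, and that the check covers syntax only and says nothing about whether the rules grant more privilege than intended. Any include directives in FILE would presumably be resolved inside the build environment rather than on the target system, so files pulled in that way are likely not validated here.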
@@ -873,7 +885,9 @@ fi\n")))
("timezone" ,(plain-file "timezone" (operating-system-timezone os)))
("localtime" ,(file-append tzdata "/share/zoneinfo/"
(operating-system-timezone os)))
- ,@(if sudoers `(("sudoers" ,sudoers)) '())
+ ,@(if sudoers
+ `(("sudoers" ,(validated-sudoers-file sudoers)))
+ '())
,@(if hurd
`(("login" ,(file-append hurd "/etc/login"))
("motd" ,(file-append hurd "/etc/motd"))