1 files changed, 28 insertions, 21 deletions

diff --git a/gnu/services.scm b/gnu/services.scm
index f0bbbb27a5..8a4002e072 100644
--- a/gnu/services.scm
+++ b/gnu/services.scm
@@ -632,7 +632,7 @@ information is missing, return the empty list (for channels) and possibly
     #~(begin
         (use-modules (guix build utils))
 
-        ;; Clean out /tmp and /var/run.
+        ;; Clean out /tmp, /var/run, and /run.
         ;;
         ;; XXX This needs to happen before service activations, so it
         ;; has to be here, but this also implicitly assumes that /tmp
@@ -663,12 +663,16 @@ information is missing, return the empty list (for channels) and possibly
            (setlocale LC_CTYPE "en_US.utf8")
            (delete-file-recursively "/tmp")
            (delete-file-recursively "/var/run")
+           (delete-file-recursively "/run")
 
-           (mkdir "/tmp")
+           ;; Note: The second argument to 'mkdir' is and'ed with umask,
+           ;; hence the 'chmod' calls.
+           (mkdir "/tmp" #o1777)
            (chmod "/tmp" #o1777)
-           (mkdir "/var/run")
+           (mkdir "/var/run" #o755)
            (chmod "/var/run" #o755)
-           (delete-file-recursively "/run/udev/watch.old"))))))
+           (mkdir "/run" #o755)
+           (chmod "/var/run" #o755))))))
 
 (define cleanup-service-type
   ;; Service that cleans things up in /tmp and similar.
@@ -893,23 +897,26 @@ FILES must be a list of name/file-like object pairs."
 
 (define (privileged-program->activation-gexp programs)
   "Return an activation gexp for privileged-program from PROGRAMS."
-  (let ((programs (map (lambda (program)
-                         ;; FIXME This is really ugly, I didn't managed to use
-                         ;; "inherit"
-                         (let ((program-name (privileged-program-program program))
-                               (setuid?      (privileged-program-setuid? program))
-                               (setgid?      (privileged-program-setgid? program))
-                               (user         (privileged-program-user program))
-                               (group        (privileged-program-group program))
-                               (capabilities (privileged-program-capabilities program)))
-                           #~(privileged-program
-                              (setuid? #$setuid?)
-                              (setgid? #$setgid?)
-                              (user    #$user)
-                              (group   #$group)
-                              (capabilities #$capabilities)
-                              (program #$program-name))))
-                       programs)))
+  (let ((programs
+         (map (lambda (program)
+                ;; FIXME This is really ugly, I didn't manage to use "inherit".
+                (let ((program-name (privileged-program-program program))
+                      (setuid?      (privileged-program-setuid? program))
+                      (setgid?      (privileged-program-setgid? program))
+                      (user         (privileged-program-user program))
+                      (group        (privileged-program-group program))
+                      (capabilities (privileged-program-capabilities program)))
+                  (unless (or setuid? setgid? capabilities)
+                    (warning
+                     (G_ "so-called privileged-program ~s lacks any privilege~%")
+                     program-name))
+                  #~(privileged-program (setuid? #$setuid?)
+                                        (setgid? #$setgid?)
+                                        (user    #$user)
+                                        (group   #$group)
+                                        (capabilities #$capabilities)
+                                        (program #$program-name))))
+              programs)))
     (with-imported-modules (source-module-closure
                             '((gnu system privilege)))
       #~(begin