Making cron/fcron set their setuid wrappers. And made fcron use the nixos systemCrontabJobs by

default. It does not look very modular, and the manual may not look very good, but I think it works better than before. And setting cron.enable = false and fcron.enable = true works fine. svn path=/nixos/trunk/; revision=24199
2010-10-10 11:35:15 +00:00 · 2010-10-10 11:35:15 +00:00 · 79ded36abf
commit 79ded36abf
parent dc11ce585f
3 changed files with 19 additions and 14 deletions
--- a/modules/security/setuid-wrappers.nix
+++ b/modules/security/setuid-wrappers.nix
@ -75,7 +75,7 @@ in
  config = {

    security.setuidPrograms =
-      [ "crontab" "fusermount" "wodim" "cdrdao" "growisofs" ];
+      [ "fusermount" "wodim" "cdrdao" "growisofs" ];

    system.activationScripts.setuid =
      let
--- a/modules/services/scheduling/cron.nix
+++ b/modules/services/scheduling/cron.nix
@ -58,6 +58,10 @@ in
          If neither /var/cron/cron.deny nor /var/cron/cron.allow exist only root
          will is allowed to have its own crontab file. The /var/cron/cron.deny file
          is created automatically for you. So every user can use a crontab.
+
+          Many nixos modules set systemCronJobs, so if you decide to disable vixie cron
+          and enable another cron daemon, you may want it to get its system crontab
+          based on systemCronJobs.
        '';
      };

@ -68,7 +72,7 @@ in

  ###### implementation

-  config = mkIf config.services.cron.enable {  
+  config = mkIf config.services.cron.enable {

    environment.etc = singleton
      # The system-wide crontab.
@ -77,6 +81,8 @@ in
        mode = "0600"; # Cron requires this.
      };

+    security.setuidPrograms = [ "crontab" ];
+
    environment.systemPackages = [ cronNixosPkg ];

    jobs.cron =
--- a/modules/services/scheduling/fcron.nix
+++ b/modules/services/scheduling/fcron.nix
@ -4,20 +4,17 @@ with pkgs.lib;

 let

-  # Put all the system cronjobs together.
-  # TODO allow using fcron only..
-  #systemCronJobs =
-  #  config.services.cron.systemCronJobs;
  cfg = config.services.fcron;
  
  queuelen = if cfg.queuelen == "" then "" else "-q ${toString cfg.queuelen}";

-  # shell is set to /sh in config..
-  # ${pkgs.lib.concatStrings (map (job: job + "\n") systemCronJobs)}
-  systemCronJobsFile = pkgs.writeText "fcron-systab"
+  systemCronJobsFile = pkgs.writeText "system-crontab"
    ''
-      SHELL=${pkgs.bash}/bin/sh
-      PATH=${pkgs.coreutils}/bin:${pkgs.findutils}/bin:${pkgs.gnused}/bin
+      SHELL=${pkgs.bash}/bin/bash
+      PATH=${config.system.path}/bin:${config.system.path}/sbin
+      MAILTO="${config.services.cron.mailto}"
+      NIX_CONF_DIR=/nix/etc/nix
+      ${pkgs.lib.concatStrings (map (job: job + "\n") config.services.cron.systemCronJobs)}
    '';

  allowdeny = target: users:
@ -42,7 +39,7 @@ in
      };
      
      allow = mkOption {
-        default = [];
+        default = [ "all" ];
        description = ''
          Users allowed to use fcrontab and fcrondyn (one name per line, "all" for everyone).
        '';
@ -64,7 +61,7 @@ in
      };
      
      systab = mkOption {
-        default = "";
+        default = systemCronJobsFile;
        description = ''The "system" crontab contents.'';
      };
    };
@ -77,7 +74,7 @@ in
  config = mkIf cfg.enable {

    environment.etc =
-      [ (allowdeny "allow" (["root"] ++ cfg.allow))
+      [ (allowdeny "allow" (cfg.allow))
        (allowdeny "deny" cfg.deny)
        # see man 5 fcron.conf
        { source = pkgs.writeText "fcon.conf" ''
@ -97,6 +94,8 @@ in

    environment.systemPackages = [ pkgs.fcron ];

+    security.setuidPrograms = [ "fcrontab" ];
+
    jobs.fcron =
      { description = "fcron daemon";