Making cron/fcron set their setuid wrappers. And made fcron use the nixos systemCrontabJobs by

default. It does not look very modular, and the manual may not look very good, but I think it works better than before. And setting cron.enable = false and fcron.enable = true works fine. svn path=/nixos/trunk/; revision=24199
2010-10-10 11:35:15 +00:00 · 2010-10-10 11:35:15 +00:00 · 79ded36abf
commit 79ded36abf
parent dc11ce585f
3 changed files with 19 additions and 14 deletions
--- a/modules/security/setuid-wrappers.nix
+++ b/modules/security/setuid-wrappers.nix
@ -75,7 +75,7 @@ in
  config = {
    security.setuidPrograms =
-      [ "crontab" "fusermount" "wodim" "cdrdao" "growisofs" ];
+      [ "fusermount" "wodim" "cdrdao" "growisofs" ];
    system.activationScripts.setuid =
      let
--- a/modules/services/scheduling/cron.nix
+++ b/modules/services/scheduling/cron.nix
@ -58,6 +58,10 @@ in
          If neither /var/cron/cron.deny nor /var/cron/cron.allow exist only root
          will is allowed to have its own crontab file. The /var/cron/cron.deny file
          is created automatically for you. So every user can use a crontab.
          Many nixos modules set systemCronJobs, so if you decide to disable vixie cron
          and enable another cron daemon, you may want it to get its system crontab
          based on systemCronJobs.
        '';
      };
@ -68,7 +72,7 @@ in
  ###### implementation
-  config = mkIf config.services.cron.enable {  
+  config = mkIf config.services.cron.enable {
    environment.etc = singleton
      # The system-wide crontab.
@ -77,6 +81,8 @@ in
        mode = "0600"; # Cron requires this.
      };
    security.setuidPrograms = [ "crontab" ];
    environment.systemPackages = [ cronNixosPkg ];
    jobs.cron =
--- a/modules/services/scheduling/fcron.nix
+++ b/modules/services/scheduling/fcron.nix
@ -4,20 +4,17 @@ with pkgs.lib;
 let
  # Put all the system cronjobs together.
  # TODO allow using fcron only..
  #systemCronJobs =
  #  config.services.cron.systemCronJobs;
  cfg = config.services.fcron;
  queuelen = if cfg.queuelen == "" then "" else "-q ${toString cfg.queuelen}";
-  # shell is set to /sh in config..
+  systemCronJobsFile = pkgs.writeText "system-crontab"
  # ${pkgs.lib.concatStrings (map (job: job + "\n") systemCronJobs)}
  systemCronJobsFile = pkgs.writeText "fcron-systab"
    ''
-      SHELL=${pkgs.bash}/bin/sh
+      SHELL=${pkgs.bash}/bin/bash
-      PATH=${pkgs.coreutils}/bin:${pkgs.findutils}/bin:${pkgs.gnused}/bin
+      PATH=${config.system.path}/bin:${config.system.path}/sbin
      MAILTO="${config.services.cron.mailto}"
      NIX_CONF_DIR=/nix/etc/nix
      ${pkgs.lib.concatStrings (map (job: job + "\n") config.services.cron.systemCronJobs)}
    '';
  allowdeny = target: users:
@ -42,7 +39,7 @@ in
      };
      allow = mkOption {
-        default = [];
+        default = [ "all" ];
        description = ''
          Users allowed to use fcrontab and fcrondyn (one name per line, "all" for everyone).
        '';
@ -64,7 +61,7 @@ in
      };
      systab = mkOption {
-        default = "";
+        default = systemCronJobsFile;
        description = ''The "system" crontab contents.'';
      };
    };
@ -77,7 +74,7 @@ in
  config = mkIf cfg.enable {
    environment.etc =
-      [ (allowdeny "allow" (["root"] ++ cfg.allow))
+      [ (allowdeny "allow" (cfg.allow))
        (allowdeny "deny" cfg.deny)
        # see man 5 fcron.conf
        { source = pkgs.writeText "fcon.conf" ''
@ -97,6 +94,8 @@ in
    environment.systemPackages = [ pkgs.fcron ];
    security.setuidPrograms = [ "fcrontab" ];
    jobs.fcron =
      { description = "fcron daemon";