Author: viric
Date: Sun Oct 10 11:35:15 2010
New Revision: 24199
URL: https://svn.nixos.org/websvn/nix/?rev=24199&sc=1
Log:
Making cron/fcron set their own setuid wrappers. And made fcron use the nixos
systemCronJobs by default.
It does not look very modular, and the manual may not look very good, but I
think it works better than before. And setting cron.enable = false and
fcron.enable = true works fine.
Modified:
nixos/trunk/modules/security/setuid-wrappers.nix
nixos/trunk/modules/services/scheduling/cron.nix
nixos/trunk/modules/services/scheduling/fcron.nix
Modified: nixos/trunk/modules/security/setuid-wrappers.nix
==============================================================================
--- nixos/trunk/modules/security/setuid-wrappers.nix Sun Oct 10 11:14:02
2010 (r24198)
+++ nixos/trunk/modules/security/setuid-wrappers.nix Sun Oct 10 11:35:15
2010 (r24199)
@@ -75,7 +75,7 @@
config = {
security.setuidPrograms =
- [ "crontab" "fusermount" "wodim" "cdrdao" "growisofs" ];
+ [ "fusermount" "wodim" "cdrdao" "growisofs" ];
system.activationScripts.setuid =
let
Modified: nixos/trunk/modules/services/scheduling/cron.nix
==============================================================================
--- nixos/trunk/modules/services/scheduling/cron.nix Sun Oct 10 11:14:02
2010 (r24198)
+++ nixos/trunk/modules/services/scheduling/cron.nix Sun Oct 10 11:35:15
2010 (r24199)
@@ -58,6 +58,10 @@
If neither /var/cron/cron.deny nor /var/cron/cron.allow exist only
root
will is allowed to have its own crontab file. The
/var/cron/cron.deny file
is created automatically for you. So every user can use a crontab.
+
+ Many nixos modules set systemCronJobs, so if you decide to disable
vixie cron
+ and enable another cron daemon, you may want it to get its system
crontab
+ based on systemCronJobs.
'';
};
@@ -68,7 +72,7 @@
###### implementation
- config = mkIf config.services.cron.enable {
+ config = mkIf config.services.cron.enable {
environment.etc = singleton
# The system-wide crontab.
@@ -77,6 +81,8 @@
mode = "0600"; # Cron requires this.
};
+ security.setuidPrograms = [ "crontab" ];
+
environment.systemPackages = [ cronNixosPkg ];
jobs.cron =
Modified: nixos/trunk/modules/services/scheduling/fcron.nix
==============================================================================
--- nixos/trunk/modules/services/scheduling/fcron.nix Sun Oct 10 11:14:02
2010 (r24198)
+++ nixos/trunk/modules/services/scheduling/fcron.nix Sun Oct 10 11:35:15
2010 (r24199)
@@ -4,20 +4,17 @@
let
- # Put all the system cronjobs together.
- # TODO allow using fcron only..
- #systemCronJobs =
- # config.services.cron.systemCronJobs;
cfg = config.services.fcron;
queuelen = if cfg.queuelen == "" then "" else "-q ${toString cfg.queuelen}";
- # shell is set to /sh in config..
- # ${pkgs.lib.concatStrings (map (job: job + "\n") systemCronJobs)}
- systemCronJobsFile = pkgs.writeText "fcron-systab"
+ systemCronJobsFile = pkgs.writeText "system-crontab"
''
- SHELL=${pkgs.bash}/bin/sh
- PATH=${pkgs.coreutils}/bin:${pkgs.findutils}/bin:${pkgs.gnused}/bin
+ SHELL=${pkgs.bash}/bin/bash
+ PATH=${config.system.path}/bin:${config.system.path}/sbin
+ MAILTO="${config.services.cron.mailto}"
+ NIX_CONF_DIR=/nix/etc/nix
+ ${pkgs.lib.concatStrings (map (job: job + "\n")
config.services.cron.systemCronJobs)}
'';
allowdeny = target: users:
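Review bot: The generated `system-crontab` now concatenates `config.services.cron.systemCronJobs` verbatim, and those entries are written for vixie cron's system crontab, which as far as I know carries a user column that fcron's own table syntax does not have. If fcron does not parse that column, jobs may fail or run under a different identity than the module author intended, so this is worth confirming before it becomes the default systab. I would at least add a comment above the `map`, e.g. `# NOTE: systemCronJobs lines use the vixie /etc/crontab layout (user field included); confirm fcron accepts them as-is`. The `let` block continues outside this hunk.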
@@ -42,7 +39,7 @@
};
allow = mkOption {
- default = [];
+ default = [ "all" ];
description = ''
Users allowed to use fcrontab and fcrondyn (one name per line, "all"
for everyone).
'';
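Review bot: Changing the `allow` default from `[]` to `[ "all" ]` means that enabling fcron now lets every local account use fcrontab and fcrondyn, and the same commit installs a setuid wrapper for `fcrontab` in the last fcron.nix hunk. That is a wider default than before and it is not mentioned in the option text. If the open default is intended, say so in the description, e.g. `The default "all" lets every local user run the setuid fcrontab wrapper; list specific users to restrict this.`; otherwise keep `default = [];`.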
@@ -64,7 +61,7 @@
};
systab = mkOption {
- default = "";
+ default = systemCronJobsFile;
description = ''The "system" crontab contents.'';
};
};
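Review bot: The `systab` default is now `systemCronJobsFile`, which is the result of `pkgs.writeText` and so a store path to a file, while the description still says `The "system" crontab contents.` A user who overrides the option with literal crontab text, as the description invites, would be passing a different kind of value than the default; how `cfg.systab` is consumed is outside this hunk, so whether both forms work cannot be told from here. I would align the description with the default, e.g. `description = ''Path to the "system" crontab file; defaults to one generated from services.cron.systemCronJobs.'';`.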
@@ -77,7 +74,7 @@
config = mkIf cfg.enable {
environment.etc =
- [ (allowdeny "allow" (["root"] ++ cfg.allow))
+ [ (allowdeny "allow" (cfg.allow))
(allowdeny "deny" cfg.deny)
# see man 5 fcron.conf
{ source = pkgs.writeText "fcon.conf" ''
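Review bot: With `["root"] ++` dropped from the allow file, any configuration that sets `services.fcron.allow` to an explicit user list no longer gets root added implicitly. Whether fcron still lets root use fcrontab without an entry is not visible here, so an existing restricted setup could silently change behaviour for root. The `allow` option description should state this, e.g. `root is no longer added automatically; include it when overriding this list.` The parentheses around `cfg.allow` are also redundant now: `(allowdeny "allow" cfg.allow)`, matching the `deny` line below it.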
@@ -97,6 +94,8 @@
environment.systemPackages = [ pkgs.fcron ];
+ security.setuidPrograms = [ "fcrontab" ];
+
jobs.fcron =
{ description = "fcron daemon";