fcron: 3.1.2 -> 3.2.1

fixes #23320 #23413 (cherry picked from commit 947815f)
NixOS · Mar 5, 2017 · 6bc2d87 · 6bc2d87
1 parent 5c1fdb1
commit 6bc2d87
Show file tree

Hide file tree

Showing 4 changed files with 91 additions and 42 deletions.
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
@@ -288,6 +288,7 @@
       kresd = 270;
       rpc = 271;
       geoip = 272;
+      fcron = 273;
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -545,6 +546,7 @@
       kresd = 270;
       #rpc = 271; # unused
       #geoip = 272; # unused
+      fcron = 273;
 
       # When adding a gid, make sure it doesn't match an existing
       # uid. Users and groups with the same name should have equal

diff --git a/nixos/modules/services/scheduling/fcron.nix b/nixos/modules/services/scheduling/fcron.nix
@@ -23,7 +23,8 @@ let
   allowdeny = target: users:
     { source = pkgs.writeText "fcron.${target}" (concatStringsSep "\n" users);
       target = "fcron.${target}";
-      mode = "600"; # fcron has some security issues.. So I guess this is most safe
+      mode = "644";
+      gid = config.ids.gids.fcron;
     };
 
 in
@@ -89,24 +90,48 @@ in
       [ (allowdeny "allow" (cfg.allow))
         (allowdeny "deny" cfg.deny)
         # see man 5 fcron.conf
-        { source = pkgs.writeText "fcon.conf" ''
+        { source = pkgs.writeText "fcron.conf" ''
             fcrontabs   =       /var/spool/fcron
             pidfile     =       /var/run/fcron.pid
             fifofile    =       /var/run/fcron.fifo
             fcronallow  =       /etc/fcron.allow
             fcrondeny   =       /etc/fcron.deny
             shell       =       /bin/sh
             sendmail    =       /run/wrappers/bin/sendmail
-            editor      =       /run/current-system/sw/bin/vi
+            editor      =       ${pkgs.vim}/bin/vim
           '';
           target = "fcron.conf";
-          mode = "0600"; # max allowed is 644
+          gid = config.ids.gids.fcron;
+          mode = "0644";
         }
       ];
 
     environment.systemPackages = [ pkgs.fcron ];
-
-    security.wrappers.fcrontab.source = "${pkgs.fcron.out}/bin/fcrontab";
+    users.extraUsers.fcron = {
+      uid = config.ids.uids.fcron;
+      home = "/var/spool/fcron";
+      group = "fcron";
+    };
+    users.groups.fcron.gid = config.ids.gids.fcron;
+
+    security.wrappers = {
+      fcrontab = {
+        source = "${pkgs.fcron}/bin/fcrontab";
+        owner = "fcron";
+        group = "fcron";
+        setgid = true;
+      };
+      fcrondyn = {
+        source = "${pkgs.fcron}/bin/fcrondyn";
+        owner = "fcron";
+        group = "fcron";
+        setgid = true;
+      };
+      fcronsighup = {
+        source = "${pkgs.fcron}/bin/fcronsighup";
+        group = "fcron";
+      };
+    };
     systemd.services.fcron = {
       description = "fcron daemon";
       after = [ "local-fs.target" ];
@@ -118,14 +143,17 @@ in
       };
 
       preStart = ''
-        ${pkgs.coreutils}/bin/mkdir -m 0700 -p /var/spool/fcron
+        ${pkgs.coreutils}/bin/mkdir -m 0770 -p /var/spool/fcron
+        ${pkgs.coreutils}/bin/chown -R fcron:fcron /var/spool/fcron
         # load system crontab file
-        ${pkgs.fcron}/bin/fcrontab -u systab ${pkgs.writeText "systab" cfg.systab}
+        set -x
+        #${pkgs.fcron}/bin/fcrontab -u systab ${pkgs.writeText "systab" cfg.systab}
       '';
 
-      serviceConfig.Type = "forking";
-
-      script = "${pkgs.fcron}/sbin/fcron -m ${toString cfg.maxSerialJobs} ${queuelen}";
+      serviceConfig = {
+        Type = "forking";
+        ExecStart = "${pkgs.fcron}/sbin/fcron -m ${toString cfg.maxSerialJobs} ${queuelen}";
+      };
     };
   };
 }
diff --git a/pkgs/tools/system/fcron/default.nix b/pkgs/tools/system/fcron/default.nix
@@ -1,58 +1,61 @@
-# I've only worked on this till it compiled and worked. So maybe there are some things which should be done but I've missed
 # restart using 'killall -TERM fcron; fcron -b
 # use convert-fcrontab to update fcrontab files
 
 { stdenv, fetchurl, perl, busybox, vim }:
 
 stdenv.mkDerivation rec {
-  name = "fcron-3.1.2";
+  name = "fcron-${version}";
+  version = "3.2.1";
 
   src = fetchurl {
     url = "http://fcron.free.fr/archives/${name}.src.tar.gz";
-    sha256 = "0p8sn4m3frh2x2llafq2gbcm46rfrn6ck4qi0d0v3ql6mfx9k4hw";
+    sha256 = "0sjz7r050myj6zgixzx3pk5ff819v6b0zfn0q1lkd19jkaix0531";
   };
 
   buildInputs = [ perl ];
 
+  patches = [ ./relative-fcronsighup.patch ];
+
   configureFlags =
     [ "--with-sendmail=${busybox}/sbin/sendmail"
       "--with-editor=${vim}/bin/vi"  # TODO customizable
       "--with-bootinstall=no"
+      "--localstatedir=/var"
       "--sysconfdir=/etc"
-      # fcron would have been default user/grp
-      "--with-username=root"
-      "--with-groupname=root"
       "--with-rootname=root"
       "--with-rootgroup=root"
       "--disable-checks"
     ];
-    
+
   installTargets = "install-staged"; # install does also try to change permissions of /etc/* files
-
-  preConfigure =
-    ''
-      sed -i 's@/usr/bin/env perl@${perl}/bin/perl@g' configure script/*
-      # Don't let fcron create the group fcron, nix(os) should do this
-      sed -i '2s@.*@exit 0@' script/user-group
-
-      # --with-bootinstall=no shoud do this, didn't work. So just exit the script before doing anything
-      sed -i '2s@.*@exit 0@' script/boot-install
-
-      # also don't use chown or chgrp for documentation (or whatever) when installing
-      find -type f | xargs sed -i -e 's@^\(\s\)*chown@\1:@' -e 's@^\(\s\)*chgrp@\1:@'
-    '';
-
-  patchPhase =
-    ''
-      # don't try to create /etc/fcron.{allow,deny,conf} 
-      sed -i -e 's@test -f $(DESTDIR)$(ETC)/fcron.conf @ # @' \
-             -e 's@if test ! -f $(DESTDIR)$(ETC)/fcron.allow@ # @' Makefile.in
-    '';
-
-  meta = { 
+
+  # fcron tries to install pid into system directory on install
+  installFlags = [
+    "ETC=."
+    "PIDDIR=."
+    "PIDFILE=fcron.pid"
+    "REBOOT_LOCK=fcron.reboot"
+    "FIFODIR=."
+    "FIFOFILE=fcron.fifo"
+    "FCRONTABS=."
+  ];
+
+  preConfigure = ''
+    sed -i 's@/usr/bin/env perl@${perl}/bin/perl@g' configure script/*
+    # Don't let fcron create the group fcron, nix(os) should do this
+    sed -i '2s@.*@exit 0@' script/user-group
+
+    # --with-bootinstall=no shoud do this, didn't work. So just exit the script before doing anything
+    sed -i '2s@.*@exit 0@' script/boot-install
+
+    # also don't use chown or chgrp for documentation (or whatever) when installing
+    find -type f | xargs sed -i -e 's@^\(\s\)*chown@\1:@' -e 's@^\(\s\)*chgrp@\1:@'
+  '';
+
+  meta = with stdenv.lib; {
     description="A command scheduler with extended capabilities over cron and anacron";
     homepage = http://fcron.free.fr;
-    license = stdenv.lib.licenses.gpl2;
-    platforms = stdenv.lib.platforms.all;
+    license = licenses.gpl2;
+
   };
 }
diff --git a/pkgs/tools/system/fcron/relative-fcronsighup.patch b/pkgs/tools/system/fcron/relative-fcronsighup.patch
@@ -0,0 +1,16 @@
+Use relative fcronsighup to prefer setuid executable over package binary.
+--- fcron-3.2.1.orig/fcrontab.c	2016-06-26 17:02:48.000000000 +0200
++++ fcron-3.2.1/fcrontab.c	2017-03-05 21:54:24.676871335 +0100
+@@ -154,10 +154,10 @@
+                         fcrontab_gid);
+                 exit(ERR);
+             }
+-            execl(BINDIREX "/fcronsighup", BINDIREX "/fcronsighup", fcronconf,
++            execlp("fcronsighup",  "fcronsighup", fcronconf,
+                   NULL);
+
+-            error_e("Could not exec " BINDIREX " fcronsighup");
++            error_e("Could not exec fcronsighup");
+             exit(ERR);
+             break;
+