fcron: 3.1.2 -> 3.2.1

fixes #23320 #23413
This commit is contained in:
Jörg Thalheim 2017-03-05 22:40:01 +01:00
parent 64138b3334
commit 947815f59f
GPG Key ID: CA4106B8D7CC79FA
4 changed files with 86 additions and 37 deletions


@ -288,6 +288,7 @@
kresd = 270;
rpc = 271;
geoip = 272;
fcron = 273;
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@ -545,6 +546,7 @@
kresd = 270;
#rpc = 271; # unused
#geoip = 272; # unused
fcron = 273;
# When adding a gid, make sure it doesn't match an existing
# uid. Users and groups with the same name should have equal


@ -23,7 +23,8 @@ let
allowdeny = target: users:
{ source = pkgs.writeText "fcron.${target}" (concatStringsSep "\n" users);
target = "fcron.${target}";
mode = "600"; # fcron has some security issues.. So I guess this is most safe
mode = "644";
gid = config.ids.gids.fcron;
};
in
@ -89,7 +90,7 @@ in
[ (allowdeny "allow" (cfg.allow))
(allowdeny "deny" cfg.deny)
# see man 5 fcron.conf
{ source = pkgs.writeText "fcon.conf" ''
{ source = pkgs.writeText "fcron.conf" ''
fcrontabs = /var/spool/fcron
pidfile = /var/run/fcron.pid
fifofile = /var/run/fcron.fifo
@ -97,16 +98,40 @@ in
fcrondeny = /etc/fcron.deny
shell = /bin/sh
sendmail = /run/wrappers/bin/sendmail
editor = /run/current-system/sw/bin/vi
editor = ${pkgs.vim}/bin/vim
'';
target = "fcron.conf";
mode = "0600"; # max allowed is 644
gid = config.ids.gids.fcron;
mode = "0644";
}
];
environment.systemPackages = [ pkgs.fcron ];
users.extraUsers.fcron = {
uid = config.ids.uids.fcron;
home = "/var/spool/fcron";
group = "fcron";
};
users.groups.fcron.gid = config.ids.gids.fcron;
security.wrappers.fcrontab.source = "${pkgs.fcron.out}/bin/fcrontab";
security.wrappers = {
fcrontab = {
source = "${pkgs.fcron}/bin/fcrontab";
owner = "fcron";
group = "fcron";
setgid = true;
};
fcrondyn = {
source = "${pkgs.fcron}/bin/fcrondyn";
owner = "fcron";
group = "fcron";
setgid = true;
};
fcronsighup = {
source = "${pkgs.fcron}/bin/fcronsighup";
group = "fcron";
};
};
systemd.services.fcron = {
description = "fcron daemon";
after = [ "local-fs.target" ];
@ -118,14 +143,17 @@ in
};
preStart = ''
${pkgs.coreutils}/bin/mkdir -m 0700 -p /var/spool/fcron
${pkgs.coreutils}/bin/mkdir -m 0770 -p /var/spool/fcron
${pkgs.coreutils}/bin/chown -R fcron:fcron /var/spool/fcron
# load system crontab file
${pkgs.fcron}/bin/fcrontab -u systab ${pkgs.writeText "systab" cfg.systab}
set -x
#${pkgs.fcron}/bin/fcrontab -u systab ${pkgs.writeText "systab" cfg.systab}
'';
serviceConfig.Type = "forking";
script = "${pkgs.fcron}/sbin/fcron -m ${toString cfg.maxSerialJobs} ${queuelen}";
serviceConfig = {
Type = "forking";
ExecStart = "${pkgs.fcron}/sbin/fcron -m ${toString cfg.maxSerialJobs} ${queuelen}";
};
};
};
}
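Review bot: The preStart on L98-L99 enables `set -x` and comments out the `fcrontab -u systab` load, so the `systab` option (defined outside the hunk) is now silently ignored while every preStart command is traced into the journal; both read as leftover debugging and should either be reverted or replaced by an explicit comment such as `# systab loading disabled until fcrontab works under the wrapper setup; cfg.systab is currently unused`. Separately, fcron.allow/deny and fcron.conf move from 0600 to 0644 (L35, L58) while `gid = config.ids.gids.fcron` is kept and the fcrontab/fcrondyn wrappers are setgid fcron, so `mode = "0640";` would satisfy the group readers without making the allow/deny user lists world-readable. The fcronsighup wrapper (L82-L85) carries only `group = "fcron"` with neither setuid nor setgid, and I cannot tell from the hunk whether that is intended, so a one-line comment stating what privilege it is meant to confer would help the next maintainer. The enclosing config attribute set starts before the hunk.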


@ -1,58 +1,61 @@
# I've only worked on this till it compiled and worked. So maybe there are some things which should be done but I've missed
# restart using 'killall -TERM fcron; fcron -b
# use convert-fcrontab to update fcrontab files
{ stdenv, fetchurl, perl, busybox, vim }:
stdenv.mkDerivation rec {
name = "fcron-3.1.2";
name = "fcron-${version}";
version = "3.2.1";
src = fetchurl {
url = "http://fcron.free.fr/archives/${name}.src.tar.gz";
sha256 = "0p8sn4m3frh2x2llafq2gbcm46rfrn6ck4qi0d0v3ql6mfx9k4hw";
sha256 = "0sjz7r050myj6zgixzx3pk5ff819v6b0zfn0q1lkd19jkaix0531";
};
buildInputs = [ perl ];
patches = [ ./relative-fcronsighup.patch ];
configureFlags =
[ "--with-sendmail=${busybox}/sbin/sendmail"
"--with-editor=${vim}/bin/vi" # TODO customizable
"--with-bootinstall=no"
"--localstatedir=/var"
"--sysconfdir=/etc"
# fcron would have been default user/grp
"--with-username=root"
"--with-groupname=root"
"--with-rootname=root"
"--with-rootgroup=root"
"--disable-checks"
];
installTargets = "install-staged"; # install does also try to change permissions of /etc/* files
preConfigure =
''
sed -i 's@/usr/bin/env perl@${perl}/bin/perl@g' configure script/*
# Don't let fcron create the group fcron, nix(os) should do this
sed -i '2s@.*@exit 0@' script/user-group
# --with-bootinstall=no shoud do this, didn't work. So just exit the script before doing anything
sed -i '2s@.*@exit 0@' script/boot-install
# fcron tries to install pid into system directory on install
installFlags = [
"ETC=."
"PIDDIR=."
"PIDFILE=fcron.pid"
"REBOOT_LOCK=fcron.reboot"
"FIFODIR=."
"FIFOFILE=fcron.fifo"
"FCRONTABS=."
];
# also don't use chown or chgrp for documentation (or whatever) when installing
find -type f | xargs sed -i -e 's@^\(\s\)*chown@\1:@' -e 's@^\(\s\)*chgrp@\1:@'
'';
preConfigure = ''
sed -i 's@/usr/bin/env perl@${perl}/bin/perl@g' configure script/*
# Don't let fcron create the group fcron, nix(os) should do this
sed -i '2s@.*@exit 0@' script/user-group
patchPhase =
''
# don't try to create /etc/fcron.{allow,deny,conf}
sed -i -e 's@test -f $(DESTDIR)$(ETC)/fcron.conf @ # @' \
-e 's@if test ! -f $(DESTDIR)$(ETC)/fcron.allow@ # @' Makefile.in
'';
# --with-bootinstall=no shoud do this, didn't work. So just exit the script before doing anything
sed -i '2s@.*@exit 0@' script/boot-install
meta = {
# also don't use chown or chgrp for documentation (or whatever) when installing
find -type f | xargs sed -i -e 's@^\(\s\)*chown@\1:@' -e 's@^\(\s\)*chgrp@\1:@'
'';
meta = with stdenv.lib; {
description="A command scheduler with extended capabilities over cron and anacron";
homepage = http://fcron.free.fr;
license = stdenv.lib.licenses.gpl2;
platforms = stdenv.lib.platforms.all;
license = licenses.gpl2;
};
}
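Review bot: The compiled-in editor on L131 stays `${vim}/bin/vi` while the module's generated fcron.conf in the same commit points at `${pkgs.vim}/bin/vim`; if the vim derivation does not ship a `vi` link, the package default is a dangling path and only deployments that use the module are unaffected. Aligning the flag to `"--with-editor=${vim}/bin/vim"` keeps both in agreement and makes the `TODO customizable` easier to resolve later by threading the editor through a function argument. The header comments on L114-L116 still describe a manual `killall -TERM fcron; fcron -b` restart while the module now manages fcron as a systemd unit (L87, L103-L106), so they could be dropped or updated alongside this bump.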


@ -0,0 +1,16 @@
Use relative fcronsighup to prefer setuid executable over package binary.
--- fcron-3.2.1.orig/fcrontab.c 2016-06-26 17:02:48.000000000 +0200
+++ fcron-3.2.1/fcrontab.c 2017-03-05 21:54:24.676871335 +0100
@@ -154,10 +154,10 @@
fcrontab_gid);
exit(ERR);
}
- execl(BINDIREX "/fcronsighup", BINDIREX "/fcronsighup", fcronconf,
+ execlp("fcronsighup", "fcronsighup", fcronconf,
NULL);
- error_e("Could not exec " BINDIREX " fcronsighup");
+ error_e("Could not exec fcronsighup");
exit(ERR);
break;
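Review bot: Replacing the absolute `execl(BINDIREX "/fcronsighup", …)` with `execlp("fcronsighup", …)` makes a privileged helper be located through the caller's PATH; from the surrounding context (`fcrontab_gid` on L195) this appears to run after fcrontab has switched to the fcron group, so which binary is executed with that group id is decided by the invoking user's environment rather than by the package. Preferring the NixOS wrapper over the store binary is better expressed as a fixed path: keep the absolute form and supply the wrapper directory at build time, e.g. `execl(WRAPPERDIR "/fcronsighup", WRAPPERDIR "/fcronsighup", fcronconf, NULL);` with `WRAPPERDIR` (a constructed name) defined via a configure flag or `-D`. If PATH lookup is kept, the patch header should at least state that fcrontab must reset PATH to a trusted value before this exec, and the new `error_e` message no longer says which path was tried, which makes failures harder to diagnose. The enclosing function starts and ends outside the hunk.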