From 947815f59f59fab8405af84d0a80df99dd8d6e9d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sun, 5 Mar 2017 22:40:01 +0100 Subject: [PATCH] fcron: 3.1.2 -> 3.2.1 fixes #23320 #23413 --- nixos/modules/misc/ids.nix | 2 + nixos/modules/services/scheduling/fcron.nix | 48 ++++++++++++---- pkgs/tools/system/fcron/default.nix | 57 ++++++++++--------- .../system/fcron/relative-fcronsighup.patch | 16 ++++++ 4 files changed, 86 insertions(+), 37 deletions(-) create mode 100644 pkgs/tools/system/fcron/relative-fcronsighup.patch diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index d51b29b99dae..feecee3225be 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -288,6 +288,7 @@ kresd = 270; rpc = 271; geoip = 272; + fcron = 273; # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! @@ -545,6 +546,7 @@ kresd = 270; #rpc = 271; # unused #geoip = 272; # unused + fcron = 273; # When adding a gid, make sure it doesn't match an existing # uid. Users and groups with the same name should have equal diff --git a/nixos/modules/services/scheduling/fcron.nix b/nixos/modules/services/scheduling/fcron.nix index e4ada2768715..bd1ecb40969b 100644 --- a/nixos/modules/services/scheduling/fcron.nix +++ b/nixos/modules/services/scheduling/fcron.nix @@ -23,7 +23,8 @@ let allowdeny = target: users: { source = pkgs.writeText "fcron.${target}" (concatStringsSep "\n" users); target = "fcron.${target}"; - mode = "600"; # fcron has some security issues.. So I guess this is most safe + mode = "644"; + gid = config.ids.gids.fcron; }; in @@ -89,7 +90,7 @@ in [ (allowdeny "allow" (cfg.allow)) (allowdeny "deny" cfg.deny) # see man 5 fcron.conf - { source = pkgs.writeText "fcon.conf" '' + { source = pkgs.writeText "fcron.conf" '' fcrontabs = /var/spool/fcron pidfile = /var/run/fcron.pid fifofile = /var/run/fcron.fifo 
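Review bot: In the `allowdeny` hunk the fcron.allow/fcron.deny files go from `600` to `644`, which makes the list of accounts permitted or refused access to fcron readable by every local user, while the `gid = config.ids.gids.fcron;` added on the next line already gives the setgid `fcrontab` helper group access; `mode = "640";` would let the helper read them without exposing the lists to the world. The removed comment recorded why the stricter mode was chosen, so a one-line replacement such as `# group-readable: fcrontab/fcrondyn run setgid fcron and need these` would keep that rationale next to the new value. The daemon itself appears to run as root (no `User=` is visible in the service), so the helpers look like the only non-root readers, but confirm that before tightening.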
@@ -97,16 +98,40 @@ in fcrondeny = /etc/fcron.deny shell = /bin/sh sendmail = /run/wrappers/bin/sendmail - editor = /run/current-system/sw/bin/vi + editor = ${pkgs.vim}/bin/vim ''; target = "fcron.conf"; - mode = "0600"; # max allowed is 644 + gid = config.ids.gids.fcron; + mode = "0644"; } ]; environment.systemPackages = [ pkgs.fcron ]; + users.extraUsers.fcron = { + uid = config.ids.uids.fcron; + home = "/var/spool/fcron"; + group = "fcron"; + }; + users.groups.fcron.gid = config.ids.gids.fcron; - security.wrappers.fcrontab.source = "${pkgs.fcron.out}/bin/fcrontab"; + security.wrappers = { + fcrontab = { + source = "${pkgs.fcron}/bin/fcrontab"; + owner = "fcron"; + group = "fcron"; + setgid = true; + }; + fcrondyn = { + source = "${pkgs.fcron}/bin/fcrondyn"; + owner = "fcron"; + group = "fcron"; + setgid = true; + }; + fcronsighup = { + source = "${pkgs.fcron}/bin/fcronsighup"; + group = "fcron"; + }; + }; systemd.services.fcron = { description = "fcron daemon"; after = [ "local-fs.target" ]; @@ -118,14 +143,17 @@ in }; preStart = '' - ${pkgs.coreutils}/bin/mkdir -m 0700 -p /var/spool/fcron + ${pkgs.coreutils}/bin/mkdir -m 0770 -p /var/spool/fcron + ${pkgs.coreutils}/bin/chown -R fcron:fcron /var/spool/fcron # load system crontab file - ${pkgs.fcron}/bin/fcrontab -u systab ${pkgs.writeText "systab" cfg.systab} + set -x + #${pkgs.fcron}/bin/fcrontab -u systab ${pkgs.writeText "systab" cfg.systab} ''; - serviceConfig.Type = "forking"; - - script = "${pkgs.fcron}/sbin/fcron -m ${toString cfg.maxSerialJobs} ${queuelen}"; + serviceConfig = { + Type = "forking"; + ExecStart = "${pkgs.fcron}/sbin/fcron -m ${toString cfg.maxSerialJobs} ${queuelen}"; + }; }; }; } diff --git a/pkgs/tools/system/fcron/default.nix b/pkgs/tools/system/fcron/default.nix index f546cd8f5ffc..ec52b5b3db8e 100644 --- a/pkgs/tools/system/fcron/default.nix +++ b/pkgs/tools/system/fcron/default.nix 
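Review bot: The `fcronsighup` wrapper added in this hunk sets only `group = "fcron"` and requests neither `setuid` nor an `owner`, yet the relative-fcronsighup.patch introduced by this same commit says its purpose is to "prefer setuid executable over package binary". fcronsighup exists to signal the daemon, which this unit starts as root, so a wrapper with no set-id bit presumably cannot deliver that signal for an unprivileged caller; unless the wrappers module defaults to something stronger than I expect, this wants `owner = "root"; group = "root"; setuid = true;` or a comment explaining how the signal reaches the daemon without it. The `fcrontab` and `fcrondyn` entries would likewise benefit from a one-line comment each stating why setgid fcron is the privilege they need (the spool is created `0770 fcron:fcron` in the following hunk, which is presumably the reason), since these are the only set-id binaries the module installs.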
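Review bot: In the `preStart` hunk the `fcrontab -u systab` invocation is commented out and a bare `set -x` is added in its place, so the `cfg.systab` option silently stops having any effect and every service start traces its shell commands into the journal. If loading the system crontab does not work with 3.2.1 yet, say so where the option is defined and here (`# TODO: systab loading disabled, fcrontab -u systab fails with 3.2.1`) rather than leaving a commented-out command, and drop the `set -x`, which reads as a debugging leftover. The unconditional `chown -R fcron:fcron /var/spool/fcron` on every start also re-owns whatever is already in the spool; if it is there to migrate spools created by the previous root-owned layout, a comment to that effect (`# migrate spool entries created by the pre-3.2 root-owned layout`) would stop a later reader from removing it.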
@@ -1,58 +1,61 @@ -# I've only worked on this till it compiled and worked. So maybe there are some things which should be done but I've missed # restart using 'killall -TERM fcron; fcron -b # use convert-fcrontab to update fcrontab files { stdenv, fetchurl, perl, busybox, vim }: stdenv.mkDerivation rec { - name = "fcron-3.1.2"; + name = "fcron-${version}"; + version = "3.2.1"; src = fetchurl { url = "http://fcron.free.fr/archives/${name}.src.tar.gz"; - sha256 = "0p8sn4m3frh2x2llafq2gbcm46rfrn6ck4qi0d0v3ql6mfx9k4hw"; + sha256 = "0sjz7r050myj6zgixzx3pk5ff819v6b0zfn0q1lkd19jkaix0531"; }; buildInputs = [ perl ]; + patches = [ ./relative-fcronsighup.patch ]; + configureFlags = [ "--with-sendmail=${busybox}/sbin/sendmail" "--with-editor=${vim}/bin/vi" # TODO customizable "--with-bootinstall=no" + "--localstatedir=/var" "--sysconfdir=/etc" - # fcron would have been default user/grp - "--with-username=root" - "--with-groupname=root" "--with-rootname=root" "--with-rootgroup=root" "--disable-checks" ]; - + installTargets = "install-staged"; # install does also try to change permissions of /etc/* files - - preConfigure = - '' - sed -i 's@/usr/bin/env perl@${perl}/bin/perl@g' configure script/* - # Don't let fcron create the group fcron, nix(os) should do this - sed -i '2s@.*@exit 0@' script/user-group - # --with-bootinstall=no shoud do this, didn't work. So just exit the script before doing anything - sed -i '2s@.*@exit 0@' script/boot-install + # fcron tries to install pid into system directory on install + installFlags = [ + "ETC=." + "PIDDIR=." + "PIDFILE=fcron.pid" + "REBOOT_LOCK=fcron.reboot" + "FIFODIR=." + "FIFOFILE=fcron.fifo" + "FCRONTABS=." 
+ ]; - # also don't use chown or chgrp for documentation (or whatever) when installing - find -type f | xargs sed -i -e 's@^\(\s\)*chown@\1:@' -e 's@^\(\s\)*chgrp@\1:@' - ''; + preConfigure = '' + sed -i 's@/usr/bin/env perl@${perl}/bin/perl@g' configure script/* + # Don't let fcron create the group fcron, nix(os) should do this + sed -i '2s@.*@exit 0@' script/user-group - patchPhase = - '' - # don't try to create /etc/fcron.{allow,deny,conf} - sed -i -e 's@test -f $(DESTDIR)$(ETC)/fcron.conf @ # @' \ - -e 's@if test ! -f $(DESTDIR)$(ETC)/fcron.allow@ # @' Makefile.in - ''; + # --with-bootinstall=no shoud do this, didn't work. So just exit the script before doing anything + sed -i '2s@.*@exit 0@' script/boot-install - meta = { + # also don't use chown or chgrp for documentation (or whatever) when installing + find -type f | xargs sed -i -e 's@^\(\s\)*chown@\1:@' -e 's@^\(\s\)*chgrp@\1:@' + ''; + + meta = with stdenv.lib; { description="A command scheduler with extended capabilities over cron and anacron"; homepage = http://fcron.free.fr; - license = stdenv.lib.licenses.gpl2; - platforms = stdenv.lib.platforms.all; + license = licenses.gpl2; + }; } diff --git a/pkgs/tools/system/fcron/relative-fcronsighup.patch b/pkgs/tools/system/fcron/relative-fcronsighup.patch new file mode 100644 index 000000000000..c0bbfc1ee3ef --- /dev/null +++ b/pkgs/tools/system/fcron/relative-fcronsighup.patch @@ -0,0 +1,16 @@ +Use relative fcronsighup to prefer setuid executable over package binary. +--- fcron-3.2.1.orig/fcrontab.c 2016-06-26 17:02:48.000000000 +0200 ++++ fcron-3.2.1/fcrontab.c 2017-03-05 21:54:24.676871335 +0100 +@@ -154,10 +154,10 @@ + fcrontab_gid); + exit(ERR); + } +- execl(BINDIREX "/fcronsighup", BINDIREX "/fcronsighup", fcronconf, ++ execlp("fcronsighup", "fcronsighup", fcronconf, + NULL); + +- error_e("Could not exec " BINDIREX " fcronsighup"); ++ error_e("Could not exec fcronsighup"); + exit(ERR); + break; +
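Review bot: `"--disable-checks"` survives the default.nix hunk as a context line while the file layout it protects changes around it: the spool becomes a group-writable `0770 fcron:fcron` directory and the config files become `0644` in the module. If I read fcron's configure right, that flag turns off the ownership/permission checks fcron performs on its spool and config files before trusting them, which mattered less when everything was root-owned `0600` but is now the remaining guard against a wrongly-permissioned spool entry being run by a root daemon; either drop the flag and see whether the staged install still passes, or add `# --disable-checks: <reason> — fcron otherwise refuses files it did not install itself` so the trade-off is recorded. The `meta` block also loses `platforms`, which probably hides the package from Hydra; if intentional, a word in the commit message would help.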
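Review bot: Replacing `execl(BINDIREX "/fcronsighup", ...)` with `execlp("fcronsighup", ...)` makes a privileged helper resolve its child through the caller's `PATH`; the module in this same commit installs fcrontab setgid fcron, and the context line `fcrontab_gid);` suggests the group has just been switched before this exec, so the program that ends up running is chosen by an environment the invoking user controls, while the wrapper location on NixOS is fixed. The module already hard-codes that location for sendmail, so the "prefer the setuid wrapper" intent can be kept without a search-path lookup: `execl("/run/wrappers/bin/fcronsighup", "fcronsighup", fcronconf, NULL);` (or substitute the directory at build time) with the `error_e` string adjusted to match. The enclosing fork/exec function starts and ends outside the hunk, so whether privileges are dropped further before this point is not visible here.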