diff options
author | rnhmjoj <rnhmjoj@inventati.org> | 2021-09-12 18:53:48 +0200 |
---|---|---|
committer | rnhmjoj <rnhmjoj@inventati.org> | 2021-09-13 13:48:13 +0200 |
commit | fedd7cd6901646cb7e2a94a148d300f7b632d7e0 (patch) | |
tree | 14b7af8318d75536656849335e20c51cdfdf3447 /nixos/modules/services/scheduling/cron.nix | |
parent | 8f76a6eefcfa0c9904e0749f04b27090527ce09f (diff) |
nixos: explicitely set security.wrappers ownership
This is slightly more verbose and inconvenient, but it forces you
to think about what the wrapper ownership and permissions will be.
Diffstat (limited to 'nixos/modules/services/scheduling/cron.nix')
-rw-r--r-- | nixos/modules/services/scheduling/cron.nix | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/nixos/modules/services/scheduling/cron.nix b/nixos/modules/services/scheduling/cron.nix index 3bc31832946b..c28956b3bfeb 100644 --- a/nixos/modules/services/scheduling/cron.nix +++ b/nixos/modules/services/scheduling/cron.nix @@ -93,7 +93,12 @@ in { services.cron.enable = mkDefault (allFiles != []); } (mkIf (config.services.cron.enable) { - security.wrappers.crontab.source = "${cronNixosPkg}/bin/crontab"; + security.wrappers.crontab = + { setuid = true; + owner = "root"; + group = "root"; + source = "${cronNixosPkg}/bin/crontab"; + }; environment.systemPackages = [ cronNixosPkg ]; environment.etc.crontab = { source = pkgs.runCommand "crontabs" { inherit allFiles; preferLocalBuild = true; } |