authorrnhmjoj <rnhmjoj@inventati.org>2021-09-12 18:53:48 +0200
committerrnhmjoj <rnhmjoj@inventati.org>2021-09-13 13:48:13 +0200
commitfedd7cd6901646cb7e2a94a148d300f7b632d7e0 (patch)
tree14b7af8318d75536656849335e20c51cdfdf3447 /nixos/modules/services/scheduling/cron.nix
parent8f76a6eefcfa0c9904e0749f04b27090527ce09f (diff)
nixos: explicitely set security.wrappers ownership
This is slightly more verbose and inconvenient, but it forces you to think about what the wrapper ownership and permissions will be.
Diffstat (limited to 'nixos/modules/services/scheduling/cron.nix')
-rw-r--r--nixos/modules/services/scheduling/cron.nix7
1 files changed, 6 insertions, 1 deletions
diff --git a/nixos/modules/services/scheduling/cron.nix b/nixos/modules/services/scheduling/cron.nix
index 3bc31832946b..c28956b3bfeb 100644
--- a/nixos/modules/services/scheduling/cron.nix
+++ b/nixos/modules/services/scheduling/cron.nix
@@ -93,7 +93,12 @@ in
{ services.cron.enable = mkDefault (allFiles != []); }
(mkIf (config.services.cron.enable) {
- security.wrappers.crontab.source = "${cronNixosPkg}/bin/crontab";
+ security.wrappers.crontab =
+ { setuid = true;
+ owner = "root";
+ group = "root";
+ source = "${cronNixosPkg}/bin/crontab";
+ };
environment.systemPackages = [ cronNixosPkg ];
environment.etc.crontab =
{ source = pkgs.runCommand "crontabs" { inherit allFiles; preferLocalBuild = true; }
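Review bot: The new `security.wrappers.crontab` attrset grants setuid root without a comment saying why, and it leaves `permissions` at the module default, so the intended audience of the wrapper is implicit. Since the commit's stated purpose is to make ownership and permissions a deliberate choice, I would add a line above `setuid = true;` such as `# crontab must write per-user tables into the root-owned spool, hence setuid root; runnable by all users on purpose`. The spool ownership is not visible in this hunk, so confirm it before asserting it in the comment. If the packaged cron supports a dedicated spool group, a setgid wrapper with a non-root `group` would be the lower-privilege choice and is worth considering in a follow-up. The `mkIf` block continues past the end of the hunk.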