From d603484180707a10915cbf0bb1ea45b31f8b7f30 Mon Sep 17 00:00:00 2001
From: Sander van der Burg <svanderburg@gmail.com>
Date: Sun, 4 Apr 2021 14:52:49 +0200
Subject: [PATCH] Make fcron work for any unprivileged user

---
 example-deployments/services/processes.nix | 4 +++-
 services-agnostic/constructors.nix         | 6 ++++--
 services-agnostic/fcron/declarative.nix    | 6 ++----
 services-agnostic/fcron/default.nix        | 4 ++--
 tests/fcron/processes.nix                  | 4 +++-
 5 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/example-deployments/services/processes.nix b/example-deployments/services/processes.nix
index 1b9d055..ca2c437 100644
--- a/example-deployments/services/processes.nix
+++ b/example-deployments/services/processes.nix
@@ -8,6 +8,8 @@
 , libDir ? "${stateDir}/lib"
 , tmpDir ? (if stateDir == "/var" then "/tmp" else "${stateDir}/tmp")
 , forceDisableUserChange ? false
+, callingUser ? null
+, callingGroup ? null
 , processManager
 }:
 
@@ -15,7 +17,7 @@ let
   ids = if builtins.pathExists ./ids.nix then (import ./ids.nix).ids else {};
 
   constructors = import ../../services-agnostic/constructors.nix {
-    inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir libDir forceDisableUserChange processManager ids;
+    inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir libDir forceDisableUserChange callingUser callingGroup processManager ids;
   };
 in
 rec {
diff --git a/services-agnostic/constructors.nix b/services-agnostic/constructors.nix
index aa4c5db..67c25ea 100644
--- a/services-agnostic/constructors.nix
+++ b/services-agnostic/constructors.nix
@@ -8,6 +8,8 @@
 , libDir
 , tmpDir
 , forceDisableUserChange
+, callingUser ? null
+, callingGroup ? null
 , processManager
 , ids ? {}
 }:
@@ -68,12 +70,12 @@ in
   };
 
   fcron = import ./fcron {
-    inherit createManagedProcess stateDir spoolDir runtimeDir tmpDir forceDisableUserChange;
+    inherit createManagedProcess stateDir spoolDir runtimeDir tmpDir forceDisableUserChange callingUser callingGroup;
     inherit (pkgs) lib writeTextFile fcron;
   };
 
   declarativeFcron = import ./fcron/declarative.nix {
-    inherit createManagedProcess stateDir spoolDir runtimeDir tmpDir forceDisableUserChange;
+    inherit createManagedProcess stateDir spoolDir runtimeDir tmpDir forceDisableUserChange callingUser callingGroup;
     inherit (pkgs) lib writeTextFile fcron utillinux;
   };
 
diff --git a/services-agnostic/fcron/declarative.nix b/services-agnostic/fcron/declarative.nix
index 6ba05b2..ab4ea78 100644
--- a/services-agnostic/fcron/declarative.nix
+++ b/services-agnostic/fcron/declarative.nix
@@ -1,4 +1,4 @@
-{createManagedProcess, writeTextFile, lib, fcron, utillinux, stateDir, runtimeDir, tmpDir, spoolDir, forceDisableUserChange}:
+{createManagedProcess, writeTextFile, lib, fcron, utillinux, stateDir, runtimeDir, tmpDir, spoolDir, forceDisableUserChange, callingUser, callingGroup}:
 
 { instanceSuffix ? ""
 , instanceName ? "fcron${instanceSuffix}"
@@ -11,7 +11,7 @@ let
   fcronEtcDir = "${stateDir}/etc/${instanceName}";
 in
 import ./default.nix {
-  inherit createManagedProcess writeTextFile lib fcron stateDir runtimeDir tmpDir spoolDir forceDisableUserChange;
+  inherit createManagedProcess writeTextFile lib fcron stateDir runtimeDir tmpDir spoolDir forceDisableUserChange callingUser callingGroup;
 } {
   inherit instanceSuffix instanceName;
 
@@ -26,8 +26,6 @@ import ./default.nix {
       in
       ''
         cp ${fcrontabFile} ${fcronSpoolDir}/${user}.orig
-      ''
-      + ''
         ${lib.optionalString (!forceDisableUserChange) "${utillinux}/bin/runuser -u root -g ${instanceName} --"} fcrontab -c ${fcronEtcDir}/fcron.conf -u systab -z
       ''
     ) (builtins.attrNames fcrontabPerUser)
diff --git a/services-agnostic/fcron/default.nix b/services-agnostic/fcron/default.nix
index 0b1b3ee..76a287f 100644
--- a/services-agnostic/fcron/default.nix
+++ b/services-agnostic/fcron/default.nix
@@ -1,4 +1,4 @@
-{createManagedProcess, writeTextFile, lib, fcron, stateDir, runtimeDir, tmpDir, spoolDir, forceDisableUserChange}:
+{createManagedProcess, writeTextFile, lib, fcron, stateDir, runtimeDir, tmpDir, spoolDir, forceDisableUserChange, callingUser, callingGroup}:
 {instanceSuffix ? "", instanceName ? "fcron${instanceSuffix}", initialize ? ""}:
 
 let
@@ -26,7 +26,7 @@ let
   fcronPkg =
     if forceDisableUserChange then fcron.overrideAttrs (originalAttrs:
       originalAttrs // {
-        configureFlags = originalAttrs.configureFlags ++ [ "--with-run-non-privileged" "--with-rootname=unprivileged" "--with-rootgroup=users" "--with-username=unprivileged" "--with-groupname=users" ];
+        configureFlags = originalAttrs.configureFlags ++ [ "--with-run-non-privileged" "--with-rootname=${callingUser}" "--with-rootgroup=${callingGroup}" "--with-username=${callingUser}" "--with-groupname=${callingGroup}" ];
       }
     )
     else if user != "fcron" || group != "fcron" then fcron.overrideAttrs (originalAttrs:
diff --git a/tests/fcron/processes.nix b/tests/fcron/processes.nix
index 2b35227..330e09f 100644
--- a/tests/fcron/processes.nix
+++ b/tests/fcron/processes.nix
@@ -8,12 +8,14 @@
 , libDir ? "${stateDir}/lib"
 , tmpDir ? (if stateDir == "/var" then "/tmp" else "${stateDir}/tmp")
 , forceDisableUserChange ? false
+, callingUser ? null
+, callingGroup ? null
 , processManager
 }:
 
 let
   constructors = import ../../services-agnostic/constructors.nix {
-    inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir libDir spoolDir forceDisableUserChange processManager;
+    inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir libDir spoolDir forceDisableUserChange callingUser callingGroup processManager;
   };
 in
 rec {