cron: fix things (mostly about fcron)

Document PATH behavior for each crond implementation.

roles/cron/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Recompile fcron systab
+  command:
+    cmd: /usr/bin/fcrontab -z -u systab
+    removes: /var/spool/fcron/systab.orig

roles/cron/tasks/busybox.yml

@@ -1,4 +1,6 @@
 ---
+# busybox's crond already inherits PATH so no need to do anything.
+# It doesn't have allow/deny feature though
 - name: crond | Add crond service to runlevel 'default'
   service:
     name: crond

roles/cron/tasks/cronie.yml

@@ -14,7 +14,8 @@
     mode: 0644
 
 # btrbk runs btrfs command directly (without specifying /sbin prefix),
-# hence we need to inherit PATH here
+# hence we need to inherit PATH here. Also log to syslog
+# (the default PATH is /usr/local/bin:/bin:/usr/bin)
 - name: cronie | Configure command options for cronie service
   copy:
     content: |

roles/cron/tasks/fcron.yml

@@ -1,26 +1,39 @@
 ---
 - name: fcron | Install fcron package
   community.general.packaging.os.apk:
-    name: fcron
+    name: fcron, fcron-pam
     state: present
 
-- name: fcron | Deny all users except root to access crontabs
+- name: fcron | Deny all users to access crontabs
   copy:
     content: |
       all
     dest: /etc/fcron/fcron.deny
     owner: root
-    group: root
-    mode: 0644
+    group: fcron
+    mode: 0640
 
-- name: fcron | Allow {{ username }} to access crontabs
+- name: fcron | Allow {{ username }} and root to access crontabs
   copy:
     content: |
+      root
       {{ username }}
     dest: /etc/fcron/fcron.allow
     owner: root
+    group: fcron
+    mode: 0640
+
+# The default PATH is /bin:/usr/bin
+- name: fcron | Set PATH inside system crontab (systab)
+  lineinfile:
+    path: /var/spool/fcron/systab.orig
+    line: "PATH=/bin:/usr/bin:/sbin:/usr/sbin"
+    insertbefore: BOF
+    mode: 0640
+    owner: root
     group: root
-    mode: 0644
+    state: present
+  notify: Recompile fcron systab
 
 - name: fcron | Start fcron service on runlevel default
   service: