security revision 1.36
1 #!/bin/sh - 2 # 3 # $NetBSD: security,v 1.36 1999/03/17 02:58:11 wrstuden Exp $ 4 # from: @(#)security 8.1 (Berkeley) 6/9/93 5 # 6 7 PATH=/sbin:/usr/sbin:/bin:/usr/bin 8 9 if [ -f /etc/rc.subr ]; then 10 . /etc/rc.subr 11 else 12 echo "Can't read /etc/rc.subr; aborting." 13 exit 1; 14 fi 15 16 umask 077 17 18 if [ -s /etc/security.conf ]; then 19 . /etc/security.conf 20 fi 21 22 SECUREDIR=/tmp/_securedir.$$ 23 if ! mkdir $SECUREDIR; then 24 echo can not create $SECUREDIR. 25 exit 1 26 fi 27 28 if ! cd $SECUREDIR; then 29 echo can not chdir to $SECUREDIR. 30 exit 1 31 fi 32 33 if [ -z "$max_loginlen" ];then 34 max_loginlen=8 35 fi 36 37 ERR=secure1.$$ 38 TMP1=secure2.$$ 39 TMP2=secure3.$$ 40 MPBYUID=secure4.$$ 41 MPBYPATH=secure5.$$ 42 LIST=secure6.$$ 43 OUTPUT=secure7.$$ 44 LABELS=secure8.$$ 45 46 trap '/bin/rm -rf $SECUREDIR ; exit 0' 0 2 3 47 48 MP=/etc/master.passwd 49 50 # these is used several times. 51 awk -F: '!/^+/ { print $1 " " $3 }' $MP | sort -k2n > $MPBYUID 52 awk -F: '{ print $1 " " $9 }' $MP | sort -k2 > $MPBYPATH 53 54 # Check the master password file syntax. 55 # 56 if checkyesno check_passwd; then 57 awk -v "len=$max_loginlen" ' 58 BEGIN { 59 while ( getline < "/etc/shells" > 0 ) { 60 if ($LINE ~ /^\#/ || $LINE ~ /^$/ ) 61 continue; 62 shells[$1]++; 63 } 64 FS=":"; 65 } 66 67 { 68 if ($0 ~ /^[ ]*$/) { 69 printf "Line %d is a blank line.\n", NR; 70 next; 71 } 72 if (NF != 10 && ($1 != "+" || NF != 1)) 73 printf "Line %d has the wrong number of fields.\n", NR; 74 if ($1 == "+" ) { 75 if (NF != 1 && $3 == 0) 76 printf "Line %d includes entries with uid 0.\n", NR; 77 next; 78 } 79 if ($1 !~ /^[A-Za-z0-9]*$/) 80 printf "Login %s has non-alphanumeric characters.\n", 81 $1; 82 if (length($1) > len) 83 printf "Login %s has more than "len" characters.\n", $1; 84 if ($2 == "") 85 printf "Login %s has no password.\n", $1; 86 if (length($2) != 13 && length($2) != 20 && $2 != "") { 87 if ($10 == "" || shells[$10]) 88 printf "Login %s is off but still has a valid shell (%s)\n", 89 $1, $10; 90 } else if (! shells[$10]) 91 printf "Login %s does not have a valid shell (%s)\n", 92 $1, $10; 93 if ($3 == 0 && $1 != "root" && $1 != "toor") 94 printf "Login %s has a user id of 0.\n", $1; 95 if ($3 < 0) 96 printf "Login %s has a negative user id.\n", $1; 97 if ($4 < 0) 98 printf "Login %s has a negative group id.\n", $1; 99 }' < $MP > $OUTPUT 100 if [ -s $OUTPUT ] ; then 101 printf "\nChecking the $MP file:\n" 102 cat $OUTPUT 103 fi 104 105 awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT 106 if [ -s $OUTPUT ] ; then 107 printf "\n$MP has duplicate user names.\n" 108 column $OUTPUT 109 fi 110 111 # the corner case of a "toor " account is caught in the invalid character 112 # test above. 113 < $MPBYUID egrep -v '^toor ' | uniq -d -f 1 | awk '{ print $2 }' > $TMP2 114 if [ -s $TMP2 ] ; then 115 printf "\n$MP has duplicate user id's.\n" 116 while read uid; do 117 grep -w $uid $MPBYUID 118 done < $TMP2 | column 119 fi 120 fi 121 122 # Backup the master password file; a special case, the normal backup 123 # mechanisms also print out file differences and we don't want to do 124 # that because this file has encrypted passwords in it. 125 # 126 CUR=/var/backups/`basename $MP`.current 127 BACK=/var/backups/`basename $MP`.backup 128 if [ -s $CUR ] ; then 129 if cmp -s $CUR $MP; then 130 : 131 else 132 cp -p $CUR $BACK 133 cp -p $MP $CUR 134 chown root.wheel $CUR 135 fi 136 else 137 cp -p $MP $CUR 138 chown root.wheel $CUR 139 fi 140 141 # Check the group file syntax. 142 # 143 if checkyesno check_group; then 144 GRP=/etc/group 145 awk -F: '{ 146 if ($0 ~ /^[ ]*$/) { 147 printf "Line %d is a blank line.\n", NR; 148 next; 149 } 150 if (NF != 4 && ($1 != "+" || NF != 1)) 151 printf "Line %d has the wrong number of fields.\n", NR; 152 if ($1 == "+" ) { 153 next; 154 } 155 if ($1 !~ /^[A-za-z0-9]*$/) 156 printf "Group %s has non-alphanumeric characters.\n", 157 $1; 158 if (length($1) > 8) 159 printf "Group %s has more than 8 characters.\n", $1; 160 if ($3 !~ /[0-9]*/) 161 printf "Login %s has a negative group id.\n", $1; 162 }' < $GRP > $OUTPUT 163 if [ -s $OUTPUT ] ; then 164 printf "\nChecking the $GRP file:\n" 165 cat $OUTPUT 166 fi 167 168 awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT 169 if [ -s $OUTPUT ] ; then 170 printf "\n$GRP has duplicate group names.\n" 171 column $OUTPUT 172 fi 173 fi 174 175 # Check for root paths, umask values in startup files. 176 # The check for the root paths is problematical -- it's likely to fail 177 # in other environments. Once the shells have been modified to warn 178 # of '.' in the path, the path tests should go away. 179 # 180 if checkyesno check_rootdotfiles; then 181 > $OUTPUT 182 rhome=`csh -fc "echo ~root"` 183 umaskset=no 184 list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login" 185 for i in $list ; do 186 if [ -f $i ] ; then 187 if egrep umask $i > /dev/null ; then 188 umaskset=yes 189 fi 190 egrep umask $i | 191 awk '$2 % 100 < 20 \ 192 { print "\tRoot umask is group writeable" } 193 $2 % 10 < 2 \ 194 { print "\tRoot umask is other writeable" }' \ 195 >> $OUTPUT 196 SAVE_PATH=$PATH 197 unset PATH 198 /bin/csh -f -s << end-of-csh > /dev/null 2>&1 199 source $i 200 /bin/ls -ldgT \$path > $TMP1 201 end-of-csh 202 PATH=$SAVE_PATH 203 awk '{ 204 if ($10 ~ /^\.$/) { 205 print "\tThe root path includes ."; 206 next; 207 } 208 } 209 $1 ~ /^d....w/ \ 210 { print "\tRoot path directory " $10 " is group writeable." } \ 211 $1 ~ /^d.......w/ \ 212 { print "\tRoot path directory " $10 " is other writeable." }' \ 213 < $TMP1 >> $OUTPUT 214 fi 215 done 216 if [ $umaskset = "no" -o -s $OUTPUT ] ; then 217 printf "\nChecking root csh paths, umask values:\n$list\n\n" 218 if [ -s $OUTPUT ]; then 219 cat $OUTPUT 220 fi 221 if [ $umaskset = "no" ] ; then 222 printf "\tRoot csh startup files do not set the umask.\n" 223 fi 224 fi 225 226 > $OUTPUT 227 rhome=/root 228 umaskset=no 229 list="/etc/profile ${rhome}/.profile" 230 for i in $list; do 231 if [ -f $i ] ; then 232 if egrep umask $i > /dev/null ; then 233 umaskset=yes 234 fi 235 egrep umask $i | 236 awk '$2 % 100 < 20 \ 237 { print "\tRoot umask is group writeable" } \ 238 $2 % 10 < 2 \ 239 { print "\tRoot umask is other writeable" }' \ 240 >> $OUTPUT 241 SAVE_PATH=$PATH 242 unset PATH 243 /bin/sh << end-of-sh > /dev/null 2>&1 244 . $i 245 list=\`echo \$PATH | /usr/bin/sed -e \ 246 's/^:/.:/;s/:$/:./;s/::/:.:/g;s/:/ /g'\` 247 /bin/ls -ldgT \$list > $TMP1 248 end-of-sh 249 PATH=$SAVE_PATH 250 awk '{ 251 if ($10 ~ /^\.$/) { 252 print "\tThe root path includes ."; 253 next; 254 } 255 } 256 $1 ~ /^d....w/ \ 257 { print "\tRoot path directory " $10 " is group writeable." } \ 258 $1 ~ /^d.......w/ \ 259 { print "\tRoot path directory " $10 " is other writeable." }' \ 260 < $TMP1 >> $OUTPUT 261 262 fi 263 done 264 if [ $umaskset = "no" -o -s $OUTPUT ] ; then 265 printf "\nChecking root sh paths, umask values:\n$list\n" 266 if [ -s $OUTPUT ]; then 267 cat $OUTPUT 268 fi 269 if [ $umaskset = "no" ] ; then 270 printf "\tRoot sh startup files do not set the umask.\n" 271 fi 272 fi 273 fi 274 275 # Root and uucp should both be in /etc/ftpusers. 276 # 277 if checkyesno check_ftpusers; then 278 > $OUTPUT 279 list="uucp "`awk '$2 == 0 { print $1 }' $MPBYUID` 280 for i in $list; do 281 if /usr/libexec/ftpd -C $i ; then 282 printf "\t$i is not denied\n" >> $OUTPUT 283 fi 284 done 285 if [ -s $OUTPUT ]; then 286 printf "\nChecking the /etc/ftpusers configuration:\n" 287 cat $OUTPUT 288 fi 289 fi 290 291 # Uudecode should not be in the /etc/aliases file. 292 # 293 if checkyesno check_aliases; then 294 if egrep '^[^#]*(uudecode|decode).*\|' /etc/aliases; then 295 printf "\nEntry for uudecode in /etc/aliases file.\n" 296 fi 297 fi 298 299 # Files that should not have + signs. 300 # 301 if checkyesno check_rhosts; then 302 list="/etc/hosts.equiv /etc/hosts.lpd" 303 for f in $list ; do 304 if [ -f $f ] && egrep '\+' $f > /dev/null ; then 305 printf "\nPlus sign in $f file.\n" 306 fi 307 done 308 309 # Check for special users with .rhosts files. Only root and toor should 310 # have .rhosts files. Also, .rhosts files should not have plus signs. 311 awk -F: '$1 != "root" && $1 != "toor" && \ 312 ($3 < 100 || $1 == "ftp" || $1 == "uucp") \ 313 { print $1 " " $9 }' $MP | 314 sort -k2 | 315 while read uid homedir; do 316 if [ -f ${homedir}/.rhosts ] ; then 317 rhost=`ls -ldgT ${homedir}/.rhosts` 318 printf "$uid: $rhost\n" 319 fi 320 done > $OUTPUT 321 if [ -s $OUTPUT ] ; then 322 printf "\nChecking for special users with .rhosts files.\n" 323 cat $OUTPUT 324 fi 325 326 while read uid homedir; do 327 if [ -f ${homedir}/.rhosts -a -r ${homedir}/.rhosts ] && \ 328 egrep '\+' ${homedir}/.rhosts > /dev/null ; then 329 printf "$uid: + in .rhosts file.\n" 330 fi 331 done < $MPBYPATH > $OUTPUT 332 if [ -s $OUTPUT ] ; then 333 printf "\nChecking .rhosts files syntax.\n" 334 cat $OUTPUT 335 fi 336 fi 337 338 # Check home directories. Directories should not be owned by someone else 339 # or writeable. 340 # 341 if checkyesno check_homes; then 342 while read uid homedir; do 343 if [ -d ${homedir}/ ] ; then 344 file=`ls -ldgT ${homedir}` 345 printf "$uid $file\n" 346 fi 347 done < $MPBYPATH | 348 awk '$1 != $4 && $4 != "root" \ 349 { print "user " $1 " home directory is owned by " $4 } 350 $2 ~ /^-....w/ \ 351 { print "user " $1 " home directory is group writeable" } 352 $2 ~ /^-.......w/ \ 353 { print "user " $1 " home directory is other writeable" }' \ 354 > $OUTPUT 355 if [ -s $OUTPUT ] ; then 356 printf "\nChecking home directories.\n" 357 cat $OUTPUT 358 fi 359 360 # Files that should not be owned by someone else or readable. 361 list=".Xauthority .netrc" 362 while read uid homedir; do 363 for f in $list ; do 364 file=${homedir}/${f} 365 if [ -f $file ] ; then 366 printf "$uid $f `ls -ldgT $file`\n" 367 fi 368 done 369 done < $MPBYPATH | 370 awk '$1 != $5 && $5 != "root" \ 371 { print "user " $1 " " $2 " file is owned by " $5 } 372 $3 ~ /^-...r/ \ 373 { print "user " $1 " " $2 " file is group readable" } 374 $3 ~ /^-......r/ \ 375 { print "user " $1 " " $2 " file is other readable" } 376 $3 ~ /^-....w/ \ 377 { print "user " $1 " " $2 " file is group writeable" } 378 $3 ~ /^-.......w/ \ 379 { print "user " $1 " " $2 " file is other writeable" }' \ 380 > $OUTPUT 381 382 # Files that should not be owned by someone else or writeable. 383 list=".bash_history .bash_login .bash_logout .bash_profile .bashrc \ 384 .cshrc .emacs .exrc .forward .history .klogin .login .logout \ 385 .profile .qmail .rc_history .rhosts .tcshrc .twmrc .xinitrc \ 386 .xsession" 387 while read uid homedir; do 388 for f in $list ; do 389 file=${homedir}/${f} 390 if [ -f $file ] ; then 391 printf "$uid $f `ls -ldgT $file`\n" 392 fi 393 done 394 done < $MPBYPATH | 395 awk '$1 != $5 && $5 != "root" \ 396 { print "user " $1 " " $2 " file is owned by " $5 } 397 $3 ~ /^-....w/ \ 398 { print "user " $1 " " $2 " file is group writeable" } 399 $3 ~ /^-.......w/ \ 400 { print "user " $1 " " $2 " file is other writeable" }' \ 401 >> $OUTPUT 402 if [ -s $OUTPUT ] ; then 403 printf "\nChecking dot files.\n" 404 cat $OUTPUT 405 fi 406 fi 407 408 # Mailboxes should be owned by user and unreadable. 409 # 410 if checkyesno check_varmail; then 411 ls -l /var/mail | sed 1d | \ 412 awk '$3 != $9 \ 413 { print "user " $9 " mailbox is owned by " $3 } 414 $1 != "-rw-------" \ 415 { print "user " $9 " mailbox is " $1 ", group " $4 }' > $OUTPUT 416 if [ -s $OUTPUT ] ; then 417 printf "\nChecking mailbox ownership.\n" 418 cat $OUTPUT 419 fi 420 fi 421 422 # NFS exports shouldn't be globally exported 423 # 424 if checkyesno check_nfs && [ -f /etc/exports ]; then 425 awk '{ 426 # ignore comments and blank lines 427 if ($LINE ~ /^\#/ || $LINE ~ /^$/ ) 428 next; 429 430 readonly = 0; 431 for (i = 2; i <= NF; ++i) { 432 if ($i ~ /-ro/) 433 readonly = 1; 434 else if ($i !~ /^-/) 435 next; 436 } 437 if (readonly) 438 print "File system " $1 " globally exported, read-only." 439 else 440 print "File system " $1 " globally exported, read-write." 441 }' < /etc/exports > $OUTPUT 442 if [ -s $OUTPUT ] ; then 443 printf "\nChecking for globally exported file systems.\n" 444 cat $OUTPUT 445 fi 446 fi 447 448 # Display any changes in setuid files and devices. 449 # 450 if checkyesno check_devices; then 451 > $ERR 452 (find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \ 453 -o -fstype procfs \) -a -prune -o \ 454 \( \( -perm -u+s -a ! -type d \) -o \ 455 \( -perm -g+s -a ! -type d \) -o \ 456 -type b -o -type c \) -print0 | \ 457 xargs -0 ls -ldgTq | sort +9 > $LIST) 2> $OUTPUT 458 459 # Display any errors that occurred during system file walk. 460 if [ -s $OUTPUT ] ; then 461 printf "Setuid/device find errors:\n" >> $ERR 462 cat $OUTPUT >> $ERR 463 printf "\n" >> $ERR 464 fi 465 466 # Display any changes in the setuid file list. 467 egrep -v '^[bc]' $LIST > $TMP1 468 if [ -s $TMP1 ] ; then 469 # Check to make sure uudecode isn't setuid. 470 if grep -w uudecode $TMP1 > /dev/null ; then 471 printf "\nUudecode is setuid.\n" >> $ERR 472 fi 473 474 CUR=/var/backups/setuid.current 475 BACK=/var/backups/setuid.backup 476 477 if [ -s $CUR ] ; then 478 if cmp -s $CUR $TMP1 ; then 479 : 480 else 481 > $TMP2 482 join -110 -210 -v2 $CUR $TMP1 > $OUTPUT 483 if [ -s $OUTPUT ] ; then 484 printf "Setuid additions:\n" >> $ERR 485 tee -a $TMP2 < $OUTPUT >> $ERR 486 printf "\n" >> $ERR 487 fi 488 489 join -110 -210 -v1 $CUR $TMP1 > $OUTPUT 490 if [ -s $OUTPUT ] ; then 491 printf "Setuid deletions:\n" >> $ERR 492 tee -a $TMP2 < $OUTPUT >> $ERR 493 printf "\n" >> $ERR 494 fi 495 496 sort -k10 $TMP2 $CUR $TMP1 | \ 497 sed -e 's/[ ][ ]*/ /g' | \ 498 uniq -u > $OUTPUT 499 if [ -s $OUTPUT ] ; then 500 printf "Setuid changes:\n" >> $ERR 501 column -t $OUTPUT >> $ERR 502 printf "\n" >> $ERR 503 fi 504 505 cp $CUR $BACK 506 cp $TMP1 $CUR 507 fi 508 else 509 printf "Setuid additions:\n" >> $ERR 510 column -t $TMP1 >> $ERR 511 printf "\n" >> $ERR 512 cp $TMP1 $CUR 513 fi 514 fi 515 516 # Check for block and character disk devices that are readable or 517 # writeable or not owned by root.operator. 518 >$TMP1 519 DISKLIST="acd ccd cd ch fd hk hp mcd md ra rb rd rl rx rz \ 520 sd se ss tz uk up vnd wd xd xy" 521 # DISKLIST="$DISKLIST ct mt st wt" 522 for i in $DISKLIST; do 523 egrep "^b.*/${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 524 egrep "^c.*/r${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 525 done 526 527 awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \ 528 { printf "Disk %s is user %s, group %s, permissions %s.\n", \ 529 $11, $3, $4, $1; }' < $TMP1 > $OUTPUT 530 if [ -s $OUTPUT ] ; then 531 printf "\nChecking disk ownership and permissions.\n" >> $ERR 532 cat $OUTPUT >> $ERR 533 printf "\n" >> $ERR 534 fi 535 536 # Display any changes in the device file list. 537 egrep '^[bc]' $LIST | sort -k11 > $TMP1 538 if [ -s $TMP1 ] ; then 539 CUR=/var/backups/device.current 540 BACK=/var/backups/device.backup 541 542 if [ -s $CUR ] ; then 543 if cmp -s $CUR $TMP1 ; then 544 : 545 else 546 > $TMP2 547 join -111 -211 -v2 $CUR $TMP1 > $OUTPUT 548 if [ -s $OUTPUT ] ; then 549 printf "Device additions:\n" >> $ERR 550 tee -a $TMP2 < $OUTPUT >> $ERR 551 printf "\n" >> $ERR 552 fi 553 554 join -111 -211 -v1 $CUR $TMP1 > $OUTPUT 555 if [ -s $OUTPUT ] ; then 556 printf "Device deletions:\n" >> $ERR 557 tee -a $TMP2 < $OUTPUT >> $ERR 558 printf "\n" >> $ERR 559 fi 560 561 # Report any block device change. Ignore 562 # character devices, only the name is 563 # significant. 564 cat $TMP2 $CUR $TMP1 | \ 565 sed -e '/^c/d' | \ 566 sort -k11 | \ 567 sed -e 's/[ ][ ]*/ /g' | \ 568 uniq -u > $OUTPUT 569 if [ -s $OUTPUT ] ; then 570 printf "Block device changes:\n" >> $ERR 571 column -t $OUTPUT >> $ERR 572 printf "\n" >> $ERR 573 fi 574 575 cp $CUR $BACK 576 cp $TMP1 $CUR 577 fi 578 else 579 printf "Device additions:\n" >> $ERR 580 column -t $TMP1 >> $ERR 581 printf "\n" >> $ERR 582 cp $TMP1 $CUR >> $ERR 583 fi 584 fi 585 if [ -s $ERR ] ; then 586 printf "\nChecking setuid files and devices:\n" 587 cat $ERR 588 printf "\n" 589 fi 590 fi 591 592 # Check special files. 593 # Check system binaries. 594 # 595 # Create the mtree tree specifications using: 596 # 597 # mtree -cx -pDIR -kcksum,gid,mode,nlink,size,link,time,uid > DIR.secure 598 # chown root.wheel DIR.secure 599 # chmod 600 DIR.secure 600 # 601 # Note, this is not complete protection against Trojan horsed binaries, as 602 # the hacker can modify the tree specification to match the replaced binary. 603 # For details on really protecting yourself against modified binaries, see 604 # the mtree(8) manual page. 605 # 606 if checkyesno check_mtree; then 607 mtree -e -p / -f /etc/mtree/special > $OUTPUT 608 if [ -s $OUTPUT ]; then 609 printf "\nChecking special files and directories.\n" 610 cat $OUTPUT 611 fi 612 613 > $OUTPUT 614 for file in /etc/mtree/*.secure; do 615 [ $file = '/etc/mtree/*.secure' ] && continue 616 tree=`sed -n -e '3s/.* //p' -e 3q $file` 617 mtree -f $file -p $tree > $TMP1 618 if [ -s $TMP1 ]; then 619 printf "\nChecking $tree:\n" >> $OUTPUT 620 cat $TMP1 >> $OUTPUT 621 fi 622 done 623 if [ -s $OUTPUT ]; then 624 printf "\nChecking system binaries:\n" 625 cat $OUTPUT 626 fi 627 fi 628 629 CHANGELIST="" 630 631 # Backup disklabels of available disks 632 # 633 if checkyesno check_disklabels; then 634 # generate list of old disklabels and remove them 635 ls -1d /var/backups/disklabel.* 2>/dev/null | 636 egrep -v '\.(backup|current)$' > $LABELS 637 xargs rm < $LABELS 638 639 disks=`iostat -x | sed 1d | awk '$1 !~ /^[mf]d/ { print $1; }'` 640 for i in $disks; do 641 dlf="/var/backups/disklabel.$i" 642 disklabel $i > $dlf 2>/dev/null 643 done 644 645 # append list of new disklabels, sort list 646 ls -1d /var/backups/disklabel.* 2>/dev/null | 647 egrep -v '\.(backup|current)$' >> $LABELS 648 sort -u -o $LABELS $LABELS 649 CHANGELIST=$LABELS 650 fi 651 652 # List of files that get backed up and checked for any modifications. Each 653 # file is expected to have two backups, /var/backups/file.{current,backup}. 654 # Any changes cause the files to rotate. 655 # 656 if checkyesno check_changelist && [ -s /etc/changelist ] ; then 657 CHANGELIST="/etc/changelist $CHANGELIST" 658 fi 659 660 if [ -n "$CHANGELIST" ]; then 661 for file in `egrep -hv "^#|$MP" $CHANGELIST`; do 662 CUR=/var/backups/`basename $file`.current 663 BACK=/var/backups/`basename $file`.backup 664 if [ -f $file ]; then 665 if [ -f $CUR ] ; then 666 diff $CUR $file > $OUTPUT 667 if [ -s $OUTPUT ] ; then 668 printf "\n======\n%s diffs (OLD < > NEW)\n======\n" $file 669 cat $OUTPUT 670 mv -f $CUR $BACK 671 cp -p $file $CUR 672 chown root.wheel $CUR 673 fi 674 else 675 printf "\n======\n%s added\n======\n" $file 676 diff /dev/null $file 677 cp -p $file $CUR 678 chown root.wheel $CUR 679 fi 680 else 681 if [ -f $CUR ]; then 682 printf "\n======\n%s removed\n======\n" $file 683 diff $CUR /dev/null 684 mv -f $CUR $BACK 685 fi 686 fi 687 done 688 fi 689
Indexes created Tue Sep 30 11:09:46 GMT 2025