security revision 1.62 
1#!/bin/sh -
2#
3#	$NetBSD: security,v 1.62 2001/10/01 02:21:20 atatat Exp $
4#	from: @(#)security	8.1 (Berkeley) 6/9/93
5#
6
7PATH=/sbin:/usr/sbin:/bin:/usr/bin
8
9if [ -f /etc/rc.subr ]; then
10	. /etc/rc.subr
11else
12	echo "Can't read /etc/rc.subr; aborting."
13	exit 1;
14fi
15
16umask 077
17
18if [ -s /etc/security.conf ]; then
19	. /etc/security.conf
20fi
21
22SECUREDIR=`mktemp -d /tmp/_securedir.XXXXXX` || exit 1
23
24trap "/bin/rm -rf $SECUREDIR ; exit 0" EXIT INT QUIT
25
26if ! cd "$SECUREDIR"; then
27	echo "Can not cd to $SECUREDIR".
28	exit 1
29fi
30
31if [ -z "$max_loginlen" ];then
32	max_loginlen=8
33fi
34
35if [ -z "$max_grouplen" ]; then
36	max_grouplen=8
37fi
38
39ERR=secure1.$$
40TMP1=secure2.$$
41TMP2=secure3.$$
42MPBYUID=secure4.$$
43MPBYPATH=secure5.$$
44LIST=secure6.$$
45OUTPUT=secure7.$$
46LABELS=secure8.$$
47PKGS=secure9.$$
48
49# Handle backup_dir not being set in .conf file
50backup_dir=${backup_dir:-/var/backups}
51CHANGELIST=""
52pkg_dbdir=${pkg_dbdir:-/var/db/pkg}
53
54MP=/etc/master.passwd
55
56# these is used several times.
57awk -F: '!/^+/ { print $1 " " $3 }' $MP | sort -k2n > $MPBYUID
58awk -F: '{ print $1 " " $9 }' $MP | sort -k2 > $MPBYPATH
59
60# Check the master password file syntax.
61#
62if checkyesno check_passwd; then
63	awk -v "len=$max_loginlen" '
64	BEGIN {
65		while ( getline < "/etc/shells" > 0 ) {
66			if ($0 ~ /^\#/ || $0 ~ /^$/ )
67				continue;
68			shells[$1]++;
69		}
70		FS=":";
71	}
72
73	{
74		if ($0 ~ /^[	 ]*$/) {
75			printf "Line %d is a blank line.\n", NR;
76			next;
77		}
78		if (NF != 10 && ($1 != "+" || NF != 1))
79			printf "Line %d has the wrong number of fields.\n", NR;
80		if ($1 == "+" )  {
81			if (NF != 1 && $3 == 0)
82			    printf "Line %d includes entries with uid 0.\n", NR;
83			next;
84		}
85		if ($1 !~ /^[A-Za-z0-9]([-A-Za-z0-9]*[A-Za-z0-9])*$/)
86			printf "Login %s has non-alphanumeric characters.\n",
87			    $1;
88		if (length($1) > len)
89			printf "Login %s has more than "len" characters.\n", $1;
90		if ($2 == "")
91			printf "Login %s has no password.\n", $1;
92		if (length($2) != 13 && 
93		    length($2) != 20 && 
94		    length($2) != 34 &&
95		    $2 != "" &&
96		    $2 !~ /^\*[A-z-]+$/ &&
97		    $1 != "toor") {
98			if ($10 == "" || shells[$10])
99		    printf "Login %s is off but still has a valid shell (%s)\n",
100				    $1, $10;
101		} else if (! shells[$10])
102			printf "Login %s does not have a valid shell (%s)\n",
103			    $1, $10;
104		if ($3 == 0 && $1 != "root" && $1 != "toor")
105			printf "Login %s has a user id of 0.\n", $1;
106		if ($3 < 0)
107			printf "Login %s has a negative user id.\n", $1;
108		if ($4 < 0)
109			printf "Login %s has a negative group id.\n", $1;
110	}' < $MP > $OUTPUT
111	if [ -s $OUTPUT ] ; then
112		printf "\nChecking the $MP file:\n"
113		cat $OUTPUT
114	fi
115
116	awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT
117	if [ -s $OUTPUT ] ; then
118		printf "\n$MP has duplicate user names.\n"
119		column $OUTPUT
120	fi
121
122# To not exclude 'toor', a standard duplicate root account, from the duplicate
123# account test, uncomment the line below (without egrep in it)and comment
124# out the line (with egrep in it) below it.
125#
126#	< $MPBYUID uniq -d -f 1 | awk '{ print $2 }' > $TMP2
127	< $MPBYUID egrep -v '^toor ' | uniq -d -f 1 | awk '{ print $2 }' > $TMP2
128	if [ -s $TMP2 ] ; then
129		printf "\n$MP has duplicate user id's.\n"
130		while read uid; do
131			grep -w $uid $MPBYUID
132		done < $TMP2 | column
133	fi
134fi
135
136# Backup the master password file; a special case, the normal backup
137# mechanisms also print out file differences and we don't want to do
138# that because this file has encrypted passwords in it.
139#
140CUR=$backup_dir/${MP##*/}.current
141BACK=$backup_dir/${MP##*/}.backup
142if [ -s $CUR ] ; then
143	if cmp -s $CUR $MP; then
144		:
145	else
146		backup_file update $MP $CUR $BACK
147	fi
148else
149	backup_file add $MP $CUR $BACK
150fi
151
152# Check the group file syntax.
153#
154if checkyesno check_group; then
155	GRP=/etc/group
156	awk -F: -v "len=$max_grouplen" '{
157		if ($0 ~ /^[	 ]*$/) {
158			printf "Line %d is a blank line.\n", NR;
159			next;
160		}
161		if (NF != 4 && ($1 != "+" || NF != 1))
162			printf "Line %d has the wrong number of fields.\n", NR;
163		if ($1 == "+" )  {
164			next;
165		}
166		if ($1 !~ /^[A-Za-z0-9]([-A-Za-z0-9]*[A-Za-z0-9])*$/)
167			printf "Group %s has non-alphanumeric characters.\n",
168			    $1;
169		if (length($1) > len)
170			printf "Group %s has more than "len" characters.\n", $1;
171		if ($3 !~ /[0-9]*/)
172			printf "Login %s has a negative group id.\n", $1;
173	}' < $GRP > $OUTPUT
174	if [ -s $OUTPUT ] ; then
175		printf "\nChecking the $GRP file:\n"
176		cat $OUTPUT
177	fi
178
179	awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT
180	if [ -s $OUTPUT ] ; then
181		printf "\n$GRP has duplicate group names.\n"
182		column $OUTPUT
183	fi
184fi
185
186# Check for root paths, umask values in startup files.
187# The check for the root paths is problematical -- it's likely to fail
188# in other environments.  Once the shells have been modified to warn
189# of '.' in the path, the path tests should go away.
190#
191if checkyesno check_rootdotfiles; then
192	> $OUTPUT
193	rhome=`csh -fc "echo ~root"`
194	umaskset=no
195	list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login"
196	for i in $list ; do
197		if [ -f $i ] ; then
198			if egrep '^[ \t]*umask[ \t]+[0-7]+' $i > /dev/null ; then
199				umaskset=yes
200			fi
201			# double check the umask value itself; ensure that both the
202			# 020 and 002 bits are set.
203			# we handle this in decimal initially to extract the digits,
204			# and then extract the `2' bit of each digit.
205			# this is made especially painful because 
206			# bitwise operations were left out of awk.
207			egrep '^[ \t]*umask[ \t]+[0-7]+' $i |
208			awk '{ g= ($2 % 100) - ($2 % 10);
209			       g /= 10;
210			       g = g % 4;
211			       g -= g % 2;
212			       if (g != 2) { print "\tRoot umask is group writeable" }
213			       o = ($2 % 10);
214			       o = o % 4;
215			       o -= o % 2;
216			       if (o != 2) { print "\tRoot umask is other writeable" } }' |
217			    sort -u >> $OUTPUT
218			SAVE_PATH=$PATH
219			unset PATH
220			/bin/csh -f -s << end-of-csh > /dev/null 2>&1
221				source $i
222				/bin/ls -ldgT \$path > $TMP1
223end-of-csh
224			PATH=$SAVE_PATH
225			awk '{
226				if ($10 ~ /^\.$/) {
227					print "\tThe root path includes .";
228					next;
229				}
230			     }
231			     $1 ~ /^d....w/ \
232		{ print "\tRoot path directory " $10 " is group writeable." } \
233			     $1 ~ /^d.......w/ \
234		{ print "\tRoot path directory " $10 " is other writeable." }' \
235			< $TMP1 >> $OUTPUT
236		fi
237	done
238	if [ $umaskset = "no" -o -s $OUTPUT ] ; then
239		printf "\nChecking root csh paths, umask values:\n$list\n\n"
240		if [ -s $OUTPUT ]; then
241			cat $OUTPUT
242		fi
243		if [ $umaskset = "no" ] ; then
244		    printf "\tRoot csh startup files do not set the umask.\n"
245		fi
246	fi
247
248	> $OUTPUT
249	rhome=/root
250	umaskset=no
251	list="/etc/profile ${rhome}/.profile"
252	for i in $list; do
253		if [ -f $i ] ; then
254			if egrep umask $i > /dev/null ; then
255				umaskset=yes
256			fi
257			egrep umask $i |
258			awk '$2 % 100 < 20 \
259				{ print "\tRoot umask is group writeable" } \
260			     $2 % 10 < 2 \
261				{ print "\tRoot umask is other writeable" }' \
262			    >> $OUTPUT
263			SAVE_PATH=$PATH
264			unset PATH
265			/bin/sh << end-of-sh > /dev/null 2>&1
266				. $i
267				list=\`echo \$PATH | /usr/bin/sed -e \
268				    's/^:/.:/;s/:$/:./;s/::/:.:/g;s/:/ /g'\`
269				/bin/ls -ldgT \$list > $TMP1
270end-of-sh
271			PATH=$SAVE_PATH
272			awk '{
273				if ($10 ~ /^\.$/) {
274					print "\tThe root path includes .";
275					next;
276				}
277			     }
278			     $1 ~ /^d....w/ \
279		{ print "\tRoot path directory " $10 " is group writeable." } \
280			     $1 ~ /^d.......w/ \
281		{ print "\tRoot path directory " $10 " is other writeable." }' \
282			< $TMP1 >> $OUTPUT
283
284		fi
285	done
286	if [ $umaskset = "no" -o -s $OUTPUT ] ; then
287		printf "\nChecking root sh paths, umask values:\n$list\n"
288		if [ -s $OUTPUT ]; then
289			cat $OUTPUT
290		fi
291		if [ $umaskset = "no" ] ; then
292			printf "\tRoot sh startup files do not set the umask.\n"
293		fi
294	fi
295fi
296
297# Root and uucp should both be in /etc/ftpusers.
298#
299if checkyesno check_ftpusers; then
300	> $OUTPUT
301	list="uucp "`awk '$2 == 0 { print $1 }' $MPBYUID`
302	for i in $list; do
303		if /usr/libexec/ftpd -C $i ; then
304			printf "\t$i is not denied\n" >> $OUTPUT
305		fi
306	done
307	if [ -s $OUTPUT ]; then
308		printf "\nChecking the /etc/ftpusers configuration:\n"
309		cat $OUTPUT
310	fi
311fi
312
313# Uudecode should not be in the /etc/mail/aliases file.
314#
315if checkyesno check_aliases; then
316	for f in /etc/mail/aliases /etc/aliases; do
317		if [ -f $f ] && egrep '^[^#]*(uudecode|decode).*\|' $f; then
318			printf "\nEntry for uudecode in $f file.\n"
319		fi
320	done
321fi
322
323# Files that should not have + signs.
324#
325if checkyesno check_rhosts; then
326	list="/etc/hosts.equiv /etc/hosts.lpd"
327	for f in $list ; do
328		if [ -f $f ] && egrep '\+' $f > /dev/null ; then
329			printf "\nPlus sign in $f file.\n"
330		fi
331	done
332
333	# Check for special users with .rhosts files.  Only root and toor should
334	# have .rhosts files.  Also, .rhosts files should not have plus signs.
335	awk -F: '$1 != "root" && $1 != "toor" && \
336		($3 < 100 || $1 == "ftp" || $1 == "uucp") \
337			{ print $1 " " $9 }' $MP |
338	sort -k2 |
339	while read uid homedir; do
340		if [ -f ${homedir}/.rhosts ] ; then
341			rhost=`ls -ldgT ${homedir}/.rhosts`
342			printf -- "$uid: $rhost\n"
343		fi
344	done > $OUTPUT
345	if [ -s $OUTPUT ] ; then
346		printf "\nChecking for special users with .rhosts files.\n"
347		cat $OUTPUT
348	fi
349
350	while read uid homedir; do
351		if [ -f ${homedir}/.rhosts -a -r ${homedir}/.rhosts ] && \
352		    cat -f ${homedir}/.rhosts | egrep '\+' > /dev/null ; then
353			printf -- "$uid: + in .rhosts file.\n"
354		fi
355	done < $MPBYPATH > $OUTPUT
356	if [ -s $OUTPUT ] ; then
357		printf "\nChecking .rhosts files syntax.\n"
358		cat $OUTPUT
359	fi
360fi
361
362# Check home directories.  Directories should not be owned by someone else
363# or writeable.
364#
365if checkyesno check_homes; then
366	while read uid homedir; do
367		if [ -d ${homedir}/ ] ; then
368			file=`ls -ldgT ${homedir}`
369			printf -- "$uid $file\n"
370		fi
371	done < $MPBYPATH |
372	awk '$1 != $4 && $4 != "root" \
373		{ print "user " $1 " home directory is owned by " $4 }
374	     $2 ~ /^-....w/ \
375		{ print "user " $1 " home directory is group writeable" }
376	     $2 ~ /^-.......w/ \
377		{ print "user " $1 " home directory is other writeable" }' \
378	    > $OUTPUT
379	if [ -s $OUTPUT ] ; then
380		printf "\nChecking home directories.\n"
381		cat $OUTPUT
382	fi
383
384	# Files that should not be owned by someone else or readable.
385	list=".Xauthority .netrc"
386	while read uid homedir; do
387		for f in $list ; do
388			file=${homedir}/${f}
389			if [ -f $file ] ; then
390				printf -- "$uid $f `ls -ldgT $file`\n"
391			fi
392		done
393	done < $MPBYPATH |
394	awk '$1 != $5 && $5 != "root" \
395		{ print "user " $1 " " $2 " file is owned by " $5 }
396	     $3 ~ /^-...r/ \
397		{ print "user " $1 " " $2 " file is group readable" }
398	     $3 ~ /^-......r/ \
399		{ print "user " $1 " " $2 " file is other readable" }
400	     $3 ~ /^-....w/ \
401		{ print "user " $1 " " $2 " file is group writeable" }
402	     $3 ~ /^-.......w/ \
403		{ print "user " $1 " " $2 " file is other writeable" }' \
404	    > $OUTPUT
405
406	# Files that should not be owned by someone else or writeable.
407	list=".bash_history .bash_login .bash_logout .bash_profile .bashrc \
408	      .cshrc .emacs .exrc .forward .history .klogin .login .logout \
409	      .profile .qmail .rc_history .rhosts .tcshrc .twmrc .xinitrc \
410	      .xsession"
411	while read uid homedir; do
412		for f in $list ; do
413			file=${homedir}/${f}
414			if [ -f $file ] ; then
415				printf -- "$uid $f `ls -ldgT $file`\n"
416			fi
417		done
418	done < $MPBYPATH |
419	awk '$1 != $5 && $5 != "root" \
420		{ print "user " $1 " " $2 " file is owned by " $5 }
421	     $3 ~ /^-....w/ \
422		{ print "user " $1 " " $2 " file is group writeable" }
423	     $3 ~ /^-.......w/ \
424		{ print "user " $1 " " $2 " file is other writeable" }' \
425	    >> $OUTPUT
426	if [ -s $OUTPUT ] ; then
427		printf "\nChecking dot files.\n"
428		cat $OUTPUT
429	fi
430fi
431
432# Mailboxes should be owned by user and unreadable.
433#
434if checkyesno check_varmail; then
435	ls -l /var/mail | sed 1d | \
436	awk '$3 != $9 \
437		{ print "user " $9 " mailbox is owned by " $3 }
438	     $1 != "-rw-------" \
439		{ print "user " $9 " mailbox is " $1 ", group " $4 }' > $OUTPUT
440	if [ -s $OUTPUT ] ; then
441		printf "\nChecking mailbox ownership.\n"
442		cat $OUTPUT
443	fi
444fi
445
446# NFS exports shouldn't be globally exported
447#
448if checkyesno check_nfs && [ -f /etc/exports ]; then
449	awk '{
450		# ignore comments and blank lines
451		if ($0 ~ /^\#/ || $0 ~ /^$/ )
452			next;
453
454		readonly = 0;
455		for (i = 2; i <= NF; ++i) {
456			if ($i ~ /-ro/)
457				readonly = 1;
458			else if ($i !~ /^-/)
459				next;
460		}
461		if (readonly)
462			print "File system " $1 " globally exported, read-only."
463		else
464			print "File system " $1 " globally exported, read-write."
465	}' < /etc/exports > $OUTPUT
466	if [ -s $OUTPUT ] ; then
467		printf "\nChecking for globally exported file systems.\n"
468		cat $OUTPUT
469	fi
470fi
471
472# Display any changes in setuid files and devices.
473#
474if checkyesno check_devices; then
475	> $ERR
476	(find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \
477			-o -fstype procfs \) -a -prune -o \
478	    \( \( -perm -u+s -a ! -type d \) -o \
479	       \( -perm -g+s -a ! -type d \) -o \
480	       -type b -o -type c \) -print0 | \
481	xargs -0 ls -ldgTq | sort +9 > $LIST) 2> $OUTPUT
482
483	# Display any errors that occurred during system file walk.
484	if [ -s $OUTPUT ] ; then
485		printf "Setuid/device find errors:\n" >> $ERR
486		cat $OUTPUT >> $ERR
487		printf "\n" >> $ERR
488	fi
489
490	# Display any changes in the setuid file list.
491	egrep -v '^[bc]' $LIST > $TMP1
492	if [ -s $TMP1 ] ; then
493		# Check to make sure uudecode isn't setuid.
494		if grep -w uudecode $TMP1 > /dev/null ; then
495			printf "\nUudecode is setuid.\n" >> $ERR
496		fi
497
498		CUR=$backup_dir/setuid.current
499		BACK=$backup_dir/setuid.backup
500
501		if [ -s $CUR ] ; then
502			if cmp -s $CUR $TMP1 ; then
503				:
504			else
505				> $TMP2
506				join -110 -210 -v2 $CUR $TMP1 > $OUTPUT
507				if [ -s $OUTPUT ] ; then
508					printf "Setuid additions:\n" >> $ERR
509					tee -a $TMP2 < $OUTPUT >> $ERR
510					printf "\n" >> $ERR
511				fi
512
513				join -110 -210 -v1 $CUR $TMP1 > $OUTPUT
514				if [ -s $OUTPUT ] ; then
515					printf "Setuid deletions:\n" >> $ERR
516					tee -a $TMP2 < $OUTPUT >> $ERR
517					printf "\n" >> $ERR
518				fi
519
520				sort -k10 $TMP2 $CUR $TMP1 | \
521				    sed -e 's/[	 ][	 ]*/ /g' | \
522				    uniq -u > $OUTPUT
523				if [ -s $OUTPUT ] ; then
524					printf "Setuid changes:\n" >> $ERR
525					column -t $OUTPUT >> $ERR
526					printf "\n" >> $ERR
527				fi
528
529				backup_file update $TMP1 $CUR $BACK
530			fi
531		else
532			printf "Setuid additions:\n" >> $ERR
533			column -t $TMP1 >> $ERR
534			printf "\n" >> $ERR
535			backup_file add $TMP1 $CUR $BACK
536		fi
537	fi
538
539	# Check for block and character disk devices that are readable or
540	# writeable or not owned by root.operator.
541	>$TMP1
542	DISKLIST="ccd ch hk hp ld md ra raid rb rd rl rx \
543	    sd se ss uk up vnd wd xd xy"
544#	DISKLIST="$DISKLIST ct mt st wt"
545	for i in $DISKLIST; do
546		egrep "^b.*/${i}[0-9][0-9]*[a-p]$"  $LIST >> $TMP1
547		egrep "^c.*/r${i}[0-9][0-9]*[a-p]$"  $LIST >> $TMP1
548	done
549
550	awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \
551		{ printf "Disk %s is user %s, group %s, permissions %s.\n", \
552		    $11, $3, $4, $1; }' < $TMP1 > $OUTPUT
553	if [ -s $OUTPUT ] ; then
554		printf "\nChecking disk ownership and permissions.\n" >> $ERR
555		cat $OUTPUT >> $ERR
556		printf "\n" >> $ERR
557	fi
558
559	# Display any changes in the device file list.
560	egrep '^[bc]' $LIST | sort -k11 > $TMP1
561	if [ -s $TMP1 ] ; then
562		CUR=$backup_dir/device.current
563		BACK=$backup_dir/device.backup
564
565		if [ -s $CUR ] ; then
566			if cmp -s $CUR $TMP1 ; then
567				:
568			else
569				> $TMP2
570				join -111 -211 -v2 $CUR $TMP1 > $OUTPUT
571				if [ -s $OUTPUT ] ; then
572					printf "Device additions:\n" >> $ERR
573					tee -a $TMP2 < $OUTPUT >> $ERR
574					printf "\n" >> $ERR
575				fi
576
577				join -111 -211 -v1 $CUR $TMP1 > $OUTPUT
578				if [ -s $OUTPUT ] ; then
579					printf "Device deletions:\n" >> $ERR
580					tee -a $TMP2 < $OUTPUT >> $ERR
581					printf "\n" >> $ERR
582				fi
583
584				# Report any block device change. Ignore
585				# character devices, only the name is
586				# significant.
587				cat $TMP2 $CUR $TMP1 | \
588				    sed -e '/^c/d' | \
589				    sort -k11 | \
590				    sed -e 's/[	 ][	 ]*/ /g' | \
591				    uniq -u > $OUTPUT
592				if [ -s $OUTPUT ] ; then
593					printf "Block device changes:\n" >> $ERR
594					column -t $OUTPUT >> $ERR
595					printf "\n" >> $ERR
596				fi
597
598				backup_file update $TMP1 $CUR $BACK
599			fi
600		else
601			printf "Device additions:\n" >> $ERR
602			column -t $TMP1 >> $ERR
603			printf "\n" >> $ERR
604			backup_file add $TMP1 $CUR $BACK >> $ERR
605		fi
606	fi
607	if [ -s $ERR ] ; then
608		printf "\nChecking setuid files and devices:\n"
609		cat $ERR
610		printf "\n"
611	fi
612fi
613
614# Check special files.
615# Check system binaries.
616#
617# Create the mtree tree specifications using:
618#
619#	mtree -cx -pDIR -kcksum,gid,mode,nlink,size,link,time,uid > DIR.secure
620#	chown root:wheel DIR.secure
621#	chmod 600 DIR.secure
622#
623# Note, this is not complete protection against Trojan horsed binaries, as
624# the hacker can modify the tree specification to match the replaced binary.
625# For details on really protecting yourself against modified binaries, see
626# the mtree(8) manual page.
627#
628if checkyesno check_mtree; then
629	mtree -e -l -p / -f /etc/mtree/special > $OUTPUT
630	if [ -s $OUTPUT ]; then
631		printf "\nChecking special files and directories.\n"
632		cat $OUTPUT
633	fi
634
635	> $OUTPUT
636	for file in /etc/mtree/*.secure; do
637		[ $file = '/etc/mtree/*.secure' ] && continue
638		tree=`sed -n -e '3s/.* //p' -e 3q $file`
639		mtree -f $file -p $tree > $TMP1
640		if [ -s $TMP1 ]; then
641			printf "\nChecking $tree:\n" >> $OUTPUT
642			cat $TMP1 >> $OUTPUT
643		fi
644	done
645	if [ -s $OUTPUT ]; then
646		printf "\nChecking system binaries:\n"
647		cat $OUTPUT
648	fi
649fi
650
651# Backup disklabels of available disks
652#
653if checkyesno check_disklabels; then
654		# generate list of old disklabels and remove them
655	ls -1d $backup_dir/disklabel.* 2>/dev/null |
656	    egrep -v '\.(backup|current)(,v)?$' > $LABELS
657	xargs rm < $LABELS
658
659	disks=`iostat -x | sed 1d | awk '$1 !~ /^[cfm]d/ { print $1; }'`
660	for i in $disks; do
661		dlf="$backup_dir/disklabel.$i"
662		disklabel $i > $dlf 2>/dev/null
663	done
664
665		# append list of new disklabels, sort list
666	ls -1d $backup_dir/disklabel.* 2>/dev/null |
667	    egrep -v '\.(backup|current)(,v)?$' >> $LABELS
668	sort -u -o $LABELS $LABELS
669	CHANGELIST="$LABELS $CHANGELIST"
670fi
671
672# Check for changes in the list of installed pkgs
673#
674if checkyesno check_pkgs && [ -d $pkg_dbdir ]; then
675	pkgs=$backup_dir/pkgs
676	(	cd $pkg_dbdir
677		pkg_info | sort
678		echo ""
679		find . \( -name +REQUIRED_BY -o -name +CONTENTS \) -print0 |
680			xargs -0 ls -l | sort -t. +1 | sed -e 's, \./, ,'
681	 ) > $pkgs
682	echo $pkgs > $PKGS
683	CHANGELIST="$PKGS $CHANGELIST"
684fi
685
686# List of files that get backed up and checked for any modifications.  Each
687# file is expected to have two backups, $backup_dir/file.{current,backup}.
688# Any changes cause the files to rotate.
689#
690if checkyesno check_changelist && [ -s /etc/changelist ] ; then
691	CHANGELIST="/etc/changelist $CHANGELIST"
692fi
693
694if [ -n "$CHANGELIST" ]; then
695	for file in `egrep -hv "^#|$MP" $CHANGELIST`; do
696		# old changelist backup names
697		OCUR=$backup_dir/${file##*/}.current
698		OBACK=$backup_dir/${file##*/}.backup
699		# new changelist backup names
700		CUR=$backup_dir$file.current
701		BACK=$backup_dir$file.backup
702		# roll over old backups
703		if [ ! -d ${CUR%/*} ]; then
704			mkdir -p ${CUR%/*}
705		fi
706		if [ -f $OCUR -a ! -f $CUR ]; then
707			mv $OCUR $CUR
708		fi
709		if [ -f $OCUR,v -a ! -f $CUR,v ]; then
710			mv $OCUR,v $CUR,v
711		fi
712		if [ -f $OBACK -a ! -f $BACK ]; then
713			mv $OBACK $BACK
714		fi
715		# and down to work
716		if [ -f $file ]; then
717			if [ -f $CUR ] ; then
718				diff $CUR $file > $OUTPUT
719				if [ -s $OUTPUT ] ; then
720		printf "\n======\n%s diffs (OLD < > NEW)\n======\n" $file
721					cat $OUTPUT
722					backup_file update $file $CUR $BACK
723				fi
724			else
725		printf "\n======\n%s added\n======\n" $file
726				diff /dev/null $file
727				backup_file add $file $CUR $BACK
728			fi
729		else
730			if [ -f $CUR ]; then
731		printf "\n======\n%s removed\n======\n" $file
732				diff $CUR /dev/null
733				backup_file remove $file $CUR $BACK
734			fi
735		fi
736	done
737fi
738
739if [ -f /etc/security.local ]; then
740	echo ""
741	echo "Running /etc/security.local:"
742	. /etc/security.local
743fi
744