security revision 1.63 
1#!/bin/sh -
2#
3#	$NetBSD: security,v 1.63 2001/10/03 00:12:17 lukem Exp $
4#	from: @(#)security	8.1 (Berkeley) 6/9/93
5#
6
7PATH=/sbin:/usr/sbin:/bin:/usr/bin
8
9if [ -f /etc/rc.subr ]; then
10	. /etc/rc.subr
11else
12	echo "Can't read /etc/rc.subr; aborting."
13	exit 1;
14fi
15
16umask 077
17
18if [ -s /etc/security.conf ]; then
19	. /etc/security.conf
20fi
21
22SECUREDIR=`mktemp -d /tmp/_securedir.XXXXXX` || exit 1
23
24trap "/bin/rm -rf $SECUREDIR ; exit 0" EXIT INT QUIT
25
26if ! cd "$SECUREDIR"; then
27	echo "Can not cd to $SECUREDIR".
28	exit 1
29fi
30
31if [ -z "$max_loginlen" ];then
32	max_loginlen=8
33fi
34
35if [ -z "$max_grouplen" ]; then
36	max_grouplen=8
37fi
38
39ERR=secure1.$$
40TMP1=secure2.$$
41TMP2=secure3.$$
42MPBYUID=secure4.$$
43MPBYPATH=secure5.$$
44LIST=secure6.$$
45OUTPUT=secure7.$$
46LABELS=secure8.$$
47PKGS=secure9.$$
48
49# Handle backup_dir not being set in .conf file
50backup_dir=${backup_dir:-/var/backups}
51CHANGELIST=""
52pkg_dbdir=${pkg_dbdir:-/var/db/pkg}
53
54MP=/etc/master.passwd
55
56# these is used several times.
57awk -F: '!/^+/ { print $1 " " $3 }' $MP | sort -k2n > $MPBYUID
58awk -F: '{ print $1 " " $9 }' $MP | sort -k2 > $MPBYPATH
59
60# Check the master password file syntax.
61#
62if checkyesno check_passwd; then
63	awk -v "len=$max_loginlen" '
64	BEGIN {
65		while ( getline < "/etc/shells" > 0 ) {
66			if ($0 ~ /^\#/ || $0 ~ /^$/ )
67				continue;
68			shells[$1]++;
69		}
70		FS=":";
71	}
72
73	{
74		if ($0 ~ /^[	 ]*$/) {
75			printf "Line %d is a blank line.\n", NR;
76			next;
77		}
78		if (NF != 10 && ($1 != "+" || NF != 1))
79			printf "Line %d has the wrong number of fields.\n", NR;
80		if ($1 == "+" )  {
81			if (NF != 1 && $3 == 0)
82			    printf "Line %d includes entries with uid 0.\n", NR;
83			next;
84		}
85		if ($1 !~ /^[A-Za-z0-9]([-A-Za-z0-9]*[A-Za-z0-9])*$/)
86			printf "Login %s has non-alphanumeric characters.\n",
87			    $1;
88		if (length($1) > len)
89			printf "Login %s has more than "len" characters.\n", $1;
90		if ($2 == "")
91			printf "Login %s has no password.\n", $1;
92		if (length($2) != 13 && 
93		    length($2) != 20 && 
94		    length($2) != 34 &&
95		    $2 != "" &&
96		    $2 !~ /^\*[A-z-]+$/ &&
97		    $1 != "toor") {
98			if ($10 == "" || shells[$10])
99		    printf "Login %s is off but still has a valid shell (%s)\n",
100				    $1, $10;
101		} else if (! shells[$10])
102			printf "Login %s does not have a valid shell (%s)\n",
103			    $1, $10;
104		if ($3 == 0 && $1 != "root" && $1 != "toor")
105			printf "Login %s has a user id of 0.\n", $1;
106		if ($3 < 0)
107			printf "Login %s has a negative user id.\n", $1;
108		if ($4 < 0)
109			printf "Login %s has a negative group id.\n", $1;
110	}' < $MP > $OUTPUT
111	if [ -s $OUTPUT ] ; then
112		printf "\nChecking the $MP file:\n"
113		cat $OUTPUT
114	fi
115
116	awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT
117	if [ -s $OUTPUT ] ; then
118		printf "\n$MP has duplicate user names.\n"
119		column $OUTPUT
120	fi
121
122# To not exclude 'toor', a standard duplicate root account, from the duplicate
123# account test, uncomment the line below (without egrep in it)and comment
124# out the line (with egrep in it) below it.
125#
126#	< $MPBYUID uniq -d -f 1 | awk '{ print $2 }' > $TMP2
127	< $MPBYUID egrep -v '^toor ' | uniq -d -f 1 | awk '{ print $2 }' > $TMP2
128	if [ -s $TMP2 ] ; then
129		printf "\n$MP has duplicate user id's.\n"
130		while read uid; do
131			grep -w $uid $MPBYUID
132		done < $TMP2 | column
133	fi
134fi
135
136# Backup the master password file; a special case, the normal backup
137# mechanisms also print out file differences and we don't want to do
138# that because this file has encrypted passwords in it.
139#
140CUR=$backup_dir/${MP##*/}.current
141BACK=$backup_dir/${MP##*/}.backup
142if [ -s $CUR ] ; then
143	if cmp -s $CUR $MP; then
144		:
145	else
146		backup_file update $MP $CUR $BACK
147	fi
148else
149	backup_file add $MP $CUR $BACK
150fi
151
152# Check the group file syntax.
153#
154if checkyesno check_group; then
155	GRP=/etc/group
156	awk -F: -v "len=$max_grouplen" '{
157		if ($0 ~ /^[	 ]*$/) {
158			printf "Line %d is a blank line.\n", NR;
159			next;
160		}
161		if (NF != 4 && ($1 != "+" || NF != 1))
162			printf "Line %d has the wrong number of fields.\n", NR;
163		if ($1 == "+" )  {
164			next;
165		}
166		if ($1 !~ /^[A-Za-z0-9]([-A-Za-z0-9]*[A-Za-z0-9])*$/)
167			printf "Group %s has non-alphanumeric characters.\n",
168			    $1;
169		if (length($1) > len)
170			printf "Group %s has more than "len" characters.\n", $1;
171		if ($3 !~ /[0-9]*/)
172			printf "Login %s has a negative group id.\n", $1;
173	}' < $GRP > $OUTPUT
174	if [ -s $OUTPUT ] ; then
175		printf "\nChecking the $GRP file:\n"
176		cat $OUTPUT
177	fi
178
179	awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT
180	if [ -s $OUTPUT ] ; then
181		printf "\n$GRP has duplicate group names.\n"
182		column $OUTPUT
183	fi
184fi
185
186# Check for root paths, umask values in startup files.
187# The check for the root paths is problematical -- it's likely to fail
188# in other environments.  Once the shells have been modified to warn
189# of '.' in the path, the path tests should go away.
190#
191if checkyesno check_rootdotfiles; then
192	> $OUTPUT
193	rhome=`csh -fc "echo ~root"`
194	umaskset=no
195	list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login"
196	for i in $list ; do
197		if [ -f $i ] ; then
198			if egrep '^[ \t]*umask[ \t]+[0-7]+' $i > /dev/null ; then
199				umaskset=yes
200			fi
201			# Double check the umask value itself; ensure that
202			# both the 020 and 002 bits are set.
203			# We handle this in decimal initially to extract the
204			# digits, and then extract the `2' bit of each digit.
205			# This is made especially painful because 
206			# bitwise operations were left out of awk.
207			egrep '^[ \t]*umask[ \t]+[0-7]+' $i |
208			awk '{
209				g= ($2 % 100) - ($2 % 10);
210				g /= 10;
211				g = g % 4;
212				g -= g % 2;
213				if (g != 2) {
214					print "\tRoot umask is group writeable"
215				}
216				o = ($2 % 10);
217				o = o % 4;
218				o -= o % 2;
219				if (o != 2) {
220					print "\tRoot umask is other writeable"
221			    	}
222			    }' | sort -u >> $OUTPUT
223			SAVE_PATH=$PATH
224			unset PATH
225			/bin/csh -f -s << end-of-csh > /dev/null 2>&1
226				source $i
227				/bin/ls -ldgT \$path > $TMP1
228end-of-csh
229			PATH=$SAVE_PATH
230			awk '{
231				if ($10 ~ /^\.$/) {
232					print "\tThe root path includes .";
233					next;
234				}
235			     }
236			     $1 ~ /^d....w/ \
237		{ print "\tRoot path directory " $10 " is group writeable." } \
238			     $1 ~ /^d.......w/ \
239		{ print "\tRoot path directory " $10 " is other writeable." }' \
240			< $TMP1 >> $OUTPUT
241		fi
242	done
243	if [ $umaskset = "no" -o -s $OUTPUT ] ; then
244		printf "\nChecking root csh paths, umask values:\n$list\n\n"
245		if [ -s $OUTPUT ]; then
246			cat $OUTPUT
247		fi
248		if [ $umaskset = "no" ] ; then
249		    printf "\tRoot csh startup files do not set the umask.\n"
250		fi
251	fi
252
253	> $OUTPUT
254	rhome=/root
255	umaskset=no
256	list="/etc/profile ${rhome}/.profile"
257	for i in $list; do
258		if [ -f $i ] ; then
259			if egrep umask $i > /dev/null ; then
260				umaskset=yes
261			fi
262			egrep umask $i |
263			awk '$2 % 100 < 20 \
264				{ print "\tRoot umask is group writeable" } \
265			     $2 % 10 < 2 \
266				{ print "\tRoot umask is other writeable" }' \
267			    >> $OUTPUT
268			SAVE_PATH=$PATH
269			unset PATH
270			/bin/sh << end-of-sh > /dev/null 2>&1
271				. $i
272				list=\`echo \$PATH | /usr/bin/sed -e \
273				    's/^:/.:/;s/:$/:./;s/::/:.:/g;s/:/ /g'\`
274				/bin/ls -ldgT \$list > $TMP1
275end-of-sh
276			PATH=$SAVE_PATH
277			awk '{
278				if ($10 ~ /^\.$/) {
279					print "\tThe root path includes .";
280					next;
281				}
282			     }
283			     $1 ~ /^d....w/ \
284		{ print "\tRoot path directory " $10 " is group writeable." } \
285			     $1 ~ /^d.......w/ \
286		{ print "\tRoot path directory " $10 " is other writeable." }' \
287			< $TMP1 >> $OUTPUT
288
289		fi
290	done
291	if [ $umaskset = "no" -o -s $OUTPUT ] ; then
292		printf "\nChecking root sh paths, umask values:\n$list\n"
293		if [ -s $OUTPUT ]; then
294			cat $OUTPUT
295		fi
296		if [ $umaskset = "no" ] ; then
297			printf "\tRoot sh startup files do not set the umask.\n"
298		fi
299	fi
300fi
301
302# Root and uucp should both be in /etc/ftpusers.
303#
304if checkyesno check_ftpusers; then
305	> $OUTPUT
306	list="uucp "`awk '$2 == 0 { print $1 }' $MPBYUID`
307	for i in $list; do
308		if /usr/libexec/ftpd -C $i ; then
309			printf "\t$i is not denied\n" >> $OUTPUT
310		fi
311	done
312	if [ -s $OUTPUT ]; then
313		printf "\nChecking the /etc/ftpusers configuration:\n"
314		cat $OUTPUT
315	fi
316fi
317
318# Uudecode should not be in the /etc/mail/aliases file.
319#
320if checkyesno check_aliases; then
321	for f in /etc/mail/aliases /etc/aliases; do
322		if [ -f $f ] && egrep '^[^#]*(uudecode|decode).*\|' $f; then
323			printf "\nEntry for uudecode in $f file.\n"
324		fi
325	done
326fi
327
328# Files that should not have + signs.
329#
330if checkyesno check_rhosts; then
331	list="/etc/hosts.equiv /etc/hosts.lpd"
332	for f in $list ; do
333		if [ -f $f ] && egrep '\+' $f > /dev/null ; then
334			printf "\nPlus sign in $f file.\n"
335		fi
336	done
337
338	# Check for special users with .rhosts files.  Only root and toor should
339	# have .rhosts files.  Also, .rhosts files should not have plus signs.
340	awk -F: '$1 != "root" && $1 != "toor" && \
341		($3 < 100 || $1 == "ftp" || $1 == "uucp") \
342			{ print $1 " " $9 }' $MP |
343	sort -k2 |
344	while read uid homedir; do
345		if [ -f ${homedir}/.rhosts ] ; then
346			rhost=`ls -ldgT ${homedir}/.rhosts`
347			printf -- "$uid: $rhost\n"
348		fi
349	done > $OUTPUT
350	if [ -s $OUTPUT ] ; then
351		printf "\nChecking for special users with .rhosts files.\n"
352		cat $OUTPUT
353	fi
354
355	while read uid homedir; do
356		if [ -f ${homedir}/.rhosts -a -r ${homedir}/.rhosts ] && \
357		    cat -f ${homedir}/.rhosts | egrep '\+' > /dev/null ; then
358			printf -- "$uid: + in .rhosts file.\n"
359		fi
360	done < $MPBYPATH > $OUTPUT
361	if [ -s $OUTPUT ] ; then
362		printf "\nChecking .rhosts files syntax.\n"
363		cat $OUTPUT
364	fi
365fi
366
367# Check home directories.  Directories should not be owned by someone else
368# or writeable.
369#
370if checkyesno check_homes; then
371	while read uid homedir; do
372		if [ -d ${homedir}/ ] ; then
373			file=`ls -ldgT ${homedir}`
374			printf -- "$uid $file\n"
375		fi
376	done < $MPBYPATH |
377	awk '$1 != $4 && $4 != "root" \
378		{ print "user " $1 " home directory is owned by " $4 }
379	     $2 ~ /^-....w/ \
380		{ print "user " $1 " home directory is group writeable" }
381	     $2 ~ /^-.......w/ \
382		{ print "user " $1 " home directory is other writeable" }' \
383	    > $OUTPUT
384	if [ -s $OUTPUT ] ; then
385		printf "\nChecking home directories.\n"
386		cat $OUTPUT
387	fi
388
389	# Files that should not be owned by someone else or readable.
390	list=".Xauthority .netrc"
391	while read uid homedir; do
392		for f in $list ; do
393			file=${homedir}/${f}
394			if [ -f $file ] ; then
395				printf -- "$uid $f `ls -ldgT $file`\n"
396			fi
397		done
398	done < $MPBYPATH |
399	awk '$1 != $5 && $5 != "root" \
400		{ print "user " $1 " " $2 " file is owned by " $5 }
401	     $3 ~ /^-...r/ \
402		{ print "user " $1 " " $2 " file is group readable" }
403	     $3 ~ /^-......r/ \
404		{ print "user " $1 " " $2 " file is other readable" }
405	     $3 ~ /^-....w/ \
406		{ print "user " $1 " " $2 " file is group writeable" }
407	     $3 ~ /^-.......w/ \
408		{ print "user " $1 " " $2 " file is other writeable" }' \
409	    > $OUTPUT
410
411	# Files that should not be owned by someone else or writeable.
412	list=".bash_history .bash_login .bash_logout .bash_profile .bashrc \
413	      .cshrc .emacs .exrc .forward .history .klogin .login .logout \
414	      .profile .qmail .rc_history .rhosts .tcshrc .twmrc .xinitrc \
415	      .xsession"
416	while read uid homedir; do
417		for f in $list ; do
418			file=${homedir}/${f}
419			if [ -f $file ] ; then
420				printf -- "$uid $f `ls -ldgT $file`\n"
421			fi
422		done
423	done < $MPBYPATH |
424	awk '$1 != $5 && $5 != "root" \
425		{ print "user " $1 " " $2 " file is owned by " $5 }
426	     $3 ~ /^-....w/ \
427		{ print "user " $1 " " $2 " file is group writeable" }
428	     $3 ~ /^-.......w/ \
429		{ print "user " $1 " " $2 " file is other writeable" }' \
430	    >> $OUTPUT
431	if [ -s $OUTPUT ] ; then
432		printf "\nChecking dot files.\n"
433		cat $OUTPUT
434	fi
435fi
436
437# Mailboxes should be owned by user and unreadable.
438#
439if checkyesno check_varmail; then
440	ls -l /var/mail | \
441	awk '	NR == 1 { next; }
442	    	$3 != $9 {
443			print "user " $9 " mailbox is owned by " $3
444		}
445		$1 != "-rw-------" {
446			print "user " $9 " mailbox is " $1 ", group " $4
447		}' > $OUTPUT
448	if [ -s $OUTPUT ] ; then
449		printf "\nChecking mailbox ownership.\n"
450		cat $OUTPUT
451	fi
452fi
453
454# NFS exports shouldn't be globally exported
455#
456if checkyesno check_nfs && [ -f /etc/exports ]; then
457	awk '{
458		# ignore comments and blank lines
459		if ($0 ~ /^\#/ || $0 ~ /^$/ )
460			next;
461
462		readonly = 0;
463		for (i = 2; i <= NF; ++i) {
464			if ($i ~ /-ro/)
465				readonly = 1;
466			else if ($i !~ /^-/)
467				next;
468		}
469		if (readonly)
470			print "File system " $1 " globally exported, read-only."
471		else
472			print "File system " $1 " globally exported, read-write."
473	}' < /etc/exports > $OUTPUT
474	if [ -s $OUTPUT ] ; then
475		printf "\nChecking for globally exported file systems.\n"
476		cat $OUTPUT
477	fi
478fi
479
480# Display any changes in setuid files and devices.
481#
482if checkyesno check_devices; then
483	> $ERR
484	(find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \
485			-o -fstype procfs \) -a -prune -o \
486	    \( \( -perm -u+s -a ! -type d \) -o \
487	       \( -perm -g+s -a ! -type d \) -o \
488	       -type b -o -type c \) -print0 | \
489	xargs -0 ls -ldgTq | sort +9 > $LIST) 2> $OUTPUT
490
491	# Display any errors that occurred during system file walk.
492	if [ -s $OUTPUT ] ; then
493		printf "Setuid/device find errors:\n" >> $ERR
494		cat $OUTPUT >> $ERR
495		printf "\n" >> $ERR
496	fi
497
498	# Display any changes in the setuid file list.
499	egrep -v '^[bc]' $LIST > $TMP1
500	if [ -s $TMP1 ] ; then
501		# Check to make sure uudecode isn't setuid.
502		if grep -w uudecode $TMP1 > /dev/null ; then
503			printf "\nUudecode is setuid.\n" >> $ERR
504		fi
505
506		CUR=$backup_dir/setuid.current
507		BACK=$backup_dir/setuid.backup
508
509		if [ -s $CUR ] ; then
510			if cmp -s $CUR $TMP1 ; then
511				:
512			else
513				> $TMP2
514				join -110 -210 -v2 $CUR $TMP1 > $OUTPUT
515				if [ -s $OUTPUT ] ; then
516					printf "Setuid additions:\n" >> $ERR
517					tee -a $TMP2 < $OUTPUT >> $ERR
518					printf "\n" >> $ERR
519				fi
520
521				join -110 -210 -v1 $CUR $TMP1 > $OUTPUT
522				if [ -s $OUTPUT ] ; then
523					printf "Setuid deletions:\n" >> $ERR
524					tee -a $TMP2 < $OUTPUT >> $ERR
525					printf "\n" >> $ERR
526				fi
527
528				sort -k10 $TMP2 $CUR $TMP1 | \
529				    sed -e 's/[	 ][	 ]*/ /g' | \
530				    uniq -u > $OUTPUT
531				if [ -s $OUTPUT ] ; then
532					printf "Setuid changes:\n" >> $ERR
533					column -t $OUTPUT >> $ERR
534					printf "\n" >> $ERR
535				fi
536
537				backup_file update $TMP1 $CUR $BACK
538			fi
539		else
540			printf "Setuid additions:\n" >> $ERR
541			column -t $TMP1 >> $ERR
542			printf "\n" >> $ERR
543			backup_file add $TMP1 $CUR $BACK
544		fi
545	fi
546
547	# Check for block and character disk devices that are readable or
548	# writeable or not owned by root.operator.
549	>$TMP1
550	DISKLIST="ccd ch hk hp ld md ra raid rb rd rl rx \
551	    sd se ss uk up vnd wd xd xy"
552#	DISKLIST="$DISKLIST ct mt st wt"
553	for i in $DISKLIST; do
554		egrep "^b.*/${i}[0-9][0-9]*[a-p]$"  $LIST >> $TMP1
555		egrep "^c.*/r${i}[0-9][0-9]*[a-p]$"  $LIST >> $TMP1
556	done
557
558	awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \
559		{ printf "Disk %s is user %s, group %s, permissions %s.\n", \
560		    $11, $3, $4, $1; }' < $TMP1 > $OUTPUT
561	if [ -s $OUTPUT ] ; then
562		printf "\nChecking disk ownership and permissions.\n" >> $ERR
563		cat $OUTPUT >> $ERR
564		printf "\n" >> $ERR
565	fi
566
567	# Display any changes in the device file list.
568	egrep '^[bc]' $LIST | sort -k11 > $TMP1
569	if [ -s $TMP1 ] ; then
570		CUR=$backup_dir/device.current
571		BACK=$backup_dir/device.backup
572
573		if [ -s $CUR ] ; then
574			if cmp -s $CUR $TMP1 ; then
575				:
576			else
577				> $TMP2
578				join -111 -211 -v2 $CUR $TMP1 > $OUTPUT
579				if [ -s $OUTPUT ] ; then
580					printf "Device additions:\n" >> $ERR
581					tee -a $TMP2 < $OUTPUT >> $ERR
582					printf "\n" >> $ERR
583				fi
584
585				join -111 -211 -v1 $CUR $TMP1 > $OUTPUT
586				if [ -s $OUTPUT ] ; then
587					printf "Device deletions:\n" >> $ERR
588					tee -a $TMP2 < $OUTPUT >> $ERR
589					printf "\n" >> $ERR
590				fi
591
592				# Report any block device change. Ignore
593				# character devices, only the name is
594				# significant.
595				cat $TMP2 $CUR $TMP1 | \
596				    sed -e '/^c/d' | \
597				    sort -k11 | \
598				    sed -e 's/[	 ][	 ]*/ /g' | \
599				    uniq -u > $OUTPUT
600				if [ -s $OUTPUT ] ; then
601					printf "Block device changes:\n" >> $ERR
602					column -t $OUTPUT >> $ERR
603					printf "\n" >> $ERR
604				fi
605
606				backup_file update $TMP1 $CUR $BACK
607			fi
608		else
609			printf "Device additions:\n" >> $ERR
610			column -t $TMP1 >> $ERR
611			printf "\n" >> $ERR
612			backup_file add $TMP1 $CUR $BACK >> $ERR
613		fi
614	fi
615	if [ -s $ERR ] ; then
616		printf "\nChecking setuid files and devices:\n"
617		cat $ERR
618		printf "\n"
619	fi
620fi
621
622# Check special files.
623# Check system binaries.
624#
625# Create the mtree tree specifications using:
626#
627#	mtree -cx -pDIR -kcksum,gid,mode,nlink,size,link,time,uid > DIR.secure
628#	chown root:wheel DIR.secure
629#	chmod 600 DIR.secure
630#
631# Note, this is not complete protection against Trojan horsed binaries, as
632# the hacker can modify the tree specification to match the replaced binary.
633# For details on really protecting yourself against modified binaries, see
634# the mtree(8) manual page.
635#
636if checkyesno check_mtree; then
637	mtree -e -l -p / -f /etc/mtree/special > $OUTPUT
638	if [ -s $OUTPUT ]; then
639		printf "\nChecking special files and directories.\n"
640		cat $OUTPUT
641	fi
642
643	> $OUTPUT
644	for file in /etc/mtree/*.secure; do
645		[ $file = '/etc/mtree/*.secure' ] && continue
646		tree=`sed -n -e '3s/.* //p' -e 3q $file`
647		mtree -f $file -p $tree > $TMP1
648		if [ -s $TMP1 ]; then
649			printf "\nChecking $tree:\n" >> $OUTPUT
650			cat $TMP1 >> $OUTPUT
651		fi
652	done
653	if [ -s $OUTPUT ]; then
654		printf "\nChecking system binaries:\n"
655		cat $OUTPUT
656	fi
657fi
658
659# Backup disklabels of available disks
660#
661if checkyesno check_disklabels; then
662		# generate list of old disklabels and remove them
663	ls -1d $backup_dir/disklabel.* 2>/dev/null |
664	    egrep -v '\.(backup|current)(,v)?$' > $LABELS
665	xargs rm < $LABELS
666
667	disks=`iostat -x | awk 'NR > 1 && $1 !~ /^[cfm]d/ { print $1; }'`
668	for i in $disks; do
669		dlf="$backup_dir/disklabel.$i"
670		disklabel $i > $dlf 2>/dev/null
671	done
672
673		# append list of new disklabels, sort list
674	ls -1d $backup_dir/disklabel.* 2>/dev/null |
675	    egrep -v '\.(backup|current)(,v)?$' >> $LABELS
676	sort -u -o $LABELS $LABELS
677	CHANGELIST="$LABELS $CHANGELIST"
678fi
679
680# Check for changes in the list of installed pkgs
681#
682if checkyesno check_pkgs && [ -d $pkg_dbdir ]; then
683	pkgs=$backup_dir/pkgs
684	(	cd $pkg_dbdir
685		pkg_info | sort
686		echo ""
687		find . \( -name +REQUIRED_BY -o -name +CONTENTS \) -print0 |
688			xargs -0 ls -l | sort -t. +1 | sed -e 's, \./, ,'
689	 ) > $pkgs
690	echo $pkgs > $PKGS
691	CHANGELIST="$PKGS $CHANGELIST"
692fi
693
694# List of files that get backed up and checked for any modifications.  Each
695# file is expected to have two backups, $backup_dir/file.{current,backup}.
696# Any changes cause the files to rotate.
697#
698if checkyesno check_changelist && [ -s /etc/changelist ] ; then
699	CHANGELIST="/etc/changelist $CHANGELIST"
700fi
701
702if [ -n "$CHANGELIST" ]; then
703	for file in `egrep -hv "^#|$MP" $CHANGELIST`; do
704		# old changelist backup names
705		OCUR=$backup_dir/${file##*/}.current
706		OBACK=$backup_dir/${file##*/}.backup
707		# new changelist backup names
708		CUR=$backup_dir$file.current
709		BACK=$backup_dir$file.backup
710		# roll over old backups
711		if [ ! -d ${CUR%/*} ]; then
712			mkdir -p ${CUR%/*}
713		fi
714		if [ -f $OCUR -a ! -f $CUR ]; then
715			mv $OCUR $CUR
716		fi
717		if [ -f $OCUR,v -a ! -f $CUR,v ]; then
718			mv $OCUR,v $CUR,v
719		fi
720		if [ -f $OBACK -a ! -f $BACK ]; then
721			mv $OBACK $BACK
722		fi
723		# and down to work
724		if [ -f $file ]; then
725			if [ -f $CUR ] ; then
726				diff $CUR $file > $OUTPUT
727				if [ -s $OUTPUT ] ; then
728		printf "\n======\n%s diffs (OLD < > NEW)\n======\n" $file
729					cat $OUTPUT
730					backup_file update $file $CUR $BACK
731				fi
732			else
733		printf "\n======\n%s added\n======\n" $file
734				diff /dev/null $file
735				backup_file add $file $CUR $BACK
736			fi
737		else
738			if [ -f $CUR ]; then
739		printf "\n======\n%s removed\n======\n" $file
740				diff $CUR /dev/null
741				backup_file remove $file $CUR $BACK
742			fi
743		fi
744	done
745fi
746
747if [ -f /etc/security.local ]; then
748	echo ""
749	echo "Running /etc/security.local:"
750	. /etc/security.local
751fi
752