Annotation of src/etc/security, Revision 1.21
1.1 deraadt 1: #!/bin/sh -
2: #
1.21 ! deraadt 3: # $OpenBSD: security,v 1.20 1997/06/23 02:54:31 millert Exp $
1.13 millert 4: # from: @(#)security 8.1 (Berkeley) 6/9/93
1.1 deraadt 5: #
1.13 millert 6:
1.1 deraadt 7: PATH=/sbin:/usr/sbin:/bin:/usr/bin
8:
9: umask 077
10:
1.7 deraadt 11: DIR=/tmp/_secure$$
12: ERR=$DIR/_secure1
13: TMP1=$DIR/_secure2
14: TMP2=$DIR/_secure3
15: TMP3=$DIR/_secure4
16: LIST=$DIR/_secure5
17: OUTPUT=$DIR/_secure6
1.1 deraadt 18:
1.7 deraadt 19: if ! mkdir $DIR ; then
20: printf "tmp directory %s already exists, looks like:\n" $DIR
21: ls -alF $DIR
22: exit 1
23: fi
1.8 deraadt 24:
1.17 deraadt 25: trap 'rm -rf $DIR' 0 1 15
1.1 deraadt 26:
27: # Check the master password file syntax.
28: MP=/etc/master.passwd
29: awk -F: '{
30: if ($0 ~ /^[ ]*$/) {
31: printf("Line %d is a blank line.\n", NR);
32: next;
33: }
34: if (NF != 10)
35: printf("Line %d has the wrong number of fields.\n", NR);
1.15 millert 36: if ($1 ~ /^[+-]/)
1.2 deraadt 37: next;
38: if ($1 == "")
1.13 millert 39: printf("Line %d has an empty login field.\n", NR);
1.2 deraadt 40: else if ($1 !~ /^[A-Za-z0-9][A-Za-z0-9_-]*$/)
1.1 deraadt 41: printf("Login %s has non-alphanumeric characters.\n", $1);
42: if (length($1) > 8)
43: printf("Login %s has more than 8 characters.\n", $1);
44: if ($2 == "")
45: printf("Login %s has no password.\n", $1);
1.18 gene 46: if ((length($2) != 13 && ($10 ~ /.*sh$/ || $10 == "")) && ($2 !~ /^\$[0-9]+\$/) && system("if grep -q \"^"$1" \" /etc/skeykeys || test -d "$9"/.ssh -a ! -O "$9"/.ssh ; then exit 1 ; fi ; for i in .rhosts .shosts .klogin ; do test -s "$9"/$i -a ! -O "$9"/$i && exit 1 ; done ; exit 0") != 0)
1.1 deraadt 47: printf("Login %s is off but still has a valid shell.\n", $1);
1.9 deraadt 48: if ($3 == 0 && $1 != "root")
1.1 deraadt 49: printf("Login %s has a user id of 0.\n", $1);
50: if ($3 < 0)
51: printf("Login %s has a negative user id.\n", $1);
52: if ($4 < 0)
53: printf("Login %s has a negative group id.\n", $1);
54: }' < $MP > $OUTPUT
55: if [ -s $OUTPUT ] ; then
56: printf "\nChecking the $MP file:\n"
57: cat $OUTPUT
58: fi
59:
60: awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT
61: if [ -s $OUTPUT ] ; then
62: printf "\n$MP has duplicate user names.\n"
63: column $OUTPUT
64: fi
65:
1.9 deraadt 66: awk -F: '{ print $1 " " $3 }' $MP | sort -n +1 | tee $TMP1 |
1.1 deraadt 67: uniq -d -f 1 | awk '{ print $2 }' > $TMP2
68: if [ -s $TMP2 ] ; then
69: printf "\n$MP has duplicate user id's.\n"
70: while read uid; do
71: grep -w $uid $TMP1
72: done < $TMP2 | column
73: fi
74:
75: # Backup the master password file; a special case, the normal backup
76: # mechanisms also print out file differences and we don't want to do
77: # that because this file has encrypted passwords in it.
1.2 deraadt 78: if [ ! -d /var/backups ] ; then
79: mkdir /var/backups
80: chmod 755 /var/backups
81: fi
1.1 deraadt 82: CUR=/var/backups/`basename $MP`.current
83: BACK=/var/backups/`basename $MP`.backup
84: if [ -s $CUR ] ; then
85: if cmp -s $CUR $MP; then
86: :
87: else
88: cp -p $CUR $BACK
89: cp -p $MP $CUR
90: chown root.wheel $CUR
91: fi
92: else
93: cp -p $MP $CUR
94: chown root.wheel $CUR
95: fi
96:
97: # Check the group file syntax.
98: GRP=/etc/group
99: awk -F: '{
100: if ($0 ~ /^[ ]*$/) {
101: printf("Line %d is a blank line.\n", NR);
102: next;
103: }
1.2 deraadt 104: if ($1 ~ /^[+-].*$/)
105: next;
1.1 deraadt 106: if (NF != 4)
107: printf("Line %d has the wrong number of fields.\n", NR);
1.13 millert 108: if ($1 !~ /^[A-za-z0-9][A-za-z0-9_-]*$/)
1.1 deraadt 109: printf("Group %s has non-alphanumeric characters.\n", $1);
110: if (length($1) > 8)
111: printf("Group %s has more than 8 characters.\n", $1);
112: if ($3 !~ /[0-9]*/)
113: printf("Login %s has a negative group id.\n", $1);
114: }' < $GRP > $OUTPUT
115: if [ -s $OUTPUT ] ; then
116: printf "\nChecking the $GRP file:\n"
117: cat $OUTPUT
118: fi
119:
120: awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT
121: if [ -s $OUTPUT ] ; then
122: printf "\n$GRP has duplicate group names.\n"
123: column $OUTPUT
124: fi
125:
126: # Check for root paths, umask values in startup files.
127: # The check for the root paths is problematical -- it's likely to fail
128: # in other environments. Once the shells have been modified to warn
129: # of '.' in the path, the path tests should go away.
130: > $OUTPUT
131: rhome=/root
132: umaskset=no
133: list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login"
134: for i in $list ; do
1.15 millert 135: if [ -s $i ] ; then
1.1 deraadt 136: if egrep umask $i > /dev/null ; then
137: umaskset=yes
138: fi
139: egrep umask $i |
140: awk '$2 % 100 < 20 \
141: { print "Root umask is group writeable" }
142: $2 % 10 < 2 \
143: { print "Root umask is other writeable" }' >> $OUTPUT
1.21 ! deraadt 144: SAVE_PATH=$PATH
! 145: unset PATH
1.1 deraadt 146: /bin/csh -f -s << end-of-csh > /dev/null 2>&1
147: source $i
148: /bin/ls -ldgT \$path > $TMP1
149: end-of-csh
1.21 ! deraadt 150: PATH=$SAVE_PATH
1.1 deraadt 151: awk '{
152: if ($10 ~ /^\.$/) {
153: print "The root path includes .";
154: next;
155: }
156: }
157: $1 ~ /^d....w/ \
158: { print "Root path directory " $10 " is group writeable." } \
159: $1 ~ /^d.......w/ \
160: { print "Root path directory " $10 " is other writeable." }' \
161: < $TMP1 >> $OUTPUT
162: fi
163: done
164: if [ $umaskset = "no" -o -s $OUTPUT ] ; then
165: printf "\nChecking root csh paths, umask values:\n$list\n"
1.13 millert 166: if [ -s $OUTPUT ] ; then
1.1 deraadt 167: cat $OUTPUT
168: fi
169: if [ $umaskset = "no" ] ; then
170: printf "\nRoot csh startup files do not set the umask.\n"
171: fi
172: fi
173:
174: > $OUTPUT
175: rhome=/root
176: umaskset=no
1.20 millert 177: list="/etc/profile ${rhome}/.profile"
1.1 deraadt 178: for i in $list; do
1.15 millert 179: if [ -s $i ] ; then
1.1 deraadt 180: if egrep umask $i > /dev/null ; then
181: umaskset=yes
182: fi
183: egrep umask $i |
184: awk '$2 % 100 < 20 \
185: { print "Root umask is group writeable" } \
186: $2 % 10 < 2 \
187: { print "Root umask is other writeable" }' >> $OUTPUT
1.21 ! deraadt 188: SAVE_PATH=$PATH
! 189: unset PATH
1.1 deraadt 190: /bin/sh << end-of-sh > /dev/null 2>&1
191: . $i
192: list=\`echo \$PATH | /usr/bin/sed -e 's/:/ /g'\`
193: /bin/ls -ldgT \$list > $TMP1
194: end-of-sh
1.21 ! deraadt 195: PATH=$SAVE_PATH
1.1 deraadt 196: awk '{
197: if ($10 ~ /^\.$/) {
198: print "The root path includes .";
199: next;
200: }
201: }
202: $1 ~ /^d....w/ \
203: { print "Root path directory " $10 " is group writeable." } \
204: $1 ~ /^d.......w/ \
205: { print "Root path directory " $10 " is other writeable." }' \
206: < $TMP1 >> $OUTPUT
207:
208: fi
209: done
210: if [ $umaskset = "no" -o -s $OUTPUT ] ; then
211: printf "\nChecking root sh paths, umask values:\n$list\n"
1.13 millert 212: if [ -s $OUTPUT ] ; then
1.1 deraadt 213: cat $OUTPUT
214: fi
215: if [ $umaskset = "no" ] ; then
216: printf "\nRoot sh startup files do not set the umask.\n"
217: fi
218: fi
219:
220: # Root and uucp should both be in /etc/ftpusers.
221: if egrep root /etc/ftpusers > /dev/null ; then
222: :
223: else
224: printf "\nRoot not listed in /etc/ftpusers file.\n"
225: fi
226: if egrep uucp /etc/ftpusers > /dev/null ; then
227: :
228: else
229: printf "\nUucp not listed in /etc/ftpusers file.\n"
230: fi
231:
232: # Uudecode should not be in the /etc/aliases file.
233: if egrep 'uudecode|decode' /etc/aliases; then
234: printf "\nThere is an entry for uudecode in the /etc/aliases file.\n"
235: fi
236:
237: # Files that should not have + signs.
1.2 deraadt 238: list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd"
1.1 deraadt 239: for f in $list ; do
1.6 millert 240: if [ -s $f ] ; then
1.2 deraadt 241: awk '{
1.13 millert 242: if ($0 ~ /^\+@.*$/)
1.2 deraadt 243: next;
1.13 millert 244: if ($0 ~ /^\+.*$/)
1.2 deraadt 245: printf("\nPlus sign in %s file.\n", FILENAME);
246: }' $f
1.1 deraadt 247: fi
248: done
249:
1.13 millert 250: # Check for special users with .rhosts/.shosts files. Only root
251: # should have .rhosts/.shosts files. Also, .rhosts/.shosts
252: # files should not have plus signs.
1.14 millert 253: awk -F: '$1 != "root" && $1 !~ /^[+-]/ && \
1.1 deraadt 254: ($3 < 100 || $1 == "ftp" || $1 == "uucp") \
255: { print $1 " " $6 }' /etc/passwd |
256: while read uid homedir; do
1.2 deraadt 257: for j in .rhosts .shosts; do
1.14 millert 258: # Root owned .rhosts/.shosts files are ok.
1.15 millert 259: if [ -s ${homedir}/$j -a ! -O ${homedir}/$j ] ; then
1.2 deraadt 260: rhost=`ls -ldgT ${homedir}/$j`
261: printf "$uid: $rhost\n"
262: fi
263: done
1.1 deraadt 264: done > $OUTPUT
265: if [ -s $OUTPUT ] ; then
1.2 deraadt 266: printf "\nChecking for special users with .rhosts/.shosts files.\n"
1.1 deraadt 267: cat $OUTPUT
268: fi
269:
1.14 millert 270: awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
1.1 deraadt 271: while read uid homedir; do
1.2 deraadt 272: for j in .rhosts .shosts; do
1.13 millert 273: if [ -s ${homedir}/$j ] ; then
1.2 deraadt 274: awk '{
275: if ($0 ~ /^+@.*$/ )
276: next;
1.4 deraadt 277: if ($0 ~ /^\+[ ]*$/ )
1.2 deraadt 278: printf("%s has + sign in it.\n",
1.13 millert 279: FILENAME);
1.2 deraadt 280: }' ${homedir}/$j
281: fi
282: done
1.1 deraadt 283: done > $OUTPUT
284: if [ -s $OUTPUT ] ; then
1.2 deraadt 285: printf "\nChecking .rhosts/.shosts files syntax.\n"
1.1 deraadt 286: cat $OUTPUT
287: fi
288:
289: # Check home directories. Directories should not be owned by someone else
290: # or writeable.
1.14 millert 291: awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
1.1 deraadt 292: while read uid homedir; do
293: if [ -d ${homedir}/ ] ; then
294: file=`ls -ldgT ${homedir}`
295: printf "$uid $file\n"
296: fi
297: done |
298: awk '$1 != $4 && $4 != "root" \
299: { print "user " $1 " home directory is owned by " $4 }
300: $2 ~ /^-....w/ \
301: { print "user " $1 " home directory is group writeable" }
302: $2 ~ /^-.......w/ \
303: { print "user " $1 " home directory is other writeable" }' > $OUTPUT
304: if [ -s $OUTPUT ] ; then
305: printf "\nChecking home directories.\n"
306: cat $OUTPUT
307: fi
308:
309: # Files that should not be owned by someone else or readable.
1.2 deraadt 310: list=".netrc .rhosts .shosts"
1.14 millert 311: awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
1.1 deraadt 312: while read uid homedir; do
313: for f in $list ; do
314: file=${homedir}/${f}
315: if [ -f $file ] ; then
316: printf "$uid $f `ls -ldgT $file`\n"
317: fi
318: done
319: done |
320: awk '$1 != $5 && $5 != "root" \
321: { print "user " $1 " " $2 " file is owned by " $5 }
1.13 millert 322: $3 ~ /^-...r/ \
323: { print "user " $1 " " $2 " file is group readable" }
1.1 deraadt 324: $3 ~ /^-......r/ \
325: { print "user " $1 " " $2 " file is other readable" }
326: $3 ~ /^-....w/ \
327: { print "user " $1 " " $2 " file is group writeable" }
328: $3 ~ /^-.......w/ \
329: { print "user " $1 " " $2 " file is other writeable" }' > $OUTPUT
330:
331: # Files that should not be owned by someone else or writeable.
332: list=".bashrc .cshrc .emacs .exrc .forward .klogin .login .logout \
333: .profile .tcshrc"
1.14 millert 334: awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
1.1 deraadt 335: while read uid homedir; do
336: for f in $list ; do
337: file=${homedir}/${f}
338: if [ -f $file ] ; then
339: printf "$uid $f `ls -ldgT $file`\n"
340: fi
341: done
342: done |
343: awk '$1 != $5 && $5 != "root" \
344: { print "user " $1 " " $2 " file is owned by " $5 }
345: $3 ~ /^-....w/ \
346: { print "user " $1 " " $2 " file is group writeable" }
347: $3 ~ /^-.......w/ \
348: { print "user " $1 " " $2 " file is other writeable" }' >> $OUTPUT
349: if [ -s $OUTPUT ] ; then
350: printf "\nChecking dot files.\n"
351: cat $OUTPUT
352: fi
353:
354: # Mailboxes should be owned by user and unreadable.
355: ls -l /var/mail | sed 1d | \
356: awk '$3 != $9 \
357: { print "user " $9 " mailbox is owned by " $3 }
358: $1 != "-rw-------" \
359: { print "user " $9 " mailbox is " $1 ", group " $4 }' > $OUTPUT
360: if [ -s $OUTPUT ] ; then
361: printf "\nChecking mailbox ownership.\n"
362: cat $OUTPUT
363: fi
364:
1.13 millert 365: # File systems should not be globally exported.
366: if [ -s /etc/exports ] ; then
367: awk '{
1.19 flipk 368: if (($1 ~ /^#/) || ($1 ~ /^$/))
1.1 deraadt 369: next;
1.13 millert 370: readonly = 0;
371: for (i = 2; i <= NF; ++i) {
1.19 flipk 372: if ($i ~ /^-ro$/)
1.13 millert 373: readonly = 1;
374: else if ($i !~ /^-/)
375: next;
376: }
377: if (readonly)
378: print "File system " $1 " globally exported, read-only."
379: else
380: print "File system " $1 " globally exported, read-write."
381: }' < /etc/exports > $OUTPUT
382: if [ -s $OUTPUT ] ; then
383: printf "\nChecking for globally exported file systems.\n"
384: cat $OUTPUT
385: fi
1.1 deraadt 386: fi
387:
1.5 deraadt 388: # Display any changes in setuid/setgid files and devices.
389: pending="\nChecking setuid/setgid files and devices:\n"
1.1 deraadt 390: (find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \
1.13 millert 391: -o -fstype procfs \) -a -prune -o \
392: -type f -a \( -perm -u+s -o -perm -g+s \) -print0 -o \
393: ! -type d -a ! -type f -a ! -type l -a ! -type s -print0 | \
394: xargs -0 ls -ldgT | sort +9 > $LIST) 2> $OUTPUT
1.1 deraadt 395:
396: # Display any errors that occurred during system file walk.
397: if [ -s $OUTPUT ] ; then
1.2 deraadt 398: printf "${pending}Setuid/device find errors:\n"
399: pending=
1.1 deraadt 400: cat $OUTPUT
401: printf "\n"
402: fi
403:
1.12 millert 404: # Display any changes in the setuid/setgid file list.
1.13 millert 405: egrep -v '^[bc]' $LIST > $TMP1
1.1 deraadt 406: if [ -s $TMP1 ] ; then
407: # Check to make sure uudecode isn't setuid.
408: if grep -w uudecode $TMP1 > /dev/null ; then
1.2 deraadt 409: printf "${pending}\nUudecode is setuid.\n"
410: pending=
1.1 deraadt 411: fi
412:
413: CUR=/var/backups/setuid.current
414: BACK=/var/backups/setuid.backup
415:
416: if [ -s $CUR ] ; then
417: if cmp -s $CUR $TMP1 ; then
418: :
419: else
420: > $TMP2
1.13 millert 421: join -110 -210 -v2 $CUR $TMP1 > $OUTPUT
1.1 deraadt 422: if [ -s $OUTPUT ] ; then
1.2 deraadt 423: printf "${pending}Setuid additions:\n"
424: pending=
1.1 deraadt 425: tee -a $TMP2 < $OUTPUT
426: printf "\n"
427: fi
428:
1.13 millert 429: join -110 -210 -v1 $CUR $TMP1 > $OUTPUT
1.1 deraadt 430: if [ -s $OUTPUT ] ; then
1.2 deraadt 431: printf "${pending}Setuid deletions:\n"
432: pending=
1.1 deraadt 433: tee -a $TMP2 < $OUTPUT
434: printf "\n"
435: fi
436:
1.13 millert 437: sort +9 $TMP2 $CUR $TMP1 | \
1.1 deraadt 438: sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT
439: if [ -s $OUTPUT ] ; then
1.2 deraadt 440: printf "${pending}Setuid changes:\n"
441: pending=
1.1 deraadt 442: column -t $OUTPUT
443: printf "\n"
444: fi
445:
446: cp $CUR $BACK
447: cp $TMP1 $CUR
448: fi
449: else
1.2 deraadt 450: printf "${pending}Setuid additions:\n"
451: pending=
1.1 deraadt 452: column -t $TMP1
453: printf "\n"
454: cp $TMP1 $CUR
455: fi
456: fi
457:
458: # Check for block and character disk devices that are readable or writeable
459: # or not owned by root.operator.
460: >$TMP1
1.13 millert 461: DISKLIST="ccd dk fd hd hk hp jb kra ra rb rd rl rx rz sd up vnd wd xd"
1.1 deraadt 462: for i in $DISKLIST; do
1.11 tholo 463: egrep "^b.*/${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1
464: egrep "^c.*/r${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1
1.1 deraadt 465: done
466:
467: awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \
468: { printf("Disk %s is user %s, group %s, permissions %s.\n", \
469: $11, $3, $4, $1); }' < $TMP1 > $OUTPUT
470: if [ -s $OUTPUT ] ; then
471: printf "\nChecking disk ownership and permissions.\n"
472: cat $OUTPUT
473: printf "\n"
474: fi
475:
476: # Display any changes in the device file list.
477: egrep '^[bc]' $LIST | sort +10 > $TMP1
478: if [ -s $TMP1 ] ; then
479: CUR=/var/backups/device.current
480: BACK=/var/backups/device.backup
481:
482: if [ -s $CUR ] ; then
483: if cmp -s $CUR $TMP1 ; then
484: :
485: else
486: > $TMP2
487: join -111 -211 -v2 $CUR $TMP1 > $OUTPUT
488: if [ -s $OUTPUT ] ; then
489: printf "Device additions:\n"
490: tee -a $TMP2 < $OUTPUT
491: printf "\n"
492: fi
493:
494: join -111 -211 -v1 $CUR $TMP1 > $OUTPUT
495: if [ -s $OUTPUT ] ; then
496: printf "Device deletions:\n"
497: tee -a $TMP2 < $OUTPUT
498: printf "\n"
499: fi
500:
501: # Report any block device change. Ignore character
502: # devices, only the name is significant.
503: cat $TMP2 $CUR $TMP1 | \
504: sed -e '/^c/d' | \
505: sort +10 | \
506: sed -e 's/[ ][ ]*/ /g' | \
507: uniq -u > $OUTPUT
508: if [ -s $OUTPUT ] ; then
509: printf "Block device changes:\n"
510: column -t $OUTPUT
511: printf "\n"
512: fi
513:
514: cp $CUR $BACK
515: cp $TMP1 $CUR
516: fi
517: else
518: printf "Device additions:\n"
519: column -t $TMP1
520: printf "\n"
521: cp $TMP1 $CUR
522: fi
523: fi
524:
525: # Check special files.
526: # Check system binaries.
527: #
528: # Create the mtree tree specifications using:
529: #
530: # mtree -cx -pDIR -kcksum,gid,mode,nlink,size,link,time,uid > DIR.secure
1.2 deraadt 531: # chown root.wheel DIR.secure
532: # chmod 600 DIR.secure
1.1 deraadt 533: #
534: # Note, this is not complete protection against Trojan horsed binaries, as
535: # the hacker can modify the tree specification to match the replaced binary.
536: # For details on really protecting yourself against modified binaries, see
537: # the mtree(8) manual page.
1.13 millert 538: if [ -d /etc/mtree ] ; then
1.2 deraadt 539: cd /etc/mtree
1.1 deraadt 540: mtree -e -p / -f /etc/mtree/special > $OUTPUT
541: if [ -s $OUTPUT ] ; then
542: printf "\nChecking special files and directories.\n"
543: cat $OUTPUT
544: fi
545:
546: > $OUTPUT
547: for file in *.secure; do
1.2 deraadt 548: [ $file = '*.secure' ] && continue
1.1 deraadt 549: tree=`sed -n -e '3s/.* //p' -e 3q $file`
550: mtree -f $file -p $tree > $TMP1
1.13 millert 551: if [ -s $TMP1 ] ; then
1.1 deraadt 552: printf "\nChecking $tree:\n" >> $OUTPUT
553: cat $TMP1 >> $OUTPUT
554: fi
555: done
556: if [ -s $OUTPUT ] ; then
557: printf "\nChecking system binaries:\n"
558: cat $OUTPUT
559: fi
1.2 deraadt 560: else
561: echo /etc/mtree is missing
1.1 deraadt 562: fi
563:
564: # List of files that get backed up and checked for any modifications. Each
565: # file is expected to have two backups, /var/backups/file.{current,backup}.
566: # Any changes cause the files to rotate.
567: if [ -s /etc/changelist ] ; then
568: for file in `cat /etc/changelist`; do
569: CUR=/var/backups/`basename $file`.current
570: BACK=/var/backups/`basename $file`.backup
1.13 millert 571: if [ -s $file ] ; then
1.1 deraadt 572: if [ -s $CUR ] ; then
573: diff $CUR $file > $OUTPUT
574: if [ -s $OUTPUT ] ; then
575: printf "\n======\n%s diffs (OLD < > NEW)\n======\n" $file
576: cat $OUTPUT
577: cp -p $CUR $BACK
578: cp -p $file $CUR
579: chown root.wheel $CUR $BACK
580: fi
581: else
582: cp -p $file $CUR
583: chown root.wheel $CUR
584: fi
585: fi
586: done
587: fi