src - OpenBSD base system

diff options


context:
space:
mode:

author	Ingo Schwarze <schwarze@cvs.openbsd.org>	2011-04-17 21:35:23 +0000
committer	Ingo Schwarze <schwarze@cvs.openbsd.org>	2011-04-17 21:35:23 +0000
commit	9cb005d509dedaa074012f87db4b9dc88c03f1f1 (patch)
tree	25974b9aff4dd7e94e1d9f77a4c7e44793e5c6df /etc
parent	d15af56d674e7e6b1df409f114e6a6971e251091 (diff)

Replaced by src/libexec/security a few minutes ago;

deraadt@ suggests to remove the old file right away.

Diffstat (limited to 'etc')

-rw-r--r--

etc/security

664

1 files changed, 0 insertions, 664 deletions

diff --git a/etc/security b/etc/security
deleted file mode 100644
index d767a1c9e60..00000000000
--- a/etc/security
+++ /dev/null

@@ -1,664 +0,0 @@

-# $OpenBSD: security,v 1.88 2009/06/03 14:45:39 jj Exp $

-# from: @(#)security 8.1 (Berkeley) 6/9/93

-PATH=/bin:/usr/bin:/sbin:/usr/sbin

-umask 077

-DIR=`mktemp -d /tmp/_secure.XXXXXXXXXX` || exit 1

-TMP1=$DIR/_secure2

-TMP2=$DIR/_secure3

-LIST=$DIR/_secure5

-trap 'rm -rf $DIR; exit 1' 0 1 2 3 13 15

-# Check the master password file syntax.

-MP=/etc/master.passwd

-next_part "Checking the ${MP} file:"

-awk -F: '{

- if ($0 ~ /^[ ]*$/) {

- printf("Line %d is a blank line.\n", NR);

- next;

- }

- if (NF != 10)

- printf("Line %d has the wrong number of fields:\n%s\n", NR, $0);

- if ($1 ~ /^[+-]/)

- next;

- if ($1 == "")

- printf("Line %d has an empty login field:\n%s\n", NR, $0);

- else if ($1 !~ /^[A-Za-z0-9_][A-Za-z0-9_\-\.]*\$?$/)

- printf("Login %s has non-alphanumeric characters.\n", $1);

- if (length($1) > 31)

- printf("Login %s has more than 31 characters.\n", $1);

- if ($2 == "")

- printf("Login %s has no password.\n", $1);

- if ($2 != "" && length($2) != 13 && ($10 ~ /.*sh$/ || $10 == "") &&

- ($2 !~ /^\$[0-9a-f]+\$/) && ($2 != "skey")) {

- if (system("test -s /etc/skey/"$1"") == 0)

- printf("Login %s is off but still has a valid shell and an entry in /etc/skey.\n", $1);

- if (system("test -d "$9" -a ! -r "$9"") == 0)

- printf("Login %s is off but still has valid shell and home directory is unreadable\n\t by root; cannot check for existence of alternate access files.\n", $1);

- else if (system("for file in .ssh .rhosts .shosts .klogin; do if test -e "$9"/$file; then if ((ls -ld "$9"/$file | cut -b 2-10 | grep -q r) && (test ! -O "$9"/$file)) ; then exit 1; fi; fi; done"))

- printf("Login %s is off but still has a valid shell and alternate access files in\n\t home directory are still readable.\n",$1);

- }

- if ($3 == 0 && $1 != "root")

- printf("Login %s has a user ID of 0.\n", $1);

- if ($3 < 0)

- printf("Login %s has a negative user ID.\n", $1);

- if ($4 < 0)

- printf("Login %s has a negative group ID.\n", $1);

- if (int($7) != 0 && system("test "$7" -lt `date +%s`") == 0)

- printf("Login %s has expired.\n", $1);

-}' < $MP

-next_part "${MP} has duplicate user names."

-awk -F: '{ print $1 }' $MP | sort | uniq -d | column

-next_part "${MP} has duplicate user IDs."

-awk -F: '/^[^\+]/ { print $1 " " $3 }' $MP | sort -n +1 | tee $TMP1 |

-uniq -d -f 1 | awk '{ print $2 }' > $TMP2

-if [ -s $TMP2 ] ; then

- while read uid; do

- grep -w $uid $TMP1

- done < $TMP2 | column

-fi

-# Backup the master password file; a special case, the normal backup

-# mechanisms also print out file differences and we don't want to do

-# that because this file has encrypted passwords in it.

-if [ ! -d /var/backups ] ; then

- mkdir /var/backups

- chmod 700 /var/backups

-fi

-CUR=/var/backups/`basename $MP`.current

-BACK=/var/backups/`basename $MP`.backup

-if [ -s $CUR ] ; then

- if cmp -s $CUR $MP; then

- :

- else

- cp -p $CUR $BACK

- cp -p $MP $CUR

- chown root:wheel $CUR

- fi

-else

- cp -p $MP $CUR

- chown root:wheel $CUR

-fi

-# Check the group file syntax.

-GRP=/etc/group

-next_part "Checking the ${GRP} file:"

-awk -F: '{

- if ($0 ~ /^[ ]*$/) {

- printf("Line %d is a blank line.\n", NR);

- next;

- }

- if ($1 ~ /^[+-].*$/)

- next;

- if (NF != 4)

- printf("Line %d has the wrong number of fields:\n%s\n", NR, $0);

- if ($1 !~ /^[A-Za-z0-9_][A-Za-z0-9_\-\.]*$/)

- printf("Group %s has non-alphanumeric characters.\n", $1);

- if (length($1) > 31)

- printf("Group %s has more than 31 characters.\n", $1);

- if ($3 !~ /^[0-9]*$/)

- printf("Group %s has an invalid group ID.\n", $1);

-}' < $GRP

-next_part "${GRP} has duplicate group names."

-awk -F: '{ print $1 }' $GRP | sort | uniq -d | column

-# Check for root paths, umask values in startup files.

-# The check for the root paths is problematical -- it's likely to fail

-# in other environments. Once the shells have been modified to warn

-# of '.' in the path, the path tests should go away.

-rhome=/root

-umaskset=no

-list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login"

-next_part "Checking root csh paths, umask values:\n${list}"

-for i in $list ; do

- if [ -s $i ] ; then

- if egrep -aq '[[:space:]]*umask[[:space:]]' $i ; then

- umaskset=yes

- fi

- awk '{

- if ($1 == "umask") {

- if ($2 % 100 / 10 ~ /^[0145]/)

- print "Root umask is group writable";

- if ($2 % 10 ~ /^[0145]/)

- print "Root umask is other writable";

- }

- }' < $i

- SAVE_PATH=$PATH

- unset PATH

- /bin/csh -f -s << end-of-csh > /dev/null 2>&1

- source $i

- if (\$?path) then

- /bin/ls -ldgT \$path > $TMP1

- else

- cat /dev/null > $TMP1

- endif

-end-of-csh

- PATH=$SAVE_PATH

- awk '{

- if ($10 ~ /^\.$/) {

- print "The root path includes .";

- next;

- }

- $1 ~ /^d....w/ \

- { print "Root path directory " $10 " is group writable." } \

- $1 ~ /^d.......w/ \

- { print "Root path directory " $10 " is other writable." }' \

- < $TMP1

- fi

-done

-if [ $umaskset = "no" ] ; then

- echo "\nRoot csh startup files do not set the umask."

-fi

-> $TMP2

-rhome=/root

-umaskset=no

-list="/etc/profile ${rhome}/.profile"

-next_part "Checking root sh paths, umask values:\n${list}"

-for i in $list; do

- if [ -s $i ] ; then

- if egrep -a umask $i > /dev/null ; then

- umaskset=yes

- fi

- egrep -a umask $i |

- awk '$2 % 100 < 20 \

- { print "Root umask is group writable" } \

- $2 % 10 < 2 \

- { print "Root umask is other writable" }'

- SAVE_PATH=$PATH

- SAVE_ENV=$ENV

- unset PATH ENV

- /bin/sh << end-of-sh > /dev/null 2>&1

- . $i

- if [ X"\$PATH" != "X" ]; then

- list=\`echo \$PATH | /usr/bin/sed -e 's/:/ /g'\`

- /bin/ls -ldgT \$list > $TMP1

- else

- > $TMP1

- fi

- echo \$ENV >> $TMP2

-end-of-sh

- PATH=$SAVE_PATH

- ENV=$SAVE_ENV

- awk '{

- if ($10 ~ /^\.$/) {

- print "The root path includes .";

- next;

- }

- $1 ~ /^d....w/ \

- { print "Root path directory " $10 " is group writable." } \

- $1 ~ /^d.......w/ \

- { print "Root path directory " $10 " is other writable." }' \

- < $TMP1

- fi

-done

-if [ $umaskset = "no" ] ; then

- echo "\nRoot sh startup files do not set the umask."

-fi

-# A good .kshrc will not have a umask or path, that being set in .profile

-# check anyway.

-rhome=/root

-list="/etc/ksh.kshrc `cat $TMP2`"

-next_part "Checking root ksh paths, umask values:\n${list}"

-(cd $rhome

- for i in $list; do

- if [ -s $i ] ; then

- egrep -a umask $i |

- awk '$2 % 100 < 20 \

- { print "Root umask is group writable" } \

- $2 % 10 < 2 \

- { print "Root umask is other writable" }'

- if egrep -a PATH= $i > /dev/null ; then

- SAVE_PATH=$PATH

- unset PATH

- /bin/ksh << end-of-sh > /dev/null 2>&1

- . $i

- if [ X"\$PATH" != "X" ]; then

- list=\`echo \$PATH | /usr/bin/sed -e 's/:/ /g'\`

- /bin/ls -ldgT \$list > $TMP1

- else

- > $TMP1

- fi

-end-of-sh

- PATH=$SAVE_PATH

- awk '{

- if ($10 ~ /^\.$/) {

- print "The root path includes .";

- next;

- }

- $1 ~ /^d....w/ \

- { print "Root path directory " $10 " is group writable." } \

- $1 ~ /^d.......w/ \

- { print "Root path directory " $10 " is other writable." }' \

- < $TMP1

- fi

- done

-next_part "Checking configuration files:"

-# Root and uucp should both be in /etc/ftpusers.

-if egrep root /etc/ftpusers > /dev/null ; then

- :

-else

- echo "Root not listed in /etc/ftpusers file."

-fi

-if egrep uucp /etc/ftpusers > /dev/null ; then

- :

-else

- echo "Uucp not listed in /etc/ftpusers file."

-fi

-# Uudecode should not be in the /etc/mail/aliases file.

-if egrep 'uudecode|decode' /etc/mail/aliases; then

- echo "There is an entry for uudecode in the /etc/mail/aliases file."

-fi

-# hostname.if files may contain secrets and should not be

-# world-readable.

-for f in /etc/hostname.* ; do

- if [ ! -e $f ]; then

- continue

- fi

- if [ "$(stat -Lf "%SLp" $f)" != "---" ]; then

- echo "$f is world readable."

- fi

-done

-# Files that should not have + signs.

-list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd"

-for f in $list ; do

- if [ -s $f ] ; then

- awk '{

- if ($0 ~ /^\+@.*$/)

- next;

- if ($0 ~ /^\+.*$/)

- printf("Plus sign in %s file.\n", FILENAME);

- }' $f

- fi

-done

-# Check for special users with .rhosts/.shosts files. Only root

-# should have .rhosts/.shosts files. Also, .rhosts/.shosts

-# files should not have plus signs.

-next_part "Checking for special users with .rhosts/.shosts files."

-awk -F: '$1 != "root" && $1 !~ /^[+-]/ && \

- ($3 < 100 || $1 == "ftp" || $1 == "uucp") \

- { print $1 " " $6 }' /etc/passwd |

-while read uid homedir; do

- for j in .rhosts .shosts; do

- # Root owned .rhosts/.shosts files are ok.

- if [ -s ${homedir}/$j -a ! -O ${homedir}/$j ] ; then

- rhost=`ls -ldgT ${homedir}/$j`

- echo "${uid}: ${rhost}"

- fi

- done

-done

-next_part "Checking .rhosts/.shosts files syntax."

-awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \

-while read uid homedir; do

- for j in .rhosts .shosts; do

- if [ -s ${homedir}/$j ] ; then

- awk '{

- if ($0 ~ /^+@.*$/ )

- next;

- if ($0 ~ /^\+[ ]*$/ )

- printf("%s has + sign in it.\n",

- FILENAME);

- }' ${homedir}/$j

- fi

- done

-done

-# Check home directories. Directories should not be owned by someone else

-# or writeable.

-next_part "Checking home directories."

-awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \

-while read uid homedir; do

- if [ -d ${homedir}/ ] ; then

- file=`ls -ldgT ${homedir}`

- echo "${uid} ${file}"

- fi

-done |

-awk '$1 != $4 && $4 != "root" \

- { print "user " $1 " home directory is owned by " $4 }

- $2 ~ /^-....w/ \

- { print "user " $1 " home directory is group writable" }

- $2 ~ /^-.......w/ \

- { print "user " $1 " home directory is other writable" }'

-# Files that should not be owned by someone else or readable.

-list=".netrc .rhosts .gnupg/secring.gpg .gnupg/random_seed \

- .pgp/secring.pgp .shosts .ssh/identity .ssh/id_dsa .ssh/id_rsa"

-next_part "Checking dot files."

-awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \

-while read uid homedir; do

- for f in $list ; do

- file=${homedir}/${f}

- if [ -f $file ] ; then

- echo "${uid} ${f} `ls -ldgT ${file}`"

- fi

- done

-done |

-awk '$1 != $5 && $5 != "root" \

- { print "user " $1 " " $2 " file is owned by " $5 }

- $3 ~ /^-...r/ \

- { print "user " $1 " " $2 " file is group readable" }

- $3 ~ /^-......r/ \

- { print "user " $1 " " $2 " file is other readable" }

- $3 ~ /^-....w/ \

- { print "user " $1 " " $2 " file is group writable" }

- $3 ~ /^-.......w/ \

- { print "user " $1 " " $2 " file is other writable" }'

-# Files that should not be owned by someone else or writeable.

-list=".bashrc .bash_profile .bash_login .bash_logout .cshrc \

- .emacs .exrc .forward .fvwmrc .inputrc .klogin .kshrc .login \

- .logout .nexrc .profile .screenrc .ssh .ssh/config \

- .ssh/authorized_keys .ssh/authorized_keys2 .ssh/environment \

- .ssh/known_hosts .ssh/rc .tcshrc .twmrc .xsession .xinitrc \

- .Xdefaults .Xauthority"

-awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \

-while read uid homedir; do

- for f in $list ; do

- file=${homedir}/${f}

- if [ -f $file ] ; then

- echo "${uid} ${f} `ls -ldgT ${file}`"

- fi

- done

-done |

-awk '$1 != $5 && $5 != "root" \

- { print "user " $1 " " $2 " file is owned by " $5 }

- $3 ~ /^-....w/ \

- { print "user " $1 " " $2 " file is group writable" }

- $3 ~ /^-.......w/ \

- { print "user " $1 " " $2 " file is other writable" }'

-# Mailboxes should be owned by user and unreadable.

-next_part "Checking mailbox ownership."

-ls -l /var/mail | sed 1d | \

-awk '$3 != $9 \

- { print "user " $9 " mailbox is owned by " $3 }

- $1 != "-rw-------" \

- { print "user " $9 " mailbox is " $1 ", group " $4 }'

-# File systems should not be globally exported.

-next_part "Checking for globally exported file systems."

-if [ -s /etc/exports ] ; then

- awk '{

- if (($1 ~ /^#/) || ($1 ~ /^$/))

- next;

- readonly = 0;

- for (i = 2; i <= NF; ++i) {

- if ($i ~ /^-ro$/)

- readonly = 1;

- else if ($i !~ /^-/ || $i ~ /^-network/)

- next;

- }

- if (readonly)

- print "File system " $1 " globally exported, read-only."

- else

- print "File system " $1 " globally exported, read-write."

- }' < /etc/exports

-fi

-# Display any changes in setuid/setgid files and devices.

-next_part "Setuid/device find errors:"

-( set -o noglob

- find / \

- \( ! -fstype local -o -fstype procfs -o -fstype afs -o -fstype nnpfs \

- `for f in $SUIDSKIP; do echo -o -path $f; done` \

- \) -a -prune -o \

- -type f -a $ -perm -u+s -o -perm -g+s $ -print0 -o \

- ! -type d -a ! -type f -a ! -type l -a ! -type s -a ! -type p \

- -print0 | xargs -0 -r ls -ldgT | sort +9 > $LIST

-# Display any changes in the setuid/setgid file list.

-next_part "Checking setuid/setgid files and devices:"

-FIELDS1=1.1,1.2,1.3,1.4,1.5,1.6,1.7,1.8,1.9,0

-FIELDS2=2.1,2.2,2.3,2.4,2.5,2.6,2.7,2.8,2.9,0

-egrep -av '^[bc]' $LIST | join -o $FIELDS2 -110 -210 -v2 /dev/null - > $TMP1

-if [ -s $TMP1 ] ; then

- # Check to make sure uudecode isn't setuid.

- if grep -aw uudecode $TMP1 > /dev/null ; then

- echo "Uudecode is setuid."

- fi

- CUR=/var/backups/setuid.current

- BACK=/var/backups/setuid.backup

- if [ -s $CUR ] ; then

- if cmp -s $CUR $TMP1 ; then

- :

- else

- next_part "Setuid additions:"

- join -o $FIELDS2 -110 -210 -v2 $CUR $TMP1 | \

- tee $TMP2 | column -t

- next_part "Setuid deletions:"

- join -o $FIELDS1 -110 -210 -v1 $CUR $TMP1 | \

- tee -a $TMP2 | column -t

- next_part "Setuid changes:"

- sort +9 $TMP2 $CUR $TMP1 | \

- sed -e 's/[ ][ ]*/ /g' | uniq -u | column -t

- cp $CUR $BACK

- cp $TMP1 $CUR

- fi

- else

- next_part "Setuid additions:"

- column -t $TMP1

- cp $TMP1 $CUR

- fi

-fi

-# Check for block and character disk devices that are readable or writeable

-# or not owned by root.operator.

-next_part "Checking disk ownership and permissions."

->$TMP1

-DISKLIST="ccd dk fd hd hk hp jb kra ra rb rd rl rx rz sd up vnd wd xd"

-for i in $DISKLIST; do

- egrep "^b.*/${i}[0-9][0-9]*[B-H]?[a-p]$" $LIST >> $TMP1

- egrep "^c.*/r${i}[0-9][0-9]*[B-H]?[a-p]$" $LIST >> $TMP1

-done

-awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \

- { printf("Disk %s is user %s, group %s, permissions %s.\n", \

- $11, $3, $4, $1); }' < $TMP1

-FIELDS1=1.1,1.2,1.3,1.4,1.5,1.6,1.7,1.8,1.9,1.10,0

-FIELDS2=2.1,2.2,2.3,2.4,2.5,2.6,2.7,2.8,2.9,2.10,0

-# Display any changes in the device file list.

-egrep -a '^[bc]' $LIST | sort +10 | \

- join -o $FIELDS2 -111 -211 -v2 /dev/null - > $TMP1

-if [ -s $TMP1 ] ; then

- CUR=/var/backups/device.current

- BACK=/var/backups/device.backup

- if [ -s $CUR ] ; then

- if cmp -s $CUR $TMP1 ; then

- :

- else

- next_part "Device additions:"

- join -o $FIELDS2 -111 -211 -v2 $CUR $TMP1 | \

- tee $TMP2 | column -t

- next_part "Device deletions:"

- join -o $FIELDS1 -111 -211 -v1 $CUR $TMP1 | \

- tee -a $TMP2 | column -t

- # Report any block device change. Ignore character

- # devices, only the name is significant.

- next_part "Block device changes:"

- cat $TMP2 $CUR $TMP1 | \

- sed -e '/^c/d' | \

- sort +10 | \

- sed -e 's/[ ][ ]*/ /g' | \

- uniq -u | \

- column -t

- cp $CUR $BACK

- cp $TMP1 $CUR

- fi

- else

- next_part "Device additions:"

- column -t $TMP1

- cp $TMP1 $CUR

- fi

-fi

-# Check special files.

-# Check system binaries.

-# Create the mtree tree specifications using:

-# mtree -cx -p DIR -K md5digest,type >/etc/mtree/DIR.secure

-# chown root:wheel /etc/mtree/DIR.secure

-# chmod 600 /etc/mtree/DIR.secure

-# Note, this is not complete protection against Trojan horsed binaries, as

-# the hacker can modify the tree specification to match the replaced binary.

-# For details on really protecting yourself against modified binaries, see

-# the mtree(8) manual page.

-next_part "Checking special files and directories.

-Output format is:\n\tfilename:\n\t\tcriteria (shouldbe, reallyis)"

-if [ -d /etc/mtree ] ; then

- cd /etc/mtree

- mtree -e -l -p / -f /etc/mtree/special

- for file in *.secure; do

- [ $file = '*.secure' ] && continue

- tree=`sed -n -e '3s/.* //p' -e 3q $file`

- next_part "Checking system binaries in ${tree}:"

- mtree -f $file -p $tree

- done

-else

- echo /etc/mtree is missing

-fi

-# List of files that get backed up and checked for any modifications. Each

-# file is expected to have two backups, /var/backups/file.{current,backup}.

-# Any changes cause the files to rotate.

-_fnchg() {

- echo "$1" | sed 's/^\///;s/\//_/g'

-if [ -s /etc/changelist ] ; then

- for file in `egrep -v "^(#|\+|$MP)" /etc/changelist`; do

- CUR=/var/backups/$(_fnchg "$file").current

- BACK=/var/backups/$(_fnchg "$file").backup

- next_part "======\n${file} diffs (-OLD +NEW)\n======"

- if [ -s $file -a ! -d $file ] ; then

- if [ -s $CUR ] ; then

- diff -ua $CUR $file

- if [ -s $PARTOUT ] ; then

- cp -p $CUR $BACK

- cp -p $file $CUR

- chown root:wheel $CUR $BACK

- fi

- else

- diff -u /dev/null $file

- cp -p $file $CUR

- chown root:wheel $CUR

- fi

- if [ ! -s $file -a -s $CUR ]; then

- diff -u $CUR /dev/null

- cp -p $CUR $BACK

- rm -f $CUR

- chown root:wheel $BACK

- fi

- done

- for file in `sed -n 's/^+//p' /etc/changelist`; do

- CUR=/var/backups/$(_fnchg "$file").current.md5

- BACK=/var/backups/$(_fnchg "$file").backup.md5

- if [ -s $file -a ! -d $file ] ; then

- MD5_NEW=`md5 $file | sed 's/^.* //'`

- if [ -s $CUR ] ; then

- MD5_OLD="`cat $CUR`"

- if [ "$MD5_NEW" != "$MD5_OLD" ]; then

- next_part "======\n${file} MD5 checksums\n======"

- echo "OLD: $MD5_OLD"

- echo "NEW: $MD5_NEW"

- cp -p $CUR $BACK

- echo $MD5_NEW > $CUR

- chown root:wheel $CUR $BACK

- chmod 600 $CUR

- fi

- else

- next_part "======\n${file} new MD5 checksum\n======"

- echo "NEW: $MD5_NEW"

- echo $MD5_NEW > $CUR

- chown root:wheel $CUR

- chmod 600 $CUR

- fi

- if [ ! -s $file -a -s $CUR ]; then

- MD5_OLD="`cat $CUR`"

- next_part "======\n${file} removed MD5 checksum\n======"

- echo "OLD: $MD5_OLD"

- cp -p $CUR $BACK

- rm $CUR

- chown root:wheel $BACK

- fi

- done

-fi

-# Make backups of the labels for any mounted disks and produce diffs

-# when they change.

-for d in `df -ln | sed -n 's:^/dev/$[a-z]*[0-9]*$[a-p].*$:\1:p' | sort -u`; do

- file=/var/backups/disklabel.$d

- CUR=$file.current

- BACK=$file.backup

- next_part "======\n${d} diffs (-OLD +NEW)\n======"

- if disklabel $d > $file 2>&1 ; then

- if [ -s $CUR ] ; then

- diff -u $CUR $file

- if [ -s $PARTOUT ] ; then

- cp -p $CUR $BACK

- cp -p $file $CUR

- chown root:wheel $CUR $BACK

- fi

- else

- cp -p $file $CUR

- chown root:wheel $CUR

- fi

- rm -f $file

-done

-# Backup the list of installed packages and produce diffs when it changes.

-next_part "======\nPackage list changes (-OLD +NEW)\n======"

-file=/var/backups/pkglist

-CUR=$file.current

-BACK=$file.backup

-if pkg_info > $file 2>&1 ; then

- if [ -s $CUR ] ; then

- diff -u $CUR $file

- if [ -s $PARTOUT ] ; then

- cp -p $CUR $BACK

- cp -p $file $CUR

- chown root:wheel $CUR $BACK

- fi

- else

- cp -p $file $CUR

- chown root:wheel $CUR

- fi

-fi

-rm -f $file