freebsd-skq/etc/periodic/daily/200.backup-passwd
cjc 05f295d22b After further discussion on -CURRENT, some people (jhb) do not like
the idea of not masking passwords on comments in case the
administrator comments out an entry without clearing the
password. Instead completely ignore comments (since they have no
security impact) when doing the diff of the old and new passwd file.

Suggested by:	rwatson
2001-11-14 09:30:01 +00:00


#!/bin/sh
#
# $FreeBSD$
#
# Load the system-wide periodic defaults when that file is readable.
# source_periodic_confs is not defined in this script; it is expected to be
# provided by the file sourced just before the call.
#
if test -r /etc/defaults/periodic.conf; then
	. /etc/defaults/periodic.conf
	source_periodic_confs
fi
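# Back up /etc/master.passwd and /etc/group into /var/backups and print what
# changed since the previous run.  Runs only when daily_backup_passwd_enable
# is "yes" (any letter case); any other value exits 0 without doing anything.
#
# Exit status, as assigned below:
#   0  nothing to report, or the check is disabled
#   1  a backup file was missing or a watched file changed
#   2  /etc/master.passwd or /etc/group does not exist
#   3  a copy, a backup rotation or chkgrp failed
case "$daily_backup_passwd_enable" in
[Yy][Ee][Ss])
	if [ ! -f /etc/master.passwd ]
	then
		# Single quotes keep the variable *name* literal in the message.
		echo '$daily_backup_passwd_enable is set but /etc/master.passwd' \
		    "doesn't exist"
		rc=2
	elif [ ! -f /etc/group ]
	then
		echo '$daily_backup_passwd_enable is set but /etc/group' \
		    "doesn't exist"
		rc=2
	else
		bak=/var/backups
		rc=0

		echo ""
		echo "Backup passwd and group files:"

		# The backup is a full copy of master.passwd, password hashes
		# included.  cp -p carries the source file's mode and ownership
		# over to the copy, so the copy is only as well protected as
		# /etc/master.passwd itself and the $bak directory.
		if [ ! -f "$bak/master.passwd.bak" ]
		then
			rc=1
			echo "no $bak/master.passwd.bak"
			cp -p /etc/master.passwd "$bak/master.passwd.bak" || rc=3
		fi

		if ! cmp -s "$bak/master.passwd.bak" /etc/master.passwd
		then
			[ "$rc" -lt 1 ] && rc=1
			# NOTE(review): $host is not assigned in this script;
			# presumably the caller or the sourced config sets it.
			echo "$host passwd diffs:"
			# diff -I '^#' suppresses only hunks in which every changed
			# line is a comment.  A hunk that mixes comment and entry
			# changes is still printed whole, so the sed below is what
			# keeps hashes out of the report: it rewrites the second
			# colon-separated field of every "<" / ">" line, commented
			# entries included.
			diff -I '^#' "$bak/master.passwd.bak" /etc/master.passwd |
			    sed 's/^\([<>] [^:]*\):[^:]*:/\1:(password):/'
			# A failed rotation means the previous generation is lost
			# when the cp below overwrites it, so report it.
			mv "$bak/master.passwd.bak" "$bak/master.passwd.bak2" || rc=3
			cp -p /etc/master.passwd "$bak/master.passwd.bak" || rc=3
		fi

		if [ ! -f "$bak/group.bak" ]
		then
			[ "$rc" -lt 1 ] && rc=1
			echo "no $bak/group.bak"
			cp -p /etc/group "$bak/group.bak" || rc=3
		fi

		if ! cmp -s "$bak/group.bak" /etc/group
		then
			[ "$rc" -lt 1 ] && rc=1
			echo "$host group diffs:"
			# Unlike the passwd diff above, this output is not filtered:
			# group lines are printed exactly as they appear in the file.
			diff "$bak/group.bak" /etc/group
			mv "$bak/group.bak" "$bak/group.bak2" || rc=3
			cp -p /etc/group "$bak/group.bak" || rc=3
		fi

		# /etc/group was already checked by the elif above; the test is
		# kept as a cheap guard in case the file vanished in between.
		if [ -f /etc/group ]
		then
			echo ""
			echo "Verifying group file syntax:"
			chkgrp /etc/group || rc=3
		fi
	fi;;

*)	rc=0;;
esac

exit "$rc"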