#!/bin/mksh # $MirSecuCron$ # $MirOS: src/etc/security,v 1.22 2009/10/17 16:20:04 tg Exp $ # $OpenBSD: security,v 1.71 2005/02/22 10:50:55 otto Exp $ # from: @(#)security 8.1 (Berkeley) 6/9/93 export TZ=UTC PATH=/bin:/usr/bin:/sbin:/usr/sbin RCSLOCALID='!MirSecuCron' cd / nl=' ' umask 077 function _diffhdr { print print ====== print -r -- "$1 diffs (-OLD +NEW)" print ====== } function _stripcom { cat "$@" | { set -o noglob; while read _line; do _line=${_line%%#*} [[ -n $_line ]] && print -r -- $_line done; } } rm -f /var/backups/rcs.log # fback [-m|-n] [] function fback { local fn bf cf local wd o fd fo ft fa fp if [[ $1 = -m ]]; then o=md5 shift elif [[ $1 = -n ]]; then o=nodiff shift elif [[ $1 = -- ]]; then shift fi fn=$1 cf=$fn bf=$2 ft=$3 [[ -s $fn ]] || return [[ -n $bf ]] || bf=$(sed 's/^\///;s/\//_/g' <<<"$fn") [[ -n $ft ]] || ft=$fn wd=$(pwd) cd /var/backups # migration for special cases if [[ $o = md5 ]]; then cf=$DIR/_md5 md5 <"$fn" >$cf [[ -e "$bf".current.md5 ]] && \ mv "$bf".current.md5 "$bf".md5.current [[ -e "$bf".backup.md5 ]] && \ mv "$bf".backup.md5 "$bf".md5.backup bf=$bf.md5 fi if [[ ! -x /usr/bin/co ]]; then # back things up without RCS tools if [[ ! -e $bf.current ]] || ! cmp -s "$cf" "$bf.current"; then [[ -e $bf.current ]] && \ cp -p "$bf.current" "$bf.backup" cp -p "$cf" "$bf.current" [[ $o = nodiff ]] || _diffhdr "$ft" [[ $o = nodiff ]] || if [[ -e $bf.backup ]]; then diff -up /var/backups/"$bf.backup" \ /var/backups/"$bf.current" else diff -u /dev/null /var/backups/"$bf.current" fi chown 0:0 "$bf.current" chmod 0600 "$bf.current" fi cd "$wd" return fi # migration for RCS/foo,x (-x,v/) to RCS/foo (-x) [[ -e RCS/$bf,v ]] && mv -f RCS/$bf,v RCS/$bf # migration for non-RCS to RCS schema if [[ -e $bf.backup ]]; then [[ -e RCS/$bf ]] && co -x -M -T -l "$bf" >>rcs.log 2>&1 fd=$(stat -f '%Sm' -t '%Y/%m/%d %H:%M:%S' "$bf.backup") fo=$(stat -f '%Su' "$bf.backup") mv -f "$bf.backup" "$bf" ci -x -M -T -u -d"$fd" -t-"automatic backup for $fn" -w"$fo" \ -sAncient -f -m"legacy backup $fn" "$bf" >>rcs.log 2>&1 fi if [[ -e $bf.current ]]; then [[ -e RCS/$bf ]] && co -x -M -T -l "$bf" >>rcs.log 2>&1 fd=$(stat -f '%Sm' -t '%Y/%m/%d %H:%M:%S' "$bf.current") fo=$(stat -f '%Su' "$bf.current") mv -f "$bf.current" "$bf" ci -x -M -T -u -d"$fd" -t-"automatic backup for $fn" -w"$fo" \ -sLegacy -f -m"legacy current $fn" "$bf" >>rcs.log 2>&1 fi rm -f "$bf.backup" "$bf.current" # back things up using RCS tools if [[ ! -e $bf ]] || ! cmp -s "$cf" "$bf"; then [[ -e RCS/$bf ]] && co -x -M -T -l "$bf" >>rcs.log 2>&1 rm -f "$bf" cp -p "$cf" "$bf" fd=$(stat -f '%Sm' -t '%Y/%m/%d %H:%M:%S' "$fn") fo=$(stat -f '%Su' "$fn") fa=$(stat -f '%u:%g' "$fn") fp=$(stat -f '%Mp%Lp' "$fn") [[ $o = nodiff ]] || _diffhdr "$ft" [[ $o = nodiff ]] || if [[ -e RCS/$bf ]]; then rcsdiff -x -q -u -p /var/backups/"$bf" else diff -u /dev/null /var/backups/"$bf" fi ci -x -M -T -u -d"$fd" -t-"automatic backup for $fn" -w"$fo" \ -sBackup -m"$(date) backup for $fn" "$bf" >>rcs.log 2>&1 cp -p "$bf" "$cf" chown 0:0 "$bf" "RCS/$bf" chmod 0400 "$bf" "RCS/$bf" chown $fa "$cf" chmod $fp "$cf" fi cd "$wd" } DIR=$(mktemp -d /tmp/_secure.XXXXXXXXXX) || exit 1 ERR=$DIR/_secure1 TMP1=$DIR/_secure2 TMP2=$DIR/_secure3 TMP3=$DIR/_secure4 LIST=$DIR/_secure5 OUTPUT=$DIR/_secure6 trap 'rm -rf $DIR; exit 1' 0 1 2 3 13 15 # Check the master password file syntax. MP=/etc/master.passwd awk -F: '{ if ($0 ~ /^[ ]*$/) { printf("Line %d is a blank line.\n", NR); next; } if (NF != 10) printf("Line %d has the wrong number of fields:\n%s\n", NR, $0); if ($1 ~ /^[+-]/) next; if ($1 == "") printf("Line %d has an empty login field:\n%s\n", NR, $0); else if ($1 !~ /^[A-Za-z0-9_][A-Za-z0-9_\-\.]*\$?$/) printf("Login %s has non-alphanumeric characters.\n", $1); if (length($1) > 31) printf("Login %s has more than 31 characters.\n", $1); if ($2 == "" && $1 !~ /^_*anoncvs$/ && $1 !~ /^_*rsync$/) printf("Login %s has no password.\n", $1); if ($2 != "" && length($2) != 13 && ($10 ~ /.*sh$/ || $10 == "") && ($2 !~ /^\$[0-9a-f]+\$/) && ($2 != "skey")) { if (system("test -s /etc/skey/"$1"") == 0) printf("Login %s is off but still has a valid shell and an entry in /etc/skey.\n", $1); if (system("test -d "$9" -a ! -r "$9"") == 0) printf("Login %s is off but still has valid shell and home directory is unreadable\n\t by root; cannot check for existence of alternate access files.\n", $1); else if (system("for file in .etc/ssh .rhosts .shosts .klogin; do if test -e "$9"/$file; then if ( (ls -ld "$9"/$file | cut -b 2-10 | grep -q r) && (test ! -O "$9"/$file)); then exit 1; fi; fi; done")) printf("Login %s is off but still has a valid shell and alternate access files in\n\t home directory are still readable.\n",$1); } if ($3 == 0 && $1 != "root") printf("Login %s has a user ID of 0.\n", $1); if ($3 < 0) printf("Login %s has a negative user ID.\n", $1); if ($4 < 0) printf("Login %s has a negative group ID.\n", $1); if (int($7) != 0 && system("test "$7" -lt $(date +%s)") == 0) printf("Login %s has expired.\n", $1); }' < $MP > $OUTPUT if [ -s $OUTPUT ] ; then echo "\nChecking the ${MP} file:" cat $OUTPUT fi awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT if [ -s $OUTPUT ] ; then echo "\n${MP} has duplicate user names." column $OUTPUT fi awk -F: '/^[^\+]/ { print $1 " " $3 }' $MP | sort -n +1 | tee $TMP1 | uniq -d -f 1 | awk '{ print $2 }' > $TMP2 set -A dupusers if [ -s $TMP2 ] ; then echo "\n${MP} has duplicate user IDs." duptxt= while read uid; do grep " ${uid}\$" $TMP1 |& i=0 while read -p uline; do duptxt=$duptxt$uline$nl if (( i++ )); then dupusers[${#dupusers[*]}]=-e dupusers[${#dupusers[*]}]='^'${uline%% *}' ' fi done done <$TMP2 print -nr -- "$duptxt" | column fi (( ${#dupusers[*]} )) || set -A dupusers -- -e '^$' if [[ ! -d /var/backups/RCS/. ]]; then mkdir -p /var/backups/RCS chmod 700 /var/backups /var/backups/RCS fi for i in current backup; do f=/var/backups/master.passwd.$i [[ -e $f ]] && mv $f /var/backups/etc_master.passwd.$i done # Check the group file syntax. GRP=/etc/group awk -F: '{ if ($0 ~ /^[ ]*$/) { printf("Line %d is a blank line.\n", NR); next; } if ($1 ~ /^[+-].*$/) next; if (NF != 4) printf("Line %d has the wrong number of fields:\n%s\n", NR, $0); if ($1 !~ /^[A-Za-z0-9_][A-Za-z0-9_\-\.]*$/) printf("Group %s has non-alphanumeric characters.\n", $1); if (length($1) > 31) printf("Group %s has more than 31 characters.\n", $1); if ($3 !~ /[0-9]*/) printf("Login %s has a negative group ID.\n", $1); }' < $GRP > $OUTPUT if [ -s $OUTPUT ] ; then echo "\nChecking the ${GRP} file:" cat $OUTPUT fi awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT if [ -s $OUTPUT ] ; then echo "\n${GRP} has duplicate group names." column $OUTPUT fi # Check for root paths, umask values in startup files. # The check for the root paths is problematical -- it's likely to fail # in other environments. Once the shells have been modified to warn # of '.' in the path, the path tests should go away. > $OUTPUT rhome=/ umaskset=no list="/etc/profile ${rhome}/.profile" for i in $list; do if [ -s $i ] ; then if egrep umask $i > /dev/null ; then umaskset=yes fi egrep umask $i | awk '$2 % 100 < 20 \ { print "Root umask is group writable" } \ $2 % 10 < 2 \ { print "Root umask is other writable" }' >> $OUTPUT SAVE_PATH=$PATH SAVE_ENV=$ENV unset PATH ENV mksh << end-of-sh > /dev/null 2>&1 . $i if [ X"\$PATH" != "X" ]; then list=\`echo \$PATH | /usr/bin/sed -e 's/:/ /g'\` /bin/ls -ldgT \$list > $TMP1 else > $TMP1 fi echo \$ENV >> $TMP2 end-of-sh PATH=$SAVE_PATH ENV=$SAVE_ENV awk '{ if ($10 ~ /^\.$/) { print "The root path includes ."; next; } } $1 ~ /^d....w/ \ { print "Root path directory " $10 " is group writable." } \ $1 ~ /^d.......w/ \ { print "Root path directory " $10 " is other writable." }' \ < $TMP1 >> $OUTPUT fi done if [ $umaskset = "no" -o -s $OUTPUT ] ; then echo "\nChecking root sh paths, umask values:\n${list}" if [ -s $OUTPUT ] ; then cat $OUTPUT fi if [ $umaskset = "no" ] ; then echo "\nRoot sh startup files do not set the umask." fi fi # Root and uucp should both be in /etc/ftpusers. if egrep root /etc/ftpusers > /dev/null ; then : else echo "\nRoot not listed in /etc/ftpusers file." fi if egrep uucp /etc/ftpusers > /dev/null ; then : else echo "\nUucp not listed in /etc/ftpusers file." fi # Uudecode should not be in the /etc/mail/aliases file. if egrep 'uudecode|decode' /etc/mail/aliases; then echo "\nThere is an entry for uudecode in the /etc/mail/aliases file." fi # Files that should not have + signs. list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd" for f in $list ; do if [ -s $f ] ; then awk '{ if ($0 ~ /^\+@.*$/) next; if ($0 ~ /^\+.*$/) printf("\nPlus sign in %s file.\n", FILENAME); }' $f fi done # Check for special users with .rhosts/.shosts files. Only root # should have .rhosts/.shosts files. Also, .rhosts/.shosts # files should not have plus signs. awk -F: '$1 != "root" && $1 !~ /^[+-]/ && \ ($3 < 100 || $1 == "ftp" || $1 == "uucp") \ { print $1 " " $6 }' /etc/passwd | grep -v "${dupusers[@]}" | while read uid homedir; do for j in .rhosts .shosts; do # Root owned .rhosts/.shosts files are ok. if [ -s ${homedir}/$j -a ! -O ${homedir}/$j ] ; then rhost=$(ls -ldgT ${homedir}/$j) echo "${uid}: ${rhost}" fi done done > $OUTPUT if [ -s $OUTPUT ] ; then echo "\nChecking for special users with .rhosts/.shosts files." cat $OUTPUT fi awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ grep -v "${dupusers[@]}" | while read uid homedir; do for j in .rhosts .shosts; do if [ -s ${homedir}/$j ] ; then awk '{ if ($0 ~ /^+@.*$/ ) next; if ($0 ~ /^\+[ ]*$/ ) printf("%s has + sign in it.\n", FILENAME); }' ${homedir}/$j fi done done > $OUTPUT if [ -s $OUTPUT ] ; then echo "\nChecking .rhosts/.shosts files syntax." cat $OUTPUT fi # Check home directories. Directories should not be owned by someone else # or writeable. awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ grep -v "${dupusers[@]}" | while read uid homedir; do if [ -d ${homedir}/ ] ; then file=$(ls -ldgT ${homedir}) echo "${uid} ${file}" fi done | awk '$1 != $4 && $4 != "root" \ { print "user " $1 " home directory is owned by " $4 } $2 ~ /^-....w/ \ { print "user " $1 " home directory is group writable" } $2 ~ /^-.......w/ \ { print "user " $1 " home directory is other writable" }' > $OUTPUT if [ -s $OUTPUT ] ; then echo "\nChecking home directories." cat $OUTPUT fi # Files that should not be owned by someone else or readable. list=".netrc .rhosts .gnupg/secring.gpg .gnupg/random_seed \ .pgp/secring.pgp .shosts .etc/ssh/identity .etc/ssh/id_dsa .etc/ssh/id_rsa" awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ grep -v "${dupusers[@]}" | while read uid homedir; do for f in $list ; do file=${homedir}/${f} if [ -f $file ] ; then echo "${uid} ${f} $(ls -ldgT ${file})" fi done done | awk '$1 != $5 && $5 != "root" \ { print "user " $1 " " $2 " file is owned by " $5 } $3 ~ /^-...r/ \ { print "user " $1 " " $2 " file is group readable" } $3 ~ /^-......r/ \ { print "user " $1 " " $2 " file is other readable" } $3 ~ /^-....w/ \ { print "user " $1 " " $2 " file is group writable" } $3 ~ /^-.......w/ \ { print "user " $1 " " $2 " file is other writable" }' > $OUTPUT # Files that should not be owned by someone else or writeable. list=".bashrc .bash_profile .bash_login .bash_logout .cshrc \ .emacs .exrc .forward .fvwmrc .inputrc .klogin .kshrc .login \ .logout .nexrc .profile .screenrc .etc/ssh .etc/ssh/config \ .etc/ssh/authorized_keys .etc/ssh/authorized_keys2 .etc/ssh/environment \ .etc/ssh/known_hosts .etc/ssh/rc .tcshrc .twmrc .xsession .xinitrc \ .Xdefaults .Xauthority mail" awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ grep -v "${dupusers[@]}" | while read uid homedir; do for f in $list ; do file=${homedir}/${f} if [ -f $file ] ; then echo "${uid} ${f} $(ls -ldgT ${file})" fi done done | awk '$1 != $5 && $5 != "root" \ { print "user " $1 " " $2 " file is owned by " $5 } $3 ~ /^-....w/ \ { print "user " $1 " " $2 " file is group writable" } $3 ~ /^-.......w/ \ { print "user " $1 " " $2 " file is other writable" }' >> $OUTPUT if [ -s $OUTPUT ] ; then echo "\nChecking dot files." cat $OUTPUT fi # Mailboxes should be owned by user and unreadable. ls -l /var/mail | sed 1d | \ awk '$3 != $9 \ { print "user " $9 " mailbox is owned by " $3 } $1 != "-rw-------" \ { print "user " $9 " mailbox is " $1 ", group " $4 }' > $OUTPUT if [ -s $OUTPUT ] ; then echo "\nChecking mailbox ownership." cat $OUTPUT fi # File systems should not be globally exported. if [ -s /etc/exports ] ; then awk '{ if (($1 ~ /^#/) || ($1 ~ /^$/)) next; readonly = 0; for (i = 2; i <= NF; ++i) { if ($i ~ /^-ro$/) readonly = 1; else if ($i !~ /^-/ || $i ~ /^-network/) next; } if (readonly) print "File system " $1 " globally exported, read-only." else print "File system " $1 " globally exported, read-write." }' < /etc/exports > $OUTPUT if [ -s $OUTPUT ] ; then echo "\nChecking for globally exported file systems." cat $OUTPUT fi fi # Display any changes in setuid/setgid files and devices. pending="\nChecking setuid/setgid files and devices:\n" (find / $ ! -fstype local -o -fstype fdesc -o -fstype kernfs \ -o -fstype procfs $ -a -prune -o \ -type f -a $ -perm -u+s -o -perm -g+s $ -print0 -o \ ! -type d -a ! -type f -a ! -type l -a ! -type s -a ! -type p \ -print0 | xargs -0 ls -ldgT | sort +9 > $LIST) 2> $OUTPUT # Display any errors that occurred during system file walk. if [ -s $OUTPUT ] ; then echo "${pending}Setuid/device find errors:" pending= cat $OUTPUT echo "" fi # Display any changes in the setuid/setgid file list. FIELDS1=1.1,1.2,1.3,1.4,1.5,1.6,1.7,1.8,1.9,0 FIELDS2=2.1,2.2,2.3,2.4,2.5,2.6,2.7,2.8,2.9,0 egrep -av '^[bc]' $LIST | join -o $FIELDS2 -110 -210 -v2 /dev/null - > $TMP1 if [ -s $TMP1 ] ; then # Check to make sure uudecode isn't setuid. if grep -aw uudecode $TMP1 > /dev/null ; then echo "${pending}\nUudecode is setuid." pending= fi CUR=/var/backups/setuid.current BACK=/var/backups/setuid.backup if [ -s $CUR ] ; then if cmp -s $CUR $TMP1 ; then : else > $TMP2 join -o $FIELDS2 -110 -210 -v2 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then echo "${pending}Setuid additions:" pending= tee -a $TMP2 < $OUTPUT | column -t echo "" fi join -o $FIELDS1 -110 -210 -v1 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then echo "${pending}Setuid deletions:" pending= tee -a $TMP2 < $OUTPUT | column -t echo "" fi sort +9 $TMP2 $CUR $TMP1 | \ sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT if [ -s $OUTPUT ] ; then echo "${pending}Setuid changes:" pending= column -t $OUTPUT echo "" fi cp $CUR $BACK cp $TMP1 $CUR fi else echo "${pending}Setuid additions:" pending= column -t $TMP1 echo "" cp $TMP1 $CUR fi fi # Check for block and character disk devices that are readable or writeable # or not owned by root.operator. >$TMP1 DISKLIST="ccd dk fd hd hk hp jb kra ra rb rd rl rx rz sd up vnd wd xd" for i in $DISKLIST; do egrep "^b.*/${i}[0-9][0-9]*[B-H]?[a-p]$" $LIST >> $TMP1 egrep "^c.*/r${i}[0-9][0-9]*[B-H]?[a-p]$" $LIST >> $TMP1 done awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \ { printf("Disk %s is user %s, group %s, permissions %s.\n", \ $11, $3, $4, $1); }' < $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then echo "\nChecking disk ownership and permissions." cat $OUTPUT echo "" fi FIELDS1=1.1,1.2,1.3,1.4,1.5,1.6,1.7,1.8,1.9,1.10,0 FIELDS2=2.1,2.2,2.3,2.4,2.5,2.6,2.7,2.8,2.9,2.10,0 # Display any changes in the device file list. egrep -a '^[bc]' $LIST | sort +10 | \ join -o $FIELDS2 -111 -211 -v2 /dev/null - > $TMP1 if [ -s $TMP1 ] ; then CUR=/var/backups/device.current BACK=/var/backups/device.backup if [ -s $CUR ] ; then if cmp -s $CUR $TMP1 ; then : else > $TMP2 join -o $FIELDS2 -111 -211 -v2 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then echo "Device additions:" tee -a $TMP2 < $OUTPUT | column -t echo "" fi join -o $FIELDS1 -111 -211 -v1 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then echo "Device deletions:" tee -a $TMP2 < $OUTPUT | column -t echo "" fi # Report any block device change. Ignore character # devices, only the name is significant. cat $TMP2 $CUR $TMP1 | \ sed -e '/^c/d' | \ sort +10 | \ sed -e 's/[ ][ ]*/ /g' | \ uniq -u > $OUTPUT if [ -s $OUTPUT ] ; then echo "Block device changes:" column -t $OUTPUT echo "" fi cp $CUR $BACK cp $TMP1 $CUR fi else echo "Device additions:" column -t $TMP1 echo "" cp $TMP1 $CUR fi fi # Check special files. # Check system binaries. # # Create the mtree tree specifications using: # # mtree -cx -p DIR -K md5digest,type >/etc/mtree/DIR.secure # chown root:wheel /etc/mtree/DIR.secure # chmod 600 /etc/mtree/DIR.secure # # Note, this is not complete protection against Trojan horsed binaries, as # the hacker can modify the tree specification to match the replaced binary. # For details on really protecting yourself against modified binaries, see # the mtree(8) manual page. if [ -d /etc/mtree ] ; then cd /etc/mtree mtree -e -l -p / -f /etc/mtree/special > $OUTPUT if [ -s $OUTPUT ] ; then echo "\nChecking special files and directories." echo "Output format is:\n\tfilename:" echo "\t\tcriteria (shouldbe, reallyis)" cat $OUTPUT echo "\nIf this message bugs you, use:" echo "\tmtree -e -p / -f /etc/mtree/special -U" fi > $OUTPUT for file in *.secure; do [ $file = '*.secure' ] && continue tree=$(sed -n -e '3s/.* //p' -e 3q $file) mtree -f $file -p $tree > $TMP1 if [ -s $TMP1 ] ; then echo "\nChecking ${tree}:" >> $OUTPUT cat $TMP1 >> $OUTPUT fi done if [ -s $OUTPUT ] ; then echo "\nChecking system binaries:" cat $OUTPUT fi else echo /etc/mtree is missing fi # Record a list of installed packages too; be sure to record # the change to emptiness if previously recorded, but to not # complain if no MirPorts Framework package tools installed. if [[ -s /var/backups/pkglist || -x /usr/mpkg/sbin/pkg_info ]]; then if [[ -x /usr/mpkg/sbin/pkg_info ]]; then /usr/mpkg/sbin/pkg_info | sort else : fi >/var/backups/pkglist fi # List of files that get backed up and checked for any modifications. # We try to use GNU RCS for versioning backups, otherwise, rotate: Each # file is expected to have two backups, /var/backups/file.{current,backup}. # Any changes cause the files to rotate. if [ -s /etc/changelist ] ; then # Handle /etc/changelist.local if R=$(mktemp); then cat /etc/changelist >$R [ -e /etc/changelist.local ] && \ cat /etc/changelist.local >>$R else R=/etc/changelist fi # Now check _stripcom $R | while read file; do case $file { (+*) fback -m "${file#+}" ;; (-*) fback -n "${file#-}" ;; (/*) fback -- "${file}" ;; } done for file in $(egrep -v "^(#|\+|$MP)" $R); do fback -- "$file" done for file in $(egrep "^\+" $R); do fback -m "${file#+}" done [ /etc/changelist = $R ] || rm -f $R fi # Make backups of the labels for any mounted disks and produce diffs # when they change. for d in `df -ln | sed -n 's:^/dev/$[a-z]*[0-9]*$[a-p].*$:\1:p' | sort -u`; do if disklabel $d >$DIR/_disklabel 2>&1; then fback -- $DIR/_disklabel disklabel.$d fi done