Solved

Can shell Script be protected

Posted on 2002-07-24
12
258 Views
Last Modified: 2013-12-26
Can I hide the code and deliver the shell script so that nobody else can change or view that.
I am working on solaris 2.6
0
Comment
Question by:rajiv_indya
  • 4
  • 3
  • 2
  • +2
12 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7176565
short answer: no
long amswer: there exist tools to convert a schell script into binary code, for example shc

 http://www.datsi.fi.upm.es/~frosal/frosal.html
 http://www.cactus.com/products/cactus/shell-lock.html
0
 
LVL 5

Expert Comment

by:nebeker
ID: 7178276
You could write two scripts.  Encrypt one of them and have the other one ask for a password, decrypt the second script and then run it...

I've never done this, though -- it is just an idea...
0
 
LVL 5

Expert Comment

by:nebeker
ID: 7178366
Continuing with my previous idea, create a "wrapper" script whose only purpose is to take a password, decrypt your script and then run it:

#!/bin/sh
# wrapper.sh
# Assumes the password was passed in on the command line

crypt $1 < myscript.esh > temp.sh;
chmod +x temp.sh
(temp.sh)            

# -- end of wrapper


To avoid having the "temp.sh" be somewhere on the disk while it is running, add this line to the top of your script:

if [ "`basename $0`" = "temp.sh" ];  then
  rm $0
fi

I don't know if this will work on all versions of Unix/Linux -- you'll just have to try it and see...  It worked on an HP/UX box that I tried it on.


Finally, encrypt your script (named "myscript.sh" in this example):

crypt key < myscript.sh > myscript.esh

where key is the string needed to decrypt the file...


Then, you just distribute wrapper.sh, myscript.esh and the key...
0
ScreenConnect 6.0 Free Trial

At ScreenConnect, partner feedback doesn't fall on deaf ears. We collected partner suggestions off of their virtual wish list and transformed them into one game-changing release: ScreenConnect 6.0. Explore all of the extras and enhancements for yourself!

 
LVL 5

Expert Comment

by:nebeker
ID: 7179254
Then again, I guess if you know the password, you could just decrypt "myscript.esh" :)...   Oh well, so much for that approach.  It was fun to think about, though...
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7179527
nebeker's suggestion cracked down to the basics:

   crypt key < myscript.sh > myscript.esh

then use ithe encrypted script:

   crypt key < myscript.esh |sh

But how does this hide the script from the user?
You always need the key/password in clear text somewhere, and so you (and the user too) can always see the code.
Useless effort, just wasting performance, somehow ..
0
 

Expert Comment

by:tryno
ID: 7216412
Hi, I have done something like this myself. My solution is very much like nebeker's, only my "wrapper" is not a script, but a binary.  The encryptation key is coded into the binary and hence it is impossible to read if you are not able to decompile the binary.

So, Rajiv Indya, if you can write and compile a small program which contains the encryptation key, decrypt the script, copy the decrypted file in a "secret place", put a self-deleting command (rm $0) at the top of it and run it.
The decrypted file will then exist only for fraction of a second.
I am running a number of "secret" scripts this way, it works fine for me.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7216914
> The decrypted file will then exist only for fraction of a second.

Nonsense!
The decrypted file exists as long as I want to have it, 'cause I simply use adb, dbx, or whatever, to execute the binary :-))
And as side-effect I can tell you the password, nevertheless how much time and security algorithms you waste.

It's impossible. Dot.
You just can make it more harder to read. That's all.

0
 

Author Comment

by:rajiv_indya
ID: 7219016
for tryno

Is there any  way so that I can run the shell script using pipe
like
crypt key < myscript.sh |sh
This way no file will exist on the server.
Also If I  am writting a 'C' code and crypting it within the code using exec command , will the command will be visible with "ps -eaf"

Pl clarify


0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 50 total points
ID: 7219257
> . will be visible with "ps -eaf"
YES
0
 

Expert Comment

by:tryno
ID: 7219291
Hello, as ahoffmann says, running the program thru pipe will make the cryptation key visible with process listing command ps as long as the program is running.  That's exactly the reason why I decided not to do this, but using a temporary decrypted file instead.
I decided that the risk is smaller using a temp file for a very short time.
I admit that I was not aware of the debugging tools mentioned by ahoffmann.  That means, if the people you want to protect against are competent enough, they will manage to crack the key anyway.  Nevertheless, if we talk about protection against "average" users, the method may still be of interest.
0
 
LVL 18

Expert Comment

by:liddler
ID: 9644404
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

Answered by ahoffmann

Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

liddler
EE Cleanup Volunteer
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
xyBalance chalenge 58 93
ODBC Connection Logging, ADO.NET 6 64
sameEnds challenge 3 161
child constructor and parent constructor, overriding and overloading 6 87
Here is how to use MFC's automatic Radio Button handling in your dialog boxes and forms.  Beginner programmers usually start with a OnClick handler for each radio button and that's just not the right way to go.  MFC has a very cool system for handli…
Introduction: Ownerdraw of the grid button.  A singleton class implentation and usage. Continuing from the fifth article about sudoku.   Open the project in visual studio. Go to the class view – CGridButton should be visible as a class.  R…
This video will show you how to get GIT to work in Eclipse.   It will walk you through how to install the EGit plugin in eclipse and how to checkout an existing repository.
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

823 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question