Make unix shell script protected so that no one can open and read it

on 15.10.2007 17:51:37 by rohitsagar

Hi,

I have a unix shell script which has most of the code written in it.
The name of the file is runBatch.sh

Now the problem is anyone can open this executable shell script with vi
and read the code.

Which we don't want.

Is there a way / procedure / utility which we can use to encrypt the
file so that no one can read its contents by cat or vi or any unix
editor ...

Any help would be greatly appreciated.

Re: Make unix shell script protected so that no one can open and read it

on 15.10.2007 18:45:26 by Andy

You cannot encrypt the script itself, but you can create a real executable
from it.

Take a little look here:

http://www.linuxsecurity.com/content/view/117920/171/

If you want to execute the script in another machine which doesn't have
the libraries, then don't forget to use the "static" flag. (see comments)

Greets,
Andy

Re: Make unix shell script protected so that no one can open and read it

on 16.10.2007 01:45:01 by brian_hiles

rohitsa...@yahoo.com wrote:
> I have a unix shell script which has most of the code written in it.
> Now the problem is anyone can open this executable shell script with vi
> and read the code -- which we don't want.

It is generally true that a script cannot be made both unreadable and
executable by all users. Some tricks may be played, such as allowing
the script to delete itself, which will remain functional until such
time as the script terminates. But this does not solve the problem of
the archiving of the script.

> Is there a way / procedure / utility which we can use to encrypt the
> file so that no one can read its contents by cat or vi or any unix
> editor ...

Sudo(1) (sudosh) may be used as an access control frontend to the
script, which requires administrative setup but at least is a
workaround for which security issues are determinately understood.

http://www.askdavetaylor.com/how_can_i_hide_passwords_in_a_shell_script.html

"sudo.c": allow limited root privileges
http://www.gratisoft.us/sudo/
http://www.sudo.ws/sudo/
^ "sysctl": SYStem ConTroL -- a distributed sudo(1) (URL?)
^ "sudosh": http://sf.net/projects/sudosh/

Anyone: can expect(1) be used as security frontend?

Besides the above, and understanding that technique's limitations,

Read my submission of script "compilers" at:

http://groups.google.com/group/comp.unix.shell/browse_thread/thread/f2f0572961b5c336/8930ac22c2bd94d4?lnk=st&q=author%3Abrian_hiles%40rocketmail.com#8930ac22c2bd94d4

(shc 2.4 has a very weak encryption mechanism: it merely XORs each
command-line to argv[]. shc 3.8 uses much stronger encryption, but
is still breakable).

I recommend shcomp -- although I've not yet got it to work in my
few informal attempts!

Mind that what even the authors sometimes call "compilation" is
just obscuration or shrouding -- which can be defeated by a simple
Web search of known vulnerabilities of the respective programs by
the dedicated cracker.

=Brian

Re: Make unix shell script protected so that no one can open and read it

on 16.10.2007 06:15:13 by Kaz Kylheku

On Oct 15, 8:51 am, rohitsa...@yahoo.com wrote:
> Hi,
>
> I have a unix shell script which has most of the code written in it.
> The name of the file is runBatch.sh
>
> Now the problem is anyone can open this executable shell script with vi
> and read the code.

Rewrite the secret pieces in C, and compile it to an executable. Then
you can mark it executable, but not readable.

You can't do that with scripts. Depending on your OS, an unreadable
script may ``execute'' to the point that the interpreter is extracted
from the #! line, and run, given the script as a parameter. At that
point, the interpreter can't open it, so you're screwed.

You might not have to rewrite the actual logic of the script in C,
just use C to write a wrapper program that passes the script to the
interpreter.

A simple way to do this would be to write the script as a one liner
and use the system() function to execute it. Even large-ish shell
scripts can be decimated to one-liners, as any Makefile writer
knows. :)

(I'm assuming that the program won't need root privs, since it
replaces a script, otherwise pretend I inserted notes here about
system() and security).

#include <stdlib.h>

char *script = "echo secret psst do not tell anyone";

/*...*/

int main(void)
{
    int ret = system(script);   /* wait status of the shell that ran the script */
    /*...*/
    return (ret == 0) ? 0 : 1;  /* crude; see the note below about parsing it */
}

Good idea to parse the returned value, and pass the script's
indication of success or failure up to the caller.
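
The wrapper Kaz describes, written out as a complete program. This is an added example, not Kaz's code: the embedded script text is constructed here in place of runBatch.sh, and the names run_script and status_to_exit_code are this example's own. It goes one step beyond the post by decoding the wait status that system() returns (normal exit, death by signal, failure to start /bin/sh) into a conventional exit code, so the caller of the compiled binary sees the same result it would have seen from the script.

```c
/* Added example (not from the thread): a C wrapper around an embedded shell
 * script. The resulting binary can be installed execute-only (mode 0111),
 * which a script cannot be, because the binary is what the kernel loads and
 * /bin/sh only ever sees the script text that the binary hands it. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>

/* Constructed sample script; in a real wrapper this is the body of runBatch.sh. */
static const char *embedded_script =
    "set -e\n"
    "echo \"running batch as $(id -un)\"\n"
    "exit 0\n";

/* Map the wait status returned by system() to a shell-style exit code:
 *   normal exit        -> the script's own exit status
 *   killed by signal N -> 128 + N (the convention shells use)
 *   system() == -1     -> 127 (the shell itself could not be started) */
int status_to_exit_code(int status)
{
    if (status == -1)
        return 127;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    if (WIFSIGNALED(status))
        return 128 + WTERMSIG(status);
    return 1;   /* stopped/continued states do not occur with system() */
}

/* Hand a script body to /bin/sh via system() and return its exit code. */
int run_script(const char *script)
{
    return status_to_exit_code(system(script));
}

int main(void)
{
    int rc = run_script(embedded_script);
    if (rc != 0)
        fprintf(stderr, "embedded script failed with exit code %d\n", rc);
    return rc;
}
```

Two caveats that follow from the thread itself: the script text is still inside the binary as a plain string, so this is exactly the "shrouding" Brian describes rather than encryption, and the execute-only mode is what actually keeps other users out of it; and system() runs the script with the caller's full environment (PATH, IFS and so on), which is harmless here because the wrapper runs as the invoking user, as Kaz assumes, but would be a problem if anyone later made the binary setuid.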

Re: Make unix shell script protected so that no one can open and read it

on 16.10.2007 15:03:48 by Scott McMillan

On Mon, 15 Oct 2007 08:51:37 -0700, rohitsagar@yahoo.com wrote:

>Hi,
>
>I have a unix shell script which has most of the code written in it.
>The name of the file is runBatch.sh
>
>Now the problem is anyone can open this executable shell script with vi
>and read the code.
>
>Which we don't want.
>
>Is there a way / procedure / utility which we can use to encrypt the
>file so that no one can read its contents by cat or vi or any unix
>editor ...
>
>Any help would be greatly appreciated.

shc http://www.datsi.fi.upm.es/~frosal/ ? Never used it myself but it
appears to do what you are looking for.

A Google for "compile shell scripts" will yield a number of hits...
Scott McMillan

Re: Make unix shell script protected so that no one can open and read it

on 16.10.2007 15:56:59 by Kenan Kalajdzic

rohitsagar@yahoo.com wrote:
> Hi,
>
> I have a unix shell script which has most of the code written in it.
> The name of the file is runBatch.sh
>
> Now the problem is anyone can open this executable shell script with vi
> and read the code.
>
> Which we don't want.
>
> Is there a way / procedure / utility which we can use to encrypt the
> file so that no one can read its contents by cat or vi or any unix
> editor ...

You could encrypt your script using, for instance, openssl and uuencode
it. Then you write another script which is used to uudecode and decrypt
your script and execute it on the fly (i.e. pass it to the interpreter).
Both scripts can be merged into a single file, just like in the example
below:

----[ begin of script ]-------------------------------------------------

#!/bin/sh

uudecode -o /dev/stdout "$0" | openssl enc -des3 -d | sh
exit

begin-base64 644 -
U2FsdGVkX1+CQjs07q3p8AeowbO60cbyhC/Y8qMIgz0gn1pytPYd/IHVl7Rb
87am
====

----[ end of script ]-------------------------------------------------

The caveat is that you have to enter the correct passphrase to decrypt
the original script before it is executed. In order to make the script
completely non-interactive you would need expect or a similar tool, but
that would expose your passphrase and you are again at the beginning
of the same problem. Another issue is the exposure of the encryption
algorithm that was used to encrypt the original script.

If you have openssl installed on your system, you can try the above
example using different passphrases to see what happens. Guessing the
correct one is not a big problem though... :-)

--
Kenan Kalajdzic