Make a password protected bash script resist/refuse “bash -x” when the password is given


 
# 1  
Old 12-09-2013

I want to give my long scripts to a customer. The customer must not be able to read the scripts even if he has the password. The following command locks and unlocks the script, but the set +x is simply ignored.

The code:

Code:
read -p 'Script: ' S && C=$S.crypt H='eval "$((dd if=$0 bs=1 skip=//|gpg -d)2>/dev/null)"; exit;' && gpg -c<$S|cat >$C <(echo $H|sed s://:$(echo "$H"|wc -c):) - <(chmod +x $C)

I want to give the customer a script that he can run by entering a password. The customer must not be able to see the code via cat/vim/bash -x. To counter the "bash -x" we can use set +x at the beginning of the script, but it does not work for the password-protected script. We run bash -x script.secure, put the password, and we see the commands even if the script starts with set +x.
# 2  
Old 12-09-2013
There is a utility shc (shc.c) that turns a script into a compiled executable, with any text encrypted.

http://www.datsi.fi.upm.es/~frosal/ - download the tar ball.

IMO - what you are doing does not seem secure.
# 3  
Old 12-09-2013
Yes, I know about shc. I hear that RC4 can be "broken".
# 4  
Old 12-09-2013
It's worse than that -- the program runs the code through sh ultimately, so substituting a false sh can get the code directly.

Many people have been down this road before. Rube Goldberg machines are not and cannot be the solution.

In short, if you don't want the customer to see the code, you can try either
1) Don't give it to them -- make it a service they access over the network

or

2) Put it on a machine you control, where they do not have root, and deny them access via file access permissions and isolate it further with sudo.

You cannot expect to protect a program by encryption when, by definition, the program contains the necessary code to decrypt itself in unencrypted form.

You cannot expect to protect anything run in plaintext from root.

If you rewrote your application in a language like C, decoding it would be a lot harder since quite a lot of information is thrown away in the compiling/linking process.

Last edited by Corona688; 12-09-2013 at 11:45 AM..
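
Why `set +x` inside the protected script cannot help, as an added example that is not part of any post in this thread: under `bash -x` the wrapper's `eval` is traced with its fully decoded argument before the payload's first line runs. Assumptions: `base64` stands in for `gpg` so the sketch runs offline, and the payload, marker string and function names are constructed for illustration.

```bash
# Added illustration, not code from the thread. base64 stands in for gpg
# so it runs offline; the payload and file layout are constructed.

# Write a self-decoding wrapper to $1: two header lines, then the encoded script.
make_wrapper() {
    {
        printf '%s\n' 'eval "$(tail -n +3 "$0" | base64 -d)"'
        printf '%s\n' 'exit'
        printf 'set +x\necho "licensed-logic-42"\n' | base64
    } > "$1"
}

# Run the wrapper under xtrace; return only the trace (stderr), not its output.
xtrace_of() {
    bash -x "$1" 2>&1 >/dev/null
}

# Succeeds if the decoded payload text appears in the trace.
payload_in_trace() {
    f=$(mktemp) || return 2
    make_wrapper "$f"
    t=$(xtrace_of "$f")
    rm -f "$f"
    printf '%s\n' "$t" | grep -q 'licensed-logic-42'
}

# Succeeds if the payload's own echo command was traced. It should not be:
# set +x does work, but only after eval was already traced with the full text.
echo_command_traced() {
    f=$(mktemp) || return 2
    make_wrapper "$f"
    t=$(xtrace_of "$f")
    rm -f "$f"
    printf '%s\n' "$t" | grep -q '^++* echo '
}

if payload_in_trace; then echo "payload visible in bash -x trace"; fi
if ! echo_command_traced; then echo "set +x took effect, but too late"; fi
```

The decoded text has to exist in the shell's memory as an ordinary string before it can run, which is the point made in the post above.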
# 5  
Old 12-09-2013
How safe is shc? Can redundant code make the shc.x safer? ref:http://tipstrickshack.blogspot.ch/20...-from-shc.html
# 6  
Old 12-09-2013
The question is not "how much safer can I make it". The question is, "how many more hoops can I put in the way of the unobscured code".

That is always the problem with Rube Goldberg solutions. The code will always still be there, and has to contain all the necessary steps for decrypting itself in plain, or it won't work.

Your real options remain as I gave them.
# 7  
Old 12-09-2013
I have to use wget, gnuplot etc. If I use C++ and call the external program, can I hide the syntax?

I have experience with the following bash embedding technique:
Code:
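#include <stdlib.h>   /* system() */

/* Shell script embedded as a string literal; it is stored as plain text in the binary. */
#define test1 "\
#!/bin/sh --posix \n\
echo \"2222222222222222222222222222222222222222222222222222\"  \n\
"

int main(void)
{
    /* system() passes the string to sh -c, so the "#!" line is only a comment here. */
    system(test1);
    return 0;
}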

When we cut the executable we can see the bash code