SUMMARY: Re: {Bourne,C,K}shell Compiler

From: Joel Shandelman FIMS Information Systems - 212-648-4480 (shandelm@jpmorgan.com)
Date: Tue Mar 22 1994 - 08:14:54 CST


I have received numerous replies as always from the list members. I will
summarize the responses and offer to provide more detail (including
supplied software) upon request.

In retrospect, my question should have been somewhat clearer. My objective
wasn't just to keep unprivileged users on my net from reading the source but
even other sysadmins as well who have root privileges on their own net.

I think that either the 'C' executable for calling the shell script
or the Perl solution is the right way to go. I will probably opt for
the 'C' wrapper first since it appears simple and straightforward.

Thanks again.

   -- Joel

Special thanks go to:

Con Nakos <cbn@mrd.dsto.gov.au>
Justin Keery <justin@independent.co.uk>
Zuercher.Werner@ch.swissbank.com
Dave Hightower <hightowr@afwc.af.mil>
rwolf@dretor.dciem.dnd.ca
Matthew R. Hofener (matthew.hofener@camp.org)
Pat Cain (Denver) <pjc@denver.ssds.com>
gal@simpson.ny.jpmorgan.com (Gal Shalif)
Patrick O'Callaghan <poc@usb.ve>

-----------------------------------------------------------------------------
From: Con Nakos <cbn@mrd.dsto.gov.au>

I have used a PERL script that puts a C wrapper around scripts. I got the
PERL script out of a PERL manual (exact name escapes me). I have included
it in case it is useful. If you need more info I can dig up the book when
I get back to work next Monday.

Cheers,

Con Nakos E-mail: cbn@mrd.dsto.gov.au
Microwave Radar Division Phone: +61 8 259 7190
Surveillance Research Laboratory Fax: +61 8 259 5405
DSTO Salisbury, South Australia

The Perl script is available upon request.
------------------------------------------------------------------------------
From: Justin Keery <justin@independent.co.uk>

How about encrypting the shell scripts somehow, then using a
C prog that decrypts then executes....
-------------------------------------------------------------------------------
From: Zuercher.Werner@ch.swissbank.com (Werner Zuercher)

Hi Joel, this is Werner Zuercher, ex-Sun Boston member, now
also working for a bank, in this case Swiss Bank in Basel Switzerland.
Unix World listed some encryption routines a while back that allow
you to have someone execute, but not look at, scripts. We are
going to use this stuff. The drawback is that you can't pass
command line arguments to the encrypted scripts directly. We
get around this by wrapping a script section around the encrypted part
that sets global variables. I have a script which does most of the
setup work. Take a look at this if you find no better solutions, and
if you make improvements, let me know.

Regards,

Werner Zuercher

PS The version of DES we have here (from GNU) has a -h hex key flag
   that we use. Sun's DES doesn't. You'd have to change the key
   section of the C code.

PPS If you need to have a passwd stored somewhere, that's another
   problem, unless you want to 'recompile' every time the passwd
   changes.

Attachments available upon request.
-------------------------------------------------------------------------------
From: Dave Hightower <hightowr@afwc.af.mil>

We use the perl passwd program here (modified for NIS and password
aging). This is a script, so it can't be suid.

What we did--and what will work for shell scripts--is create a
suidwrapper in C. The program is simply:

#include <stdio.h>
#include <unistd.h>

/* Minimal setuid wrapper: re-exec the real program with the caller's argv. */
int main(int argc, char **argv)
{
  (void)argc;
  execv("/vol/local/bin/top_3.1", argv);
  perror("execv");   /* only reached if the exec itself fails */
  return 1;
}

Compile this, and chown it to whoever you want. Then, give that user
ONLY permission to read and execute the script.

Voila!

Dave
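The wrapper idea above, carried a little further as an added example (this is not code from the thread or from any of its contributors): a setuid C program that execs one fixed script, replaces argv[0] rather than trusting the caller's, and hands the interpreter a minimal environment so PATH, IFS or LD_PRELOAD set by the caller cannot steer it. SCRIPT_PATH is a placeholder; change it to the real script. Note what such a wrapper does and does not hide: a compiled binary with mode --x--x--x cannot be read with cat, but an interpreted script still has to be opened for reading by /bin/sh, so the source stays hidden only if the script is readable by the wrapper's owner alone, which is the permission setup Dave describes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Placeholder path for the wrapped script; not from the original thread. */
#define SCRIPT_PATH "/usr/local/lib/wrapped/report.sh"

/* Copy the caller's arguments into a fresh NULL-terminated vector whose
 * argv[0] is the script path. argv[0] of a setuid program is chosen by the
 * caller, so it is never passed through. Returns NULL on allocation
 * failure; the caller frees the vector (the strings are not copied). */
char **build_script_argv(const char *script, int argc, char **argv)
{
    int n = argc < 1 ? 1 : argc;        /* argc may legally be 0 */
    char **out = calloc((size_t)n + 1, sizeof *out);
    int i;
    if (out == NULL)
        return NULL;
    out[0] = (char *)script;
    for (i = 1; i < argc; i++)
        out[i] = argv[i];
    out[n] = NULL;
    return out;
}

/* Build a minimal environment for the script. The caller's environment is
 * discarded so that PATH, IFS, ENV, BASH_ENV, LD_PRELOAD and similar
 * variables cannot influence the privileged interpreter. */
char **build_clean_env(void)
{
    static char *env[] = {
        "PATH=/usr/bin:/bin",
        "IFS= \t\n",
        NULL
    };
    return env;
}

/* Number of entries in a NULL-terminated vector; convenient for checks. */
int vector_len(char **v)
{
    int n = 0;
    while (v[n] != NULL)
        n++;
    return n;
}

int main(int argc, char **argv)
{
    char **args = build_script_argv(SCRIPT_PATH, argc, argv);
    if (args == NULL) {
        perror("calloc");
        return 1;
    }
    /* If installed setuid/setgid, make real and effective ids agree so the
     * script runs under one consistent identity instead of a saved-id split. */
    if (setgid(getegid()) != 0 || setuid(geteuid()) != 0) {
        perror("setuid/setgid");
        return 1;
    }
    execve(SCRIPT_PATH, args, build_clean_env());
    perror("execve");          /* reached only if the exec fails */
    return 127;
}
```

Install it as `chown scriptowner wrapper; chmod 4711 wrapper`, with the script itself mode 0500 and owned by the same user. The absolute SCRIPT_PATH (never a relative path or an argument) and the rebuilt environment are what keep the wrapper from being pointed at a different script or interpreter.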
-------------------------------------------------------------------------------
From: Robert J Wolf

There was an article in a unix magazine on how to encrypt shell scripts
using a simple C program. Send me your full address and fax number and
I will dig up the article and fax it to you.
-------------------------------------------------------------------------------
From: Matthew R. Hofener (matthew.hofener@camp.org)

UNIXworld magazine (now called UNIXworld's Open Computing, I believe) had
the very same question asked last year. I don't recall the answer, which
included many options such as encrypting the script and decrypting on the
fly, but you should be able to look in a December issue for a summary list
of questions/answers from that year. Hold on....

I'm back. I just looked it up in the Dec. '93 issue, "Answers to UNIX".
The program was called shide (April '93), and "hides a shell script by
encrypting the source code and then decrypting it before it is executed.
Unfortunately, due to export restrictions, cryps isn't available on any
system sold outside the U.S." (I looked up April '93, couldn't find it.
Must have been the wrong issue cited.)

Anyway, they archive their source on ftp.uu.net in ~ftp/published/unix-world.
Get the file "downloading" first for info. I believe shide is in the
ans2unix subdirectory. If you need a replacement for crypt, be sure to
get mycrypt as well.

Hope this helps,
Matt Hofener
-------------------------------------------------------------------------------
From: Pat Cain (Denver) <pjc@denver.ssds.com>

Change their permissions to "--x--x--x" instead of "r-xr-xr-x" and
they won't be able to read them.
-------------------------------------------------------------------------------
From: gal@simpson.ny.jpmorgan.com (Gal Shalif)

I am afraid there is no such compiler. You can try the perl language.

Anyway, please summarize.

-- Sincerely,

   Gal Shalif, R&D group
-------------------------------------------------------------------------------
From: "Patrick O'Callaghan" <poc@usb.ve>

You might try Perl. It's not one of the standard Shells, but can do
anything a Shell can do and more, and is good both for quick
prototyping and for serious work. You can dump a binary image of your
program as a Unix executable (so they say - I've never done it.)

Perl is available all over the place. Ask Archie. There are also two
books on it from O'Reilly and Associates.
-------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:08:58 CDT