Encrypting Shell Scripts

 

This is a good article about a great tool, needed to encrypt scripts that contain passwords and sensitive data.

I'm developing it for different uses; I'll keep you informed.

 

Source: Duane Dunston

Do you have scripts that contain sensitive information like passwords, and do you pretty much depend on file permissions to keep them secure? If so, that type of security is good provided you keep your system secure and no user has a "ps -ef" loop running in an attempt to capture that sensitive information (though some applications mask passwords in "ps" output). There is a program called "shc" that can add an extra layer of security to those shell scripts. shc encrypts a shell script using RC4, builds an executable binary out of it, and that binary runs like the original shell script. This utility is useful for scripts that must hold a password, whether to encrypt or decrypt something or to pass it as a command line argument.

Download shc (http://www.datsi.fi.upm.es/~frosal/) and untar it:

tar -xzvf shc-X.X.tgz
cd shc-X.X/
make
make install

A binary named "shc" will be created along with some test programs. Let's give it a try.

Create a file called: "script.sh" and add the following contents:

############################### script.sh ##############################
#!/bin/sh

echo "I love Duane's articles and will send him a donation via PayPal."

############################### script.sh ##############################

Now run the command:

shc -f script.sh

The switch "-f" specifies the source script to encrypt. The above command will create two files: script.sh.x.c and script.sh.x.

The program "shc" encrypts your shell script and wraps it in C source code (script.sh.x.c), then compiles that into the encrypted binary script.sh.x. Run that binary and see the output:

./script.sh.x
I love Duane's articles and will send him a donation via PayPal.

Now copy the original "script.sh" file to a floppy disk or some other system for backup, or in case you need to edit it in the future. Then delete it from the server, and delete the "script.sh.x.c" file that shc created.

Neat feature

You can also specify a time limit on the shell script so that it will no longer execute after a certain date, and you can specify a custom message to echo back to the user. Run this command on the "script.sh" file we created earlier in this tutorial:

shc -e 09/10/2004 -m "Dude it is too late to run this script." -f script.sh
./script.sh.x
./script.sh.x has expired!
Dude it is too late to run this script.

In the above command the date October 9, 2004 is set as the expiration date (-e 09/10/2004), and the custom message (-m "Dude it is too late to run this script.") is displayed to the user when the binary is executed after that date. Note the date format is dd/mm/yyyy.
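The expiry check that the compiled binary performs for -e and -m, re-created in plain sh as an added example (this is not shc's code): it parses the dd/mm/yyyy date the way the option expects, so 09/10/2004 is read as 9 October, and prints the "has expired!" line followed by the message. It assumes, from the manpage wording "refuse to run after the date specified", that the binary still runs on the expiry day itself; the function names and the optional today argument are mine, added so the check can be exercised without waiting for a real date.

```shell
#!/bin/sh
# Added example, not shc's own code: emulates the expiry check that an
# shc-built binary performs for "-e dd/mm/yyyy" and "-m message".
# Assumption: "refuse to run after the date specified" means strictly
# after, so the binary still runs on the expiry day itself.

# to_ymd dd/mm/yyyy: print the date as yyyymmdd, or fail on a malformed date.
to_ymd() {
    case "$1" in
        [0-3][0-9]/[01][0-9]/[0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    d=${1%%/*}; rest=${1#*/}; m=${rest%%/*}; y=${rest#*/}
    # dd/mm order is what shc uses: 09/10/2004 is 9 October, not 10 September.
    [ "$m" -ge 1 ] && [ "$m" -le 12 ] && [ "$d" -ge 1 ] && [ "$d" -le 31 ] || return 1
    printf '%s%s%s\n' "$y" "$m" "$d"
}

# is_expired expiry [today_yyyymmdd]: 0 if today is past the expiry date,
# 1 if not, 2 if the expiry date is malformed. today defaults to the real date.
is_expired() {
    exp=$(to_ymd "$1") || return 2
    today=${2:-$(date +%Y%m%d)}
    [ "$today" -gt "$exp" ]
}

# run_guarded name expiry [message] [today]: print what the binary would
# print. An empty message selects the manpage default.
run_guarded() {
    name=$1; expiry=$2; msg=${3:-"Please contact your provider"}; today=$4
    rc=0; is_expired "$expiry" "$today" || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "bad expiry date: $expiry" >&2
        return 2
    fi
    if [ "$rc" -eq 0 ]; then
        printf '%s: has expired!\n%s\n' "$name" "$msg"
        return 1
    fi
    printf 'running %s\n' "$name"
}
```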

Check out the man pages for more info on "shc". Remember that the binary is only encrypted as it sits on the local system. If the script itself transmits sensitive information in clear text across a network, you will need a separate encrypted communication channel for that traffic.


Duane Dunston received his B.A. and M.S. degrees from Pfeiffer University, and he holds the GSEC certification from SANS. Hey, Ann Curry!

 

Manpage for shc(1)

 

NAME

     shc - Generic shell script compiler


SYNOPSIS

     shc [ -e date ] [ -m addr ] [ -i iopt ] [ -x cmnd ]
     [ -l lopt ] [ -ACDhTv ] -f script


DESCRIPTION

     shc creates a stripped binary executable version of the
     script specified with -f on the command line.

     The binary version will get a .x extension appended and will
     usually be a bit larger in size than the original ASCII
     code. Generated C source code is saved in a file with the
     extension .x.c

     If you supply an expiration date with the -e option the
     compiled binary will refuse to run after the date specified.
     The message "Please contact your provider" will be displayed
     instead. This message can be changed with the -m option.

     You can compile any kind of shell script, but you need to
     supply valid -i, -x and -l options.

     The compiled binary will still be dependent on the shell
     specified in the first line of the shell code (i.e.
     #!/bin/sh), thus shc does not create completely independent
     binaries.

     shc itself is not a compiler such as cc, it rather encodes
     and encrypts a shell script and generates C source code with
     the added expiration capability. It then uses the system
     compiler to compile a stripped binary which behaves exactly
     like the original script. Upon execution, the compiled
     binary will decrypt and execute the code with the shell -c
     option. Unfortunately, it will not give you any speed
     improvement as a real C program would.

     shc's main purpose is to protect your shell scripts from
     modification or inspection. You can use it if you wish to
     distribute your scripts but don't want them to be easily
     readable by other people.


OPTIONS

     The command line options are:

     -e date
          Expiration date in dd/mm/yyyy format [none]

     -m message
          Message to display upon expiration ["Please contact
          your provider"]

     -f script_name
          File name of the script to compile

     -i inline_option
          Inline option for the shell interpreter i.e: -e

     -x command
          eXec command, as a printf format i.e:
          exec('%s',@ARGV);

     -l last_option
          Last shell option i.e: --

     -r   Relax security. Make a redistributable binary which
          executes on different systems running the same
          operating system.

     -v   Verbose compilation

     -D   Switch on debug exec calls

     -T   Allow binary to be traceable (using strace, ptrace,
          truss, etc.)

     -C   Display license and exit

     -A   Display abstract and exit

     -h   Display help and exit


ENVIRONMENT VARIABLES

     CC   C compiler command [cc]

     CFLAGS
          C compiler flags [none]


EXAMPLES

     Compile a script which can be run on other systems with  the
     trace option enabled:

       example% shc -v -r -T -f myscript


BUGS

     The maximum size of the script that could be executed once
     compiled is limited by the operating system configuration
     parameter _SC_ARG_MAX (see sysconf(2))


AUTHOR

Francisco Rosales <[email protected]>




A second good explanation:

Q: How do I encrypt my bash shell script in a Linux environment? The shell script contains a password, and I don't want others who have execute access to view the shell script and get the password. Is there a way to encrypt my shell script?

A: First, as a best practice, you should not be encrypting your shell script. You should really document your shell script properly so that anybody who views it understands exactly what it does. If it contains sensitive information like a password, you should figure out a different approach to writing the shell script without having to encrypt it.

That being said, if you still insist on encrypting a shell script, you can use the SHC utility as explained below. Please note that the encrypted shell script created by shc is not readable by normal users. However, someone who understands how this works can extract the original shell script from the encrypted binary created by shc.

SHC stands for shell script compiler.

1. Download shc and install it

Download shc and install it as shown below.

# wget http://www.datsi.fi.upm.es/~frosal/sources/shc-3.8.7.tgz
# tar xvfz shc-3.8.7.tgz
# cd shc-3.8.7
# make

Verify that shc is installed properly.

$ ./shc -v
shc parse(-f): No source file specified

shc Usage: shc [-e date] [-m addr] [-i iopt] [-x cmnd] [-l lopt] [-rvDTCAh] -f script

2. Create a Sample Shell Script

Create a sample bash shell script that you would like to encrypt using shc for testing purposes.

For testing purposes, let us create the following random.sh shell script, which generates random numbers. You have to specify how many random numbers you would like to generate.

$ vi random.sh
#!/bin/bash

echo -n "How many random numbers do you want to generate? "
read max

for (( start = 1; start <= $max; start++ ))
do
  echo -e $RANDOM
done

$ ./random.sh
How many random numbers do you want to generate? 3
24682
1678
491

3. Encrypt the Shell Script Using shc

Encrypt the random.sh shell script using shc as shown below.

$ ./shc -f random.sh

This will create the following two files:

$ ls -l random.sh*
-rwxrw-r--. 1 ramesh ramesh   149 Mar 27 01:09 random.sh
-rwx-wx--x. 1 ramesh ramesh 11752 Mar 27 01:12 random.sh.x
-rw-rw-r--. 1 ramesh ramesh 10174 Mar 27 01:12 random.sh.x.c

  • random.sh is the original unencrypted shell script
  • random.sh.x is the encrypted shell script in binary format
  • random.sh.x.c is the C source code of the random.sh file. This C source code is compiled to create the above encrypted random.sh.x file. The whole logic behind shc is to convert the random.sh shell script to the random.sh.x.c C program (and of course compile that to generate the random.sh.x executable).

$ file random.sh
random.sh: Bourne-Again shell script text executable

$ file random.sh.x
random.sh.x: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped

$ file random.sh.x.c
random.sh.x.c: ASCII C program text

4. Execute the Encrypted Shell Script

Now, let us execute the encrypted shell script to make sure it works as expected.

$ ./random.sh.x
How many random numbers do you want to generate? 3
7489
10494
29627

Please note that the binary itself still depends on the shell named in the first line of random.sh (i.e. /bin/bash) being available to execute the script.

5. Specifying Expiration Date for Your Shell Script

Using shc you can also specify an expiration date, i.e. after this expiration date, when somebody tries to execute the shell script, they'll get an error message.

Let us say that you don't want anybody to execute random.sh.x after 31-Dec-2011 (I used last year's date for testing purposes).

Create a new encrypted shell script using the "shc -e" option to specify the expiration date. The expiration date is specified in dd/mm/yyyy format.

$ ./shc -e 31/12/2011 -f random.sh

In this example, if someone tries to execute random.sh.x after 31-Dec-2011, they'll get the default expiration message as shown below.

$ ./random.sh.x
./random.sh.x: has expired!
Please contact your provider

If you would like to specify your own custom expiration message, use the -m option (along with the -e option, as shown below).

$ ./shc -e 31/12/2011 -m "Contact [email protected] for new version of this script" -f random.sh

$ ./random.sh.x
./random.sh.x: has expired!
Contact [email protected] for new version of this script

6. Create Redistributable Encrypted Shell Scripts

Apart from -e, and -m (for expiration), you can also use the following options:

  • -r will relax security to create a redistributable binary that executes on other systems running the same operating system as the one on which it was compiled.
  • -T will allow the created binary files to be traceable using programs like strace, ltrace, etc.
  • -v is for verbose output.

Typically you might want to use both the -r and -T options to create a redistributable and traceable encrypted shell script, as shown below.

$ ./shc -v -r -T -f random.sh
shc shll=bash
shc [-i]=-c
shc [-x]=exec '%s' "$@"
shc [-l]=
shc opts=
shc: cc  random.sh.x.c -o random.sh.x
shc: strip random.sh.x
shc: chmod go-r random.sh.x

$ ./random.sh.x
How many random numbers do you want to generate? 3
28954
1410
15234

Finally, it is worth repeating: you should not be encrypting your shell script in the first place. But if you do decide to encrypt your shell script using shc, please remember that a smart person can still generate the original shell script from the encrypted binary that shc created.
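The "different approach" the answer recommends, written out in plain sh as an added example (not code from the page, the answer's author, or shc): the password is kept out of the script entirely, read from a separate file that must be mode 0600, and handed to the consuming command on stdin rather than on its command line, which is what the opening article's "ps -ef" loop would otherwise capture. The function names, the stand-in consumer and the hypothetical mytool --password form in the comment are mine; the permission check assumes ls -l prints the usual "-rw-------" column layout.

```shell
#!/bin/sh
# Added example, not from the page or from shc: the approach the answer
# recommends instead of encrypting a script that embeds a password. The
# secret lives in a separate file readable only by its owner, the script
# never contains it, and it reaches the consuming command on stdin rather
# than on its command line, so a "ps -ef" loop cannot capture it.
# Assumption: ls -l prints permissions in the usual "-rw-------" form.

# secret_file_ok path: 0 if path is a regular file with no group/other bits.
secret_file_ok() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)   # group and other permission columns
    [ "$perms" = "------" ]
}

# load_secret path: print the first line of the file, refusing to read a
# file that anyone else on the system could read as well.
load_secret() {
    if ! secret_file_ok "$1"; then
        echo "refusing $1: must be a regular file with mode 0600" >&2
        return 1
    fi
    IFS= read -r secret < "$1" || [ -n "$secret" ] || return 1
    printf '%s\n' "$secret"
}

# consumer_stub: stands in for a tool that takes the password on stdin; it
# only reports how many bytes it received, never the value itself.
consumer_stub() {
    n=$(wc -c | tr -d ' ')
    echo "consumer received $n bytes on stdin"
}

# use_secret path: the pattern to copy. Compare it with the weak form
#     mytool --password "$(cat secret.txt)"     (mytool is hypothetical)
# which exposes the value to every user via ps while mytool runs.
use_secret() {
    secret=$(load_secret "$1") || return 1
    printf '%s' "$secret" | consumer_stub
}
```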