SHC
Do you have scripts that contain sensitive information such as passwords, and depend on file permissions alone to keep them secure? That protection holds only as long as you keep your system secure and no user has a "ps -ef" loop running in an attempt to capture the sensitive information (though some applications mask passwords in "ps" output). A program called "shc" can add an extra layer of security to those shell scripts. SHC encrypts a shell script using RC4 and builds an executable binary from it, which then runs like the normal shell script. This utility is great for scripts that need a password to encrypt or decrypt something, or that pass a password to a command as a command-line argument.
A binary named "shc" will be created along with some test programs. Let's give it a try.
echo "I love Duane's articles and will send him a donation via PayPal."
shc -f script.sh
The switch "-f" specifies the source script to encrypt. The above command will create two files: script.sh.x.c and script.sh.x.
The program "shc" creates C source code out of your shell script then encrypts it (script.sh.x.c). The encrypted shell script is: script.sh.x. Run that binary and see the output:
./script.sh.x
I love Duane's articles and will send him a donation via PayPal.
Now copy the original "script.sh" file to a floppy disk or some other system, as a backup and in case you need to edit it in the future. Then delete it from the server, along with the "script.sh.x.c" file that shc created.
Neat feature
You can also specify a time limit on the shell script so that it will no longer execute after a certain date and you can specify a custom message to echo back to the user. Run this command on the "script.sh" file we created earlier in this tut:
shc -e 09/10/2004 -m "Dude it is too late to run this script." -f script.sh
./script.sh.x
./script.sh.x has expired!
Dude it is too late to run this script.
In the above command the date October 9, 2004 is set as the expiration date (-e 09/10/2004) and the custom message was set to display to the user (-m "Dude it is too late to run this script.") when the binary is executed. Note the date format is dd/mm/yyyy.
Check out the man pages for more info on "shc". Remember that the binary is only encrypted on the local system. If you encrypt a script that transmits sensitive information in clear text across a network, you will need some other encrypted communication channel to transmit that information.
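The "ps -ef" exposure mentioned at the start of this article can be checked directly. The script below is an added example, not part of the original article or of shc: it starts a stand-in worker process and reports whether a secret is visible in that worker's argument list when passed on the command line versus on standard input. The secret value, the "worker" name and the function names are constructed for the demonstration. Commands launched by a script are ordinary processes, so the same check applies to what a compiled script runs.

```shell
#!/bin/sh
# Added example: is a secret handed to a child process visible in the
# process table (what "ps -ef" shows to every local user)?
# SECRET and the "worker" command are constructed for this demonstration.
SECRET='constructed-sample-pw-7291'

# Print the argument vector of PID $1 as the process table reports it.
argv_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# check_exposure argv|stdin
# Starts a stand-in worker that receives SECRET the given way, inspects the
# worker's argv, and prints "exposed" or "hidden".
check_exposure() {
    case "$1" in
        argv)   # secret as a command-line argument
            sh -c 'sleep 3; :' worker "--password=$SECRET" >/dev/null 2>&1 & ;;
        stdin)  # secret written to the worker's standard input by a builtin
            printf '%s\n' "$SECRET" |
                sh -c 'read -r pw; sleep 3; :' worker >/dev/null 2>&1 & ;;
        *)
            echo "usage: check_exposure argv|stdin" >&2; return 2 ;;
    esac
    pid=$!
    sleep 1    # give the child time to exec before looking at it
    case "$(argv_of "$pid")" in
        *"$SECRET"*) result=exposed ;;
        *)           result=hidden ;;
    esac
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    echo "$result"
}

echo "secret on the command line: $(check_exposure argv)"
echo "secret on standard input:   $(check_exposure stdin)"
```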
Duane Dunston received his B.A. and M.S. degrees from Pfeiffer University and he has his GSEC certification from SANS. Hey, Ann Curry!
http://www.linuxsecurity.com