问题描述
Update2:
感谢您的输入。我已经实现了该算法,可以在下载。这是我的第一个开源项目,所以是仁慈的。
Thanks for the input. I have implemented the algorithm and it is available for download at SourceForge. It is my first open source project so be merciful.
更新:
我不知道我是否够清楚,或者所有人都回应这一点了解贝壳如何消耗#!输入类型一本很好的书,是高级Unix编程。调用popen并提供其标准输入就足够了,如
I am not sure I was clear enough or everyone responding to this understands how shells consume #! type of input. A great book to look at is Advanced Unix Programming. It is sufficient to call popen and feed its standard input as demonstrated here.
原始问题
我们的脚本运行在高度分散的环境中与许多用户。使用权限来隐藏它们是有问题的,原因很多。
Our scripts run in highly distributed environment with many users. Using permissions to hide them is problematic for many reasons.
由于第一行可用于为脚本指定解释器,因此可以使用初始行定义aa decrypter
Since the first line can be used to designate the "interpreter" for a script the initial line can be used to define a a decrypter
#!/bin/decryptandrun
*(&(*S&DF(*SD(F*SDJKFHSKJDFHLKJHASDJHALSKJD
SDASDJKAHSDUAS(DA(S*D&(ASDAKLSDHASD*(&A*SD&AS
ASD(*A&SD(*&AS(D*&AS(*D&A(SD&*(A*S&D(A*&DS
编写脚本进行加密并放置相应的标题,我想解密脚本(它本身可能有一个解释器行,如顶部的#!/ bin / perl),而不会像写入临时文件那样愚蠢我发现一些愚蠢的商业产品来做到这一点,我认为这可以在几个小时内完成,有没有一种众所周知的方法来做管道,而不是编码系统调用?我在想使用,但最好替换当前进程或创建子进程?
Given that I can write the script to encrypt and place the appropriate header I want to decrypt the script (which itself may have an interpreter line such as #!/bin/perl at the top of it) without doing anything dumb like writing it out to a temporary file. I have found some silly commercial products to do this. I think this could be accomplished in a matter of hours. Is there a well known method to do this with pipes rather than coding the system calls? I was thinking of using execvp but is it better to replace the current process or to create a child process?
推荐答案
如果您的用户可以执行decryptandrun程序,那么他们可以读取它(以及需要读取的任何文件,如解密键)。所以他们可以提取代码来解密脚本本身。
If your users can execute the decryptandrun program, then they can read it (and any files it needs to read such as decryption keys). So they can just extract the code to decrypt the scripts themselves.
你可以通过使decrtyptandrun suid来解决这个问题。但是其中的任何错误都可能导致用户获得root权限(或至少拥有保存解密密钥的帐户的权限)。所以这可能不是一个好主意。当然,如果你把所有这些解密脚本的内容或密钥都隐藏起来,使它们不能被用户读取,那么为什么你不能对脚本的内容做同样的处理呢? '尝试隐藏?
You could work around this by making the decrtyptandrun suid. But then any bug in it could lead to the user getting root privileges (or at least privileges to the account that holds the decryption keys). So that's probably not a good idea. And of course, if you've gone to all the trouble of hiding the contents or keys of these decryption scripts by making them not readable to the user... then why can't you do the same with the contents of the scripts you're trying to hide?
此外,您不能将#!解释为可执行文件作为解释器另一个#!解释可执行文件。
Also, you can't have a #! interpreted executable as an interpreter for another #! interpreted executable.
密码学的基本规则之一是,不要发明自己的加密算法(或工具),除非你是一个经验丰富的密码分析器。
And one of the fundamental rules of cryptography is, don't invent your own encryption algorithm (or tools) unless you're an experienced cryptanalyst.
这让我想知道为什么你觉得需要加密你的用户将要运行的脚本。他们看到脚本的内容有什么问题吗?
Which leads me to wonder why you feel the need to encrypt scripts that your users will be running. Is there anything wrong with them seeing the contents of the scripts?
这篇关于建议加密/解密脚本优雅?[现在在Sourceforge]的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!