one4k4 has asked for the wisdom of the Perl Monks concerning the following question:

This may be completly off base and out of my league.. but an interesting question came up the other day. We have some outside consultants working on various apsects of our system here. Our inside programmers have written a lot of code to tweak/get around/"fix"/speed-up various parts of the system. A programmer said that he wondered if the consultants would take the perl code and reuse it back "home". They don't currently have access to it, but they've requested access to the box it's on. Creating licenses aside, I wonder if the following idea is possible:

Create a secure/public keyring pair for the server itself.
Store secure keyring in /root/.whoknows/secret.gpg (whatever..)
Encrypt the perl code as if you were sending it to the server as the recipient. (server@yourhouse.com.. whatever)
Leave the encrypted code where it is. Delete the unencrypted code.
An Apache module, when the server is started, will read in the encrypted code, unencrypt it (via a passphrase that's stored in httpd.conf), and let Apache continue to store the unencrypted code in memory like normal.


I don't know if this has been talked about, recently or ever. If it has been I can see it getting shot down for a few reasons:
People having access to httpd.conf will get the passphrase
A httpd-start / httpd-restart would most likely take an incredibly long time to unencrypt all that code..

It's just a simple thought. I wondered if anybody had any insight. Either slap me and call me stupid or tell me where I can look into this a bit more. ;)

_14k4 - perlmonks@poorheart.com (www.poorheart.com)
  • Comment on Apache's mod_perl + (gnuPG + startup.pl) = encrypted code?

Replies are listed 'Best First'.
Re: Apache's mod_perl + (gnuPG + startup.pl) = encrypted code?
by Beatnik (Parson) on May 30, 2002 at 14:05 UTC
    I did a basic source filter that encrypts/decrypts code (Filter::CBC) but I havent tried any CGI or mod_perl based stuff and GPG isn't included since I use Crypt::CBC as base. Seems doable tho :)

    Greetz
    Beatnik
    ... Quidquid perl dictum sit, altum viditur.
[reply]
Re: Apache's mod_perl + (gnuPG + startup.pl) = encrypted code?
by Abigail-II (Bishop) on May 30, 2002 at 16:22 UTC
    Being a consultant myself, probably the best way is to not do business with people you do not trust.

    Of course, one might wonder, why just protect against consultants? It's not that employees never steal....

    Abigail

[reply]
      It's not that employees never steal

      Very good point! I like that. I can't tell if it's because the consultant is not trusted and somebody-somewhere-in-mgmt pulled him in, or the consultant wanting access to some things simply brought the question to light. I'd like to think that's what it's all about, at least for me it is. I'm more curious now than anything else :)

      _14k4 - perlmonks@poorheart.com (www.poorheart.com)
[reply]
Re: Apache's mod_perl + (gnuPG + startup.pl) = encrypted code?
by thraxil (Prior) on May 30, 2002 at 15:42 UTC

    i don't see any gaping holes. but i suspect that it's overkill. why not just take advantage of unix groups and permissions? it shouldn't be too hard to set things up so that the webserver and you can read the code but they can't. much less complicated, less of a potential performance hit, and it makes it easier for you to still have access to and modify those scripts if necessary.

    what would be really nice would be Access Control Lists. if you're using linux there's a kernel patch that will give you ACLs.

    anders pearson

[reply]
      Nice point. I hadn't thought about that fact that perl scripts are frequently changed. And a good reason to use perl is the fact that you don't have to do anything after you make the script.. User permissions would be a good idea, but you know, the geek in me ran with it. ;)

      _14k4 - perlmonks@poorheart.com (www.poorheart.com)
[reply]

Back to Seekers of Perl Wisdom