in reply to "safe" perl cron environment?

I have to say that there is a delicious sense of irony in your comment but not nearly as important as the 4 scripts which I consider to be trade secrets. I'd like to use free software as much as possible. :-)

AFAIK ROOT will _always_ be able to access your scripts. I am even hesitant to believe that ACLs will help. What's to stop the admin setting the computer to run in single user mode as root, then changing the ACLs and then reviewing your code? Even worse, presumably your stuff will be getting backed up, so the sysadmin could take the backup, restore it to a separate machine and then change ACLs to her heart's content and you would never even know.

And sysadmin hacks aside there are also things like running your code under -d and trace or even more elaborate hacks to get perl to regurgitate your code (how about using B::Deparse on the code...)

Ultimately there is NO way in perl (that I am aware of) that will keep your code truly secret. It will always be possible for someone with sufficient privs to access the code.

Sorry,

--- demerphq
my friends call me, usually because I'm late....

Re: Re: "safe" perl cron environment?
by jhanna (Scribe) on Dec 02, 2002 at 18:52 UTC
    have to say that there is a delicious sense of irony in your comment
    Yes... Sorry about that, but it makes sense in the end... The scripts implement a system which stands to make a ton of money for a non-profit.

    I'm really not too concerned about rebooting in single-user mode. I'm more concerned about remote root vulnerabilities.

    Ultimately there is NO way in perl (that I am aware of) that will keep your code truly secret. It will always be possible for someone with sufficient privs to access the code.
    If this is really true then that is the answer to my question.

    John

      Yes... Sorry about that, but it makes sense in the end...

      Heh. No apology needed. Even if it was for a for-profit. :-) Ya gotta do whatchya gotta do!

      If this is really true then that is the answer to my question.

      (Un)fortunately I believe it is. Although I think it would take a skillful person to do it. But then that holds true of decompiling an executable too.

      BING! Here's a _really_ nasty way to do something like what you want: write a C wrapper that embeds perl inside of it. Then put your perl script within the C wrapper (perhaps encrypted using some reliable C library) and then have the wrapper pass the code to the embedded perl instance to be executed. At least that way it becomes nearly impossible for some kind of man-in-the-middle attack, or the other easily implemented routes from the command line.

      Dunno, could be a pipe dream, but I think it would have to be an especially talented and motivated individual that figured that one out.

      --- demerphq
      my friends call me, usually because I'm late....
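
The B::Deparse point raised in this thread, as an added example that is not part of any post: a script body stored in obfuscated form still has to be decoded and compiled before perl can run it, and the compiled code can then be turned back into source from inside the same interpreter. The sample subroutine, the `xor_bytes` helper and the single-byte XOR (a stand-in for whatever encryption a wrapper would use) are all constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use B::Deparse;

# Constructed sample: stands in for the body of a "protected" script.
my $source = 'sub { my ($price, $qty) = @_; return $price * $qty * 1.07; }';

# Hypothetical helper: toy single-byte XOR, standing in for the encoding or
# encryption a wrapper might apply to the script at rest. Not real crypto.
sub xor_bytes {
    my ($data, $key) = @_;
    return join '', map { chr(ord($_) ^ $key) } split //, $data;
}

# What would be stored on disk or embedded in the wrapper binary.
my $at_rest = xor_bytes($source, 0x5A);

# The wrapper has to undo the protection before perl can compile the code,
# so the plaintext and the compiled op tree both end up in process memory.
my $code = eval xor_bytes($at_rest, 0x5A);
die "compile failed: $@" unless ref $code eq 'CODE';

# B::Deparse walks the compiled op tree and regenerates equivalent source.
# It never needs the original file, only a reference to the compiled code.
sub recover_source {
    my ($coderef) = @_;
    return B::Deparse->new->coderef2text($coderef);
}

print "stored form (hex prefix): ", unpack('H*', substr($at_rest, 0, 16)), "...\n";
print "recovered from op tree:\n", recover_source($code), "\n";
print "the sub still runs normally: ", $code->(10, 3), "\n";
```

The recovered text is regenerated from the op tree, so it is equivalent to the original source rather than byte-identical to it.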