Clever Geek Handbook

Automatically decrypt and run encrypted bash script without saving the decrypted file to the file system

I have a wrapper script that creates responsive content on startup. It's on a box that only a few users have access to. However, I also added multilevel obfuscation to prevent unauthorized use using the following:

  • the script must be executed as root
  • the script must be passed specific command line arguments to generate any output
  • The script was coded by the shc shell compiler "to mask facts # 1 and # 2 from normal users (those who don't know whether to use TRACE or STRINGS to see the real code).

To add a layer of actual security to protect more advanced users and sysadmins again, I encrypted the script with gpg as well.

My question is, is there a gpg command (or another encryption method) that I could run that asks to defragment passwords, and decrypts the script and only runs it in memory (without saving the decrypted version of the file to the file system)?

I understand that sensitive information may still exist in unprotected memory during execution, I am addressing it separately.

+3


source to share


3 answers


You can write the decryption output to

decrypted=$(gpg -d ...)


Then you can evaluate the result

eval "$decrypted"
+3


source


Another simple option to contrast with choroba's answer:



Save the decrypted output to a file in /dev/shm/

. (This is the default in-ram tmpfs filesystem on almost all Linux distributions.) Set a trap

to delete the file when your script exits.

0


source


It's very possible I could clarify this, but there is another idea here where you are executing the script rather than evaluating it like in the choroba example. It allows you to pass arguments ...

bash <( gpg -d ... ) arg1 arg2

... it does, however, override the interpreter. That is, I ran my scripts with bash -ue

. It may or may not be an issue depending on the scripts and whether you write them yourself or not :)

0


source






More articles:


All Articles