Securing Shell Scripts

Shell scripts are very handy to have around, but sometimes they include functions that require a password. For example, if a script has to reference a MySQL database, a user name and password must be provided. Because it’s unencrypted, anyone who can read the file or who has reasonable shell access to the system can grab the password either from the file or while the script is running.

Enter shc. As explained by Duane Dunston over at Linux Security, shc will take your shell script and turn it into a binary C program. The script performs the same function and is executed the same way, but now has an additional layer of protection against prying eyes.

Duane also points out a cool expiration feature. When shc is run with a specific switch, the script will expire after a given time and spit out a user-configurable message to notify the user. With a utility like this, a sysadmin could give a user specific privileges for a certain task without having to mess with sudo and similar utilities. If the user only needs the function for a day, the sysadmin could create the script with an expiration and not have to worry about forgetting to remove the privilege later.