Cactus International isn’t a new face to SCO administrators and users. Cactus has been around for a decade, delivering innovative and useful utilities for SCO systems. Their latest product is Shell-Lock, which replaces an older shell script compiler the company offered years ago. Shell-Lock is available for SCO OpenServer V, IBM AIX, Sunsoft Solaris, and Linux.

Shell-Lock compiles shell scripts into an executable file. There are a number of reasons you may want to compile shell scripts, but the most important is to protect the script from tampering or snooping. Since Shell-Lock generates an executable binary, the shell script code behind the binary is masked, making it impossible for a user to modify the script without your knowledge. Also, if you are selling or distributing scripts as part of another product, Shell-Lock hides the code from snooping eyes that may want to figure out what you’ve done. While it is unlikely you will use Shell-Lock on a dozen-line script, once a script runs into the thousands of lines, protecting the code becomes much more important. There is no fee for distributing a Shell-Lock compiled binary (no run-time fees).

Shell-Lock installs easily enough from a single diskette. An interesting aspect of the product is the licensing: Cactus licenses Shell-Lock only for a year, with the license renewable one year at a time. Cactus claims they will sell Shell-Lock only to VARs, system administrators and "responsible technicians," but that would seem to be easy enough to qualify for. While the Shell-Lock compiler license may expire, the executables never do.

To test Shell-Lock we ran it against a few dozen scripts, ranging from a couple of lines to eight thousand (a complex installation and configuration script for a larger application). On a Pentium 350 the compilation time is barely noticeable except on the larger scripts. Even on our largest test, compilation took only a few seconds. Execution times of compiled scripts are no faster than the script itself. We found it virtually impossible to reverse engineer an executable back to the script code, although a devoted enough hacker just may be able to do this. The strings command returns nothing useful at all. We compiled only Bourne and Korn scripts, as Shell-Lock does not support the C shell scripting language. Using the compiler is very much like using any C compiler, right down to support for the -o option for output file naming.

One useful aspect of Shell-Lock is that it lets an executable run with suid privileges, removing the need to hand out root passwords to users. A few other aspects of the tool will appeal to those who write more complex scripts. To start with, exit codes can now be returned (Cactus’ earlier shell compiler couldn’t do this). Also, extremely long PATH variables can be set (up to 5120 characters), which is an improvement over the earlier product, too. If you want to compile for more than one operating system you can license additional codeshells for $99 per platform. This lets you write and compile a shell script on one platform for rollout to any supported UNIX variant.

Shell-Lock isn’t going to appeal to all programmers and system administrators. However, once you have compiled a few oft-used scripts, you’ll be surprised how much more easily you rest knowing that some of your users can’t mess up your source code. As mentioned earlier, there is no performance gain using Shell-Lock, but the ability to protect your script code itself justifies the Shell-Lock package for most of us.

Shell-Lock $899
Cactus International
509 E Ridgeville Blvd
Mt. Airy
Maryland 21771
301-829-1623 fax
Summary: For protecting shell scripts from modification and snooping, there is no product like Shell-Lock.