Hi,
I have my application on an Ubuntu 9.04 server edition. Now I want to hide my application somehow, like creating a setup file in .NET or through any other way, so that nobody can use my code without my permission. How can I do that?
What do you mean by hide the code? The ruby code should not be visible to a user, only the html should be visible.
Colin
Yes. Ruby code should not be visible and, if possible, the HTML too (should not be visible).
Thanks in advance.
I think that the OP wants the code to be unreadable in the same way that compiled apps are unreadable (for some value of unreadable).
Is that comment in response to my suggestion that the ruby code should not be visible? It is best to leave in the comment you are referring to so that the email makes sense.
What I meant was that the ruby code will not be visible anyway - a visitor to the website cannot see the ruby code, only the html.
As for your suggestion that you want the html not to be visible, how do you expect someone to use the website if the html is not visible, as it is this that is interpreted by the browser to display the web page?
Colin
Unreadable by who? A visitor to the website cannot see the Ruby code anyway, and the html must be visible for the browser to display it. Unless he is talking about javascript. Sumanta - is it the javascript you are trying to hide?
Colin
OK... maybe I failed to make my view clear. Sir, I have a server machine (OS: Ubuntu 9.04 server edition). Now the application is running. What I want is: if somebody has the server's user name and password then he/she can see my code. I want to protect my programs (raw code). Is there any way?
When we use .NET we can create a setup file for a project, so there is no chance to change or to see the code/program. This is the kind of hiding I am talking about. Or, if there is any way, I could encrypt my code without interrupting the execution of the application.
Thanks in advance.
That is not a Rails question, it is a Ubuntu question. Set the permissions on the folders so that only you and the web server can view them. The Ubuntu support mailing list (ubuntu-users Info Page) would be a good place to ask if you need further help on this. Though I would suggest reading up on folder permissions and trying it yourself first.
Colin
.NET is a compiled language like Java.
Ruby is only compiled to an internal format, each and every time it is run.
As such there is no standard Ruby compiler (like .NET or Java). Although compilers for Ruby do exist (but I have no experience of them).
You might like to look at JRuby which, if I remember this correctly, may allow you to compile Ruby code down to a Java class file. Any JRuby experts here who could cast some light on this?
JRuby is an interpreter, written in Java for ruby. So it is no different from the standard MRI interpreter.
Samanta, What you are looking for is encoder/decoder, I only know of http://www.rubyencoder.com/ try if it works for you.
Regards, Amiruddin Nagri, Bangalore, 560008, KA India
Y! IM : amir_nagri@yahoo.com GTalk : amir.nagri@gmail.com
Sir, as you suggested, I already did it: permission changing. But the problem is, as I said before, that if anybody knows the password and user name of the server then again he/she can change the permissions very easily, if he/she wishes to access/change the code/program. So from Ubuntu I will not get (most probably) any way to do that. That's why I am searching for a Ruby way to do this. Any help?
Thanks In Advance.
You can do this (I've had to do it for a client) but it's not simple and I can't share my solution's code. However, you basically go along the lines that you have a class responsible for decrypting/encrypting code (I used Base64 encoded AES). You then have Rake tasks that go through all Ruby (I did YAML too as YAML files are executed as ERB first) files, encrypt the content and replace the file contents with contents like this:
require 'config_decryptor'
eval ConfigDecryptor.decrypt(…ENCRYPTED_CONTENT_HERE…)
Your config_decryptor.rb file has to be in the load path - I handled this by requiring the full path in a config/preinitializer.rb file.
The eval is done once as the Ruby class files are cached in memory during production mode.
The next problem is getting the key in to Ruby. I did this by having a Rake task that puts it in to a specific named file in /tmp which is then read by my class (during a call in preinitializer.rb) and deleted. It’s not ideal, but it works for my purpose and would also work for yours.
The last step, if you’re using Passenger ensure that the last child is never killed off (if it is, it will lose the decryption key which is now only in memory). I can’t remember the setting but there’s a timeout setting which you can set to zero so the last child never dies.
I would however, recommend against doing this - server security and not giving out the username/password is far and away the best solution. I work in a specific industry in a country with a lot of security requirements so had no choice - but it's a solution and something I wished I never had to write.
Cheers,
Andy
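A minimal reconstruction of the scheme Andy describes, added here as an example; it is not his code, and the names (SourceCrypt, source_crypt, pricing.rb, app.key) are hypothetical. Each source file is AES-256-CBC encrypted with Ruby's OpenSSL binding and replaced by a stub that decrypts and evals the original, the key is handed over through a file that is read once and deleted, and recover_source shows the point the later replies make: everything except the key is in the stub, and the key has to be in the process.

```ruby
require 'openssl'
require 'tmpdir'

# Added example, not the thread's code: AES-encrypt each .rb file and leave a
# stub that decrypts and evals the original at load time. Key lives only in memory.
module SourceCrypt
  CIPHER = 'aes-256-cbc'

  class << self
    attr_accessor :key   # set once per process by load_key_from
  end

  def self.random_key
    OpenSSL::Cipher.new(CIPHER).random_key
  end

  # Base64( IV || AES-CBC ciphertext ), fresh IV per file.
  def self.encrypt(plaintext, key)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = key
    iv = cipher.random_iv
    [iv + cipher.update(plaintext) + cipher.final].pack('m0')
  end

  def self.decrypt(blob, key = self.key)
    raise 'decryption key not loaded' unless key
    raw = blob.unpack1('m0')
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = key
    cipher.iv = raw[0, 16]
    cipher.update(raw[16..-1]) + cipher.final
  end

  # What the Rake task writes in place of each source file.
  def self.stub_for(source, key)
    <<~RUBY
      require 'source_crypt' unless defined?(SourceCrypt)   # hypothetical file name
      eval SourceCrypt.decrypt(#{encrypt(source, key).inspect}), TOPLEVEL_BINDING
    RUBY
  end

  def self.encrypt_file!(path, key)
    File.write(path, stub_for(File.read(path), key))
  end

  # Key hand-off as in the thread: read the file once, then delete it.
  def self.load_key_from(path)
    self.key = File.binread(path)
    File.delete(path)
    key
  end

  # The weakness: anyone who can run code in (or read memory of) the process
  # has the key, and the stub contains everything else.
  def self.recover_source(stub)
    blob = stub[/decrypt\("([^"]+)"\)/, 1] or raise 'not a SourceCrypt stub'
    decrypt(blob)
  end
end

# Round trip on a constructed sample source; returns the observations.
def source_crypt_demo
  key = SourceCrypt.random_key
  source = "def hidden_rate\n  0.15\nend\n"   # constructed sample source
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'pricing.rb')
    File.write(path, source)
    SourceCrypt.encrypt_file!(path, key)   # the Rake task step
    stub = File.read(path)

    keyfile = File.join(dir, 'app.key')
    File.binwrite(keyfile, key)
    SourceCrypt.load_key_from(keyfile)     # what preinitializer.rb would do
    load path                              # stub decrypts and evals the original

    {
      stub_hides_source: !stub.include?('hidden_rate'),
      keyfile_deleted:   !File.exist?(keyfile),
      loaded_value:      hidden_rate,
      recovered_source:  SourceCrypt.recover_source(stub)
    }
  end
end

puts source_crypt_demo.inspect if __FILE__ == $PROGRAM_NAME
```

Because the key never leaves the process, the process must not be recycled without someone re-supplying it; the Passenger directive Andy could not recall is PassengerPoolIdleTime, which defaults to 300 seconds and can be set to 0 so idle application processes are never shut down.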
> You can do this (I've had to do it for a client) but it's not simple <snip super secret process>

Very interesting approach. Will file that for future reference.

> The last step, if you're using Passenger ensure that the last child is never killed off (if it is, it will lose the decryption key which is now only in memory). I can't remember the setting but there's a timeout setting which you can set to zero so the last child never dies.

Hope you've got good UPS and redundancy too (and a well-negotiated call-out fee to re-encrypt everything if the YTS boy unplugs the power).

> I would however, recommend against doing this - server security and not giving out the username/password is far and away the best solution.

+1
>> You can do this (I've had to do it for a client) but it's not simple
>
> Very interesting approach. Will file that for future reference.

I hope you never need it.

>> The last step, if you're using Passenger ensure that the last child is never killed off (if it is, it will lose the decryption key which is now only in memory). I can't remember the setting but there's a timeout setting which you can set to zero so the last child never dies.
>
> Hope you've got good UPS and redundancy too (and a well-negotiated call-out fee to re-encrypt everything if the YTS boy unplugs the power).

We're developing the site but the day to day running is down to the client (but they have lots of power from various sources, redundancy and sysadmins to type the password back in).

Cheers,
Andy
Is the client trying to keep the code hidden from his own sysadmins or are you trying to hide it from the client?
Colin
You do this in linux - not in ruby. Make the directory and all the files viewable by no one but the process that runs them (apache.apache), and make it so no one can login as apache.apache. Of course, if you login as root, you can see anything, so if the client has root then all bets are off.
Exactly, proper permission management in Linux is the key to making this work. On top of that, if it’s an internet-enabled server, I would never ever ever ever ever allow username + password access to the server unless that user is sandboxed, let alone allow root access (which is like putting a big sign on your porch saying: THE KEY IS UNDERNEATH THE DOORMAT). Use SSH key-based authentication instead. Give your customer an account that has rights to view their own home folder, but nothing else.
If you really want to hide the code from the customer, host it yourself and let them pay for the hosted solution. If that's a no go and they don't want to give up their server management rights, then just rely on a very good contract (i.e. let a lawyer make it) that prohibits them from messing with the code. We should all know by now how effective DRM is, in whatever form you want to sell it (hiding code, checking licenses, always online measures, …).
The company I work for had the same mindset, since we came from desktop apps where we had set up this whole structure of internet authenticating clients and monitoring systems and license keys and what not. My boss was afraid that our RoR projects would be copied or distributed illegally and he would lose money. Well, we didn’t implement any security at all, and we’ve made a lot more money more than we used to, simply because we could spend more time making a great app instead of implementing great license validations and restrictions (if you can call those great to start off with). If you’re worried about them changing the maximum number of users etc in your code, rethink your licensing strategy.
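The two replies above (lock the tree to the account that runs it, make that account non-interactive, SSH keys only, no root) as a shell script. This is an added example, not something posted in the thread; the directory and account names are placeholders, and on Ubuntu the web server account is normally www-data rather than the apache.apache of the earlier reply. As the same replies say, none of this stops anyone who has root.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes GNU/BSD find with symbolic
# -perm modes; APP_DIR and APP_USER are placeholders chosen by the caller.

# Owner and group keep the tree; "other" gets nothing.
harden_app_dir() {
  dir=$1
  owner=$2
  # chown needs root; run unprivileged (e.g. in a test) the caller already
  # owns the files, so only the mode bits change.
  if [ "$(id -u)" -eq 0 ]; then
    chown -R "$owner:$owner" "$dir"
  fi
  find "$dir" -type d -exec chmod 750 {} +
  find "$dir" -type f -exec chmod 640 {} +
}

# Print anything under DIR that "other" can still read, write or traverse.
# Empty output means the tree is closed to everyone but owner and group.
world_accessible() {
  find "$1" \( -perm -o=r -o -perm -o=w -o -perm -o=x \)
}

# Make the service account unusable for interactive login (root only):
# no shell, locked password, so "nobody can log in as" it.
lock_service_account() {
  user=$1
  [ "$(id -u)" -eq 0 ] || { echo "lock_service_account: needs root" >&2; return 1; }
  usermod -s /usr/sbin/nologin "$user"
  passwd -l "$user"
}

# sshd directives for "keys only, never root over SSH". Written to FILE so
# the effect can be checked without touching /etc/ssh/sshd_config.
write_sshd_hardening() {
  cat >>"$1" <<'EOF'
# added by write_sshd_hardening
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF
}

# Typical use on the box (as root):
#   harden_app_dir /var/www/myapp www-data
#   world_accessible /var/www/myapp      # expect no output
#   lock_service_account www-data
#   write_sshd_hardening /etc/ssh/sshd_config && service ssh reload
```

Give the customer a separate account that owns only its own home directory; once the tree belongs to the service account with mode 750/640 and that account cannot log in, a password for the customer's account no longer reaches the source.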
Andy Jeffries wrote:
> Or if there is any way so that I can encrypt my code without interrupting the execution of the application.
If your client is determined to access your code even an encryption of the Ruby source code will not be sufficient. In order for MRI to interpret Ruby it must be decrypted. If the client has full access to the system then this means that they also have access to the encryption keys.
This is the same issue that makes decrypting DVDs possible. The keys must be available to the system performing the decryption. Now maybe doing this will discourage a client from making the attempt, but if they are determined then there's nothing stopping them from hiring someone to "crack" your encryption. But, as I said it's not really cracking it since the encryption keys exist in a location where the client has access.
Other compiled languages such as Java or .Net don't effectively protect your code either. Java (and likely .Net) can be easily decompiled into amazingly readable source code.
In the end the only real solution is to protect your source code using operating system security and by contractual licensing.
Interesting solution, but also not secure. Anybody who has root can read out your running processes' memory spaces and either (a) grab the key and yer pwned or (b) grab the bytecodes, decompile and yer pwned.
Add to that bonus nasties like directly frobbing the core of a running VPS instance from the hypervisor, and you're back in security hell again.
BTW, .Net code is similarly not "secure", since you're handing over binaries with the setup program.
The real question is not "is the code 100% secure" - it's physically impossible for that to be the case unless the server itself is somehow locked up, etc etc etc. The real question is, "is the code worth stealing"? If it is, then the best protection to invest in is the oldest: LAWYERS. The reason that (for instance) stolen copies of the Windows source aren't available has nothing to do with l33t security on the code repository, but rather the army of rabid lawyers bound to descend on anyone that posts it. If your code is worth stealing, then it's worth getting an effective license drawn up - and worth *pursuing* that license in court should it be broken.
--Matt Jones