How can I hide my Ruby code?

Hi,

I have my application on a Ubuntu 9.04 server edition. Now I want to
hide my application somehow, like a setup file creation on .NET or
through any other way, so that nobody can use my code without my
permission. How can I do that?

What do you mean by hide the code? The ruby code should not be
visible to a user, only the html should be visible.

Colin

Yes. Ruby code should not be visible and if possible then also the html
too (should not be visible).

Thanks in advance.

I think that the OP wants the code to be unreadable in the same way that compiled apps are unreadable (for some value of unreadable).

Is that comment in response to my suggestion that the ruby code should
not be visible? It is best to leave in the comment you are referring
to so that the email makes sense.

What I meant was that the ruby code will not be visible anyway - a
visitor to the website cannot see the ruby code, only the html.

As for your suggestion that you want the html not to be visible, how
do you expect someone to use the website if the html is not visible,
as it is this that is interpreted by the browser to display the web
page?

Colin

Unreadable by who? A visitor to the website cannot see the Ruby code
anyway, and the html must be visible for the browser to display it.
Unless he is talking about javascript. Sumanta - is it the javascript
you are trying to hide?

Colin

Ok... maybe I failed to make my view clear. Sir, I have a server machine (OS:
Ubuntu 9.04 server edition). Now the application is running. What I want
is, if somebody has the server's user name and password then he/she can
see my code. I want to protect my programs (raw code). Is there any way?

When we use .NET we can create a setup file for a project, so there is
no chance to change or to see the code/program. This is the kind of hiding
I am talking about. Or if there is any way so that I can encrypt my code
without interrupting the execution of the application.

Thanks in advance.

That is not a Rails question, it is a Ubuntu question. Set the
permissions on the folders so that only you and the web server can
view them. The Ubuntu support mailing list
(https://lists.ubuntu.com/mailman/listinfo/ubuntu-users) would be a
good place to ask if you need further help on this. Though I would
suggest reading up on folder permissions and trying it yourself first.

Colin

.NET is a compiled language like Java.

Ruby is only compiled to an internal format, each and every time it is run.

As such there is no standard Ruby compiler (like .NET or Java). Although compilers for Ruby do exist (but I have no experience of them).

You might like to look at JRuby which, if I remember this correctly, may allow you to compile Ruby code down to a Java class file. Any JRuby experts here who could cast some light on this?

JRuby is an interpreter, written in Java for ruby. So it is no different from the standard MRI interpreter.

Samanta, What you are looking for is encoder/decoder, I only know of http://www.rubyencoder.com/ try if it works for you.

Regards,
Amiruddin Nagri,
Bangalore, 560008, KA
India

Y! IM : amir_nagri@yahoo.com
GTalk : amir.nagri@gmail.com

Sir, as you suggested, I already did it - permission changing. But the
problem is, as I said before, that if anybody knows the password &
username of the server then again he/she can change the permission very
easily - if he/she wished to access/change the code/program. So from
Ubuntu I will not get (most probably) any way to do that. That's why I am
searching for a Ruby way to do this. Any help?

Thanks In Advance.

You can do this (I've had to do it for a client) but it's not simple and I can't share my solution's code. However, you basically go along the lines that you have a class responsible for decrypting/encrypting code (I used Base64 encoded AES). You then have Rake tasks that go through all Ruby (I did YAML too as YAML files are executed as ERB first) files, encrypt the content and replace the file contents with contents like this:

require 'config_decryptor'

eval ConfigDecryptor.decrypt(…ENCRYPTED_CONTENT_HERE…)

Your config_decryptor.rb file has to be in the load path - I handled this by requiring the full path in a config/preinitializer.rb file.

The eval is done once as the Ruby class files are cached in memory during production mode.

The next problem is getting the key in to Ruby. I did this by having a Rake task that puts it in to a specific named file in /tmp which is then read by my class (during a call in preinitializer.rb) and deleted. It's not ideal, but it works for my purpose and would also work for yours.

The last step, if you're using Passenger ensure that the last child is never killed off (if it is, it will lose the decryption key which is now only in memory). I can't remember the setting but there's a timeout setting which you can set to zero so the last child never dies.

I would however, recommend against doing this - server security and not giving out the username/password is far and away the best solution. I work in a specific industry in a country with a lot of security requirements so had no choice - but it's a solution and something I wished I never had to write :wink:

Cheers,

Andy
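The scheme Andy outlines, as an added example that is not his code or any project's code: a ConfigDecryptor with the encrypt side a Rake task would call, the stub it would write back into each .rb file, and a key file that is read once and deleted. AES-256-CBC, the key-file name and the method names are assumptions; Andy said only "Base64 encoded AES".

```ruby
require "openssl"
require "base64"
require "tmpdir"
# AES-256-CBC and the file names here are assumptions; Andy said only "Base64 encoded AES".
module ConfigDecryptor
  CIPHER = "aes-256-cbc"
  @key = nil # lives only in process memory once loaded, which is the weak spot later replies raise

  # Read the key file the Rake task dropped, then remove it.
  def self.load_key_from(path)
    @key = File.binread(path)
    File.delete(path)
  end

  # Encrypt one file's source; the IV is prepended so decrypt needs only the blob.
  def self.encrypt(plain_source, key)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = key
    iv = cipher.random_iv
    Base64.strict_encode64(iv + cipher.update(plain_source) + cipher.final)
  end

  def self.decrypt(blob)
    raise "decryption key not loaded" unless @key
    data = Base64.strict_decode64(blob)
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = @key
    cipher.iv = data[0, 16]
    cipher.update(data[16..-1]) + cipher.final
  end
  # The replacement contents the Rake task writes back into each .rb file.
  def self.stub_for(blob)
    "require 'config_decryptor'\n\neval ConfigDecryptor.decrypt(#{blob.inspect})\n"
  end
end

# Round trip on a constructed one-line "source file".
def demo_roundtrip
  key = OpenSSL::Random.random_bytes(32)
  source = "lambda { |name| \"hello, \#{name}\" }"
  blob = ConfigDecryptor.encrypt(source, key)
  key_path = File.join(Dir.tmpdir, "constructed_demo_key_#{$$}")
  File.binwrite(key_path, key)
  ConfigDecryptor.load_key_from(key_path)
  greet = eval(ConfigDecryptor.decrypt(blob)) # what the stub does at boot
  { stub_hides_source: !ConfigDecryptor.stub_for(blob).include?("lambda"),
    key_file_deleted: !File.exist?(key_path),
    result: greet.call("rails") }
end
```

Once the process has loaded the key, anyone with enough access to read that process's memory has the key too, which is the point the replies below make.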

You can do this (I've had to do it for a client) but it's not simple
<snip super secret process>

Very interesting approach. Will file that for future reference.

The last step, if you're using Passenger ensure that the last child is never
killed off (if it is, it will lose the decryption key which is now only in
memory). I can't remember the setting but there's a timeout setting which
you can set to zero so the last child never dies.

Hope you've got good UPS and redundancy too (and a well-negotiated
call-out fee to re-encrypt everything if the YTS boy unplugs the power
:slight_smile:

I would however, recommend against doing this - server security and not
giving out the username/password is far and away the best solution.

+1

You can do this (I’ve had to do it for a client) but it’s not simple

Very interesting approach. Will file that for future reference.

I hope you never need it :slight_smile:

The last step, if you're using Passenger ensure that the last child is never
killed off (if it is, it will lose the decryption key which is now only in
memory). I can't remember the setting but there's a timeout setting which
you can set to zero so the last child never dies.

Hope you've got good UPS and redundancy too (and a well-negotiated
call-out fee to re-encrypt everything if the YTS boy unplugs the power
:slight_smile:

We're developing the site but the day to day running is down to the client (but they have lots of power from various sources, redundancy and sysadmins to type the password back in).

Cheers,

Andy

Is the client trying to keep the code hidden from his own sysadmins or
are you trying to hide it from the client?

Colin

You do this in Linux - not in Ruby. Make the directory and all the
files viewable by no one but the process that runs them
(apache.apache), and make it so no one can login as apache.apache. Of
course, if you login as root, you can see anything, so if the client
has root then all bets are off.

Exactly, proper permission management in Linux is the key to making this work. On top of that, if it’s an internet-enabled server, I would never ever ever ever ever allow username + password access to the server unless that user is sandboxed, let alone allow root access (which is like putting a big sign on your porch saying: THE KEY IS UNDERNEATH THE DOORMAT). Use SSH key-based authentication instead. Give your customer an account that has rights to view their own home folder, but nothing else.

If you really want to hide the code from the customer, host it yourself and let them pay for the hosted solution. If that's a no go and they don't want to give up their server management rights, then just rely on a very good contract (i.e. let a lawyer make it) that prohibits them from messing with the code. We should all know by now how effective DRM is, in whatever form you want to sell it (hiding code, checking licenses, always online measures, …)

The company I work for had the same mindset, since we came from desktop apps where we had set up this whole structure of internet authenticating clients and monitoring systems and license keys and what not. My boss was afraid that our RoR projects would be copied or distributed illegally and he would lose money. Well, we didn't implement any security at all, and we've made a lot more money than we used to, simply because we could spend more time making a great app instead of implementing great license validations and restrictions (if you can call those great to start off with). If you're worried about them changing the maximum number of users etc in your code, rethink your licensing strategy.

Andy Jeffries wrote:

Or if there is any way so that I can encrypt my code
without interrupting the execution of the application.

If your client is determined to access your code even an encryption of
the Ruby source code will not be sufficient. In order for MRI to
interpret Ruby it must be decrypted. If the client has full access to
the system then this means that they also have access to the encryption
keys.

This is the same issue that makes decrypting DVDs possible. The keys
must be available to the system performing the decryption. Now maybe
doing this will discourage a client from making the attempt, but if they
are determined then there's nothing stopping them from hiring someone to
"crack" your encryption. But, as I said it's not really cracking it
since the encryption keys exist in a location where the client has
access.

Other compiled languages such as Java or .Net don't effectively protect
your code either. Java (and likely .Net) can be easily decompiled into
amazingly readable source code.

In the end the only real solution is to protect your source code using
operating system security and by contractual licensing.

Interesting solution, but also not secure. Anybody who has root can
read out your running processes' memory spaces and either (a) grab the
key and yer pwned or (b) grab the bytecodes, decompile and yer pwned.

Add to that bonus nasties like directly frobbing the core of a running
VPS instance from the hypervisor, and you're back in security hell
again.

BTW, .Net code is similarly not "secure", since you're handing over
binaries with the setup program.

The real question is not "is the code 100% secure" - it's physically
impossible for that to be the case unless the server itself is somehow
locked up, etc etc etc. The real question is, "is the code worth
stealing"? If it is, then the best protection to invest in is the
oldest: LAWYERS. The reason that (for instance) stolen copies of the
Windows source aren't available has nothing to do with l33t security
on the code repository, but rather the army of rabid lawyers bound to
descend on anyone that posts it. If your code is worth stealing, then
it's worth getting an effective license drawn up - and worth
*pursuing* that license in court should it be broken.

--Matt Jones