How can I hide my Ruby code?

Hi,

I have my application on an Ubuntu 9.04 server edition. Now I want to
hide my application somehow, like a setup file created on .NET or
through any other way, so that nobody can use my code without my
permission. How can I do that?

On 6 July 2010 09:06, Sumanta D. [email protected] wrote:

Hi,

I have my application on an Ubuntu 9.04 server edition. Now I want to
hide my application somehow, like a setup file created on .NET or
through any other way, so that nobody can use my code without my
permission. How can I do that?

What do you mean by hide the code? The ruby code should not be
visible to a user, only the html should be visible.

Colin

Yes. Ruby code should not be visible and, if possible, the html
too (should not be visible).

Thanks in advance.

I think that the OP wants the code to be unreadable in the same way that
compiled apps are unreadable (for some value of unreadable).

On 6 July 2010 10:08, Sumanta D. [email protected] wrote:

Yes. Ruby code should not be visible and if possible then also the html
too(should not be visible).

Is that comment in response to my suggestion that the ruby code should
not be visible? It is best to leave in the comment you are referring
to so that the email makes sense.

What I meant was that the ruby code will not be visible anyway - a
visitor to the website cannot see the ruby code, only the html.

As for your suggestion that you want the html not to be visible, how
do you expect someone to use the website if the html is not visible,
as it is this that is interpreted by the browser to display the web
page?

Colin

Ok… maybe I failed to make my view clear. Sir, I have a server machine (OS:
Ubuntu 9.04 server edition). Now the application is running. What I want
is: if somebody has the server’s username and password then he/she can
see my code. I want to protect my programs (raw code). Is there any way?

On 6 July 2010 10:17, Peter H. [email protected]
wrote:

I think that the OP wants the code to be unreadable in the same way that
compiled apps are unreadable (for some value of unreadable).

Unreadable by who? A visitor to the website cannot see the Ruby code
anyway, and the html must be visible for the browser to display it.
Unless he is talking about javascript. Sumanta - is it the javascript
you are trying to hide?

Colin

.NET is a compiled language like Java.

Ruby is only compiled to an internal format, each and every time it is
run.

As such there is no standard Ruby compiler (like .NET or Java). Although
compilers for Ruby do exist (but I have no experience of them).

You might like to look at JRuby which, if I remember this correctly, may
allow you to compile Ruby code down to a Java class file. Any JRuby
experts here who could cast some light on this?

When we use .NET we can create a setup file for a project, so there is
no chance to change or to see the code/program. This is the kind of hiding I am
talking about. Or is there any way I can encrypt my code
without interrupting the execution of the application?

Thanks in advance.

On 6 July 2010 10:29, Sumanta D. [email protected] wrote:

Ok… maybe I failed to make my view clear. Sir, I have a server machine (OS:
Ubuntu 9.04 server edition). Now the application is running. What I want
is: if somebody has the server’s username and password then he/she can
see my code. I want to protect my programs (raw code). Is there any way?

That is not a Rails question, it is a Ubuntu question. Set the
permissions on the folders so that only you and the web server can
view them. The Ubuntu support mailing list
(ubuntu-users Info Page) would be a
good place to ask if you need further help on this. Though I would
suggest reading up on folder permissions and trying it yourself first.

Colin

Sir, as you suggested, I already did it: permission changing. But the
problem is, as I said before, that if anybody knows the password &
username of the server then again he/she can change the permissions very
easily, if he/she wishes to access/change the code/program. So from
Ubuntu I will (most probably) not get any way to do that. That’s why I am
searching for a Ruby way to do this. Any help?

Thanks In Advance.

JRuby is an interpreter for Ruby, written in Java. So it is no different
from the standard MRI interpreter.

Sumanta, what you are looking for is an encoder/decoder. I only know of
http://www.rubyencoder.com/ - try it and see if it works for you.

Regards,
Amiruddin N.,
Bangalore, 560008, KA
India

Y! IM : [email protected]
GTalk : [email protected]

On Tue, Jul 6, 2010 at 3:26 PM, Peter H. <

On 6 July 2010 11:19, Andy J. [email protected] wrote:

You can do this (I’ve had to do it for a client) but it’s not simple

Very interesting approach. Will file that for future reference.

The last step, if you’re using Passenger ensure that the last child is never
killed off (if it is, it will lose the decryption key which is now only in
memory). I can’t remember the setting but there’s a timeout setting which
you can set to zero so the last child never dies.

Hope you’ve got a good UPS and redundancy too (and a well-negotiated
call-out fee to re-encrypt everything if the YTS boy unplugs the power
:)

I would however, recommend against doing this - server security and not
giving out the username/password is far and away the best solution.

+1

On 6 July 2010 10:34, Sumanta D. [email protected] wrote:

Or is there any way I can encrypt my code
without interrupting the execution of the application?

You can do this (I’ve had to do it for a client) but it’s not simple and I
can’t share my solution’s code. However, you basically go along the lines
that you have a class responsible for decrypting/encrypting code (I used
Base64 encoded AES). You then have Rake tasks that go through all Ruby files
(I did YAML too as YAML files are executed as ERB first), encrypt the
content and replace the file contents with contents like this:

require 'config_decryptor'
eval ConfigDecryptor.decrypt(…ENCRYPTED_CONTENT_HERE…)

Your config_decryptor.rb file has to be in the load path - I handled this by
requiring the full path in a config/preinitializer.rb file.

The eval is done once as the Ruby class files are cached in memory during
production mode.

The next problem is getting the key into Ruby. I did this by having a Rake
task that puts it into a specific named file in /tmp which is then read by
my class (during a call in preinitializer.rb) and deleted. It’s not ideal,
but it works for my purpose and would also work for yours.

The last step, if you’re using Passenger, ensure that the last child is never
killed off (if it is, it will lose the decryption key which is now only in
memory). I can’t remember the setting but there’s a timeout setting which
you can set to zero so the last child never dies.

I would however recommend against doing this - server security and not
giving out the username/password is far and away the best solution. I work
in a specific industry in a country with a lot of security requirements so
had no choice - but it’s a solution and something I wished I never had to
write ;)

Cheers,

Andy
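The wrap-and-eval scheme Andy describes, as an added illustration (this is not Andy's code, which he says he can't share): a hypothetical ConfigDecryptor module built on Ruby's stdlib OpenSSL, plus the key bootstrap from a named file that is read once and deleted. The post only says "Base64 encoded AES"; AES-256-GCM is assumed here so that a modified blob raises on load instead of being evaluated.

```ruby
require 'openssl'
require 'base64'
require 'tmpdir'

# Hypothetical stand-in for the config_decryptor.rb the post describes.
module ConfigDecryptor
  IV_LEN  = 12 # GCM nonce length
  TAG_LEN = 16 # GCM authentication tag length

  # The key is held only in process memory, which is the weakness raised
  # later in the thread: anyone with root can read it out of the process.
  def self.key=(k)
    raise ArgumentError, 'key must be 32 bytes' unless k.bytesize == 32
    @key = k
  end

  # Mirrors the post's bootstrap: read the key from a named file, then delete it.
  def self.load_key_from(path)
    self.key = File.binread(path)
  ensure
    File.delete(path) if File.exist?(path)
  end

  # Returns Base64 of iv || tag || ciphertext.
  def self.encrypt(plaintext)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = @key
    iv = cipher.random_iv
    ct = cipher.update(plaintext) + cipher.final
    Base64.strict_encode64(iv + cipher.auth_tag + ct)
  end

  # Raises OpenSSL::Cipher::CipherError if the blob was modified.
  def self.decrypt(blob)
    raw = Base64.strict_decode64(blob)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = @key
    cipher.iv = raw[0, IV_LEN]
    cipher.auth_tag = raw[IV_LEN, TAG_LEN]
    cipher.update(raw[(IV_LEN + TAG_LEN)..-1]) + cipher.final
  end

  # What the post's Rake task writes back in place of each .rb file.
  # Base64 output never contains a quote, so the literal needs no escaping.
  def self.wrap(source)
    "require 'config_decryptor'\n" \
      "eval ConfigDecryptor.decrypt('#{encrypt(source)}')\n"
  end
end
```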

On 6 July 2010 11:31, Michael P. [email protected] wrote:

On 6 July 2010 11:19, Andy J. [email protected] wrote:

You can do this (I’ve had to do it for a client) but it’s not simple

Very interesting approach. Will file that for future reference.

I hope you never need it :)

:)
We’re developing the site but the day to day running is down to the client
(but they have lots of power from various sources, redundancy and sysadmins
to type the password back in).

Cheers,

Andy

On 6 July 2010 13:18, Andy J. [email protected] wrote:

:)

We’re developing the site but the day to day running is down to the client (but
they have lots of power from various sources, redundancy and sysadmins to
type the password back in).

Is the client trying to keep the code hidden from his own sysadmins or
are you trying to hide it from the client?

Colin

Yes, Sir. I am trying to hide the code from the client for some reason. I
am afraid of code tampering. So I want to hide it.

You do this in Linux - not in ruby. Make the directory and all the
files viewable by no one but the process that runs them
(apache.apache), and make it so no one can login as apache.apache. Of
course, if you login as root, you can see anything, so if the client
has root then all bets are off.
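An added check for the advice above (not from the thread): a hypothetical Ruby audit that walks the app directory and lists files that a non-root login other than the service account could read, with a constructed scratch tree to run it against.

```ruby
require 'tmpdir'

# Hypothetical audit helper, not from the thread: report every file under
# app_dir that the service account does not own or that any group/other
# mode bit exposes. Mode bits say nothing about root, which is the caveat
# above: this only shows what non-root logins can reach.
# Returns [[path, reason], ...]; an empty array means the tree is locked down.
def readable_by_others(app_dir, owner_uid:)
  findings = []
  Dir.glob(File.join(app_dir, '**', '*'), File::FNM_DOTMATCH).each do |path|
    base = File.basename(path)
    next if base == '.' || base == '..'
    st = File.lstat(path)
    next if st.symlink? # the target is reported on its own, not via the link
    reasons = []
    reasons << "owned by uid #{st.uid}, expected #{owner_uid}" if st.uid != owner_uid
    loose = st.mode & 0o077 # any group/other read, write or execute/search bit
    reasons << format('group/other bits %03o set', loose) unless loose.zero?
    findings << [path, reasons.join('; ')] unless reasons.empty?
  end
  findings
end

# Constructed scratch tree (not a real app) so the audit can be exercised
# offline: one world-readable config and one file only the owner can read.
def build_demo_tree
  dir = Dir.mktmpdir('perm-audit-')
  File.write(File.join(dir, 'database.yml'), 'constructed sample')
  File.chmod(0o644, File.join(dir, 'database.yml'))
  File.write(File.join(dir, 'secret.rb'), 'constructed sample')
  File.chmod(0o600, File.join(dir, 'secret.rb'))
  dir
end
```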

Exactly, proper permission management in Linux is the key to making
this work. On top of that, if it’s an internet-enabled server, I would
never ever ever ever ever allow username + password access to the
server unless that user is sandboxed, let alone allow root access
(which is like putting a big sign on your porch saying: THE KEY IS
UNDERNEATH THE DOORMAT). Use SSH key-based authentication instead.
Give your customer an account that has rights to view their own home
folder, but nothing else.

If you really want to hide the code from the customer, host it
yourself and let them pay for the hosted solution. If that’s a no go
and they don’t want to give up their server management rights, then
just rely on a very good contract (i.e. let a lawyer make it) that
prohibits them from messing with the code. We should all know by now
how effective DRM is, in whatever form you want to sell it (hiding
code, checking licenses, always online measures, …)

The company I work for had the same mindset, since we came from
desktop apps where we had set up this whole structure of internet
authenticating clients and monitoring systems and license keys and
what not. My boss was afraid that our RoR projects would be copied or
distributed illegally and he would lose money. Well, we didn’t
implement any security at all, and we’ve made a lot more money
than we used to, simply because we could spend more time making a
great app instead of implementing great license validations and
restrictions (if you can call those great to start off with). If
you’re worried about them changing the maximum number of users etc in
your code, rethink your licensing strategy.

On Jul 6, 6:19 am, Andy J. [email protected] wrote:

content and replace the file contents with contents like this:
The next problem is getting the key in to Ruby. I did this by having a Rake
task that puts it in to a specific named file in /tmp which is then read by
my class (during a call in preinitializer.rb) and deleted. It’s not ideal,
but it works for my purpose and would also work for yours.

The last step, if you’re using Passenger ensure that the last child is never
killed off (if it is, it will lose the decryption key which is now only in
memory). I can’t remember the setting but there’s a timeout setting which
you can set to zero so the last child never dies.

Interesting solution, but also not secure. Anybody who has root can
read out your running processes’ memory spaces and either (a) grab the
key and yer pwned or (b) grab the bytecodes, decompile and yer pwned.

Add to that bonus nasties like directly frobbing the core of a running
VPS instance from the hypervisor, and you’re back in security hell
again.

BTW, .Net code is similarly not “secure”, since you’re handing over
binaries with the setup program.

The real question is not “is the code 100% secure” - it’s physically
impossible for that to be the case unless the server itself is somehow
locked up, etc etc etc. The real question is, “is the code worth
stealing”? If it is, then the best protection to invest in is the
oldest: LAWYERS. The reason that (for instance) stolen copies of the
Windows source aren’t available has nothing to do with l33t security
on the code repository, but rather the army of rabid lawyers bound to
descend on anyone that posts it. If your code is worth stealing, then
it’s worth getting an effective license drawn up - and worth
pursuing that license in court should it be broken.

–Matt J.