I'm using twisted to create a server.
Problem is, I must protect my code. Since I don't want to publish it, I'm not really interested in obfuscation or compilation of the python code.
My problem is, my twisted application must run with root uid and a lot of people have root access to this server.
I don't care if they can read it, but I want to be sure they can't modify it!
What is the best solution, knowing I'm using twisted? I've seen in twistd, tapconvert and mktap that twisted can "encrypt" my code, but I didn't find any good documentation about that.
Anybody to help me?
Thanks in advance for any answer =)
Have a nice day!
/!\ EDIT:
I got another question: I've written my code following this part of twisted documentation: http://twistedmatrix.com/documents/current/core/howto/application.html so I launch my server using a command like twistd -y server.py --logfile ...
Since I'm doing that, I assume I can't use software like cx_Freeze to hide my code, right?
You have a number of problems here.
my twisted application must run with root uid
This is bad. If there are vulnerabilities in your application, then they will be made more serious by running as root. You should consider finding a way to not run as root. For example, if you only run as root so you can bind to a low numbered port, consider using authbind instead.
a lot of people have root access to this server
Perhaps you should limit privileged access to those people who actually need it. If that isn't an option, then perhaps you should at least limit access to people you can trust. Someone who has root on a machine can do anything they want on that machine, and defeat any scheme you dream up.
I don't care if they can read it, but I want to be sure they can't modify it!
You should ask them not to modify it, then.
I've seen in twistd, tapconvert and mktap that twisted can "encrypt" my code, but I didn't find any good documentation about that. Anybody to help me?
You shouldn't bother trying to use the encryption features of twistd and mktap. These don't prevent anyone from changing your code. At best they might prevent someone from reading some of it. As you said, this isn't even your goal. Even if it were your goal, someone with root access will be able to decrypt these files easily, so it doesn't even help there.
If you give code to someone, expect them to be able to do anything and everything they want with it. If you put code on a server, you are effectively giving it to everyone with root access to that server.
So, stop thinking about encryption and other technical issues and think of some other way to achieve your goals - fire the untrustworthy administrators, use an appropriate license on the code, get an actual contract, etc.
AFAIK, there is no way to prevent a root user from modifying a plain text file. Root is just that, they can do anything they want with it including modifying. Why do so many people have root access to the machine anyway?
If you're concerned, you really have two options:
Encrypt the files in whatever way you want (I don't know if Twisted does it or how)
'Compile' the code for your platform. There are a few Python compilers out there but I don't know if they work with Linux. I'm a free software guy so I want people to read and modify my code. Protecting it doesn't concern me.
I guess you do have a third option of protecting it legally with a license. But if they violate your license then there's the cost of taking them to court over it.
Not many options. Sorry.
Anthony
Related
I am trying to make an application that should not be portable between computers or between users of the same computer.
Which is the best way to do this?
edit:
By not portable I meant, the application should not be usable without installing it, i.e. moving the installed folder to a different computer or a different user login of the same computer.
How can we get an id that is always unique to a user login in a computer?
Please excuse my poor English.
Almost no matter what mechanism you implement, the other user will always be able to decompile the program and route around what prevents running it with relative ease. Two exceptions:
Move key functionality + authentication into c modules. This makes circumvention harder, but not impossible
Move key functionality + authentication into a call to a program executing on a remote machine that you control. Here the other user needs to re-implement the function(s) based on sample input and output - direct reverse engineering is not possible.
These points are covered in further detail in the answers to the linked-to question. Of course, as some answers point out, you need to determine how much trouble you wish to go to and if it is worth your while to do so. Maybe a naive python native access control is enough deterrent, even if an adept programmer can work around it.
Let your installation script copy some modules of your program to user application directory.
In your program add that path to sys.path, so that import would find your modules.
If you want only one user to have access you have to create some kind of "login".
That's what registration or activation keys are for.
http://en.wikipedia.org/wiki/Product_key
You include the user name and some machine identification in the key,
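An added example (not part of the posts above) of the activation-key idea combined with the earlier suggestion to keep authentication on a machine you control: the key is an HMAC over the user name and a machine identifier, and the secret never ships with the application. The function names, `SERVER_SECRET`, and the use of `/etc/machine-id` as the machine identification are assumptions made for illustration.

```python
import base64
import getpass
import hashlib
import hmac
import uuid

# Assumption: this secret exists only on the vendor-controlled machine.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"


def local_identity():
    """Client side: collect the two values the key is bound to."""
    try:
        with open("/etc/machine-id") as fh:      # present on systemd hosts
            machine = fh.read().strip()
    except OSError:
        machine = "%012x" % uuid.getnode()       # fallback: MAC-derived id
    return getpass.getuser(), machine


def _message(user, machine):
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    parts = [user.encode("utf-8"), machine.encode("utf-8")]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def issue_key(user, machine, secret=SERVER_SECRET):
    """Vendor side: derive the activation key for one user on one machine."""
    tag = hmac.new(secret, _message(user, machine), hashlib.sha256).digest()
    text = base64.b32encode(tag[:15]).decode("ascii")   # 24 typeable chars
    return "-".join(text[i:i + 6] for i in range(0, len(text), 6))


def verify_key(user, machine, key, secret=SERVER_SECRET):
    """Vendor side: recompute the key and compare in constant time."""
    expected = issue_key(user, machine, secret)
    return hmac.compare_digest(expected.encode(), key.strip().upper().encode())


if __name__ == "__main__":
    user, machine = local_identity()
    key = issue_key(user, machine)
    print(user, machine, key)
    print("same login:", verify_key(user, machine, key))
    print("copied to another machine:", verify_key(user, "other-host-id", key))
```

Because verification needs the secret, `verify_key` belongs on the remote machine; a copy of the installed folder carries a key that no longer matches the new user or machine.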
We have begun upgrading hardware and software to a 64-bit architecture using Apache with mod_jk and four Tomcat servers (the new hardware). We need to be able to test this equipment with a large number of simultaneous connections while still actually doing things in the app (logging in, etc.)
I currently am using Python with the Mechanize library to do this, but it's just not cutting it. Threading is not "real" in Python, and multiprocessing makes the local box work harder than the machines we are trying to test since it has to load so much into memory for Mechanize.
The bottom line is that I need something that will really hammer this thing's connections and hold a session to make sure that the sticky sessions are working in mod_jk. I need to be able to code it quickly, it needs to be lightweight, and being able to do true multithreading would be a perk. Other than that, I am open-minded.
Any input will be greatly appreciated. Thanks.
Open Source Testing Tools
Not knowing the full requirements makes it difficult, however something from the list might fit the bill.
In order to accomplish what I wanted to do, I just went back to basics. Mechanize is somewhat bulky, and there was a lot of bloat involved in the main functionality tests I had before. So I started with a clean slate and just used cookielib.CookieJar and urllib2 to build a linear test and then run them in a while 1 loop. This provided enough strain on the Apache system to see how it would react in the new environment, and for the record, it did VERY well.
Can you guys please tell me if building my own birtviewer-like reporting tool but using python is a crazy idea? At the company I'm working for now, we are using birtviewer to generate reports for the clients, but I'm already getting frustrated tweaking the code to suit our clients' needs, and it's written in massive java code which I don't have any experience with at all. And they don't want to mavenize birtviewer, so with every new release I have to manually update my local copy and mavenize it. And the fact that it is really owned by a private company worries me about the future of birtviewer. What do you guys think?
Sure. Write it. Make it open source and give us a git repo to have a little look... Honestly if the problem exists solve it.
I'm planning to develop a GUI application that uses curses. The idea is to provide an extra interface for a web interface, so that everything on the web site could also be done via the UI.
Basically, it should be platform independent: the user would have to SSH to the server after which the UI would automatically take over.
First of all, is this doable? As far as I understand, it would be platform independent as long as the end-user had the proper terminal software installed. Correct me, if I'm wrong.
I was planning to use Python for this, as it is the language I'm the most proficient in. Python comes with the ncurses library and Urwid, which I've been told, is quite good.
After having a quick test with Urwid, I had some problems. The thing is, I'm quite worried that I won't find answers to the problems that I will encounter down the road because apparently curses UI-s aren't all the rage nowadays. Documentation and examples are thus quite scarce.
In conclusion, should I really embark on this and quit my whining or drop the idea altogether? Any other suggestions?
It's certainly possible, and curses-based applications are still written regularly (e.g. PuDB is only 14 months old) although maybe not very often.
Did you try asking questions on the Urwid mailing list and/or IRC channel?
oh my, wouldn't this be a dream!
i've seen a couple of things out there to varying degrees of success.
Morticious Thrind: http://thrind.xamai.ca/
future death toll: http://f-dt.com/?wptheme=wp-cli
wordpress yadda yadda, this could be as simple as a 960/blueprint CSS, prototype.js, and a oneliner:
//TODO: Implement useful functionality && unit tests && documentation
//TODO: read
try { eval($F(x)); } catch (e) { panic(); }
BUT! this type of thing is pretty radical. i mean- ANYTHING can happen on the canvas of a web-browser these days, but any terminal emulator or lynx serves this purpose with flair.
also be sure to check out: https://stackoverflow.com/questions/472644/javascript-collection-of-one-line-useful-functions
the real question is what sort of software you plan on ncursing (sic,pun,etc.)-- it probably already has some rather useful command-line interfaces (sh).
It can be done but it's a struggle. I would recommend improving the web interface. You can use JavaScript to add keyboard shortcuts, for example, which can be very helpful for a faster workflow (see Gmail's interface, for example).
Is it possible to make python run on your homepage? I know, this is a really stupid question but please don't pick on me for my stupidity :)
If it is possible, how? Do you have to upload/install the executing part of Python to your website using FTP? or...?
Edit: Just found out my provider does not support python and that shell access is completely restricted. Problem solved :)
Everything depends on the hosting provider you use for your homepage -- do they offer Python among their services, and, if so, what version, and how do you write server-side scripts to use it (is it CGI-only, or...?) -- if not, or the version / deployment options disappoint, what do they allow in terms of giving you shell access and running long-time processes?
It's impossible for us to judge any of these aspects, because every single one of them depends on your hosting provider, and absolutely none of them depends on Python itself!-)
Yes, you can. I don't know exactly how but I know it is possible. Maybe look into this website:
https://trinket.io/
This website lets you do this. I sent them a message to see how they do it so I will update this to let you know after they respond.
Python is a scripting language, though it is used gracefully for building back end web applications.