MacOS – Make shell script contents difficult to read

Tags: command line, macos

I am setting up an escape-room-esque experience for a group of 11 and 12 year olds. As part of the activity, I'm going to set up an old Mac (likely running Snow Leopard) with a specially-created user account. The desktop will contain an interactive, executable .command shell script that asks the kids to input a series of "passwords" to obtain the code to a safe.

I'm a little concerned that some enterprising child will realize they can open the script in a text editor and just read all the passwords. Making the account boot directly to a console might help, but I'd rather not do that, and there's still a risk someone will know the nano command.

How can I make this script as difficult to read as possible?

Best Answer

Option 1: use the shell script compiler to turn the script into a binary executable. The binary will still contain the script (in highly obscured form), but unlike a regular script, you can set the file permissions so the account the kids are using doesn't have read access to it (just execute).

Option 2: Encrypt the safe code using the "passwords", store the encrypted code in the script, and use what the kids enter to decrypt it. Here's an encryption process you could use with three passwords, "sekrit1", "hunter2", and "p4ssw0rd3":

$ echo '12 left, 25 right, 9 left' | openssl enc -aes256 -base64 -pass "pass:sekrit1|hunter2|p4ssw0rd3"
U2FsdGVkX18IFQAaSjEv2AJJ16z6wjROjcHiqHWGvji3MEsmcHwPgu3MQeh2O+c1

Then in the script:

#!/bin/bash
# Prompt for the three passwords (read -r keeps backslashes literal)
read -r -p "Enter the first password: " pass1
read -r -p "Enter the second password: " pass2
read -r -p "Enter the third password: " pass3
# Output of the openssl command above; the safe code is only recoverable with all three passwords
encrypted="U2FsdGVkX18IFQAaSjEv2AJJ16z6wjROjcHiqHWGvji3MEsmcHwPgu3MQeh2O+c1"
# Decryption fails (non-zero exit) when the joined passwords do not match
if result=$(echo "$encrypted" | openssl enc -d -aes256 -base64 -pass "pass:$pass1|$pass2|$pass3" 2>/dev/null); then
    echo "The safe combination is $result"
else
    echo "At least one password is wrong!"
fi

If you want to give the kids password-by-password feedback, you could add checking the hashes of the passwords as they're entered:

$ echo "sekrit1" | shasum
b19fb68c28bff07cf8fcc7c53ab48c5d6f41e993  -

In script:

read -r -p "Enter the first password: " pass1
# Compare against the shasum output recorded above (note the trailing "  -" that shasum prints)
if [ "$(echo "$pass1" | shasum)" = "b19fb68c28bff07cf8fcc7c53ab48c5d6f41e993  -" ]; then
        echo "Correct so far..."
else
        echo "Wrong!"
        exit
fi
...etc

BTW, this isn't a really secure way to store passwords; proper secure password hashes are designed to be slow and use "salt". But this should be secure enough for some kids.
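As an added example that is not part of the answer above, here is a complete `.command` script combining both ideas: salted hashes for the per-password feedback, and the combination sealed with all three passwords. It also handles a quirk of the decrypt check in the answer: with CBC padding, roughly one wrong key in 256 decrypts without an openssl error, so the plaintext carries a marker that is verified after decryption. The salt "escape-room", the function names and the placeholder values at the bottom are assumptions; it needs only openssl.

```bash
#!/bin/bash
# Added example, not code from the original answer: salted hashes give the
# per-password feedback, and the combination is only recoverable by decrypting
# with all three passwords. Needs only openssl. The salt "escape-room" and the
# placeholder values at the bottom are assumptions.

# Hex SHA-256 of salt+password. The salt stops a kid who finds the hashes from
# looking them up; a real login system would also use a slow KDF such as bcrypt.
hash_password() {  # $1 = salt, $2 = password
    printf '%s' "$1$2" | openssl dgst -sha256 | awk '{print $NF}'
}
# Exit 0 only when the entered password matches the stored hash.
check_password() {  # $1 = salt, $2 = stored hex hash, $3 = entered password
    [ "$(hash_password "$1" "$3")" = "$2" ]
}
# Setup, run once: seal the combination with the passwords joined by "|". The
# "SAFE:" marker matters: CBC padding lets roughly 1 wrong key in 256 decrypt
# without an openssl error, and the marker check in open_combination catches it.
seal_combination() {  # $1 = combination, $2 = "pw1|pw2|pw3"
    printf 'SAFE:%s' "$1" | openssl enc -aes-256-cbc -base64 -salt -pass "pass:$2" 2>/dev/null
}
# Prints the combination and returns 0, or prints nothing and returns 1.
open_combination() {  # $1 = sealed blob, $2 = "pw1|pw2|pw3"
    local plain
    plain=$(printf '%s\n' "$1" | openssl enc -d -aes-256-cbc -base64 -pass "pass:$2" 2>/dev/null) || return 1
    case "$plain" in
        SAFE:*) printf '%s\n' "${plain#SAFE:}" ;;
        *) return 1 ;;
    esac
}
# Interactive flow as the kids see it: $1 = sealed blob, then the stored hashes in order.
main() {
    local salt="escape-room" blob="$1" joined="" entered="" n=1 h combo
    shift
    for h in "$@"; do
        printf 'Enter password %s: ' "$n"; read -r entered
        check_password "$salt" "$h" "$entered" || { echo "Wrong!"; exit 1; }
        echo "Correct so far..."; joined="${joined:+$joined|}$entered"; n=$((n + 1))
    done
    if combo=$(open_combination "$blob" "$joined"); then echo "The safe combination is $combo"
    else echo "The passwords did not unlock the combination."; fi
}
# Paste the outputs of seal_combination and hash_password here (generated on the
# same Mac, so the openssl key derivation matches). Runs only from a terminal.
SEALED="<paste sealed blob here>"; HASH1="<paste>"; HASH2="<paste>"; HASH3="<paste>"
if [ -t 0 ]; then main "$SEALED" "$HASH1" "$HASH2" "$HASH3"; fi
```

Generate the blob and hashes on the target Mac (e.g. `seal_combination '12 left, 25 right, 9 left' 'sekrit1|hunter2|p4ssw0rd3'` and `hash_password escape-room sekrit1`), then give the file execute-only permissions for the kids' account as in option 1.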