20

I'm building a fairly complex interpreted program in Python. I've been working on most of this code for other purposes for a few months, and therefore don't want my client to be able to simply copy and try to sell it, as I think it's worth a fair amount.

The problem is that I need the script to run on a server that my client is paying for, so is there any way I can secure a particular folder on the machine from root access, or make it so only one particular user can access the directory? The OS is Ubuntu.

Mike Partridge
6,717 reputation · 1 gold badge · 28 silver badges · 42 bronze badges
asked Apr 6, 2011 at 15:45
6
  • 13
    What kind of contract/agreement exists between you and your client? Do they own the code, or have you merely licensed usage of it to them? Or have you not worked any of this out? Commented Apr 6, 2011 at 15:46
  • 2
    I thought it was possible to compile python source into binary. Is possible for this project? If so you could deploy the binary instead. Commented Apr 6, 2011 at 15:51
  • nightcracker is right in my opinion. Proper licensing and contracts should prevent all this, not technical measures. Especially because you can always decompile/de-obfuscate something and root is allowed to do everything. Commented Apr 6, 2011 at 16:02
  • 9
    Everybody always says their code is worth a fair amount. Commented Apr 9, 2011 at 1:39
  • 1
    There's a good discussion on this topic here: groups.google.com/forum/#!topic/nodejs/mPIcq5mHihM Commented Aug 7, 2013 at 1:36

6 Answers

40

License it.

Really, that's all!

answered Apr 6, 2011 at 15:46
15
  • 6
    My first thought was to downvote this as not an answer, but heck, you're right. Licensing and signing contracts is the way to go here. Commented Apr 6, 2011 at 15:52
  • @Bobby: Almost the only way to go. The alternative is to keep adding delightful, useful new features so quickly that stealing the old version would be a waste of time. Commented Apr 6, 2011 at 17:11
  • 14
    -1 The question asks for ways to stop a client seeing the code, this does not do that. People do not always obey licenses, and it may not be possible to find out for sure legally in order to sue. Commented Apr 9, 2011 at 2:05
  • 8
    You can't stop the client seeing Python code, it's too easy to disassemble. DRM doesn't work (if they can run it, they can disassemble it). So the only answer is a legal one. And once you're relying on the law for enforcement, there's no point making life harder for yourself or your customers by complicating the technical base. Commented Apr 9, 2011 at 10:52
  • 1
    @ncoghlan: Putting signs and laws (i.e. the license) in place is generally not enough to stop people with bad intentions. So you need fences and controls to achieve at least part of the goal. To prevent the offence (seeing/reusing/stealing code in this case) you need to take all reasonable measures. This includes licensing the code, of course, but also making a potential felon's life harder by using simple yet effective solutions. Indeed, finding the balance is hard (e.g. invasive DRMs suck) but that is the price of efficiency. What if the police gave up saying "they won't obey the law" ? Commented May 10, 2016 at 10:26
9

You can always compile all your files to byte code (.pyc). There are decompilers out there that can generate source code out of it, but nothing serious.

However, that will just solve the ability to read the code of your program. To protect it, the only way is to license it, as nightcracker said, because even if you compiled your code to, let's say, machine code, if your work is not protected by a license it can still be commercialized against your will.

Bottom line: compile to byte code and, more importantly, license it.

answered Apr 6, 2011 at 15:55
2
  • I have a question. Does the byte compiler use arbitrary variable names, or does it use the old variable names? (I would imagine it would have to use the old ones, as external modules rely on that namespace). Commented Apr 6, 2011 at 16:19
  • @Garrett: The bytecode contains the variable names. It's still a relatively unreadable mess when disassembled (try digesting the disassembly of this recipe), and there aren't any (recent) decompilers. Commented Apr 6, 2011 at 16:35
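To show what the answer and the comment above mean concretely, here is an added example (not code from the original thread) that compiles a constructed sample module to bytecode, writes a real `.pyc` with `py_compile`, reads it back with `marshal` the way a disassembler would, and collects the identifiers that survive. The module contents and the names `compute_royalty`, `taxable_base` and `LICENSE_SALT` are constructed for the demonstration; the 16-byte `.pyc` header layout assumes CPython 3.7 or later.

```python
"""Added example: what a .pyc keeps.  Compiling to bytecode removes comments
and formatting, but every function, argument, local and global name is
stored verbatim in the code object, so it is not a confidentiality control."""
import dis
import importlib.util
import io
import marshal
import os
import py_compile
import tempfile

# Constructed sample module; the descriptive names make it easy to see
# that they survive compilation unchanged.
SAMPLE_SOURCE = '''
LICENSE_SALT = "constructed-placeholder"

def compute_royalty(gross_revenue, royalty_rate):
    taxable_base = gross_revenue * royalty_rate
    return round(taxable_base, 2)
'''


def collect_names(code) -> set:
    """Walk a code object and its nested code objects, gathering every
    identifier CPython keeps: globals/attributes (co_names) and
    arguments/locals (co_varnames)."""
    found = set(code.co_names) | set(code.co_varnames)
    for const in code.co_consts:
        if hasattr(const, "co_code"):          # nested function body
            found |= collect_names(const)
    return found


def names_in_compiled_source(source: str) -> set:
    """Names present after an in-memory compile (what `python -m compileall`
    would store)."""
    return collect_names(compile(source, "<sample>", "exec"))


def names_in_pyc(source: str) -> set:
    """Write a genuine .pyc, then read it back like a disassembler would:
    check the magic number, skip the 16-byte header, unmarshal the code."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "secret_module.py")
        with open(src, "w", encoding="utf-8") as fh:
            fh.write(source)
        pyc = py_compile.compile(
            src, cfile=os.path.join(tmp, "secret_module.pyc"), doraise=True)
        with open(pyc, "rb") as fh:
            header = fh.read(16)               # magic, flags, mtime, size
            if header[:4] != importlib.util.MAGIC_NUMBER:
                raise ValueError("pyc was written by a different interpreter")
            code = marshal.load(fh)
    return collect_names(code)


def disassembly(source: str) -> str:
    """Human-readable listing; STORE_FAST/LOAD_GLOBAL lines show the names."""
    buf = io.StringIO()
    dis.dis(compile(source, "<sample>", "exec"), file=buf)
    return buf.getvalue()


if __name__ == "__main__":
    print(sorted(names_in_pyc(SAMPLE_SOURCE)))
    print(disassembly(SAMPLE_SOURCE))
```

Running it prints the identifier set recovered from the `.pyc` followed by the disassembly; the locals show up as `STORE_FAST taxable_base` and the globals as `LOAD_GLOBAL round`, which is why the answer's "nothing serious" only holds for reconstructing readable control flow, not for hiding names.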
7

Use Cython. This will allow you to compile your program as a native executable. Then it should be much harder to steal.

As for the directory, the only advice I can give you is make sure you've got your permissions set up correctly. ACLs may be your friend, although I'm not 100% sure that they can restrict root from accessing a file. Even if they could, root could still just change the permission. He's root, he's god -- that's just how these things work.

http://www.korokithakis.net/node/109

answered Apr 6, 2011 at 15:51
1

As the user above showed, disassemblers can get the code back, but as yet it is not very readable (at least not for the open source disassemblers).

I was thinking about this, and one way that I think you could solve this problem (if you call forced open code a problem) is to write an automatic refactoring script. This would be fairly simple actually. You would just feed the script your module, and it would rename all the module-specific variables. This, along with only releasing the compiled file, would do a lot to obfuscate your code.

Doing a search on the PyPI, I found this: http://pypi.python.org/pypi/pyfuscate/0.1 . You should check it and others like it out and report back :D

Also: You should also License it, of course.

answered Apr 6, 2011 at 16:50
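The "automatic refactoring script" the answer sketches can be written with the standard `ast` module. The following is an added example, not the answerer's or pyfuscate's code: it renames every name assigned inside a function body to a meaningless identifier while leaving parameters (callers may pass them by keyword), module-level names, attributes and builtins untouched, and it skips functions that use `global` or `nonlocal`, where renaming would change meaning. The sample function and its names are constructed; `ast.unparse` requires Python 3.9 or later.

```python
"""Added example: AST-based renaming of function locals, the obfuscation step
the answer above proposes.  Renaming is applied consistently across each
function's whole subtree (including nested functions and comprehensions), so
behaviour is preserved; only readability is lost."""
import ast

# Constructed sample module to obfuscate.
SAMPLE_SOURCE = '''
def compute_royalty(gross_revenue, royalty_rate, minimum=0.0):
    taxable_base = gross_revenue * royalty_rate
    for adjustment in (0.5, 1.0):
        taxable_base = taxable_base * adjustment / adjustment
    if taxable_base < minimum:
        taxable_base = minimum
    return round(taxable_base, 2)
'''


class LocalRenamer(ast.NodeTransformer):
    """Rename names that are assigned inside a function to fresh identifiers.

    Kept as-is: parameters of the function and of any nested function or
    lambda, `except ... as name` targets (stored as plain strings, not Name
    nodes), and anything in a function that declares global/nonlocal.
    """

    def __init__(self, prefix: str = "_v"):
        self.counter = 0
        self.prefix = prefix        # assumed not to collide with real names

    def _fresh(self) -> str:
        self.counter += 1
        return f"{self.prefix}{self.counter}"

    def visit_FunctionDef(self, node: ast.FunctionDef) -> ast.AST:
        subtree = list(ast.walk(node))
        if any(isinstance(n, (ast.Global, ast.Nonlocal)) for n in subtree):
            return node                               # too risky, leave alone
        keep = {a.arg for a in subtree if isinstance(a, ast.arg)}
        keep |= {h.name for h in subtree
                 if isinstance(h, ast.ExceptHandler) and h.name}
        assigned = {n.id for n in subtree
                    if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Store)}
        mapping = {name: self._fresh() for name in sorted(assigned - keep)}
        for n in subtree:
            if isinstance(n, ast.Name) and n.id in mapping:
                n.id = mapping[n.id]                  # loads and stores alike
        return node


def obfuscate_locals(source: str) -> str:
    """Parse, rename, and regenerate source text."""
    tree = ast.parse(source)
    LocalRenamer().visit(tree)
    return ast.unparse(tree)


def load_function(source: str, name: str):
    """Execute a module's source in a fresh namespace and return one function."""
    namespace = {}
    exec(source, namespace)
    return namespace[name]


if __name__ == "__main__":
    print(obfuscate_locals(SAMPLE_SOURCE))
```

Because parameters and the function name are preserved, external callers keep working; only the body's vocabulary is lost. Note this gives no more protection than the bytecode compilation discussed above: it raises the effort of reading the code, not the possibility.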
1

I'd suggest licensing, too. On top of licensing, let's encrypt the source code of the main routines using an asymmetric key algorithm so that only your client's machine can run it. One of the keys in the pair would be something obtained from the hardware (example: the network card's serial number) of your client's machine. Use the other key in the pair to decrypt the source code when running the program. Note that the only deliverable in plaintext would be the decryption routine, and the rest would be in ciphertext.

This way your client can copy-and-paste your seemingly gibberish code but can't run it elsewhere. My suggestion is not completely bullet-proof, however: the interpreter may store the decrypted program somewhere in memory. Then it is possible that some hacker retrieves your program in plaintext during execution, I guess.

As for preventing folders from root access, I agree that root can't be stopped from accessing any files/folders.

answered Nov 15, 2011 at 20:51
2
  • This is just obfuscation; with the right tools, there will always be a point in time where the code is in plain text. A simple way to defeat your solution would be to simply swap out ruby/python/node with a custom program that mirrors the execution API and outputs the code. Commented Aug 7, 2013 at 1:40
  • Additionally, the private key (for decryption) will have to be available to the environment, therefore available to an attacker. Commented Oct 10, 2017 at 23:47
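The scheme in this answer and the objection in the two comments can both be shown in one short program. This is an added example, not the answerer's code: it derives a key from a constructed "hardware identifier" (standing in for the NIC serial the answer mentions), encrypts a constructed source snippet, and ships a loader that decrypts and `exec`s it. A toy SHA-256 counter-mode keystream is used so the example stays standard-library only; it is not a production cipher, and the answer's asymmetric variant would not change the conclusion. The last function demonstrates the comments' point: the loader must hold both the key derivation and the plaintext, so anyone who controls the interpreter (here, simply by substituting `builtins.exec`) receives the source.

```python
"""Added example: machine-bound source encryption and why it only obfuscates.
Key derivation, cipher and sample source are constructed for illustration."""
import builtins
import hashlib

# Constructed stand-in for a hardware identifier read on the client's box.
CLIENT_MACHINE_ID = b"00:11:22:33:44:55"

# Constructed "secret" routine to protect.
PROTECTED_SOURCE = '''
def compute_royalty(gross_revenue, royalty_rate):
    return round(gross_revenue * royalty_rate, 2)

RESULT = compute_royalty(1000, 0.1)
'''


def derive_key(machine_id: bytes) -> bytes:
    """Key bound to the machine.  This function ships inside the loader, so
    the client machine can always recompute it."""
    return hashlib.sha256(b"constructed-app-salt" + machine_id).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); encrypt == decrypt.
    A real deployment would use an authenticated cipher from a vetted library."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def protect(source: str, machine_id: bytes) -> bytes:
    """Build step on the vendor side: produce the ciphertext deliverable."""
    return keystream_xor(derive_key(machine_id), source.encode("utf-8"))


def decrypt(blob: bytes, machine_id: bytes) -> bytes:
    return keystream_xor(derive_key(machine_id), blob)


def run_protected(blob: bytes, machine_id: bytes) -> dict:
    """The shipped loader.  At this point the plaintext is an ordinary string
    in memory, and exec is looked up from builtins like any other name."""
    plaintext = decrypt(blob, machine_id).decode("utf-8")
    namespace = {}
    exec(plaintext, namespace)
    return namespace


def capture_plaintext(blob: bytes, machine_id: bytes) -> str:
    """What the comments describe: whoever controls the runtime can replace
    the execution entry point and receive the decrypted source.  Done
    in-process here by swapping builtins.exec while the loader runs."""
    captured = []
    real_exec = builtins.exec

    def recording_exec(src, *args, **kwargs):
        captured.append(src)
        return real_exec(src, *args, **kwargs)

    builtins.exec = recording_exec
    try:
        run_protected(blob, machine_id)
    finally:
        builtins.exec = real_exec
    return captured[0]


if __name__ == "__main__":
    blob = protect(PROTECTED_SOURCE, CLIENT_MACHINE_ID)
    print("ciphertext bytes:", len(blob))
    print("RESULT on client machine:", run_protected(blob, CLIENT_MACHINE_ID)["RESULT"])
    print("recovered source:\n" + capture_plaintext(blob, CLIENT_MACHINE_ID))
```

Moving the blob to a machine with a different identifier yields garbage rather than the program, which is the property the answer wants. But the deliverable still contains `derive_key`, and `run_protected` must hand the plaintext to the interpreter, so the protection ends exactly where the comments say it does.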
0

Licensing is the best answer here. That said, why does it have to run on their gear? If it is so critically important you might want to spring for a service and build some sort of service API around things so folks can't even see your intellectual property to steal it.

answered Nov 15, 2011 at 19:40