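When you write a shell script that connects to a database to fetch data, run backups, or perform similar operations, the script may contain sensitive information such as the database user's password. If someone with bad intentions finds it, that is a disaster for you. For security reasons the plaintext script needs to be encrypted. shc can compile the original shell script into an executable program (a binary), so the script can no longer be opened as plaintext.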
Here is a simple test:
[root@s19118 ~]# cat /etc/issue
Oracle Linux Server release 5.8
[root@s19118 ~]# uname -a
Linux s19118 2.6.32-300.10.1.el5uek #1 SMP Wed Feb 22 17:37:40 EST 2012 x86_64 x86_64 x86_64 GNU/Linux
1. Download shc and install it
[root@s19118 ~]# wget http://www.datsi.fi.upm.es/~frosal/sources/shc-3.8.7.tgz
--2013-06-18 16:32:08-- http://www.datsi.fi.upm.es/~frosal/sources/shc-3.8.7.tgz
Resolving www.datsi.fi.upm.es... 138.100.9.22
Connecting to www.datsi.fi.upm.es|138.100.9.22|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20498 (20K) [application/x-gzip]
Saving to: `shc-3.8.7.tgz'
100%[=======================================================>] 20,498 11.1K/s in 1.8s
2013-06-18 16:32:12 (11.1 KB/s) - `shc-3.8.7.tgz' saved [20498/20498]
[root@s19118 ~]# tar zxvf shc-3.8.7.tgz
shc-3.8.7/CHANGES
shc-3.8.7/Copying
shc-3.8.7/Makefile
shc-3.8.7/match
shc-3.8.7/pru.sh
shc-3.8.7/shc-3.8.7.c
shc-3.8.7/shc.1
shc-3.8.7/shc.README
shc-3.8.7/shc.c
shc-3.8.7/shc.html
shc-3.8.7/test.bash
shc-3.8.7/test.csh
shc-3.8.7/test.ksh
[root@s19118 ~]# cd shc-3.8.7
[root@s19118 shc-3.8.7]# ls
CHANGES Copying Makefile match pru.sh shc.1 shc-3.8.7.c shc.c shc.html shc.README test.bash test.csh test.ksh
[root@s19118 shc-3.8.7]# make
[root@s19118 shc-3.8.7]# ./shc -v
shc parse(-f): No source file specified
shc Usage: shc [-e date] [-m addr] [-i iopt] [-x cmnd] [-l lopt] [-rvDTCAh] -f script
2. Encrypt A Shell Script Using shc
[root@s19118 shc-3.8.7]# ./test.bash
+ echo '$@ is '
$@ is
+ echo 'command line: ./test.bash '
command line: ./test.bash
+ echo 'hello world'
hello world
+ echo '[26053] PAUSED... Hit return!'
[26053] PAUSED... Hit return!
+ read DUMMY
+ exit 0
[root@s19118 shc-3.8.7]# cat test.bash
#!/bin/bash -x
echo "\$@ is $@"
echo "command line: $0 $*"
echo "hello world"
# Added
echo "[$$] PAUSED... Hit return!"
read DUMMY
exit 0
[root@s19118 shc-3.8.7]# ./shc -f test.bash
# Encryption produces two files: .x.c is the C source file, .x is the executable
-rw-r--r-- 1 root root 9905 Jun 18 16:39 test.bash.x.c
-rwx--x--x 1 root root 11840 Jun 18 16:39 test.bash.x
[root@s19118 shc-3.8.7]# strings test.bash.x|head
/lib64/ld-linux-x86-64.so.2
__gmon_start__
libc.so.6
sprintf
perror
fork
time
_exit
getpid
kill
[root@s19118 shc-3.8.7]# strings test.bash.x.c|head
#if 0
shc Version 3.8.7, Generic Script Compiler
Copyright (c) 1994-2009 Francisco Rosales
./shc -f test.bash
#endif
static char data [] =
#define opts_z 3
#define opts ((&data[0]))
"\266\246\304"
#define tst2_z 19
[root@s19118 shc-3.8.7]# file test.bash.x
test.bash.x: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), stripped
[root@s19118 shc-3.8.7]# file test.bash.x.c
test.bash.x.c: ASCII C program text
3. Execute the Encrypted Shell Script
[root@s19118 shc-3.8.7]# ./test.bash.x
+ echo '$@ is '
$@ is
+ echo 'command line: ./test.bash.x '
command line: ./test.bash.x
+ echo 'hello world'
hello world
+ echo '[25194] PAUSED... Hit return!'
[25194] PAUSED... Hit return!
+ read DUMMY
+ exit 0
4. Specifying Expiration Date for Your Shell Script
# shc can set an expiration date for the file; after that date, running the executable reports an error.
[root@s19118 shc-3.8.7]# rm test.bash.x*
rm: remove regular file `test.bash.x'? yes
rm: remove regular file `test.bash.x.c'? yes
# The date format is dd/mm/yyyy
[root@s19118 shc-3.8.7]# ./shc -e 18/6/2013 -f test.bash
[root@s19118 shc-3.8.7]# date
Tue Jun 18 17:02:06 CST 2013
[root@s19118 shc-3.8.7]# ./test.bash.x
./test.bash.x: has expired!
Please contact your provider
[root@s19118 shc-3.8.7]# date -s "20130617"
Mon Jun 17 00:00:00 CST 2013
[root@s19118 shc-3.8.7]# ./test.bash.x
+ echo '$@ is '
$@ is
+ echo 'command line: ./test.bash.x '
command line: ./test.bash.x
+ echo 'hello world'
hello world
+ echo '[22106] PAUSED... Hit return!'
[22106] PAUSED... Hit return!
+ read DUMMY
# You can also define the message shown after expiry with the -m option, as follows
[root@s19118 shc-3.8.7]# ./shc -e 18/6/2013 -m "Contact dba@anbob.com for new version of this script" -f test.bash
Notice:
Files encrypted with shc can still be decrypted.
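Because shc output can be decrypted, it is worth checking what a build leaves on disk. The following is an added example, not part of the original post: it checks that the secret literal is not readable in the shc artifacts, that the plaintext script is not left holding it, and that the .x.c file is not readable by group or others. The function names and the pattern-file argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the shc naming shown
# above (<script>.x and <script>.x.c); function names are hypothetical.

# has_literal FILE PATTERNS: true if any line of PATTERNS occurs in FILE.
# Patterns are read from a file so the secret never appears in grep's argv.
has_literal() {
    grep -a -F -q -f "$2" -- "$1"
}

# loose_perms FILE: true if group or others can read FILE.
loose_perms() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \))" ]
}

# check_shc_artifacts SCRIPT PATTERNS
# PATTERNS holds one secret literal per line. Prints findings and returns
# their count (0 = clean); returns 64 if PATTERNS is unusable.
check_shc_artifacts() {
    script=$1 pats=$2 n=0
    # An empty pattern line would match every file, so reject it.
    [ -s "$pats" ] && ! grep -q '^$' "$pats" || return 64
    for f in "$script.x" "$script.x.c"; do
        [ -f "$f" ] || continue
        if has_literal "$f" "$pats"; then
            echo "LEAK: secret literal is readable in $f"; n=$((n + 1))
        fi
    done
    # shc does not remove its input: the plaintext copy is still on disk.
    if [ -f "$script" ] && has_literal "$script" "$pats"; then
        echo "PLAINTEXT: $script still holds the secret"; n=$((n + 1))
    fi
    # The .x.c file is the source the binary was built from; in the listing
    # above it is 644 while the binary is 711.
    if [ -f "$script.x.c" ] && loose_perms "$script.x.c"; then
        echo "PERMS: $script.x.c is readable by group/others"; n=$((n + 1))
    fi
    return "$n"
}
```

Run it from the build directory as `check_shc_artifacts test.bash /path/to/patterns`, where the patterns file is itself mode 600.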




