Re: Is it possible to hide AppleScript "do shell script" commands from bash/bash history?


Deivy Petrescu
 

On Dec 28, 2017, at 09:48 , davew@wegenermedia.com wrote:

I was recommended to come here, by some knowledgeable folks on a Filemaker Pro forum.

So, I'm using some older versions in an active filemaker solution (FMPA 13, 14, 15), and need to enhance some security features.


This is within a database solution that's 'in the wild', on customers' Macs around the world. We don't really want them being able to view certain encrypted data nuggets (which may need to be sent back & forth via email). And for certain other reasons, we can't force an upgrade to a different database version (with built-in encryption)..


So, to accomplish this, I use Applescript to pass data from a field into an openssl shell for encryption, then put results into an encrypted data field..


Calculated AppleScript here:

"property targetCell: \"cp_thisismyencrypteddatafield\" ¶

set theResult to do shell script \"echo " & cp_thisismydatasourcefield & " | openssl aes-256-cbc -k thisisMYP5SSW0rd! -base64\" ¶

copy theResult to cell targetCell of current record"


So, this works perfectly well, in that I'm able to pass both data and a password into openssl for encryption, and pass back.


My concern is this: is this action visible to prying eyes? I've been given multiple conflicting answers from multiple 'experts', but would really appreciate someone who actually **IS** an expert to confirm or deny the security of this..


I thought perhaps I could see the command thru ./bash_history, but it doesn't show up.. Nor does it in any console logs that I can find... nor in 'history' (as either a user or as root). Some folks have said that a 'do shell script' (being non-interactive) is shielded from bash history...


But all of this is moot without something definitive - I am concerned that a well-informed hacker can perform some level of 'ps aux' at some point and actually see (or log) that shell script going by... is that so?


1. IF it can be logged or viewed, how? Can I replicate that action (to prove/disprove it)?

2. IF it can be viewed, is there another (better) way to do this, without any plug-ins (yeah, I'm biased against 3rd party plug-ins), which would hide it from sight/log?

3. IF it IS hidden, (but I created a variable - theResult), is theResult visible anywhere (or could someone simply dump that variable into plaintext somehow)? Or does that variable self-flush when I end the script?


Thanks for any definitive clarity on this!

Dave, you will not be able to see the command in your Terminal.
do shell script does not use Terminal to send it commands, so it is sheltered from Terminal’s command history.
However, thisisMYP5SSW0rd! is legible in the script, meaning if you “open” the script in a text editor, it will be there for everyone to see.
There was a big discussion here and Shane managed to break all the passwords.
Maybe something has changed, but I don’t think so.

I am thinking of a way to save passwords securely on an AS, but haven’t worked on that yet!


Deivy Petrescu
applescript@dicas.com
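
The `ps` question in the original message can be checked locally. The following is an added example, not part of the thread or of either poster's code: it starts a stand-in child process three ways (secret as a command-line argument, in the environment, on stdin) and reports whether another process can read the secret from the child's argument list. The passphrase, the `sleep` child and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: constructed secret, stand-in child process.
SECRET='constructed-demo-passphrase'      # constructed sample value
# Two commands, so sh stays resident instead of exec'ing into sleep.
CHILD='sleep 3; exit 0'

# Print PID's argument list as another local process sees it.
# Falls back to /proc (Linux) where ps lacks -o or -p.
args_of() {
    ps -ww -o args= -p "$1" 2>/dev/null ||
        tr '\0' ' ' < "/proc/$1/cmdline"
}

# Start a child that receives SECRET by route $1; leave its PID in $pid.
launch() {
    case "$1" in
        argv)  sh -c "$CHILD" demo "$SECRET" >/dev/null 2>&1 & ;;
        env)   DEMO_PASS="$SECRET" sh -c "$CHILD" demo >/dev/null 2>&1 & ;;
        stdin) printf '%s\n' "$SECRET" |
                   sh -c "read -r p; $CHILD" demo >/dev/null 2>&1 & ;;
    esac
    pid=$!
}

# Launch all three children, then report per route whether SECRET
# appears in the child's argv ("visible") or not ("hidden").
survey() {
    started=''
    for route in argv env stdin; do
        launch "$route"
        started="$started $route:$pid"
    done
    sleep 1          # let every child finish exec() before looking
    for job in $started; do
        case "$(args_of "${job#*:}")" in
            *"$SECRET"*) echo "${job%%:*} visible" ;;
            *)           echo "${job%%:*} hidden" ;;
        esac
        kill "${job#*:}" 2>/dev/null || true
    done
}

# "hidden" means absent from argv only: the environment is still readable
# by the same user or root on many systems, so stdin or a file descriptor
# is the tighter route.
survey
```

With openssl, the non-argv routes correspond to `-pass env:VAR`, `-pass stdin` or `-pass fd:N` in place of `-k`. None of them changes the point made in the reply above: a password written into the script text is readable there.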
