How do I lock a python (.py) file for editing?

Question:

I wrote an automation program which logs in to a website to perform a certain task. The .py file will be given to a number of users but I don’t want them to be able to read the code and see the password used for logging in. How do I make sure that they can only execute the file but not read it?

Asked By: Chandral

Answers:

You can’t do it. If you give a password to your users, no matter how much you try to hide it, it’s always possible to find it out.

You can make it slightly more difficult to find out with encryption and obfuscation, but that only stops non-tech-savvy users. And those users probably wouldn’t think to read through a bunch of code looking for a plaintext password anyways.

The correct way is to make it so that it’s OK if users know their own passwords. Make the server side bit block people from doing things they’re not supposed to do (if you don’t have one, you need to make one). Use separate accounts for each user so you can separately deactivate them if needed.

Answered By: Matti Virkkunen

One possibility is to have a daemon (service) running which holds the password. That would be running under a restricted user to which normal security has been applied. The users should not be able to access anything under the daemon’s user.

Users have a Python program which communicates a login request to the daemon via an IPC mechanism; you could use a socket, named pipe, etc. The daemon performs the task on behalf of the user and communicates the results back.

How practical that is depends on the amount of communication between the user and the server. There would be performance issues if this was an interactive task.

The daemon would probably have to be multi-threaded, depending on volumes, so this could be a lot of work.

A similar possibility is that the daemon could be a web server (using, say, Apache), and then the users access using a browser. That could be easier to program and maintain, but it depends on your environment if that is feasible.

Answered By: cdarke
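The daemon design described in this answer, as an added example that is not part of the original answer: a broker process holds the password, accepts task requests over a Unix domain socket, and returns only results. It goes slightly beyond the answer by authorising callers by their kernel-reported uid (Linux-only `SO_PEERCRED`). The password value, task names, allow-list and socket path are constructed assumptions.

```python
import json, os, socket, struct, tempfile, threading

SITE_PASSWORD = "constructed-secret"  # assumption: really loaded from a file only the daemon's user can read
ALLOWED_UIDS = {os.getuid()}          # constructed allow-list: one entry per permitted user
ALLOWED_TASKS = {"fetch_report"}      # hypothetical task name

def run_task(task):
    # Stand-in for the real website login and task. The password is used
    # only here, inside the daemon, and is never part of the reply.
    session_ok = bool(SITE_PASSWORD)
    return f"{task}: done" if session_ok else f"{task}: login failed"

def peer_uid(conn):
    # Linux: the kernel reports pid, uid, gid of the connecting process.
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", creds)[1]

def handle(conn):
    with conn:
        uid = peer_uid(conn)
        req = json.loads(conn.recv(4096).decode())
        if uid not in ALLOWED_UIDS:
            reply = {"ok": False, "error": "user not authorised"}
        elif req.get("task") not in ALLOWED_TASKS:
            reply = {"ok": False, "error": "unknown task"}
        else:
            reply = {"ok": True, "result": run_task(req["task"])}
        conn.sendall(json.dumps(reply).encode())

def serve(path, ready, n_requests):
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)
        os.chmod(path, 0o666)  # any local user may connect; authorisation is by peer uid
        srv.listen()
        ready.set()
        for _ in range(n_requests):
            conn, _addr = srv.accept()
            handle(conn)

def request(path, task):
    # Client side: this is all the distributed script needs to contain.
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(path)
        c.sendall(json.dumps({"task": task}).encode())
        return json.loads(c.recv(4096).decode())

def demo():
    path = os.path.join(tempfile.mkdtemp(), "broker.sock")
    ready = threading.Event()
    threading.Thread(target=serve, args=(path, ready, 2), daemon=True).start()
    ready.wait()
    return request(path, "fetch_report"), request(path, "dump_password")
```

Calling `demo()` runs the daemon and client in one process for illustration; in a deployment the daemon runs under its own restricted account, as the answer describes.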

Best way to do that would be as @cdarke offered, but a faster way would be to store the .py file in a hidden, password-protected folder.

Answered By: user6193474

To lock a Python script so it cannot be edited, you compile the PY file into a PYC file. This ensures that the users are unable to make any changes to the existing code within the scripts. A PYC file is binary in nature and cannot be read directly. Below is code that compiles a PY file into a PYC file:

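import py_compile

# Raw string so that "\t" in the Windows path is not read as a tab character
script = r"C:\temp\myscript.py"
# Writes the compiled bytecode file and returns its path
py_compile.compile(script)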

That code would make myscript.pyc. PYC files run even if the PY files are not present.

Source: https://support.esri.com/en/technical-article/000010321

Answered By: adybro

Include this in your code:

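import py_compile

# Only compile when running from the .py source, not from the compiled .pyc
if '.pyc' not in __file__:
    # 'file.py' stands for this script's own file name
    TheNewPathGoesHear = __file__.replace('file.py', 'file.pyc')
    py_compile.compile(__file__, TheNewPathGoesHear)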

This if statement ensures that this is not a pyc before compiling; if you compile without this if statement, there will be a new file for the users each time they open the pyc file.

NOTE: there must be a ‘.pyc’ in the format of the new file path. You can choose not to define the new path, and that will send it to the __pycache__ folder in your main folder.

Answered By: LORD_M.D

Using chmod

If you are on Linux (or possibly Mac), you can use the command line tool chmod to edit the attributes of a file. For example, to allow reading and execution of the hello.py file (but not write access), use the following command:

chmod a=rx hello.py

This is especially useful for shared servers where you don’t want people to accidentally overwrite key files.

However: if the user downloads the file on their local machine, they can always just use chmod to reverse the command and allow editing again. This does not stop developers editing local copies of the file.

Reversing chmod

If you want to make the file editable again, use the following command:

chmod a=rwx hello.py

Answer taken from my other post here. The post over there is more detailed and may be more useful!

Answered By: Dylan Rogers