How do I lock a python (.py) file for editing?
Asked Answered
W

6

6

I wrote an automation program which logs in to a website to perform a certain task. The .py file will be given to a number of users but I don't want them to be able to read the code and see the password used for logging in. How do I make sure that they can only execute the file but not read it?

Workhouse answered 2/7, 2016 at 5:14 Comment(0)
S
6

To lock a Python script so it cannot be edited, you compile the PY file into a PYC file. This ensures that the users are unable to make any changes to the existing code within the scripts. A PYC file is binary in nature and cannot be read directly. Below is code that compiles a PY file into a PYC file:

import py_compile

script = "C:\\temp\\myscript.py"
py_compile.compile(script)

That code would make myscript.pyc. PYC files run even if the PY files are not present.

Source : https://support.esri.com/en/technical-article/000010321

Sigh answered 19/7, 2018 at 0:18 Comment(0)
A
2

You can't do it. If you give a password to your users, no matter how much you try to hide it, it's always possible to find it out.

You can make it slightly more difficult to find out with encryption and obfuscation, but that only stops non-tech-savvy users. And those users probably wouldn't think to read through a bunch of code looking for a plaintext password anyways.

The correct way is to make it so that it's OK if users know their own passwords. Make the server side bit block people from doing things they're not supposed to do (if you don't have one, you need to make one). Use separate accounts for each user so you can separate deactivate them if needed.

Askja answered 2/7, 2016 at 5:17 Comment(4)
Thanks Matti. The thing is, my colleagues will be using the credentials of a super user on the website which needs to be used to perform the task so there is no way I can limit their privileges.Workhouse
@Chandral: If you don't trust your users then you can't give them the password. You can't change that. You could do what I suggested and create a small web service that sits inbetween your users and the website and only lets them do the things you want them to do. The web service would keep the password to itself.Askja
Could you point me to some online resources for learning how to do that?Workhouse
@Chandral: How to make a web service? There's countless ways to do it. Might want to just google.Askja
D
1

Include this in your code:

import py_compile
if not '.pyc' in __file__:
    TheNewPathGoesHear=__file__.replace('file.py', 'file.pyc')
    py_compile.compile(__file__, TheNewPathGoesHear)

this if statment ensures that this is not a pyc before compiling, if you compile with out this if statment thy will be a new file for the uses each time thy open the pyc file.

NOTE: there must be a '.pyc' in the format of the new file path, you can not to define the new path and that will send it to the __pycache__ folder in your main folder.

Deus answered 16/9, 2022 at 12:10 Comment(0)
H
1

Using chmod

If you are on linux (or possibly mac), you can use the command line tool chmod to edit the attributes of a file. For example, to allow reading and execution of the hello.py file (but not write access), use the following command:

chmod a=rx hello.py

This is especially useful for shared servers where you don't want people to accidentally overwrite key files.

However: if the user downloads the file on their local machine, they can always just use chmod to reverse the command and allow editing again. This does not stop developers editing local copies of the file.

Reversing chmod

If you want to make the file editable again, use the following command:

chmod a=rwx hello.py

Answer taken from my other post here. The post over there is more detailed and may be more useful!

Homework answered 28/2, 2023 at 23:52 Comment(0)
F
0

One possibility is to have a daemon (service) running which holds the password. That would be running under a restricted user to which normal security has been applied. The users should not be able to access anything under the daemon's user.

Users have a python program which communicates a login request to the daemon via an IPC mechanism, you could use a socket, named-pipe, etc. The daemon performs the task on behalf of the user and communicates the results back.

How practical that is depends on the amount of communication between the user and the server. There would be performance issues if this was an interactive task.

The daemon would probably have to be multi-threaded, depending on volumes, so this could be a lot of work.

A similar possibility is that the daemon could be a web server (using, say, Apache), and then the users access using a browser. That could be easier to program and maintain, but it depends on your environment if that is feasible.

Fastness answered 2/7, 2016 at 5:44 Comment(0)
S
0

Best way to do that would be as @cdarke offered, but a faster way would be to store the .py file in a hidden, password-protected folder.

Sacci answered 2/7, 2016 at 8:9 Comment(0)

© 2022 - 2025 — McMap. All rights reserved.