Community discussions

MikroTik App
 
MikRu
just joined
Topic Author
Posts: 19
Joined: Sat Mar 09, 2013 6:59 pm

Script - protection

Wed Sep 24, 2014 12:50 pm

I need to give full access to MIKROTIK to another user, but i don't want to give him my scripts.

Is there any way to protect from viewing scripts?

my be there is some method to make it unreadable but working?
 
User avatar
boen_robot
Forum Guru
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: Script - protection

Wed Sep 24, 2014 6:16 pm

In short: No.


There's no way to encrypt scripts, or otherwise forbid someone from seeing their source while also allowing them to run them. The closest thing to that you can do is to let someone write files via FTP, and nothing else. You can then configure a scheduler script to regularly check for new files, and "import" them as a full permissioned admin.

Of course, that won't really prevent someone from stealing your scripts if they REEEALLY want to - they could always make a "/tool fetch" request that contains the script source as a query string parameter... Unless you run the scheduler without... umm... "test" permission I believe, but I'm not sure... which would simultaneously disable a few other things (e.g. ping) for your semi-trusted fellow.


HOWEVER

There is an ugly workaround you can employ to both have scripts be runnable, and unreadable.

Store your scripts into a web server. Whenever a script of yours needs to be invoked, invoke it by making a "/tool fetch" request to a special web page. That web page will execute your scripts via the API protocol. That way, the user won't see the scripts (because they're never at the router), but the actual "stuff" is being done by the web server.

This is a somewhat ugly workaround because it requires a separate device, plus it means the router needs to be able to connect to the web server in order to invoke those scripts. "Server unreachable = No scripts".
PEAR2_Net_RouterOS(1.0.0b6) - My API client in PHP
(Rate my posts? If you want... no pressure...)
 
nonac
newbie
Posts: 27
Joined: Tue Sep 02, 2014 7:36 pm

Re: Script - protection

Thu Sep 25, 2014 2:11 am

this is interesting, the problem is i dont know hot to! heheh.
 
User avatar
boen_robot
Forum Guru
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: Script - protection

Thu Sep 25, 2014 1:52 pm

1. Install something like XAMPP.
2. Add "httpd" and "php-cgi" (both are located somewhere in XAMPP's folder) to your Firewall's whitelist for outgoing connections, or at least let any application make outgoing connections to port 8728.
3. Download the "PHAR" file from my signature, and place it in XAMPP's "htdocs" folder.
4. Place your RouterOS scripts in a folder that's OUTSIDE of "htdocs" folder. I'll use "D:\ROS", but the location can be anywhere you want, as long as it's not in the "htdocs" folder (or otherwise publically visible to outsides - you do want to protect your scripts, don't you?).
5. In the "htdocs" folder, create a new file and call it "index.php". It should have the following contents:
<?php
use PEAR2\Net\RouterOS;

if (isset($_GET['script'])) {
    require_once 'PEAR2_Net_RouterOS-1.0.0b4.phar';

    $scriptsDir = 'D:\ROS\\';
    $util = new RouterOS\Util(new RouterOS\Client($_SERVER['REMOTE_ADDR'], 'admin', 'password'));

    chdir($scriptsDir);
    $scriptLocation = realpath($_GET['script']);
    if (false !== $scriptLocation && strpos($scriptLocation, $scriptsDir) === 0) {
        $util->exec(file_get_contents($scriptLocation));
    }
} 
(adjust your RouterOS credentials on the line with "new RouterOS\Client")


One you have that set up, from the router, you can do:
/tool fetch url="http://192.168.0.254/\?script=myScript.rsc"
to make the server execute "myScript.rsc" on the router.

(adjust the IP to what the IP of the machine with XAMPP is, of course)
PEAR2_Net_RouterOS(1.0.0b6) - My API client in PHP
(Rate my posts? If you want... no pressure...)
 
MikRu
just joined
Topic Author
Posts: 19
Joined: Sat Mar 09, 2013 6:59 pm

Re: Script - protection

Tue Oct 07, 2014 2:58 pm

Thanks, but not all the time web server is connected with router :(

need some other variant.

may be it'is possible to encode scripts, like viruses in php
preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69
eval(gzinflate(base64_decode('FJzHkqPatkU
 
User avatar
boen_robot
Forum Guru
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: Script - protection

Wed Oct 08, 2014 4:07 pm

Yes, but then you (or your semi-trusted fellow) can't execute them on the router.

In fact, you could even as well encrypt them using OpenSSL (see this post), but you again have that same problem of not being able to actually run the scripts while they're encrypted.


I guess you could encode the script into a single string of escape codes that MikroTik recognizes, and pass them to the :parse command. While this prevents a "trivial" steal (in that the source isn't "immediately" visible), it's very easy to decode the escape sequences back into their original characters... In fact, it's as easy as storing the string a global variable, and reading it's value afterwards, since the source's encoding is lost as soon as it's used for any purpose, and a global variable is just an easy means to read it back.
PEAR2_Net_RouterOS(1.0.0b6) - My API client in PHP
(Rate my posts? If you want... no pressure...)
 
jondavy
Member Candidate
Member Candidate
Posts: 140
Joined: Tue May 12, 2009 11:14 pm
Location: Brasil

Re: Script - protection

Thu Oct 10, 2019 8:02 pm

hello, yes we really need that,
Does anyone know if there is already a solution ?.
because here we are a WISP and I deliver to the technician a notebook with a plain text script containing several users to configure a DISC Lite or hAP for example with several users with various privileges and I would like to encrypt this script to precisely the technician or someone can not read passwords if open script

Thanks, but not all the time web server is connected with router :(

need some other variant.

may be it'is possible to encode scripts, like viruses in php
preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69
eval(gzinflate(base64_decode('FJzHkqPatkU
 
MikRu
just joined
Topic Author
Posts: 19
Joined: Sat Mar 09, 2013 6:59 pm

Re: Script - protection

Thu Jan 21, 2021 11:45 am

any news for this goal?

Who is online

Users browsing this forum: No registered users and 39 guests