How can I hide AppleScript shell scripts from bash history?

Question asked by wedgeman on Dec 27, 2017
Latest reply on Dec 31, 2017 by bigtom

I'm sorry if this is in the wrong sub-forum.. the new layout (and some account issues) aren't allowing me to post this in an appropriate location.  Perhaps a mod could move it to an appropriate neighborhood? tx

So, I'm using some older versions in an active solution (FMPA 13, 14, 15), and need to enhance some security features.

This is within a .fmp12 solution that's 'in the wild', on customers' Macs around the world. We don't really want them being able to view certain encrypted data nuggets (which may need to be sent back & forth via email).  And for certain other reasons, we can't force an upgrade to 16 (and, yes I know 16 does all this internally - and that's wonderful but utterly useless information to the problem at hand)..

So, to accomplish this, I use AppleScript to pass data from a field into an openssl shell for encryption, then put results into an encrypted data field..

Calculated AppleScript here:

"property targetCell: \"cp_thisismyencrypteddatafield\" ¶

set theResult to do shell script \"echo " & cp_thisismydatasourcefield & " | openssl aes-256-cbc -k thisisMYP5SSW0rd! -base64\" ¶

copy theResult to cell targetCell of current record"

So, this works perfectly well, in that I'm able to pass both data and a password into openssl for encryption, and pass back.

My concern is this: is this action visible to prying eyes?  I've been given multiple conflicting answers from multiple 'experts', but would really appreciate someone who actually **IS** an expert to confirm or deny the security of this..

I thought perhaps I could see the command thru ./bash_history, but it doesn't show up.. Nor does it in any console logs that I can find... nor in 'history' (as either a user or as root). Some folks have said that a 'do shell script' (being non-interactive) is shielded from bash history...

But all of this is moot without something definitive - I am concerned that a well-informed hacker can perform some level of 'ps aux' at some point and actually see (or log) that shell script going by... is that so?

1. IF it can be logged or viewed, how?  Can I replicate that action (to prove/disprove it)?

2. IF it can be viewed, is there another (better) way to do this, without any plug-ins (yeah, I'm biased against 3rd party plug-ins), which would hide it from sight/log?

3. IF it IS hidden, (but I created a variable  - theResult), is theResult visible anywhere (or could someone simply dump that variable into plaintext somehow)?  Or does that variable self-flush when I end the script?

Thanks for any definitive clarity on this!
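
Question 1 above (can the command be seen, and can that be replicated) can be checked with standard tools. The script below is an added example, not part of the original post: it starts a command the way `do shell script` does, as one string handed to `/bin/sh -c`, samples its argument list with `ps`, and compares that with a variant whose passphrase is read from a mode-0600 file, as `openssl enc -pass file:PATH` would. `SECRET`, `DATA` and the function names are constructed for illustration, and the inner `sh -c` is a stand-in for the openssl step.

```shell
#!/bin/sh
# Added example; SECRET and DATA are constructed sample values.
SECRET='constructed-demo-passphrase'
DATA='constructed-field-value'

# Argument list of PID $1, as any local user running ps can read it.
args_of() {
    ps -ww -o args= -p "$1" 2>/dev/null || tr '\0' ' ' < "/proc/$1/cmdline"
}

# Case 1: the shape `do shell script` produces. The whole command string,
# data and passphrase included, is a single argument to `sh -c`.
# The inner `sh -c ... enc -k` is a stand-in for the openssl step.
leaky_args() {
    /bin/sh -c "echo $DATA | sh -c 'cat >/dev/null; sleep 2' enc -k $SECRET" &
    pid=$!
    sleep 1                     # let the child exec before sampling
    args_of "$pid"
    wait "$pid"
}

# Case 2: the command string is constant. The passphrase sits in a 0600
# file (what `openssl enc -pass file:PATH` reads) and data arrives on stdin.
safer_args() {
    keyfile=$(umask 077; mktemp "${TMPDIR:-/tmp}/enc.XXXXXX") || return 1
    printf '%s\n' "$SECRET" > "$keyfile"
    # Trailing ':' keeps the shell from exec'ing sleep, so its argv stays visible.
    printf '%s\n' "$DATA" |
        /bin/sh -c 'cat "$1" - >/dev/null; sleep 2; :' enc "$keyfile" &
    pid=$!
    sleep 1
    args_of "$pid"
    wait "$pid"
    rm -f "$keyfile"
}

# Run with the argument "demo" to print both samples.
if [ "${1:-}" = demo ]; then
    echo "inline secret : $(leaky_args)"
    echo "secret in file: $(safer_args)"
fi
```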