shc
Encrypt and compile shell scripts
TLDR
Compile a shell script
Compile a shell script and specify an output binary file
Compile a shell script and set an expiration date for the executable
Compile a shell script and set a message to display upon expiration
SYNOPSIS
shc [options] -f script_file
PARAMETERS
-f script_file
Specifies the input shell script file to be compiled.
-o output_file
Defines the name of the output executable binary file. If not specified, it defaults to script_file.x.
-r
Relaxes security. Allows the compiled script to be executed by any user, not just the one who compiled it (setuid/setgid issues apply).
-T
Enables traceability. Allows the compiled script to be traced (e.g., with strace) and debugged, compromising obfuscation.
-e date
Sets an expiration date for the compiled binary in YYYY/MM/DD format. After this date, the script will not execute.
-m message
Specifies a message to be displayed when the compiled script expires.
-v
Enables verbose output, showing compilation steps and messages.
-h
Displays the help message and exits.
-i inclusion_file
Includes an external file into the compiled script. Useful for shared libraries or data.
-l last_lines_file
Appends the content of last_lines_file to the end of the compiled script's C source code before compilation.
-x extra_options
Passes extra options to the C compiler (e.g., -static for static linking).
DESCRIPTION
shc (Shell Script Compiler) is a tool designed to convert a shell script into a C source code file, which is then compiled into a self-contained, executable binary. Its primary purpose is to provide a basic level of obfuscation and protection for shell scripts. By compiling the script, shc makes it more difficult for unauthorized users to read, understand, or modify the original script's logic, as the human-readable script content is embedded within a compiled binary.
While shc offers a deterrent against casual inspection, it is important to note that it does not provide strong encryption or true security. A determined attacker with appropriate tools and knowledge could potentially reverse-engineer the binary to recover the original script or its logic. However, for many common use cases, it effectively hides the script's content from a quick glance, adding a layer of obscurity. The resulting binary can then be distributed and executed without requiring the original script file or even an interpreter on the target system (if static compilation is ensured).
CAVEATS
shc provides obfuscation, not strong security or encryption. The compiled binary can potentially be reverse-engineered to reveal the original script's content or logic, especially by skilled individuals.
The generated executable is platform-dependent; a binary compiled on one architecture (e.g., x86) may not run on another (e.g., ARM).
Debugging compiled shc scripts is significantly harder, even with the -T option.
For scripts requiring high security, shc should not be relied upon as the sole protection mechanism. Consider alternative methods like proper access control, encryption of sensitive data, or rewriting critical parts in a compiled language.
RUNTIME ENVIRONMENT
The shc compiled binary still requires the standard shell (e.g., bash, sh) to be present on the target system for execution, as it effectively embeds the script and executes it through the system's shell interpreter at runtime. It's not a true compiler in the sense that it translates the script directly into machine code; instead, it wraps the script in a C program that executes the script.
SECURITY IMPLICATIONS
While shc hides the script, the original script is typically stored in an obfuscated form within the binary. Tools like strings can often extract fragments of the original script, and more advanced reverse engineering can fully recover it. Therefore, avoid embedding sensitive information (like passwords or API keys) directly within scripts compiled with shc unless other robust security measures are in place.
HISTORY
shc was created by Francisco Rosales. Its development began in the early 2000s, providing a unique solution for shell script obfuscation in environments where basic protection against casual inspection was desired. While not part of core Linux distributions, it has found its niche among system administrators and script developers looking to distribute scripts without fully exposing their source code. Its design principles reflect the practicality of making shell scripts less readable without the overhead of full-fledged encryption or more complex protection schemes.