

Any tips to prevent code theft?




Posted by softwarelabus, 03-01-2011, 06:51 PM
Hi, Regarding shared hosts, what all can I do to prevent source code theft? I discovered on my web host that the minimum file permissions that still allow my website to work are 0110 for the public_html folder, and 0101 for cgi-bin. That allows the website to work, even WordPress, but in cPanel I can't even view the list of files in the public_html folder or cgi-bin, which is fine with me. If I write a Perl script that tries to view a directory (e.g., print `ls -AFl`) then it gives the same results as cPanel, which is an empty folder because it's hidden. I don't know about PHP or Python. Maybe a PHP script could view the files, but I doubt it. Does this seem secure? I'll be using Python, and maybe some PHP. Are there any shared web hosts that might excel at protecting users' code? I'm with Green Geeks. So far I don't see any security holes, but I'm not a security expert. I'd appreciate any tips, Paul

Posted by overthrow, 03-01-2011, 07:37 PM
File a support ticket and ask them to restrict permissions on your directory, at minimum.

Posted by tchen, 03-01-2011, 07:47 PM
Your shared host generally runs something like suPHP or suexec. This lets the server run as users while serving pages. It protects you in case someone else has an insecure script, since at most they can only get the compromised person's permissions. However, what this means is that if you can read/edit/modify those files from the shell, then you're not really protected if you happen to be that person. If you really want to at least secure your code from simple prying eyes, consider using an encoder. There was a discussion recently about several options on WHT. http://www.webhostingtalk.com/showthread.php?t=1025205

Posted by softwarelabus, 03-01-2011, 08:05 PM
I think you're right. After doing some more tests I was able to view the source code. It turns out that removing folder permissions does not prevent file reads. It only hides the directory contents. So they need to find the file location to read it, which they can obtain from the website index script. Encoding seems good, but it only seems like an annoyance for a good hacker. After all, the Python engine knows how to decrypt it. Man, there must be a way to only allow Python to read the files on a shared host, no? Paul
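
The behaviour found in the last post, reproduced in a scratch directory as an added example (not part of the thread; the temp paths, file name and helper function names are constructed): an execute-only directory mode stops enumeration but not reads of a known path, and the file's own mode bits decide who can read it.

```shell
#!/bin/sh
# Added example: paths and file contents are constructed in a temp directory.

# Build a scratch "public_html" with the mode from the thread (0110) and
# one world-readable file inside it. Prints the sandbox root.
make_sandbox() {
    d=$(mktemp -d) || return 1
    mkdir "$d/public_html"
    printf 'print("hello")\n' > "$d/public_html/index.py"
    chmod 0644 "$d/public_html/index.py"
    chmod 0110 "$d/public_html"   # x only: traverse allowed, listing not
    printf '%s\n' "$d"
}

# "yes" if the directory's entries can be enumerated, else "no".
can_list() { if ls -A "$1" >/dev/null 2>&1; then echo yes; else echo no; fi; }

# "yes" if a file at an already-known path can be read, else "no".
can_read() { if cat "$1" >/dev/null 2>&1; then echo yes; else echo no; fi; }

# Audit: print regular files under $1 that group or other may read.
exposed_files() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) -print
}

main() {
    root=$(make_sandbox) || exit 1
    site="$root/public_html"
    # Root bypasses permission checks, so run this as an ordinary user.
    echo "list directory:  $(can_list "$site")"
    echo "read known path: $(can_read "$site/index.py")"
    chmod 0700 "$site"            # restore owner access so find can descend
    echo "readable by group/other: $(exposed_files "$site")"
    chmod 0600 "$site/index.py"   # owner-only; assumes scripts run as owner
    echo "after chmod 0600:        $(exposed_files "$site")"
    rm -rf "$root"
}
main
```

Whether 0600 is workable depends on the host running your scripts under your own account, as tchen's post describes for suPHP/suexec; files the web server reads directly may need wider modes.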


