I can't help feeling there is something fundamentally inconsistent in your reply here and your response to fullermd. I'll grant that you know your client and your situation and you may be limited in your ability to explain your true requirements but... just food for thought.

You write, in reply to fullermd

The main security risk I can see is the possibility of an attacker copying my program (stealing a hard drive or system unit wouldn't work) and running it on his computer to gain access via a hole in the wall...I only need to delay an attacker a few hours and his attack becomes pointless. Though he can steal the program and run on it on his computer I am hoping he is unlikely to clone my users. I want to authenticate my system users with every pass of my program loop and shred my perlapps if any of various conditions

If security is so very important to your client, about the last thing you should be considering is an end-run around PAM. The more places security is defined, the more places changes to security protocols need to be updated, and the more long term problems. Also the more places you need to secure and protect from access. By adding a second authentication mechanism outside of PAM you are in fact increasing the number of potential attack vectors.

Second, modern versions of PAM support some pretty sophisticated user identification mechanisms, including bio-identification. Presumably, if those scripts are run on a personal computer, they have to log in at some point into the sensitive computer. I'm going to assume you are sophisticated enough to never ever put login information in the clear in your scripts, especially in a high security situation.

Why aren't you making your scripts owned by a user who can only be activated with a bio marker? Then it wouldn't matter what computer your would-be attacker ran the program on: when he tried to access the sensitive computer and reached the bio-security check, he'd be stopped dead in his tracks.

Third, if this is really so very important to your client and you really have no option but to run security checks before each and every operation, your client should be willing to provide a box with sufficient memory and CPU to handle the hit rate and security checks.

Forth, if stealing a disk won't work, how is it that these scripts are being stolen or copied in the first place? How is it that merely running the scripts on a personal computer would give someone access? That doesn't sound right at all. Have you considered front-ending the computer with these valuable scripts with a gateway computer that validates the users? Putting these scripts on a secure computer accessible only via the IP of that gateway computer or by an on-site login with bio-id? Limiting the actions those users can take?

Fifth, if your scripts can be stolen or copied, why wouldn't your user base be stolen or cloned? Seems to me that would be a much more direct way of cracking your system. Why wouldn't a serious attacker read your source code? I certainly wouldn't write off a script as not worth reading even if it contained only one line in it. Would you? I hope not. I'm not following your logic when it comes to likely cracker behavior.

Sixth, if security is essential to your client, should you even be using scripts for such sensitive operations? Might it not be wiser for both performance and security reasons to go with a compiled executable? With any scripting solution there is always a risk that an enterprising hacker can intentionally create and take advantage of time gaps between the launching of the Perl interpreter and the loading of your script to change the effective user id or wreck other havoc. If you must use scripts you might want to take a good hard look at the implementation and security checks done by Apache's mod_suexec.

Seventh, I question your logic that a pure Perl script hacking /etc/shadow would in fact be faster. If PAM is doing nothing more than a password check, my first guess is that it would be faster because you are using pre-parsed code compiled into machine code ops. With a script you have to parse and compile it with each run. Even if you are pre-loading modules and using signals or function calls for each user check, you'd still be running Perl OP codes which have to be translated into machine ops rather than machine ops. If PAM is doing more than a simple password check, then you aren't really doing a complete authentication if you by-pass PAM and as soon as your would be hacker figures that out, they'll find a backdoor through the things you aren't checking.

I don't know your situation, but based on what you've shared so far, it seems to me that you are trying to solve a problem with scripting that needs to be solved in a much more systemic way. I think you need to have a very serious talk with your client.

Thanks. That's a lot to think about.

One immediate answer to part of your post is that physically stealing something - hard drive or system unit - would be immediately noticed. Copying software would be much harder to prevent in this environment.

Yes, chunks of it need rewriting as compiled binaries but the client moved the goalposts and wants it running next week - no time

I have absolutely no objection to using PAM for this but it looked like a lot of overhead so I thought of a quick password hash comparison.

Protecting user login security is almost irrelevant since unauthorised login is not possible without physical attack and is almost meaningless in this context anyway since many varied people will use this system on the premises with no personal login at all. I am not trying to safeguard that type of security. I am not trying to authenticate user logins, I am trying to detect if my system is running off the premises and prevent or delay it's use.

One interesting point you made touches exactly on one of my major concerns - "a risk that an enterprising hacker can intentionally create and take advantage of time gaps between the launching of the Perl interpreter and the loading of your script to change the effective user id or wreck other havoc." In an attempt to counter such an approach my program checks it's effective user id on each pass. My assumption was that to crack a perlapp, this would be a likely route. My hope was that for an attacker to take this route the perlapp would have to be run and so would have a chance to fork and render itself useless.

I am looking for roadblocks and delays in an unusual security context.

And, sorry, I am aware that there are inconsistencies in what I am telling you. A bit like visiting the doctor and lying about your symptoms. However, your critical input is helpful nevertheless.

I feel like I'm shooting in the dark here, but ...

If the particular computer you are running on is an issue, why not check the BIOS serial number and manufacturer id and have your script run only if it is on the correct machine? If buying time is also concern you could generate fake output and even try to silently send an email to supervisors if it running on the wrong machine complete with the CPU info of the interloper so that follow-up actions or even prosecution would be easier. No point in letting the attacker know his/her attack even failed.

Also do you have in place some sort of digital signing? Can you prevent scripts running if their checksum or digital signature changes? If someone can copy your scripts, might they also not be able to edit them to remove any security checks and delaying tactics you try to insert? If that is the case your EUID check solution (or for that matter a CPU check) isn't a solution at all. If you encapsulate your checks in function calls, Perl makes it dirt easy to redefine a function call. If you hard code your checks in several places in your script, you will be dealing with a maintenance problem. Furthermore, assuming your envisioned attacker is more than your average script kiddie, I'd suspect that he or she would be quite adept at using sed, vi, emacs/emacs, perl or any number of tools to do regex based global search and replace.

Please don't.

In my programming life, I've seen at least 2 orders of magnitude more problems caused by people manually mucking about with things that have nice defined API's for fanciful reasons, than problems caused by something being too slow for doing so.

If it's a problem, find out that it's a problem first, then fix it. And in this case, you'll eat the crypto overhead either way, so what do you think you'll save?

Well, maybe the monks could think of a better route to take if I told more of the story. This could then be a long post and there will be discrepancies in what I tell you because I can't tell you everything.

Normally I would agree entirely with the point you just made.

My problem is:-

I have a program that loops once a second and provides command and control for a real world system - like a perl emulation of a plc. The real world system I am controlling has massive security significance for my client. It isn't exposed to wan access but it will never have very good physical security.

The main security risk I can see is the possibility of an attacker copying my program (stealing a hard drive or system unit wouldn't work) and running it on his computer to gain access via a hole in the wall. My program is a perlapp so trivial code inspection is unlikely. The situation is changing constantly and I only need to delay an attacker a few hours and his attack becomes pointless. Though he can steal the program and run on it on his computer I am hoping he is unlikely to clone my users. I want to authenticate my system users with every pass of my program loop and shred my perlapps if any of various conditions (user validation being one indicator that my program is running under an alien environment) are not met, thus causing the needed delay. Only one of my checks needs to fail and my program will commit suicide.
(security of some user passwords is not a consideration - I don't mind hard coding some of them in my perlapp)

The need for speed and low system overhead is due to the fact that my program may have to handle up to 50 requests with each pass and all the validity checks have to be done on every pass (if an attacker successfully runs a single pass then all could be lost). There will only ever be a handful of system users. All this is far from perfect and it isn't security but it's better than nothing.

I can probably thwart the unskilled with this sort of stuff and maybe delay the skilled long enough if I'm lucky. Anyway, physical security isn't really my responsibility - I'm just trying to help them out a bit.