Script Launchers and Python Setup
Setting up secure launchers for scripts like Python and Perl.
Overview: Without Secure Script Launchers, every Python or Perl script would share the interpreter’s permissions — if python3 is allowed to access the network, every Python script can access the network. Secure Script Launchers solve this by giving each script its own allowlist entry, so you control exactly what each script can do. The Dashboard presents this as Phase 3 when script interpreters are detected on the system.
Key Guides
Dive into specific setup and reference areas:
1 - How Script Launchers Work
Explanation of HeartSuite Core Secure’s secure script launchers and their security benefits.
Overview: Without Secure Script Launchers, every script run by an interpreter (Python, Perl, PHP) shares the interpreter’s permissions. If python3 is allowed to access the network, every Python script inherits that access. Secure Script Launchers solve this by giving each script its own allowlist entry.
The Problem
Interpreter programs (Python, PHP, Perl, Bash) execute code from files. When you allowlist python3, you grant permissions to the interpreter — and every script it runs inherits those permissions. A malicious Python script would have the same file and network access as your legitimate scripts.
The Solution
Secure Script Launchers create a wrapper that applies the individual script’s allowlist entry instead of the interpreter’s:
- Each script is treated like a standalone program with its own permissions
- One script can have network access while another cannot
- Interpreters can be blocked entirely, ensuring only allowlisted scripts run
Using Launchers
HeartSuite Core Secure provides Secure Script Launchers for each supported interpreter (e.g., hs-python-launcher). Once activated via the Dashboard’s Launchers screen ([l]), every call to that interpreter automatically routes through the launcher — applying per-script permissions without any change to how you run scripts.
See Configuring Script Launchers for the activation steps.
2 - Configuring Script Launchers
Setting up HeartSuite Core Secure script launchers for secure script execution.
Overview: When the Dashboard detects script interpreters (Python, Perl, PHP) in use without launcher configuration, it presents Phase 3 as the Suggested Next Step. The Launchers screen ([l]) shows detected interpreters and activates launchers in one step.
Dashboard-Guided Setup
From the Dashboard, select the Launchers screen ([l]). The screen shows two panels:
- Script Launcher Status — how many interpreters were detected and how many launchers are pending activation
- Detected Interpreters — the list of interpreter paths found in the activity log, with their current launcher status
When launchers are pending, the status panel shows:
2 interpreter(s) found across 47 log event(s).
2 launcher(s) available but not yet activated.
[a] Activate [s] Skip
Press [a] to activate all pending launchers at once. HeartSuite Core Secure registers each interpreter with its Secure Script Launcher — from this point forward, every call to that interpreter automatically routes through the launcher, applying per-script permissions.
After activation, the result panel confirms which launchers were activated:
Activated 2 Secure Script Launcher(s): python3, perl.
Each interpreter now routes through its launcher. Scripts using
these interpreters will be reviewed on their own permission terms.
Press [q] to return to the Dashboard. Phase 3 is marked complete automatically.
If No Script Events Are Detected
If none of the known interpreters have appeared in the activity log yet, the screen shows:
No script interpreter log events detected.
You may proceed to the next phase without activating any launchers.
Phase 3 is not required if your system does not use script interpreters. The Dashboard updates the Suggested Next Step to proceed to Phase 4.
Skipping Launcher Setup
Press [s] to skip without activating. HeartSuite Core Secure notifies you:
Script launcher activation skipped.
Interpreters will remain blocked in Secure Mode until approved.
You can return to the Launchers screen ([l]) at any time to activate launchers before switching to Secure Mode.
Advanced: Testing a Launcher Directly
Before or after Dashboard activation, you can run a script through a specific launcher directly to verify it works under its own permissions:
# hs-python-launcher /path/to/your-script.py
This applies the script’s allowlist entry rather than the interpreter’s. Running the same script with python3 directly uses the interpreter’s broader permissions. This is useful for verifying per-script permissions in isolation before relying on them in Secure Mode.
3 - Included Script Launchers
List of available secure script launchers in HeartSuite Core Secure.
Overview: HeartSuite Core Secure ships with Secure Script Launchers for common interpreters. The Dashboard presents these during Phase 3 (if applicable) when the corresponding interpreters are detected on the system.
Available Launchers
- Python 3 (hs-python-launcher)
- Python 2 (hs-python2-launcher)
- Perl (hs-perl-launcher)
- PHP (hs-php-launcher)
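To see which scripts on a system would need their own allowlist entry under each launcher above, the following added example (not part of HeartSuite Core Secure) walks a directory and groups files by the interpreter named in their shebang line. The launcher names are the ones listed on this page; matching versioned names such as python3.11 to the Python 3 launcher, and leaving a bare python unmapped because it is ambiguous, are assumptions of the example.

```python
import os
import re
import sys

# Launcher names as listed on this page; the name matching is an assumption.
LAUNCHERS = {
    "python3": "hs-python-launcher",
    "python2": "hs-python2-launcher",
    "perl": "hs-perl-launcher",
    "php": "hs-php-launcher",
}
FAMILY = re.compile(r"^(python3|python2|perl|php)[\d.]*$")

def shebang_interpreter(first_line):
    """Return the interpreter basename named by a shebang line, or None."""
    if not first_line.startswith("#!"):
        return None
    parts = first_line[2:].split()
    # "#!/usr/bin/env -S python3 -u": skip env, its options and VAR=value words.
    if parts and os.path.basename(parts[0]) == "env":
        parts = [p for p in parts[1:] if not p.startswith("-") and "=" not in p]
    return os.path.basename(parts[0]) if parts else None

def launcher_for(interpreter):
    """Return the launcher for an interpreter name, or None if unmapped."""
    match = FAMILY.match(interpreter or "")
    return LAUNCHERS[match.group(1)] if match else None

def inventory(root):
    """Map launcher name -> sorted script paths found under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, FIFOs, sockets and devices
            try:
                with open(path, "rb") as fh:
                    first = fh.readline(256).decode("utf-8", "replace")
            except OSError:
                continue  # unreadable file: nothing to classify
            launcher = launcher_for(shebang_interpreter(first))
            if launcher:
                found.setdefault(launcher, []).append(path)
    return {name: sorted(paths) for name, paths in found.items()}

if __name__ == "__main__":
    for launcher, paths in inventory(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(launcher, *paths, sep="\n    ")
```

Scripts that carry no shebang and are only ever started as `python3 script.py` are not found this way and have to be added to the inventory by hand.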
For questions about launcher support for other interpreters, contact us at support@heartsecsuite.com — we’re happy to help.