1Safe Tcl(n) Tcl Built-In Commands Safe Tcl(n)
2
3
4
5______________________________________________________________________________
6
8 Safe Base - A mechanism for creating and manipulating safe interpreters
9
11 ::safe::interpCreate ?slave? ?options...?
12
13 ::safe::interpInit slave ?options...?
14
15 ::safe::interpConfigure slave ?options...?
16
17 ::safe::interpDelete slave
18
19 ::safe::interpAddToAccessPath slave directory
20
21 ::safe::interpFindInAccessPath slave directory
22
23 ::safe::setLogCmd ?cmd arg...?
24
25 OPTIONS
26 ?-accessPath pathList? ?-statics boolean? ?-noStatics? ?-nested bool‐
27 ean? ?-nestedLoadOk? ?-deleteHook script?
28_________________________________________________________________
29
31 Safe Tcl is a mechanism for executing untrusted Tcl scripts safely and
32 for providing mediated access by such scripts to potentially dangerous
33 functionality.
34
35 The Safe Base ensures that untrusted Tcl scripts cannot harm the host‐
36 ing application. The Safe Base prevents integrity and privacy attacks.
37 Untrusted Tcl scripts are prevented from corrupting the state of the
38 hosting application or computer. Untrusted scripts are also prevented
39 from disclosing information stored on the hosting computer or in the
40 hosting application to any party.
41
42 The Safe Base allows a master interpreter to create safe, restricted
43 interpreters that contain a set of predefined aliases for the source,
44 load, file, encoding, and exit commands and are able to use the auto-
45 loading and package mechanisms.
46
47 No knowledge of the file system structure is leaked to the safe inter‐
48 preter, because it has access only to a virtualized path containing
49 tokens. When the safe interpreter requests to source a file, it uses
50 the token in the virtual path as part of the file name to source; the
51 master interpreter transparently translates the token into a real
52 directory name and executes the requested operation (see the section
53 SECURITY below for details). Different levels of security can be
54 selected by using the optional flags of the commands described below.
55
56 All commands provided in the master interpreter by the Safe Base reside
57 in the safe namespace.
58
60 The following commands are provided in the master interpreter:
61
62 ::safe::interpCreate ?slave? ?options...?
63 Creates a safe interpreter, installs the aliases described in
64 the section ALIASES and initializes the auto-loading and package
65 mechanism as specified by the supplied options. See the OPTIONS
66 section below for a description of the optional arguments. If
67 the slave argument is omitted, a name will be generated.
68 ::safe::interpCreate always returns the interpreter name.
69
70 ::safe::interpInit slave ?options...?
71 This command is similar to interpCreate except it that does not
72 create the safe interpreter. slave must have been created by
73 some other means, like interp create -safe.
74
75 ::safe::interpConfigure slave ?options...?
76 If no options are given, returns the settings for all options
77 for the named safe interpreter as a list of options and their
78 current values for that slave. If a single additional argument
79 is provided, it will return a list of 2 elements name and value
80 where name is the full name of that option and value the current
81 value for that option and the slave. If more than two addi‐
82 tional arguments are provided, it will reconfigure the safe
83 interpreter and change each and only the provided options. See
84 the section on OPTIONS below for options description. Example
85 of use:
86
87 # Create new interp with the same configuration as "$i0":
88 set i1 [safe::interpCreate {*}[safe::interpConfigure $i0]]
89
90 # Get the current deleteHook
91 set dh [safe::interpConfigure $i0 -del]
92
93 # Change (only) the statics loading ok attribute of an
94 # interp and its deleteHook (leaving the rest unchanged):
95 safe::interpConfigure $i0 -delete {foo bar} -statics 0
96
97 ::safe::interpDelete slave
98 Deletes the safe interpreter and cleans up the corresponding
99 master interpreter data structures. If a deleteHook script was
100 specified for this interpreter it is evaluated before the inter‐
101 preter is deleted, with the name of the interpreter as an addi‐
102 tional argument.
103
104 ::safe::interpFindInAccessPath slave directory
105 This command finds and returns the token for the real directory
106 directory in the safe interpreter's current virtual access path.
107 It generates an error if the directory is not found. Example of
108 use:
109
110 $slave eval [list set tk_library \
111 [::safe::interpFindInAccessPath $name $tk_library]]
112
113 ::safe::interpAddToAccessPath slave directory
114 This command adds directory to the virtual path maintained for
115 the safe interpreter in the master, and returns the token that
116 can be used in the safe interpreter to obtain access to files in
117 that directory. If the directory is already in the virtual
118 path, it only returns the token without adding the directory to
119 the virtual path again. Example of use:
120
121 $slave eval [list set tk_library \
122 [::safe::interpAddToAccessPath $name $tk_library]]
123
124 ::safe::setLogCmd ?cmd arg...?
125 This command installs a script that will be called when inter‐
126 esting life cycle events occur for a safe interpreter. When
127 called with no arguments, it returns the currently installed
128 script. When called with one argument, an empty string, the
129 currently installed script is removed and logging is turned off.
130 The script will be invoked with one additional argument, a
131 string describing the event of interest. The main purpose is to
132 help in debugging safe interpreters. Using this facility you
133 can get complete error messages while the safe interpreter gets
134 only generic error messages. This prevents a safe interpreter
135 from seeing messages about failures and other events that might
136 contain sensitive information such as real directory names.
137
138 Example of use:
139
140 ::safe::setLogCmd puts stderr
141
142 Below is the output of a sample session in which a safe inter‐
143 preter attempted to source a file not found in its virtual
144 access path. Note that the safe interpreter only received an
145 error message saying that the file was not found:
146
147 NOTICE for slave interp10 : Created
148 NOTICE for slave interp10 : Setting accessPath=(/foo/bar) staticsok=1 nestedok=0 deletehook=()
149 NOTICE for slave interp10 : auto_path in interp10 has been set to {$p(:0:)}
150 ERROR for slave interp10 : /foo/bar/init.tcl: no such file or directory
151
152 OPTIONS
153 The following options are common to ::safe::interpCreate,
154 ::safe::interpInit, and ::safe::interpConfigure. Any option name can
155 be abbreviated to its minimal non-ambiguous name. Option names are not
156 case sensitive.
157
158 -accessPath directoryList
159 This option sets the list of directories from which the safe
160 interpreter can source and load files. If this option is not
161 specified, or if it is given as the empty list, the safe inter‐
162 preter will use the same directories as its master for auto-
163 loading. See the section SECURITY below for more detail about
164 virtual paths, tokens and access control.
165
166 -statics boolean
167 This option specifies if the safe interpreter will be allowed to
168 load statically linked packages (like load {} Tk). The default
169 value is true : safe interpreters are allowed to load statically
170 linked packages.
171
172 -noStatics
173 This option is a convenience shortcut for -statics false and
174 thus specifies that the safe interpreter will not be allowed to
175 load statically linked packages.
176
177 -nested boolean
178 This option specifies if the safe interpreter will be allowed to
179 load packages into its own sub-interpreters. The default value
180 is false : safe interpreters are not allowed to load packages
181 into their own sub-interpreters.
182
183 -nestedLoadOk
184 This option is a convenience shortcut for -nested true and thus
185 specifies the safe interpreter will be allowed to load packages
186 into its own sub-interpreters.
187
188 -deleteHook script
189 When this option is given a non-empty script, it will be evalu‐
190 ated in the master with the name of the safe interpreter as an
191 additional argument just before actually deleting the safe
192 interpreter. Giving an empty value removes any currently
193 installed deletion hook script for that safe interpreter. The
194 default value ({}) is not to have any deletion call back.
195
197 The following aliases are provided in a safe interpreter:
198
199 source fileName
200 The requested file, a Tcl source file, is sourced into the safe
201 interpreter if it is found. The source alias can only source
202 files from directories in the virtual path for the safe inter‐
203 preter. The source alias requires the safe interpreter to use
204 one of the token names in its virtual path to denote the direc‐
205 tory in which the file to be sourced can be found. See the sec‐
206 tion on SECURITY for more discussion of restrictions on valid
207 filenames.
208
209 load fileName
210 The requested file, a shared object file, is dynamically loaded
211 into the safe interpreter if it is found. The filename must
212 contain a token name mentioned in the virtual path for the safe
213 interpreter for it to be found successfully. Additionally, the
214 shared object file must contain a safe entry point; see the man‐
215 ual page for the load command for more details.
216
217 file ?subCmd args...?
218 The file alias provides access to a safe subset of the subcom‐
219 mands of the file command; it allows only dirname, join, exten‐
220 sion, root, tail, pathname and split subcommands. For more
221 details on what these subcommands do see the manual page for the
222 file command.
223
224 encoding ?subCmd args...?
225 The encoding alias provides access to a safe subset of the sub‐
226 commands of the encoding command; it disallows setting of the
227 system encoding, but allows all other subcommands including sys‐
228 tem to check the current encoding.
229
230 exit The calling interpreter is deleted and its computation is
231 stopped, but the Tcl process in which this interpreter exists is
232 not terminated.
233
235 The Safe Base does not attempt to completely prevent annoyance and
236 denial of service attacks. These forms of attack prevent the applica‐
237 tion or user from temporarily using the computer to perform useful
238 work, for example by consuming all available CPU time or all available
239 screen real estate. These attacks, while aggravating, are deemed to be
240 of lesser importance in general than integrity and privacy attacks that
241 the Safe Base is to prevent.
242
243 The commands available in a safe interpreter, in addition to the safe
244 set as defined in interp manual page, are mediated aliases for source,
245 load, exit, and safe subsets of file and encoding. The safe interpreter
246 can also auto-load code and it can request that packages be loaded.
247
248 Because some of these commands access the local file system, there is a
249 potential for information leakage about its directory structure. To
250 prevent this, commands that take file names as arguments in a safe
251 interpreter use tokens instead of the real directory names. These
252 tokens are translated to the real directory name while a request to,
253 e.g., source a file is mediated by the master interpreter. This vir‐
254 tual path system is maintained in the master interpreter for each safe
255 interpreter created by ::safe::interpCreate or initialized by
256 ::safe::interpInit and the path maps tokens accessible in the safe
257 interpreter into real path names on the local file system thus prevent‐
258 ing safe interpreters from gaining knowledge about the structure of the
259 file system of the host on which the interpreter is executing. The
260 only valid file names arguments for the source and load aliases pro‐
261 vided to the slave are path in the form of [file join token filename]
262 (i.e. when using the native file path formats: token/filename on Unix
263 and token\filename on Windows), where token is representing one of the
264 directories of the accessPath list and filename is one file in that
265 directory (no sub directories access are allowed).
266
267 When a token is used in a safe interpreter in a request to source or
268 load a file, the token is checked and translated to a real path name
269 and the file to be sourced or loaded is located on the file system.
270 The safe interpreter never gains knowledge of the actual path name
271 under which the file is stored on the file system.
272
273 To further prevent potential information leakage from sensitive files
274 that are accidentally included in the set of files that can be sourced
275 by a safe interpreter, the source alias restricts access to files meet‐
276 ing the following constraints: the file name must fourteen characters
277 or shorter, must not contain more than one dot (“.”), must end up with
278 the extension (“.tcl”) or be called (“tclIndex”.)
279
280 Each element of the initial access path list will be assigned a token
281 that will be set in the slave auto_path and the first element of that
282 list will be set as the tcl_library for that slave.
283
284 If the access path argument is not given or is the empty list, the
285 default behavior is to let the slave access the same packages as the
286 master has access to (Or to be more precise: only packages written in
287 Tcl (which by definition cannot be dangerous as they run in the slave
288 interpreter) and C extensions that provides a _SafeInit entry point).
289 For that purpose, the master's auto_path will be used to construct the
290 slave access path. In order that the slave successfully loads the Tcl
291 library files (which includes the auto-loading mechanism itself) the
292 tcl_library will be added or moved to the first position if necessary,
293 in the slave access path, so the slave tcl_library will be the same as
294 the master's (its real path will still be invisible to the slave
295 though). In order that auto-loading works the same for the slave and
296 the master in this by default case, the first-level sub directories of
297 each directory in the master auto_path will also be added (if not
298 already included) to the slave access path. You can always specify a
299 more restrictive path for which sub directories will never be searched
300 by explicitly specifying your directory list with the -accessPath flag
301 instead of relying on this default mechanism.
302
303 When the accessPath is changed after the first creation or initializa‐
304 tion (i.e. through interpConfigure -accessPath list), an auto_reset is
305 automatically evaluated in the safe interpreter to synchronize its
306 auto_index with the new token list.
307
309 interp(n), library(n), load(n), package(n), source(n), unknown(n)
310
312 alias, auto-loading, auto_mkindex, load, master interpreter, safe
313 interpreter, slave interpreter, source
314
315
316
317Tcl 8.0 Safe Tcl(n)