1Safe Tcl(n) Tcl Built-In Commands Safe Tcl(n)
2______________________________________________________________________________
6
8 Safe Base - A mechanism for creating and manipulating safe inter‐
9 preters.
10
12 ::safe::interpCreate ?slave? ?options...?
13 ::safe::interpInit slave ?options...?
15 ::safe::interpConfigure slave ?options...?
17 ::safe::interpDelete slave
19 ::safe::interpAddToAccessPath slave directory
21 ::safe::interpFindInAccessPath slave directory
23 ::safe::setLogCmd ?cmd arg...?
25
27 ?-accessPath pathList? ?-statics boolean? ?-noStatics? ?-nested bool‐
28 ean? ?-nestedLoadOk? ?-deleteHook script?
29_________________________________________________________________
30
33 Safe Tcl is a mechanism for executing untrusted Tcl scripts safely and
34 for providing mediated access by such scripts to potentially dangerous
35 functionality.
36 The Safe Base ensures that untrusted Tcl scripts cannot harm the host‐
38 ing application. The Safe Base prevents integrity and privacy attacks.
39 Untrusted Tcl scripts are prevented from corrupting the state of the
40 hosting application or computer. Untrusted scripts are also prevented
41 from disclosing information stored on the hosting computer or in the
42 hosting application to any party.
43 The Safe Base allows a master interpreter to create safe, restricted
45 interpreters that contain a set of predefined aliases for the source,
46 load, file, encoding, and exit commands and are able to use the auto-
47 loading and package mechanisms.
48 No knowledge of the file system structure is leaked to the safe inter‐
50 preter, because it has access only to a virtualized path containing
51 tokens. When the safe interpreter requests to source a file, it uses
52 the token in the virtual path as part of the file name to source; the
53 master interpreter transparently translates the token into a real
54 directory name and executes the requested operation (see the section
55 SECURITY below for details). Different levels of security can be
56 selected by using the optional flags of the commands described below.
57 All commands provided in the master interpreter by the Safe Base reside
59 in the safe namespace:
60
63 The following commands are provided in the master interpreter:
64 ::safe::interpCreate ?slave? ?options...?
66 Creates a safe interpreter, installs the aliases described in
67 the section ALIASES and initializes the auto-loading and package
68 mechanism as specified by the supplied options. See the OPTIONS
69 section below for a description of the optional arguments. If
70 the slave argument is omitted, a name will be generated.
71 ::safe::interpCreate always returns the interpreter name.
72 ::safe::interpInit slave ?options...?
74 This command is similar to interpCreate except it that does not
75 create the safe interpreter. slave must have been created by
76 some other means, like interp create -safe.
77 ::safe::interpConfigure slave ?options...?
79 If no options are given, returns the settings for all options
80 for the named safe interpreter as a list of options and their
81 current values for that slave. If a single additional argument
82 is provided, it will return a list of 2 elements name and value
83 where name is the full name of that option and value the current
84 value for that option and the slave. If more than two addi‐
85 tional arguments are provided, it will reconfigure the safe
86 interpreter and change each and only the provided options. See
87 the section on OPTIONS below for options description. Example
88 of use:
89 # Create a new interp with the same configuration as "$i0" :
90 set i1 [eval safe::interpCreate [safe::interpConfigure $i0]]
91 # Get the current deleteHook
92 set dh [safe::interpConfigure $i0 -del]
93 # Change (only) the statics loading ok attribute of an interp
94 # and its deleteHook (leaving the rest unchanged) :
95 safe::interpConfigure $i0 -delete {foo bar} -statics 0 ;
96 ::safe::interpDelete slave
98 Deletes the safe interpreter and cleans up the corresponding
99 master interpreter data structures. If a deleteHook script was
100 specified for this interpreter it is evaluated before the inter‐
101 preter is deleted, with the name of the interpreter as an addi‐
102 tional argument.
103 ::safe::interpFindInAccessPath slave directory
105 This command finds and returns the token for the real directory
106 directory in the safe interpreter's current virtual access path.
107 It generates an error if the directory is not found. Example of
108 use:
109 $slave eval [list set tk_library [::safe::interpFindInAccessPath $name $tk_library]]
110 ::safe::interpAddToAccessPath slave directory
112 This command adds directory to the virtual path maintained for
113 the safe interpreter in the master, and returns the token that
114 can be used in the safe interpreter to obtain access to files in
115 that directory. If the directory is already in the virtual
116 path, it only returns the token without adding the directory to
117 the virtual path again. Example of use:
118 $slave eval [list set tk_library [::safe::interpAddToAccessPath $name $tk_library]]
119 ::safe::setLogCmd ?cmd arg...?
121 This command installs a script that will be called when inter‐
122 esting life cycle events occur for a safe interpreter. When
123 called with no arguments, it returns the currently installed
124 script. When called with one argument, an empty string, the
125 currently installed script is removed and logging is turned off.
126 The script will be invoked with one additional argument, a
127 string describing the event of interest. The main purpose is to
128 help in debugging safe interpreters. Using this facility you
129 can get complete error messages while the safe interpreter gets
130 only generic error messages. This prevents a safe interpreter
131 from seeing messages about failures and other events that might
132 contain sensitive information such as real directory names.
133 Example of use:
134 ::safe::setLogCmd puts stderr
135 Below is the output of a sample session in which a safe inter‐
136 preter attempted to source a file not found in its virtual
137 access path. Note that the safe interpreter only received an
138 error message saying that the file was not found:
139 NOTICE for slave interp10 : Created
140 NOTICE for slave interp10 : Setting accessPath=(/foo/bar) staticsok=1 nestedok=0 deletehook=()
141 NOTICE for slave interp10 : auto_path in interp10 has been set to {$p(:0:)}
142 ERROR for slave interp10 : /foo/bar/init.tcl: no such file or directory
143
146 The following options are common to ::safe::interpCreate,
147 ::safe::interpInit, and ::safe::interpConfigure. Any option name can
148 be abbreviated to its minimal non-ambiguous name. Option names are not
149 case sensitive.
150 -accessPath directoryList
152 This option sets the list of directories from which the safe
153 interpreter can source and load files. If this option is not
154 specified, or if it is given as the empty list, the safe inter‐
155 preter will use the same directories as its master for auto-
156 loading. See the section SECURITY below for more detail about
157 virtual paths, tokens and access control.
158 -statics boolean
160 This option specifies if the safe interpreter will be allowed to
161 load statically linked packages (like load {} Tk). The default
162 value is true : safe interpreters are allowed to load statically
163 linked packages.
164 -noStatics
166 This option is a convenience shortcut for -statics false and
167 thus specifies that the safe interpreter will not be allowed to
168 load statically linked packages.
169 -nested boolean
171 This option specifies if the safe interpreter will be allowed to
172 load packages into its own sub-interpreters. The default value
173 is false : safe interpreters are not allowed to load packages
174 into their own sub-interpreters.
175 -nestedLoadOk
177 This option is a convenience shortcut for -nested true and thus
178 specifies the safe interpreter will be allowed to load packages
179 into its own sub-interpreters.
180 -deleteHook script
182 When this option is given a non-empty script, it will be evalu‐
183 ated in the master with the name of the safe interpreter as an
184 additional argument just before actually deleting the safe
185 interpreter. Giving an empty value removes any currently
186 installed deletion hook script for that safe interpreter. The
187 default value ({}) is not to have any deletion call back.
188
190 The following aliases are provided in a safe interpreter:
191 source fileName
193 The requested file, a Tcl source file, is sourced into the safe
194 interpreter if it is found. The source alias can only source
195 files from directories in the virtual path for the safe inter‐
196 preter. The source alias requires the safe interpreter to use
197 one of the token names in its virtual path to denote the direc‐
198 tory in which the file to be sourced can be found. See the sec‐
199 tion on SECURITY for more discussion of restrictions on valid
200 filenames.
201 load fileName
203 The requested file, a shared object file, is dynamically loaded
204 into the safe interpreter if it is found. The filename must
205 contain a token name mentioned in the virtual path for the safe
206 interpreter for it to be found successfully. Additionally, the
207 shared object file must contain a safe entry point; see the man‐
208 ual page for the load command for more details.
209 file ?subCmd args...?
211 The file alias provides access to a safe subset of the subcom‐
212 mands of the file command; it allows only dirname, join, exten‐
213 sion, root, tail, pathname and split subcommands. For more
214 details on what these subcommands do see the manual page for the
215 file command.
216 encoding ?subCmd args...?
218 The encoding alias provides access to a safe subset of the sub‐
219 commands of the encoding command; it disallows setting of the
220 system encoding, but allows all other subcommands including sys‐
221 tem to check the current encoding.
222 exit The calling interpreter is deleted and its computation is
224 stopped, but the Tcl process in which this interpreter exists is
225 not terminated.
226
229 The Safe Base does not attempt to completely prevent annoyance and
230 denial of service attacks. These forms of attack prevent the applica‐
231 tion or user from temporarily using the computer to perform useful
232 work, for example by consuming all available CPU time or all available
233 screen real estate. These attacks, while aggravating, are deemed to be
234 of lesser importance in general than integrity and privacy attacks that
235 the Safe Base is to prevent.
236 The commands available in a safe interpreter, in addition to the safe
238 set as defined in interp manual page, are mediated aliases for source,
239 load, exit, and safe subsets of file and encoding. The safe interpreter
240 can also auto-load code and it can request that packages be loaded.
241 Because some of these commands access the local file system, there is a
243 potential for information leakage about its directory structure. To
244 prevent this, commands that take file names as arguments in a safe
245 interpreter use tokens instead of the real directory names. These
246 tokens are translated to the real directory name while a request to,
247 e.g., source a file is mediated by the master interpreter. This vir‐
248 tual path system is maintained in the master interpreter for each safe
249 interpreter created by ::safe::interpCreate or initialized by
250 ::safe::interpInit and the path maps tokens accessible in the safe
251 interpreter into real path names on the local file system thus prevent‐
252 ing safe interpreters from gaining knowledge about the structure of the
253 file system of the host on which the interpreter is executing. The
254 only valid file names arguments for the source and load aliases pro‐
255 vided to the slave are path in the form of [file join token filename]
256 (i.e. when using the native file path formats: token/filename on Unix,
257 token\filename on Windows, and token:filename on the Mac), where token
258 is representing one of the directories of the accessPath list and file‐
259 name is one file in that directory (no sub directories access are
260 allowed).
261 When a token is used in a safe interpreter in a request to source or
263 load a file, the token is checked and translated to a real path name
264 and the file to be sourced or loaded is located on the file system.
265 The safe interpreter never gains knowledge of the actual path name
266 under which the file is stored on the file system.
267 To further prevent potential information leakage from sensitive files
269 that are accidentally included in the set of files that can be sourced
270 by a safe interpreter, the source alias restricts access to files meet‐
271 ing the following constraints: the file name must fourteen characters
272 or shorter, must not contain more than one dot ("."), must end up with
273 the extension .tcl or be called tclIndex.
274 Each element of the initial access path list will be assigned a token
276 that will be set in the slave auto_path and the first element of that
277 list will be set as the tcl_library for that slave.
278 If the access path argument is not given or is the empty list, the
280 default behavior is to let the slave access the same packages as the
281 master has access to (Or to be more precise: only packages written in
282 Tcl (which by definition can't be dangerous as they run in the slave
283 interpreter) and C extensions that provides a Safe_Init entry point).
284 For that purpose, the master's auto_path will be used to construct the
285 slave access path. In order that the slave successfully loads the Tcl
286 library files (which includes the auto-loading mechanism itself) the
287 tcl_library will be added or moved to the first position if necessary,
288 in the slave access path, so the slave tcl_library will be the same as
289 the master's (its real path will still be invisible to the slave
290 though). In order that auto-loading works the same for the slave and
291 the master in this by default case, the first-level sub directories of
292 each directory in the master auto_path will also be added (if not
293 already included) to the slave access path. You can always specify a
294 more restrictive path for which sub directories will never be searched
295 by explicitly specifying your directory list with the -accessPath flag
296 instead of relying on this default mechanism.
297 When the accessPath is changed after the first creation or initializa‐
299 tion (i.e. through interpConfigure -accessPath list), an auto_reset is
300 automatically evaluated in the safe interpreter to synchronize its
301 auto_index with the new token list.
302
305 interp(n), library(n), load(n), package(n), source(n), unknown(n)
306
309 alias, auto-loading, auto_mkindex, load, master interpreter, safe
310 interpreter, slave interpreter, source
311Tcl 8.0 Safe Tcl(n)