Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
Safe Tcl(n)		     Tcl Built-In Commands		   Safe	Tcl(n)

______________________________________________________________________________

NAME
       Safe Base - A mechanism for creating and	manipulating safe interpreters

SYNOPSIS
       ::safe::interpCreate ?slave? ?options...?

       ::safe::interpInit slave	?options...?

       ::safe::interpConfigure slave ?options...?

       ::safe::interpDelete slave

       ::safe::interpAddToAccessPath slave directory

       ::safe::interpFindInAccessPath slave directory

       ::safe::setLogCmd ?cmd arg...?

   OPTIONS
       ?-accessPath pathList?  ?-statics boolean? ?-noStatics?	?-nested bool-
       ean? ?-nestedLoadOk?  ?-deleteHook script?
______________________________________________________________________________

DESCRIPTION
       Safe Tcl	is a mechanism for executing untrusted Tcl scripts safely  and
       for  providing mediated access by such scripts to potentially dangerous
       functionality.

       The Safe	Base ensures that untrusted Tcl	scripts	cannot harm the	 host-
       ing application.	 The Safe Base prevents	integrity and privacy attacks.
       Untrusted Tcl scripts are prevented from	corrupting the	state  of  the
       hosting	application  or	computer. Untrusted scripts are	also prevented
       from disclosing information stored on the hosting computer  or  in  the
       hosting application to any party.

       The  Safe  Base	allows a master	interpreter to create safe, restricted
       interpreters that contain a set of predefined aliases for  the  source,
       load,  file,  encoding, and exit	commands and are able to use the auto-
       loading and package mechanisms.

       No knowledge of the file	system structure is leaked to the safe	inter-
       preter, because it has access only to a virtualized path	containing to-
       kens. When the safe interpreter requests	to source a file, it uses  the
       token  in the virtual path as part of the file name to source; the mas-
       ter interpreter transparently translates	the token into a  real	direc-
       tory  name  and executes	the requested operation	(see the section SECU-
       RITY below for details).	 Different levels of security can be  selected
       by using	the optional flags of the commands described below.

       All commands provided in	the master interpreter by the Safe Base	reside
       in the safe namespace.

COMMANDS
       The following commands are provided in the master interpreter:

       ::safe::interpCreate ?slave? ?options...?
	      Creates a	safe interpreter, installs the	aliases	 described  in
	      the section ALIASES and initializes the auto-loading and package
	      mechanism	as specified by	the supplied options.  See the OPTIONS
	      section  below  for a description	of the optional	arguments.  If
	      the slave	 argument  is  omitted,	 a  name  will	be  generated.
	      ::safe::interpCreate always returns the interpreter name.

       ::safe::interpInit slave	?options...?
	      This  command is similar to interpCreate except it that does not
	      create the safe interpreter. slave must  have  been  created  by
	      some other means,	like interp create -safe.

       ::safe::interpConfigure slave ?options...?
	      If  no  options  are given, returns the settings for all options
	      for the named safe interpreter as	a list of  options  and	 their
	      current  values for that slave.  If a single additional argument
	      is provided, it will return a list of 2 elements name and	 value
	      where name is the	full name of that option and value the current
	      value for	that option and	the slave.  If	more  than  two	 addi-
	      tional  arguments	are provided, it will reconfigure the safe in-
	      terpreter	and change each	and only the  provided	options.   See
	      the  section  on OPTIONS below for options description.  Example
	      of use:

		     # Create new interp with the same configuration as	"$i0":
		     set i1 [safe::interpCreate	{*}[safe::interpConfigure $i0]]

		     # Get the current deleteHook
		     set dh [safe::interpConfigure $i0	-del]

		     # Change (only) the statics loading ok attribute of an
		     # interp and its deleteHook (leaving the rest unchanged):
		     safe::interpConfigure $i0	-delete	{foo bar} -statics 0

       ::safe::interpDelete slave
	      Deletes the safe interpreter and	cleans	up  the	 corresponding
	      master  interpreter data structures.  If a deleteHook script was
	      specified	for this interpreter it	is evaluated before the	inter-
	      preter  is deleted, with the name	of the interpreter as an addi-
	      tional argument.

       ::safe::interpFindInAccessPath slave directory
	      This command finds and returns the token for the real  directory
	      directory	in the safe interpreter's current virtual access path.
	      It generates an error if the directory is	not found.  Example of
	      use:

		     $slave eval [list set tk_library \
			   [::safe::interpFindInAccessPath $name $tk_library]]

       ::safe::interpAddToAccessPath slave directory
	      This  command  adds directory to the virtual path	maintained for
	      the safe interpreter in the master, and returns the  token  that
	      can be used in the safe interpreter to obtain access to files in
	      that directory.  If the directory	 is  already  in  the  virtual
	      path,  it	only returns the token without adding the directory to
	      the virtual path again.  Example of use:

		     $slave eval [list set tk_library \
			   [::safe::interpAddToAccessPath $name	$tk_library]]

       ::safe::setLogCmd ?cmd arg...?
	      This command installs a script that will be called  when	inter-
	      esting  life  cycle  events  occur for a safe interpreter.  When
	      called with no arguments,	it  returns  the  currently  installed
	      script.	When  called  with  one	argument, an empty string, the
	      currently	installed script is removed and	logging	is turned off.
	      The  script  will	 be  invoked  with  one	additional argument, a
	      string describing	the event of interest.	The main purpose is to
	      help  in	debugging  safe	interpreters.  Using this facility you
	      can get complete error messages while the	safe interpreter  gets
	      only  generic  error messages.  This prevents a safe interpreter
	      from seeing messages about failures and other events that	 might
	      contain sensitive	information such as real directory names.

	      Example of use:

		     ::safe::setLogCmd puts stderr

	      Below  is	 the output of a sample	session	in which a safe	inter-
	      preter attempted to source a file	not found in its  virtual  ac-
	      cess  path.  Note	that the safe interpreter only received	an er-
	      ror message saying that the file was not found:

		     NOTICE for	slave interp10 : Created
		     NOTICE for	slave interp10 : Setting accessPath=(/foo/bar) staticsok=1 nestedok=0 deletehook=()
		     NOTICE for	slave interp10 : auto_path in interp10 has been	set to {$p(:0:)}
		     ERROR for slave interp10 :	/foo/bar/init.tcl: no such file	or directory

   OPTIONS
       The following options are common	to  ::safe::interpCreate,  ::safe::in-
       terpInit, and ::safe::interpConfigure.  Any option name can be abbrevi-
       ated to its minimal non-ambiguous name.	Option names are not case sen-
       sitive.

       -accessPath directoryList
	      This option sets the list	of directories from which the safe in-
	      terpreter	can source and load files.   If	 this  option  is  not
	      specified,  or if	it is given as the empty list, the safe	inter-
	      preter will use the same directories as  its  master  for	 auto-
	      loading.	 See  the section SECURITY below for more detail about
	      virtual paths, tokens and	access control.

       -statics	boolean
	      This option specifies if the safe	interpreter will be allowed to
	      load  statically linked packages (like load {} Tk).  The default
	      value is true : safe interpreters	are allowed to load statically
	      linked packages.

       -noStatics
	      This  option  is	a  convenience shortcut	for -statics false and
	      thus specifies that the safe interpreter will not	be allowed  to
	      load statically linked packages.

       -nested boolean
	      This option specifies if the safe	interpreter will be allowed to
	      load packages into its own sub-interpreters.  The	default	 value
	      is  false	 :  safe interpreters are not allowed to load packages
	      into their own sub-interpreters.

       -nestedLoadOk
	      This option is a convenience shortcut for	-nested	true and  thus
	      specifies	 the safe interpreter will be allowed to load packages
	      into its own sub-interpreters.

       -deleteHook script
	      When this	option is given	a non-empty script, it will be	evalu-
	      ated  in	the master with	the name of the	safe interpreter as an
	      additional argument just before actually deleting	the  safe  in-
	      terpreter.   Giving  an  empty  value  removes any currently in-
	      stalled deletion hook script for that safe interpreter.  The de-
	      fault value ({}) is not to have any deletion call	back.

ALIASES
       The following aliases are provided in a safe interpreter:

       source fileName
	      The  requested file, a Tcl source	file, is sourced into the safe
	      interpreter if it	is found.  The source alias  can  only	source
	      files  from  directories in the virtual path for the safe	inter-
	      preter. The source alias requires	the safe  interpreter  to  use
	      one  of the token	names in its virtual path to denote the	direc-
	      tory in which the	file to	be sourced can be found.  See the sec-
	      tion  on	SECURITY  for more discussion of restrictions on valid
	      filenames.

       load fileName
	      The requested file, a shared object file,	is dynamically	loaded
	      into  the	 safe  interpreter  if it is found.  The filename must
	      contain a	token name mentioned in	the virtual path for the  safe
	      interpreter  for it to be	found successfully.  Additionally, the
	      shared object file must contain a	safe entry point; see the man-
	      ual page for the load command for	more details.

       file ?subCmd args...?
	      The  file	 alias provides	access to a safe subset	of the subcom-
	      mands of the file	command; it allows only	dirname, join,	exten-
	      sion,  root,  tail, pathname and split subcommands. For more de-
	      tails on what these subcommands do see the manual	page  for  the
	      file command.

       encoding	?subCmd	args...?
	      The  encoding alias provides access to a safe subset of the sub-
	      commands of the encoding command;	 it disallows setting  of  the
	      system encoding, but allows all other subcommands	including sys-
	      tem to check the current encoding.

       exit   The calling  interpreter	is  deleted  and  its  computation  is
	      stopped, but the Tcl process in which this interpreter exists is
	      not terminated.

SECURITY
       The Safe	Base does not attempt to completely prevent annoyance and  de-
       nial  of	service	attacks. These forms of	attack prevent the application
       or user from temporarily	using the computer to perform useful work, for
       example	by  consuming  all  available CPU time or all available	screen
       real estate.  These attacks, while aggravating, are  deemed  to	be  of
       lesser  importance  in  general than integrity and privacy attacks that
       the Safe	Base is	to prevent.

       The commands available in a safe	interpreter, in	addition to  the  safe
       set  as defined in interp manual	page, are mediated aliases for source,
       load, exit, and safe subsets of file and	encoding. The safe interpreter
       can also	auto-load code and it can request that packages	be loaded.

       Because some of these commands access the local file system, there is a
       potential for information leakage about its  directory  structure.   To
       prevent	this, commands that take file names as arguments in a safe in-
       terpreter use tokens instead of the real	directory names.  These	tokens
       are  translated	to  the	 real directory	name while a request to, e.g.,
       source a	file is	mediated by the	master interpreter.  This virtual path
       system  is  maintained  in  the master interpreter for each safe	inter-
       preter created by ::safe::interpCreate or initialized by	::safe::inter-
       pInit  and the path maps	tokens accessible in the safe interpreter into
       real path names on the local file system	thus  preventing  safe	inter-
       preters	from  gaining knowledge	about the structure of the file	system
       of the host on which the	interpreter is executing.  The only valid file
       names  arguments	 for the source	and load aliases provided to the slave
       are path	in the form of [file join token	filename] (i.e.	when using the
       native  file path formats: token/filename on Unix and token\filename on
       Windows), where token is	representing one of the	directories of the ac-
       cessPath	list and filename is one file in that directory	(no sub	direc-
       tories access are allowed).

       When a token is used in a safe interpreter in a request	to  source  or
       load  a	file,  the token is checked and	translated to a	real path name
       and the file to be sourced or loaded is located	on  the	 file  system.
       The  safe interpreter never gains knowledge of the actual path name un-
       der which the file is stored on the file	system.

       To further prevent potential information	leakage	from  sensitive	 files
       that  are accidentally included in the set of files that	can be sourced
       by a safe interpreter, the source alias restricts access	to files meet-
       ing  the	 following constraints:	the file name must fourteen characters
       or shorter, must	not contain more than one dot ("."), must end up  with
       the extension (".tcl") or be called ("tclIndex".)

       Each  element  of the initial access path list will be assigned a token
       that will be set	in the slave auto_path and the first element  of  that
       list will be set	as the tcl_library for that slave.

       If  the access path argument is not given or is the empty list, the de-
       fault behavior is to let	the slave access the same packages as the mas-
       ter  has	access to (Or to be more precise: only packages	written	in Tcl
       (which by definition cannot be dangerous	as they	run in the  slave  in-
       terpreter) and C	extensions that	provides a _SafeInit entry point). For
       that purpose, the master's auto_path will  be  used  to	construct  the
       slave  access path.  In order that the slave successfully loads the Tcl
       library files (which includes the auto-loading  mechanism  itself)  the
       tcl_library  will be added or moved to the first	position if necessary,
       in the slave access path, so the	slave tcl_library will be the same  as
       the  master's  (its  real  path	will  still  be	invisible to the slave
       though).	 In order that auto-loading works the same for the  slave  and
       the  master in this by default case, the	first-level sub	directories of
       each directory in the master auto_path will also	be added (if  not  al-
       ready  included)	 to  the  slave	access path.  You can always specify a
       more restrictive	path for which sub directories will never be  searched
       by  explicitly specifying your directory	list with the -accessPath flag
       instead of relying on this default mechanism.

       When the	accessPath is changed after the	first creation or  initializa-
       tion  (i.e. through interpConfigure -accessPath list), an auto_reset is
       automatically evaluated in the  safe  interpreter  to  synchronize  its
       auto_index with the new token list.

SEE ALSO
       interp(n), library(n), load(n), package(n), source(n), unknown(n)

KEYWORDS
       alias,  auto-loading,  auto_mkindex, load, master interpreter, safe in-
       terpreter, slave	interpreter, source

Tcl				      8.0			   Safe	Tcl(n)

NAME | SYNOPSIS | DESCRIPTION | COMMANDS | ALIASES | SECURITY | SEE ALSO | KEYWORDS

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=SafeBase.tcl85&manpath=FreeBSD+13.0-RELEASE+and+Ports>

home | help