| 1 | '\" |
| 2 | '\" Copyright (c) 1995-1996 Sun Microsystems, Inc. |
| 3 | '\" |
| 4 | '\" See the file "license.terms" for information on usage and redistribution |
| 5 | '\" of this file, and for a DISCLAIMER OF ALL WARRANTIES. |
| 6 | '\" |
| 7 | '\" RCS: @(#) $Id: safe.n,v 1.4.2.1 2004/10/27 14:23:58 dkf Exp $ |
| 8 | '\" |
| 9 | '\" The definitions below are for supplemental macros used in Tcl/Tk |
| 10 | '\" manual entries. |
| 11 | '\" |
| 12 | '\" .AP type name in/out ?indent? |
| 13 | '\" Start paragraph describing an argument to a library procedure. |
| 14 | '\" type is type of argument (int, etc.), in/out is either "in", "out", |
| 15 | '\" or "in/out" to describe whether procedure reads or modifies arg, |
| 16 | '\" and indent is equivalent to second arg of .IP (shouldn't ever be |
| 17 | '\" needed; use .AS below instead) |
| 18 | '\" |
| 19 | '\" .AS ?type? ?name? |
| 20 | '\" Give maximum sizes of arguments for setting tab stops. Type and |
| 21 | '\" name are examples of largest possible arguments that will be passed |
| 22 | '\" to .AP later. If args are omitted, default tab stops are used. |
| 23 | '\" |
| 24 | '\" .BS |
| 25 | '\" Start box enclosure. From here until next .BE, everything will be |
| 26 | '\" enclosed in one large box. |
| 27 | '\" |
| 28 | '\" .BE |
| 29 | '\" End of box enclosure. |
| 30 | '\" |
| 31 | '\" .CS |
| 32 | '\" Begin code excerpt. |
| 33 | '\" |
| 34 | '\" .CE |
| 35 | '\" End code excerpt. |
| 36 | '\" |
| 37 | '\" .VS ?version? ?br? |
| 38 | '\" Begin vertical sidebar, for use in marking newly-changed parts |
| 39 | '\" of man pages. The first argument is ignored and used for recording |
| 40 | '\" the version when the .VS was added, so that the sidebars can be |
| 41 | '\" found and removed when they reach a certain age. If another argument |
| 42 | '\" is present, then a line break is forced before starting the sidebar. |
| 43 | '\" |
| 44 | '\" .VE |
| 45 | '\" End of vertical sidebar. |
| 46 | '\" |
| 47 | '\" .DS |
| 48 | '\" Begin an indented unfilled display. |
| 49 | '\" |
| 50 | '\" .DE |
| 51 | '\" End of indented unfilled display. |
| 52 | '\" |
| 53 | '\" .SO |
| 54 | '\" Start of list of standard options for a Tk widget. The |
| 55 | '\" options follow on successive lines, in four columns separated |
| 56 | '\" by tabs. |
| 57 | '\" |
| 58 | '\" .SE |
| 59 | '\" End of list of standard options for a Tk widget. |
| 60 | '\" |
| 61 | '\" .OP cmdName dbName dbClass |
| 62 | '\" Start of description of a specific option. cmdName gives the |
| 63 | '\" option's name as specified in the class command, dbName gives |
| 64 | '\" the option's name in the option database, and dbClass gives |
| 65 | '\" the option's class in the option database. |
| 66 | '\" |
| 67 | '\" .UL arg1 arg2 |
| 68 | '\" Print arg1 underlined, then print arg2 normally. |
| 69 | '\" |
| 70 | '\" RCS: @(#) $Id: man.macros,v 1.4 2000/08/25 06:18:32 ericm Exp $ |
| 71 | '\" |
| 72 | '\" # Set up traps and other miscellaneous stuff for Tcl/Tk man pages. |
| 73 | .if t .wh -1.3i ^B |
| 74 | .nr ^l \n(.l |
| 75 | .ad b |
| 76 | '\" # Start an argument description |
| 77 | .de AP |
| 78 | .ie !"\\$4"" .TP \\$4 |
| 79 | .el \{\ |
| 80 | . ie !"\\$2"" .TP \\n()Cu |
| 81 | . el .TP 15 |
| 82 | .\} |
| 83 | .ta \\n()Au \\n()Bu |
| 84 | .ie !"\\$3"" \{\ |
| 85 | \&\\$1 \\fI\\$2\\fP (\\$3) |
| 86 | .\".b |
| 87 | .\} |
| 88 | .el \{\ |
| 89 | .br |
| 90 | .ie !"\\$2"" \{\ |
| 91 | \&\\$1 \\fI\\$2\\fP |
| 92 | .\} |
| 93 | .el \{\ |
| 94 | \&\\fI\\$1\\fP |
| 95 | .\} |
| 96 | .\} |
| 97 | .. |
| 98 | '\" # define tabbing values for .AP |
| 99 | .de AS |
| 100 | .nr )A 10n |
| 101 | .if !"\\$1"" .nr )A \\w'\\$1'u+3n |
| 102 | .nr )B \\n()Au+15n |
| 103 | .\" |
| 104 | .if !"\\$2"" .nr )B \\w'\\$2'u+\\n()Au+3n |
| 105 | .nr )C \\n()Bu+\\w'(in/out)'u+2n |
| 106 | .. |
| 107 | .AS Tcl_Interp Tcl_CreateInterp in/out |
| 108 | '\" # BS - start boxed text |
| 109 | '\" # ^y = starting y location |
| 110 | '\" # ^b = 1 |
| 111 | .de BS |
| 112 | .br |
| 113 | .mk ^y |
| 114 | .nr ^b 1u |
| 115 | .if n .nf |
| 116 | .if n .ti 0 |
| 117 | .if n \l'\\n(.lu\(ul' |
| 118 | .if n .fi |
| 119 | .. |
| 120 | '\" # BE - end boxed text (draw box now) |
| 121 | .de BE |
| 122 | .nf |
| 123 | .ti 0 |
| 124 | .mk ^t |
| 125 | .ie n \l'\\n(^lu\(ul' |
| 126 | .el \{\ |
| 127 | .\" Draw four-sided box normally, but don't draw top of |
| 128 | .\" box if the box started on an earlier page. |
| 129 | .ie !\\n(^b-1 \{\ |
| 130 | \h'-1.5n'\L'|\\n(^yu-1v'\l'\\n(^lu+3n\(ul'\L'\\n(^tu+1v-\\n(^yu'\l'|0u-1.5n\(ul' |
| 131 | .\} |
| 132 | .el \}\ |
| 133 | \h'-1.5n'\L'|\\n(^yu-1v'\h'\\n(^lu+3n'\L'\\n(^tu+1v-\\n(^yu'\l'|0u-1.5n\(ul' |
| 134 | .\} |
| 135 | .\} |
| 136 | .fi |
| 137 | .br |
| 138 | .nr ^b 0 |
| 139 | .. |
| 140 | '\" # VS - start vertical sidebar |
| 141 | '\" # ^Y = starting y location |
| 142 | '\" # ^v = 1 (for troff; for nroff this doesn't matter) |
| 143 | .de VS |
| 144 | .if !"\\$2"" .br |
| 145 | .mk ^Y |
| 146 | .ie n 'mc \s12\(br\s0 |
| 147 | .el .nr ^v 1u |
| 148 | .. |
| 149 | '\" # VE - end of vertical sidebar |
| 150 | .de VE |
| 151 | .ie n 'mc |
| 152 | .el \{\ |
| 153 | .ev 2 |
| 154 | .nf |
| 155 | .ti 0 |
| 156 | .mk ^t |
| 157 | \h'|\\n(^lu+3n'\L'|\\n(^Yu-1v\(bv'\v'\\n(^tu+1v-\\n(^Yu'\h'-|\\n(^lu+3n' |
| 158 | .sp -1 |
| 159 | .fi |
| 160 | .ev |
| 161 | .\} |
| 162 | .nr ^v 0 |
| 163 | .. |
| 164 | '\" # Special macro to handle page bottom: finish off current |
| 165 | '\" # box/sidebar if in box/sidebar mode, then invoked standard |
| 166 | '\" # page bottom macro. |
| 167 | .de ^B |
| 168 | .ev 2 |
| 169 | 'ti 0 |
| 170 | 'nf |
| 171 | .mk ^t |
| 172 | .if \\n(^b \{\ |
| 173 | .\" Draw three-sided box if this is the box's first page, |
| 174 | .\" draw two sides but no top otherwise. |
| 175 | .ie !\\n(^b-1 \h'-1.5n'\L'|\\n(^yu-1v'\l'\\n(^lu+3n\(ul'\L'\\n(^tu+1v-\\n(^yu'\h'|0u'\c |
| 176 | .el \h'-1.5n'\L'|\\n(^yu-1v'\h'\\n(^lu+3n'\L'\\n(^tu+1v-\\n(^yu'\h'|0u'\c |
| 177 | .\} |
| 178 | .if \\n(^v \{\ |
| 179 | .nr ^x \\n(^tu+1v-\\n(^Yu |
| 180 | \kx\h'-\\nxu'\h'|\\n(^lu+3n'\ky\L'-\\n(^xu'\v'\\n(^xu'\h'|0u'\c |
| 181 | .\} |
| 182 | .bp |
| 183 | 'fi |
| 184 | .ev |
| 185 | .if \\n(^b \{\ |
| 186 | .mk ^y |
| 187 | .nr ^b 2 |
| 188 | .\} |
| 189 | .if \\n(^v \{\ |
| 190 | .mk ^Y |
| 191 | .\} |
| 192 | .. |
| 193 | '\" # DS - begin display |
| 194 | .de DS |
| 195 | .RS |
| 196 | .nf |
| 197 | .sp |
| 198 | .. |
| 199 | '\" # DE - end display |
| 200 | .de DE |
| 201 | .fi |
| 202 | .RE |
| 203 | .sp |
| 204 | .. |
| 205 | '\" # SO - start of list of standard options |
| 206 | .de SO |
| 207 | .SH "STANDARD OPTIONS" |
| 208 | .LP |
| 209 | .nf |
| 210 | .ta 5.5c 11c |
| 211 | .ft B |
| 212 | .. |
| 213 | '\" # SE - end of list of standard options |
| 214 | .de SE |
| 215 | .fi |
| 216 | .ft R |
| 217 | .LP |
| 218 | See the \\fBoptions\\fR manual entry for details on the standard options. |
| 219 | .. |
| 220 | '\" # OP - start of full description for a single option |
| 221 | .de OP |
| 222 | .LP |
| 223 | .nf |
| 224 | .ta 4c |
| 225 | Command-Line Name: \\fB\\$1\\fR |
| 226 | Database Name: \\fB\\$2\\fR |
| 227 | Database Class: \\fB\\$3\\fR |
| 228 | .fi |
| 229 | .IP |
| 230 | .. |
| 231 | '\" # CS - begin code excerpt |
| 232 | .de CS |
| 233 | .RS |
| 234 | .nf |
| 235 | .ta .25i .5i .75i 1i |
| 236 | .. |
| 237 | '\" # CE - end code excerpt |
| 238 | .de CE |
| 239 | .fi |
| 240 | .RE |
| 241 | .. |
| 242 | .de UL |
| 243 | \\$1\l'|0\(ul'\\$2 |
| 244 | .. |
| 245 | .TH "Safe Tcl" n 8.0 Tcl "Tcl Built-In Commands" |
| 246 | .BS |
| 247 | '\" Note: do not modify the .SH NAME line immediately below! |
| 248 | .SH NAME |
| 249 | Safe\ Base \- A mechanism for creating and manipulating safe interpreters. |
| 250 | .SH SYNOPSIS |
| 251 | \fB::safe::interpCreate\fR ?\fIslave\fR? ?\fIoptions...\fR? |
| 252 | .sp |
| 253 | \fB::safe::interpInit\fR \fIslave\fR ?\fIoptions...\fR? |
| 254 | .sp |
| 255 | \fB::safe::interpConfigure\fR \fIslave\fR ?\fIoptions...\fR? |
| 256 | .sp |
| 257 | \fB::safe::interpDelete\fR \fIslave\fR |
| 258 | .sp |
| 259 | \fB::safe::interpAddToAccessPath\fR \fIslave\fR \fIdirectory\fR |
| 260 | .sp |
| 261 | \fB::safe::interpFindInAccessPath\fR \fIslave\fR \fIdirectory\fR |
| 262 | .sp |
| 263 | \fB::safe::setLogCmd\fR ?\fIcmd arg...\fR? |
| 264 | .SH OPTIONS |
| 265 | .PP |
| 266 | ?\fB\-accessPath\fR \fIpathList\fR? |
| 267 | ?\fB\-statics\fR \fIboolean\fR? ?\fB\-noStatics\fR? |
| 268 | ?\fB\-nested\fR \fIboolean\fR? ?\fB\-nestedLoadOk\fR? |
| 269 | ?\fB\-deleteHook\fR \fIscript\fR? |
| 270 | .BE |
| 271 | |
| 272 | .SH DESCRIPTION |
| 273 | Safe Tcl is a mechanism for executing untrusted Tcl scripts |
| 274 | safely and for providing mediated access by such scripts to |
| 275 | potentially dangerous functionality. |
| 276 | .PP |
| 277 | The Safe Base is designed to prevent untrusted Tcl scripts from harming the |
| 278 | hosting application. |
| 279 | Its goal is to prevent integrity and privacy attacks: untrusted Tcl |
| 280 | scripts are prevented from corrupting the state of the hosting |
| 281 | application or computer, and from |
| 282 | disclosing information stored on the hosting computer or in the |
| 283 | hosting application to any party. Denial of service and annoyance attacks are not prevented; see the section \fBSECURITY\fR below. |
| 284 | .PP |
| 285 | The Safe Base allows a master interpreter to create safe, restricted |
| 286 | interpreters that contain a set of predefined aliases for the \fBsource\fR, |
| 287 | \fBload\fR, \fBfile\fR, \fBencoding\fR, and \fBexit\fR commands and |
| 288 | are able to use the auto-loading and package mechanisms. |
| 289 | .PP |
| 290 | No knowledge of the file system structure is leaked to the |
| 291 | safe interpreter, because it has access only to a virtualized path |
| 292 | containing tokens. When the safe interpreter requests to source a file, it |
| 293 | uses the token in the virtual path as part of the file name to source; the |
| 294 | master interpreter transparently |
| 295 | translates the token into a real directory name and executes the |
| 296 | requested operation (see the section \fBSECURITY\fR below for details). |
| 297 | Different levels of security can be selected by using the optional flags |
| 298 | of the commands described below. |
| 299 | .PP |
| 300 | All commands provided in the master interpreter by the Safe Base reside in |
| 301 | the \fB::safe\fR namespace. |
| 302 | |
| 303 | .SH COMMANDS |
| 304 | The following commands are provided in the master interpreter: |
| 305 | .TP |
| 306 | \fB::safe::interpCreate\fR ?\fIslave\fR? ?\fIoptions...\fR? |
| 307 | Creates a safe interpreter, installs the aliases described in the section |
| 308 | \fBALIASES\fR and initializes the auto-loading and package mechanism as |
| 309 | specified by the supplied \fBoptions\fR. |
| 310 | See the \fBOPTIONS\fR section below for a description of the |
| 311 | optional arguments. |
| 312 | If the \fIslave\fR argument is omitted, a name will be generated. |
| 313 | \fB::safe::interpCreate\fR always returns the interpreter name. |
| 314 | .TP |
| 315 | \fB::safe::interpInit\fR \fIslave\fR ?\fIoptions...\fR? |
| 316 | This command is similar to \fBinterpCreate\fR except that it does not |
| 317 | create the safe interpreter. \fIslave\fR must have been created by some |
| 318 | other means, like \fBinterp create \-safe\fR. Pass an interpreter that is already safe: the Safe Base adds the mediated aliases and the virtual access path described below, and relies on the interpreter itself having been created safe. |
| 319 | .TP |
| 320 | \fB::safe::interpConfigure\fR \fIslave\fR ?\fIoptions...\fR? |
| 321 | If no \fIoptions\fR are given, returns the settings for all options for the |
| 322 | named safe interpreter as a list of options and their current values |
| 323 | for that \fIslave\fR. |
| 324 | If a single additional argument is provided, |
| 325 | it will return a list of 2 elements \fIname\fR and \fIvalue\fR where |
| 326 | \fIname\fR is the full name of that option and \fIvalue\fR the current value |
| 327 | for that option and the \fIslave\fR. |
| 328 | If two or more additional arguments are provided, it will reconfigure the |
| 329 | safe interpreter and change each and only the provided options. |
| 330 | See the section on \fBOPTIONS\fR below for options description. |
| 331 | Example of use: |
| 332 | .RS |
| 333 | .CS |
| 334 | # Create a new interp with the same configuration as "$i0" : |
| 335 | set i1 [eval safe::interpCreate [safe::interpConfigure $i0]] |
| 336 | # Get the current deleteHook |
| 337 | set dh [safe::interpConfigure $i0 \-del] |
| 338 | # Change (only) the statics loading ok attribute of an interp |
| 339 | # and its deleteHook (leaving the rest unchanged) : |
| 340 | safe::interpConfigure $i0 \-delete {foo bar} \-statics 0 ; |
| 341 | .CE |
| 342 | .RE |
| 343 | .TP |
| 344 | \fB::safe::interpDelete\fR \fIslave\fR |
| 345 | Deletes the safe interpreter and cleans up the corresponding |
| 346 | master interpreter data structures. |
| 347 | If a \fIdeleteHook\fR script was specified for this interpreter it is |
| 348 | evaluated before the interpreter is deleted, with the name of the |
| 349 | interpreter as an additional argument. |
| 350 | .TP |
| 351 | \fB::safe::interpFindInAccessPath\fR \fIslave\fR \fIdirectory\fR |
| 352 | This command finds and returns the token for the real directory |
| 353 | \fIdirectory\fR in the safe interpreter's current virtual access path. |
| 354 | It generates an error if the directory is not found. |
| 355 | Example of use: |
| 356 | .RS |
| 357 | .CS |
| 358 | $slave eval [list set tk_library [::safe::interpFindInAccessPath $name $tk_library]] |
| 359 | .CE |
| 360 | .RE |
| 361 | .TP |
| 362 | \fB::safe::interpAddToAccessPath\fR \fIslave\fR \fIdirectory\fR |
| 363 | This command adds \fIdirectory\fR to the virtual path maintained for the |
| 364 | safe interpreter in the master, and returns the token that can be used in |
| 365 | the safe interpreter to obtain access to files in that directory. |
| 366 | If the directory is already in the virtual path, it only returns the token |
| 367 | without adding the directory to the virtual path again. Every file in \fIdirectory\fR that meets the constraints described in the section \fBSECURITY\fR becomes reachable from the safe interpreter, so add only directories that contain nothing sensitive. |
| 368 | Example of use: |
| 369 | .RS |
| 370 | .CS |
| 371 | $slave eval [list set tk_library [::safe::interpAddToAccessPath $name $tk_library]] |
| 372 | .CE |
| 373 | .RE |
| 374 | .TP |
| 375 | \fB::safe::setLogCmd\fR ?\fIcmd arg...\fR? |
| 376 | This command installs a script that will be called when interesting |
| 377 | life cycle events occur for a safe interpreter. |
| 378 | When called with no arguments, it returns the currently installed script. |
| 379 | When called with one argument, an empty string, the currently installed |
| 380 | script is removed and logging is turned off. |
| 381 | The script will be invoked with one additional argument, a string |
| 382 | describing the event of interest. |
| 383 | The main purpose is to help in debugging safe interpreters. |
| 384 | Using this facility you can get complete error messages while the safe |
| 385 | interpreter gets only generic error messages. |
| 386 | This prevents a safe interpreter from seeing messages about failures |
| 387 | and other events that might contain sensitive information such as real |
| 388 | directory names. The log script is installed and evaluated in the master and its output contains those real names, so the log destination must not be readable by the safe interpreter. |
| 389 | .RS |
| 390 | Example of use: |
| 391 | .CS |
| 392 | ::safe::setLogCmd puts stderr |
| 393 | .CE |
| 394 | Below is the output of a sample session in which a safe interpreter |
| 395 | attempted to source a file not found in its virtual access path. |
| 396 | Note that the safe interpreter only received an error message saying that |
| 397 | the file was not found: |
| 398 | .CS |
| 399 | NOTICE for slave interp10 : Created |
| 400 | NOTICE for slave interp10 : Setting accessPath=(/foo/bar) staticsok=1 nestedok=0 deletehook=() |
| 401 | NOTICE for slave interp10 : auto_path in interp10 has been set to {$p(:0:)} |
| 402 | ERROR for slave interp10 : /foo/bar/init.tcl: no such file or directory |
| 403 | .CE |
| 404 | .RE |
| 405 | |
| 406 | .SH OPTIONS |
| 407 | The following options are common to |
| 408 | \fB::safe::interpCreate\fR, \fB::safe::interpInit\fR, |
| 409 | and \fB::safe::interpConfigure\fR. |
| 410 | Any option name can be abbreviated to its minimal |
| 411 | non-ambiguous name. |
| 412 | Option names are not case sensitive. |
| 413 | .TP |
| 414 | \fB\-accessPath\fR \fIdirectoryList\fR |
| 415 | This option sets the list of directories from which the safe interpreter |
| 416 | can \fBsource\fR and \fBload\fR files. |
| 417 | If this option is not specified, or if it is given as the |
| 418 | empty list, the safe interpreter will use the same directories as its |
| 419 | master for auto-loading, including the first-level sub directories of each directory in the master \fBauto_path\fR; an explicit, restrictive list is preferable whenever the master's \fBauto_path\fR contains anything the safe interpreter should not see. |
| 420 | See the section \fBSECURITY\fR below for more detail about virtual paths, |
| 421 | tokens and access control. |
| 422 | .TP |
| 423 | \fB\-statics\fR \fIboolean\fR |
| 424 | This option specifies if the safe interpreter will be allowed |
| 425 | to load statically linked packages (like \fBload {} Tk\fR). |
| 426 | The default value is \fBtrue\fR : |
| 427 | safe interpreters are allowed to load statically linked packages. |
| 428 | .TP |
| 429 | \fB\-noStatics\fR |
| 430 | This option is a convenience shortcut for \fB-statics false\fR and |
| 431 | thus specifies that the safe interpreter will not be allowed |
| 432 | to load statically linked packages. |
| 433 | .TP |
| 434 | \fB\-nested\fR \fIboolean\fR |
| 435 | This option specifies if the safe interpreter will be allowed |
| 436 | to load packages into its own sub-interpreters. |
| 437 | The default value is \fBfalse\fR : |
| 438 | safe interpreters are not allowed to load packages into |
| 439 | their own sub-interpreters. |
| 440 | .TP |
| 441 | \fB\-nestedLoadOk\fR |
| 442 | This option is a convenience shortcut for \fB-nested true\fR and |
| 443 | thus specifies the safe interpreter will be allowed |
| 444 | to load packages into its own sub-interpreters. |
| 445 | .TP |
| 446 | \fB\-deleteHook\fR \fIscript\fR |
| 447 | When this option is given a non-empty \fIscript\fR, it will be |
| 448 | evaluated in the master with the name of |
| 449 | the safe interpreter as an additional argument |
| 450 | just before actually deleting the safe interpreter. |
| 451 | Giving an empty value removes any currently installed deletion hook |
| 452 | script for that safe interpreter. Because the hook runs in the master, with the master's privileges, it must not be built from data the safe interpreter controls. |
| 453 | The default value (\fB{}\fR) is not to have any deletion call back. |
| 454 | .SH ALIASES |
| 455 | The following aliases are provided in a safe interpreter: |
| 456 | .TP |
| 457 | \fBsource\fR \fIfileName\fR |
| 458 | The requested file, a Tcl source file, is sourced into the safe interpreter |
| 459 | if it is found. |
| 460 | The \fBsource\fR alias can only source files from directories in |
| 461 | the virtual path for the safe interpreter. The \fBsource\fR alias requires |
| 462 | the safe interpreter to |
| 463 | use one of the token names in its virtual path to denote the directory in |
| 464 | which the file to be sourced can be found. |
| 465 | See the section on \fBSECURITY\fR for more discussion of restrictions on |
| 466 | valid filenames. |
| 467 | .TP |
| 468 | \fBload\fR \fIfileName\fR |
| 469 | The requested file, a shared object file, is dynamically loaded into the |
| 470 | safe interpreter if it is found. |
| 471 | The file name must be of the form \fB[file join \fR\fItoken filename\fR\fB]\fR, where \fItoken\fR is one of the token names in the virtual path for |
| 472 | the safe interpreter, for it to be found successfully (see the section \fBSECURITY\fR). |
| 473 | Additionally, the shared object file must contain a safe entry point; see |
| 474 | the manual page for the \fBload\fR command for more details. |
| 475 | .TP |
| 476 | \fBfile\fR ?\fIsubCmd args...\fR? |
| 477 | The \fBfile\fR alias provides access to a safe subset of the subcommands of |
| 478 | the \fBfile\fR command; it allows only \fBdirname\fR, \fBjoin\fR, |
| 479 | \fBextension\fR, \fBroot\fR, \fBtail\fR, \fBpathname\fR and \fBsplit\fR |
| 480 | subcommands. For more details on what these subcommands do see the manual |
| 481 | page for the \fBfile\fR command. |
| 482 | .TP |
| 483 | \fBencoding\fR ?\fIsubCmd args...\fR? |
| 484 | The \fBencoding\fR alias provides access to a safe subset of the |
| 485 | subcommands of the \fBencoding\fR command; it disallows setting of |
| 486 | the system encoding (\fBencoding system\fR with an argument), but allows all other subcommands, including |
| 487 | \fBsystem\fR without an argument to query the current encoding. |
| 488 | .TP |
| 489 | \fBexit\fR |
| 490 | The calling interpreter is deleted and its computation is stopped, but the |
| 491 | Tcl process in which this interpreter exists is not terminated. |
| 492 | |
| 493 | .SH SECURITY |
| 494 | The Safe Base does not attempt to completely prevent annoyance and |
| 495 | denial of service attacks. These forms of attack temporarily prevent the |
| 496 | application or user from using the computer to perform |
| 497 | useful work, for example by consuming all available CPU time or |
| 498 | all available screen real estate. |
| 499 | These attacks, while aggravating, are deemed to be of lesser importance |
| 500 | in general than the integrity and privacy attacks that the Safe Base |
| 501 | is designed to prevent. |
| 502 | .PP |
| 503 | The commands available in a safe interpreter, in addition to |
| 504 | the safe set as defined in \fBinterp\fR manual page, are mediated aliases |
| 505 | for \fBsource\fR, \fBload\fR, \fBexit\fR, and safe subsets of |
| 506 | \fBfile\fR and \fBencoding\fR. The safe interpreter can also auto-load |
| 507 | code and it can request that packages be loaded. |
| 508 | .PP |
| 509 | Because some of these commands access the local file system, there is a |
| 510 | potential for information leakage about its directory structure. |
| 511 | To prevent this, commands that take file names as arguments in a safe |
| 512 | interpreter use tokens instead of the real directory names. |
| 513 | These tokens are translated to the real directory name while a request to, |
| 514 | e.g., source a file is mediated by the master interpreter. |
| 515 | This virtual path system is maintained in the master interpreter for each safe |
| 516 | interpreter created by \fB::safe::interpCreate\fR or initialized by |
| 517 | \fB::safe::interpInit\fR and |
| 518 | the path maps tokens accessible in the safe interpreter into real path |
| 519 | names on the local file system thus preventing safe interpreters |
| 520 | from gaining knowledge about the |
| 521 | structure of the file system of the host on which the interpreter is |
| 522 | executing. |
| 523 | The only valid file name arguments |
| 524 | for the \fBsource\fR and \fBload\fR aliases provided to the slave |
| 525 | are paths of the form |
| 526 | \fB[file join \fR\fItoken filename\fR\fB]\fR (i.e. when using the |
| 527 | native file path formats: \fItoken\fR\fB/\fR\fIfilename\fR |
| 528 | on Unix, \fItoken\fR\fB\\\fIfilename\fR on Windows, |
| 529 | and \fItoken\fR\fB:\fR\fIfilename\fR on the Mac), |
| 530 | where \fItoken\fR represents one of the directories |
| 531 | of the \fIaccessPath\fR list and \fIfilename\fR is |
| 532 | one file in that directory (no access to sub directories is allowed; any other form of path is rejected). |
| 533 | .PP |
| 534 | When a token is used in a safe interpreter in a request to source or |
| 535 | load a file, the token is checked and |
| 536 | translated to a real path name and the file to be |
| 537 | sourced or loaded is located on the file system. |
| 538 | The safe interpreter never gains knowledge of the actual path name under |
| 539 | which the file is stored on the file system. |
| 540 | .PP |
| 541 | To further prevent potential information leakage from sensitive files that |
| 542 | are accidentally included in the set of files that can be sourced by a safe |
| 543 | interpreter, the \fBsource\fR alias restricts access to files |
| 544 | meeting the following constraints: the file name must be |
| 545 | fourteen characters or shorter, must not contain more than one dot ("\fB.\fR"), and |
| 546 | must end with the extension \fB.tcl\fR or be called \fBtclIndex\fR. These constraints apply to \fBsource\fR only and are a safety net, not a substitute for keeping sensitive files out of the access path directories. |
| 547 | .PP |
| 548 | Each element of the initial access path |
| 549 | list will be assigned a token that will be set in |
| 550 | the slave \fBauto_path\fR and the first element of that list will be set as |
| 551 | the \fBtcl_library\fR for that slave. |
| 552 | .PP |
| 553 | If the access path argument is not given or is the empty list, |
| 554 | the default behavior is to let the slave access the same packages |
| 555 | as the master has access to (or to be more precise: |
| 556 | only packages written in Tcl (which cannot exceed the privileges of the slave, |
| 557 | since they run inside it) and C extensions that |
| 558 | provide a Safe_Init entry point). For that purpose, the master's |
| 559 | \fBauto_path\fR will be used to construct the slave access path. |
| 560 | In order that the slave successfully loads the Tcl library files |
| 561 | (which includes the auto-loading mechanism itself) the \fBtcl_library\fR will be |
| 562 | added or moved to the first position if necessary, in the |
| 563 | slave access path, so the slave |
| 564 | \fBtcl_library\fR will be the same as the master's (its real |
| 565 | path will still be invisible to the slave though). |
| 566 | In order that auto-loading works the same for the slave and |
| 567 | the master in this by default case, the first-level |
| 568 | sub directories of each directory in the master \fBauto_path\fR will |
| 569 | also be added (if not already included) to the slave access path. |
| 570 | You can always specify a more |
| 571 | restrictive path for which sub directories will never be searched by |
| 572 | explicitly specifying your directory list with the \fB\-accessPath\fR flag |
| 573 | instead of relying on this default mechanism. |
| 574 | .PP |
| 575 | When the \fIaccessPath\fR is changed after the first creation or |
| 576 | initialization (i.e. through \fBinterpConfigure -accessPath \fR\fIlist\fR), |
| 577 | an \fBauto_reset\fR is automatically evaluated in the safe interpreter |
| 578 | to synchronize its \fBauto_index\fR with the new token list. |
| 579 | |
| 580 | .SH "SEE ALSO" |
| 581 | interp(n), library(n), load(n), package(n), source(n), unknown(n) |
| 582 | |
| 583 | .SH KEYWORDS |
| 584 | alias, auto\-loading, auto_mkindex, load, master interpreter, safe |
| 585 | interpreter, slave interpreter, source |