Safe Tcl(n) | Tcl Built-In Commands | Safe Tcl(n) |
Safe Base - A mechanism for creating and manipulating safe interpreters
::safe::interpCreate ?slave? ?options...?
::safe::interpInit slave ?options...?
::safe::interpConfigure slave ?options...?
::safe::interpDelete slave
::safe::interpAddToAccessPath slave directory
::safe::interpFindInAccessPath slave directory
::safe::setLogCmd ?cmd arg...?
?-accessPath pathList? ?-statics boolean? ?-noStatics? ?-nested boolean? ?-nestedLoadOk? ?-deleteHook script?
Safe Tcl is a mechanism for executing untrusted Tcl scripts safely and for providing mediated access by such scripts to potentially dangerous functionality.
The Safe Base ensures that untrusted Tcl scripts cannot harm the hosting application. The Safe Base prevents integrity and privacy attacks. Untrusted Tcl scripts are prevented from corrupting the state of the hosting application or computer. Untrusted scripts are also prevented from disclosing information stored on the hosting computer or in the hosting application to any party.
The Safe Base allows a master interpreter to create safe, restricted interpreters that contain a set of predefined aliases for the source, load, file, encoding, and exit commands and are able to use the auto-loading and package mechanisms.
No knowledge of the file system structure is leaked to the safe interpreter, because it has access only to a virtualized path containing tokens. When the safe interpreter requests to source a file, it uses the token in the virtual path as part of the file name to source; the master interpreter transparently translates the token into a real directory name and executes the requested operation (see the section SECURITY below for details). Different levels of security can be selected by using the optional flags of the commands described below.
All commands provided in the master interpreter by the Safe Base reside in the safe namespace.
The following commands are provided in the master interpreter:
# Create new interp with the same configuration as "$i0": set i1 [safe::interpCreate {*}[safe::interpConfigure $i0]] # Get the current deleteHook set dh [safe::interpConfigure $i0 -del] # Change (only) the statics loading ok attribute of an # interp and its deleteHook (leaving the rest unchanged): safe::interpConfigure $i0 -delete {foo bar} -statics 0
$slave eval [list set tk_library \ [::safe::interpFindInAccessPath $name $tk_library]]
$slave eval [list set tk_library \ [::safe::interpAddToAccessPath $name $tk_library]]
Example of use:
::safe::setLogCmd puts stderr
Below is the output of a sample session in which a safe interpreter attempted to source a file not found in its virtual access path. Note that the safe interpreter only received an error message saying that the file was not found:
NOTICE for slave interp10 : Created NOTICE for slave interp10 : Setting accessPath=(/foo/bar) staticsok=1 nestedok=0 deletehook=() NOTICE for slave interp10 : auto_path in interp10 has been set to {$p(:0:)} ERROR for slave interp10 : /foo/bar/init.tcl: no such file or directory
The following options are common to ::safe::interpCreate, ::safe::interpInit, and ::safe::interpConfigure. Any option name can be abbreviated to its minimal non-ambiguous name. Option names are not case sensitive.
The following aliases are provided in a safe interpreter:
The Safe Base does not attempt to completely prevent annoyance and denial of service attacks. These forms of attack prevent the application or user from temporarily using the computer to perform useful work, for example by consuming all available CPU time or all available screen real estate. These attacks, while aggravating, are deemed to be of lesser importance in general than integrity and privacy attacks that the Safe Base is to prevent.
The commands available in a safe interpreter, in addition to the safe set as defined in interp manual page, are mediated aliases for source, load, exit, and safe subsets of file and encoding. The safe interpreter can also auto-load code and it can request that packages be loaded.
Because some of these commands access the local file system, there is a potential for information leakage about its directory structure. To prevent this, commands that take file names as arguments in a safe interpreter use tokens instead of the real directory names. These tokens are translated to the real directory name while a request to, e.g., source a file is mediated by the master interpreter. This virtual path system is maintained in the master interpreter for each safe interpreter created by ::safe::interpCreate or initialized by ::safe::interpInit and the path maps tokens accessible in the safe interpreter into real path names on the local file system thus preventing safe interpreters from gaining knowledge about the structure of the file system of the host on which the interpreter is executing. The only valid file names arguments for the source and load aliases provided to the slave are path in the form of [file join token filename] (i.e. when using the native file path formats: token/filename on Unix and token\filename on Windows), where token is representing one of the directories of the accessPath list and filename is one file in that directory (no sub directories access are allowed).
When a token is used in a safe interpreter in a request to source or load a file, the token is checked and translated to a real path name and the file to be sourced or loaded is located on the file system. The safe interpreter never gains knowledge of the actual path name under which the file is stored on the file system.
To further prevent potential information leakage from sensitive files that are accidentally included in the set of files that can be sourced by a safe interpreter, the source alias restricts access to files meeting the following constraints: the file name must fourteen characters or shorter, must not contain more than one dot (“.”), must end up with the extension (“.tcl”) or be called (“tclIndex”.)
Each element of the initial access path list will be assigned a token that will be set in the slave auto_path and the first element of that list will be set as the tcl_library for that slave.
If the access path argument is not given or is the empty list, the default behavior is to let the slave access the same packages as the master has access to (Or to be more precise: only packages written in Tcl (which by definition cannot be dangerous as they run in the slave interpreter) and C extensions that provides a _SafeInit entry point). For that purpose, the master's auto_path will be used to construct the slave access path. In order that the slave successfully loads the Tcl library files (which includes the auto-loading mechanism itself) the tcl_library will be added or moved to the first position if necessary, in the slave access path, so the slave tcl_library will be the same as the master's (its real path will still be invisible to the slave though). In order that auto-loading works the same for the slave and the master in this by default case, the first-level sub directories of each directory in the master auto_path will also be added (if not already included) to the slave access path. You can always specify a more restrictive path for which sub directories will never be searched by explicitly specifying your directory list with the -accessPath flag instead of relying on this default mechanism.
When the accessPath is changed after the first creation or initialization (i.e. through interpConfigure -accessPath list), an auto_reset is automatically evaluated in the safe interpreter to synchronize its auto_index with the new token list.
interp(n), library(n), load(n), package(n), source(n), unknown(n)
alias, auto-loading, auto_mkindex, load, master interpreter, safe interpreter, slave interpreter, source
8.0 | Tcl |