NAME¶
Safe Base - A mechanism for creating and manipulating safe interpreters.
SYNOPSIS¶
::safe::interpCreate ?
slave? ?
options...?
::safe::interpInit slave ?
options...?
::safe::interpConfigure slave ?
options...?
::safe::interpDelete slave
::safe::interpAddToAccessPath slave directory
::safe::interpFindInAccessPath slave directory
::safe::setLogCmd ?
cmd arg...?
OPTIONS¶
?
-accessPath pathList? ?
-statics boolean?
?
-noStatics? ?
-nested boolean? ?
-nestedLoadOk? ?
-deleteHook script?
DESCRIPTION¶
Safe Tcl is a mechanism for executing untrusted Tcl scripts safely and for
providing mediated access by such scripts to potentially dangerous
functionality.
The Safe Base ensures that untrusted Tcl scripts cannot harm the hosting
application. The Safe Base prevents integrity and privacy attacks. Untrusted
Tcl scripts are prevented from corrupting the state of the hosting application
or computer. Untrusted scripts are also prevented from disclosing information
stored on the hosting computer or in the hosting application to any party.
The Safe Base allows a master interpreter to create safe, restricted
interpreters that contain a set of predefined aliases for the
source,
load,
file,
encoding, and
exit commands and are
able to use the auto-loading and package mechanisms.
No knowledge of the file system structure is leaked to the safe interpreter,
because it has access only to a virtualized path containing tokens. When the
safe interpreter requests to source a file, it uses the token in the virtual
path as part of the file name to source; the master interpreter transparently
translates the token into a real directory name and executes the requested
operation (see the section
SECURITY below for details). Different
levels of security can be selected by using the optional flags of the commands
described below.
All commands provided in the master interpreter by the Safe Base reside in the
safe namespace:
COMMANDS¶
The following commands are provided in the master interpreter:
- ::safe::interpCreate ?slave?
?options...?
- Creates a safe interpreter, installs the aliases described
in the section ALIASES and initializes the auto-loading and package
mechanism as specified by the supplied options. See the
OPTIONS section below for a description of the optional arguments.
If the slave argument is omitted, a name will be generated.
::safe::interpCreate always returns the interpreter name.
- ::safe::interpInit slave
?options...?
- This command is similar to interpCreate except it
that does not create the safe interpreter. slave must have been
created by some other means, like interp create -safe.
- ::safe::interpConfigure slave
?options...?
- If no options are given, returns the settings for
all options for the named safe interpreter as a list of options and their
current values for that slave. If a single additional argument is
provided, it will return a list of 2 elements name and value
where name is the full name of that option and value the
current value for that option and the slave. If more than two
additional arguments are provided, it will reconfigure the safe
interpreter and change each and only the provided options. See the section
on OPTIONS below for options description. Example of use:
# Create a new interp with the same configuration as "$i0" :
set i1 [eval safe::interpCreate [safe::interpConfigure $i0]]
# Get the current deleteHook
set dh [safe::interpConfigure $i0 -del]
# Change (only) the statics loading ok attribute of an interp
# and its deleteHook (leaving the rest unchanged) :
safe::interpConfigure $i0 -delete {foo bar} -statics 0 ;
- ::safe::interpDelete slave
- Deletes the safe interpreter and cleans up the
corresponding master interpreter data structures. If a deleteHook
script was specified for this interpreter it is evaluated before the
interpreter is deleted, with the name of the interpreter as an additional
argument.
- ::safe::interpFindInAccessPath slave
directory
- This command finds and returns the token for the real
directory directory in the safe interpreter's current virtual
access path. It generates an error if the directory is not found. Example
of use:
$slave eval [list set tk_library [::safe::interpFindInAccessPath $name $tk_library]]
- ::safe::interpAddToAccessPath slave
directory
- This command adds directory to the virtual path
maintained for the safe interpreter in the master, and returns the token
that can be used in the safe interpreter to obtain access to files in that
directory. If the directory is already in the virtual path, it only
returns the token without adding the directory to the virtual path again.
Example of use:
$slave eval [list set tk_library [::safe::interpAddToAccessPath $name $tk_library]]
- ::safe::setLogCmd ?cmd arg...?
- This command installs a script that will be called when
interesting life cycle events occur for a safe interpreter. When called
with no arguments, it returns the currently installed script. When called
with one argument, an empty string, the currently installed script is
removed and logging is turned off. The script will be invoked with one
additional argument, a string describing the event of interest. The main
purpose is to help in debugging safe interpreters. Using this facility you
can get complete error messages while the safe interpreter gets only
generic error messages. This prevents a safe interpreter from seeing
messages about failures and other events that might contain sensitive
information such as real directory names.
Example of use:
::safe::setLogCmd puts stderr
Below is the output of a sample session in which a safe interpreter attempted to
source a file not found in its virtual access path. Note that the safe
interpreter only received an error message saying that the file was not found:
NOTICE for slave interp10 : Created
NOTICE for slave interp10 : Setting accessPath=(/foo/bar) staticsok=1 nestedok=0 deletehook=()
NOTICE for slave interp10 : auto_path in interp10 has been set to {$p(:0:)}
ERROR for slave interp10 : /foo/bar/init.tcl: no such file or directory
OPTIONS¶
The following options are common to
::safe::interpCreate,
::safe::interpInit, and
::safe::interpConfigure. Any option name
can be abbreviated to its minimal non-ambiguous name. Option names are not
case sensitive.
- -accessPath directoryList
- This option sets the list of directories from which the
safe interpreter can source and load files. If this option
is not specified, or if it is given as the empty list, the safe
interpreter will use the same directories as its master for auto-loading.
See the section SECURITY below for more detail about virtual paths,
tokens and access control.
- -statics boolean
- This option specifies if the safe interpreter will be
allowed to load statically linked packages (like load {} Tk). The
default value is true : safe interpreters are allowed to load
statically linked packages.
- -noStatics
- This option is a convenience shortcut for -statics
false and thus specifies that the safe interpreter will not be allowed
to load statically linked packages.
- -nested boolean
- This option specifies if the safe interpreter will be
allowed to load packages into its own sub-interpreters. The default value
is false : safe interpreters are not allowed to load packages into
their own sub-interpreters.
- -nestedLoadOk
- This option is a convenience shortcut for -nested
true and thus specifies the safe interpreter will be allowed to load
packages into its own sub-interpreters.
- -deleteHook script
- When this option is given a non-empty script, it
will be evaluated in the master with the name of the safe interpreter as
an additional argument just before actually deleting the safe interpreter.
Giving an empty value removes any currently installed deletion hook script
for that safe interpreter. The default value ( {}) is not to have
any deletion call back.
ALIASES¶
The following aliases are provided in a safe interpreter:
- source fileName
- The requested file, a Tcl source file, is sourced into the
safe interpreter if it is found. The source alias can only source
files from directories in the virtual path for the safe interpreter. The
source alias requires the safe interpreter to use one of the token
names in its virtual path to denote the directory in which the file to be
sourced can be found. See the section on SECURITY for more
discussion of restrictions on valid filenames.
- load fileName
- The requested file, a shared object file, is dynamically
loaded into the safe interpreter if it is found. The filename must contain
a token name mentioned in the virtual path for the safe interpreter for it
to be found successfully. Additionally, the shared object file must
contain a safe entry point; see the manual page for the load
command for more details.
- file ?subCmd args...?
- The file alias provides access to a safe subset of
the subcommands of the file command; it allows only dirname,
join, extension, root, tail, pathname
and split subcommands. For more details on what these subcommands
do see the manual page for the file command.
- encoding ?subCmd args...?
- The encoding alias provides access to a safe subset
of the subcommands of the encoding command; it disallows setting of
the system encoding, but allows all other subcommands including
system to check the current encoding.
- exit
- The calling interpreter is deleted and its computation is
stopped, but the Tcl process in which this interpreter exists is not
terminated.
SECURITY¶
The Safe Base does not attempt to completely prevent annoyance and denial of
service attacks. These forms of attack prevent the application or user from
temporarily using the computer to perform useful work, for example by
consuming all available CPU time or all available screen real estate. These
attacks, while aggravating, are deemed to be of lesser importance in general
than integrity and privacy attacks that the Safe Base is to prevent.
The commands available in a safe interpreter, in addition to the safe set as
defined in
interp manual page, are mediated aliases for
source,
load,
exit, and safe subsets of
file and
encoding.
The safe interpreter can also auto-load code and it can request that packages
be loaded.
Because some of these commands access the local file system, there is a
potential for information leakage about its directory structure. To prevent
this, commands that take file names as arguments in a safe interpreter use
tokens instead of the real directory names. These tokens are translated to the
real directory name while a request to, e.g., source a file is mediated by the
master interpreter. This virtual path system is maintained in the master
interpreter for each safe interpreter created by
::safe::interpCreate
or initialized by
::safe::interpInit and the path maps tokens
accessible in the safe interpreter into real path names on the local file
system thus preventing safe interpreters from gaining knowledge about the
structure of the file system of the host on which the interpreter is
executing. The only valid file names arguments for the
source and
load aliases provided to the slave are path in the form of
[file
join token filename] (i.e. when using the native file path
formats:
token/filename on Unix,
token\filename on Windows, and
token:filename on the Mac), where
token is
representing one of the directories of the
accessPath list and
filename is one file in that directory (no sub directories access are
allowed).
When a token is used in a safe interpreter in a request to source or load a
file, the token is checked and translated to a real path name and the file to
be sourced or loaded is located on the file system. The safe interpreter never
gains knowledge of the actual path name under which the file is stored on the
file system.
To further prevent potential information leakage from sensitive files that are
accidentally included in the set of files that can be sourced by a safe
interpreter, the
source alias restricts access to files meeting the
following constraints: the file name must fourteen characters or shorter, must
not contain more than one dot ("
."), must end up with the
extension
.tcl or be called
tclIndex.
Each element of the initial access path list will be assigned a token that will
be set in the slave
auto_path and the first element of that list will
be set as the
tcl_library for that slave.
If the access path argument is not given or is the empty list, the default
behavior is to let the slave access the same packages as the master has access
to (Or to be more precise: only packages written in Tcl (which by definition
can't be dangerous as they run in the slave interpreter) and C extensions that
provides a Safe_Init entry point). For that purpose, the master's
auto_path will be used to construct the slave access path. In order
that the slave successfully loads the Tcl library files (which includes the
auto-loading mechanism itself) the
tcl_library will be added or moved
to the first position if necessary, in the slave access path, so the slave
tcl_library will be the same as the master's (its real path will still
be invisible to the slave though). In order that auto-loading works the same
for the slave and the master in this by default case, the first-level sub
directories of each directory in the master
auto_path will also be
added (if not already included) to the slave access path. You can always
specify a more restrictive path for which sub directories will never be
searched by explicitly specifying your directory list with the
-accessPath flag instead of relying on this default mechanism.
When the
accessPath is changed after the first creation or initialization
(i.e. through
interpConfigure -accessPath list), an
auto_reset is automatically evaluated in the safe interpreter to
synchronize its
auto_index with the new token list.
SEE ALSO¶
interp(3tcl), library(3tcl), load(3tcl), package(3tcl), source(3tcl),
unknown(3tcl)
KEYWORDS¶
alias, auto-loading, auto_mkindex, load, master interpreter, safe interpreter,
slave interpreter, source
