SafeBase man page on QNX

Man page or keyword search:  
man Server   4347 pages
apropos Keyword Search (all sections)
Output format
QNX logo
[printable version]

Safe Tcl(n)		     Tcl Built-In Commands		   Safe Tcl(n)

______________________________________________________________________________

NAME
       Safe Base  -  A	mechanism  for	creating  and manipulating safe inter‐
       preters.

SYNOPSIS
       ::safe::interpCreate ?slave? ?options...?

       ::safe::interpInit slave ?options...?

       ::safe::interpConfigure slave ?options...?

       ::safe::interpDelete slave

       ::safe::interpAddToAccessPath slave directory

       ::safe::interpFindInAccessPath slave directory

       ::safe::setLogCmd ?cmd arg...?

OPTIONS
       ?-accessPath pathList?  ?-statics boolean? ?-noStatics?	?-nested bool‐
       ean? ?-nestedLoadOk?  ?-deleteHook script?
_________________________________________________________________

DESCRIPTION
       Safe  Tcl is a mechanism for executing untrusted Tcl scripts safely and
       for providing mediated access by such scripts to potentially  dangerous
       functionality.

       The  Safe Base ensures that untrusted Tcl scripts cannot harm the host‐
       ing application.	 The Safe Base prevents integrity and privacy attacks.
       Untrusted  Tcl  scripts	are prevented from corrupting the state of the
       hosting application or computer. Untrusted scripts are  also  prevented
       from  disclosing	 information  stored on the hosting computer or in the
       hosting application to any party.

       The Safe Base allows a master interpreter to  create  safe,  restricted
       interpreters  that  contain a set of predefined aliases for the source,
       load, file, encoding, and exit commands and are able to use  the	 auto-
       loading and package mechanisms.

       No  knowledge of the file system structure is leaked to the safe inter‐
       preter, because it has access only to  a	 virtualized  path  containing
       tokens.	When  the  safe interpreter requests to source a file, it uses
       the token in the virtual path as part of the file name to  source;  the
       master  interpreter  transparently  translates  the  token  into a real
       directory name and executes the requested operation  (see  the  section
       SECURITY	 below	for  details).	 Different  levels  of security can be
       selected by using the optional flags of the commands described below.

       All commands provided in the master interpreter by the Safe Base reside
       in the safe namespace:

COMMANDS
       The following commands are provided in the master interpreter:

       ::safe::interpCreate ?slave? ?options...?
	      Creates  a  safe	interpreter, installs the aliases described in
	      the section ALIASES and initializes the auto-loading and package
	      mechanism as specified by the supplied options.  See the OPTIONS
	      section below for a description of the optional  arguments.   If
	      the  slave  argument  is	omitted,  a  name  will	 be generated.
	      ::safe::interpCreate always returns the interpreter name.

       ::safe::interpInit slave ?options...?
	      This command is similar to interpCreate except it that does  not
	      create  the  safe	 interpreter.  slave must have been created by
	      some other means, like interp create -safe.

       ::safe::interpConfigure slave ?options...?
	      If no options are given, returns the settings  for  all  options
	      for  the	named  safe interpreter as a list of options and their
	      current values for that slave.  If a single additional  argument
	      is  provided, it will return a list of 2 elements name and value
	      where name is the full name of that option and value the current
	      value  for  that	option	and the slave.	If more than two addi‐
	      tional arguments are provided,  it  will	reconfigure  the  safe
	      interpreter  and change each and only the provided options.  See
	      the section on OPTIONS below for options	description.   Example
	      of use:
		     # Create a new interp with the same configuration as "$i0" :
		     set i1 [eval safe::interpCreate [safe::interpConfigure $i0]]
		     # Get the current deleteHook
		     set dh [safe::interpConfigure $i0	-del]
		     # Change (only) the statics loading ok attribute of an interp
		     # and its deleteHook (leaving the rest unchanged) :
		     safe::interpConfigure $i0	-delete {foo bar} -statics 0 ;

       ::safe::interpDelete slave
	      Deletes  the  safe  interpreter  and cleans up the corresponding
	      master interpreter data structures.  If a deleteHook script  was
	      specified for this interpreter it is evaluated before the inter‐
	      preter is deleted, with the name of the interpreter as an	 addi‐
	      tional argument.

       ::safe::interpFindInAccessPath slave directory
	      This  command finds and returns the token for the real directory
	      directory in the safe interpreter's current virtual access path.
	      It generates an error if the directory is not found.  Example of
	      use:
		     $slave eval [list set tk_library [::safe::interpFindInAccessPath $name $tk_library]]

       ::safe::interpAddToAccessPath slave directory
	      This command adds directory to the virtual path  maintained  for
	      the  safe	 interpreter in the master, and returns the token that
	      can be used in the safe interpreter to obtain access to files in
	      that  directory.	 If  the  directory  is already in the virtual
	      path, it only returns the token without adding the directory  to
	      the virtual path again.  Example of use:
		     $slave eval [list set tk_library [::safe::interpAddToAccessPath $name $tk_library]]

       ::safe::setLogCmd ?cmd arg...?
	      This  command  installs a script that will be called when inter‐
	      esting life cycle events occur for  a  safe  interpreter.	  When
	      called  with  no	arguments,  it returns the currently installed
	      script.  When called with one argument,  an  empty  string,  the
	      currently installed script is removed and logging is turned off.
	      The script will be  invoked  with	 one  additional  argument,  a
	      string describing the event of interest.	The main purpose is to
	      help in debugging safe interpreters.  Using  this	 facility  you
	      can  get complete error messages while the safe interpreter gets
	      only generic error messages.  This prevents a  safe  interpreter
	      from  seeing messages about failures and other events that might
	      contain sensitive information such as real directory names.
	      Example of use:
		     ::safe::setLogCmd puts stderr
	      Below is the output of a sample session in which a  safe	inter‐
	      preter  attempted	 to  source  a	file  not found in its virtual
	      access path.  Note that the safe interpreter  only  received  an
	      error message saying that the file was not found:
		     NOTICE for slave interp10 : Created
		     NOTICE for slave interp10 : Setting accessPath=(/foo/bar) staticsok=1 nestedok=0 deletehook=()
		     NOTICE for slave interp10 : auto_path in interp10 has been set to {$p(:0:)}
		     ERROR for slave interp10 : /foo/bar/init.tcl: no such file or directory

OPTIONS
       The    following	   options   are   common   to	 ::safe::interpCreate,
       ::safe::interpInit, and ::safe::interpConfigure.	 Any option  name  can
       be abbreviated to its minimal non-ambiguous name.  Option names are not
       case sensitive.

       -accessPath directoryList
	      This option sets the list of directories	from  which  the  safe
	      interpreter  can	source	and load files.	 If this option is not
	      specified, or if it is given as the empty list, the safe	inter‐
	      preter  will  use	 the  same directories as its master for auto-
	      loading.	See the section SECURITY below for more	 detail	 about
	      virtual paths, tokens and access control.

       -statics boolean
	      This option specifies if the safe interpreter will be allowed to
	      load statically linked packages (like load {} Tk).  The  default
	      value is true : safe interpreters are allowed to load statically
	      linked packages.

       -noStatics
	      This option is a convenience shortcut  for  -statics  false  and
	      thus  specifies that the safe interpreter will not be allowed to
	      load statically linked packages.

       -nested boolean
	      This option specifies if the safe interpreter will be allowed to
	      load  packages into its own sub-interpreters.  The default value
	      is false : safe interpreters are not allowed  to	load  packages
	      into their own sub-interpreters.

       -nestedLoadOk
	      This  option is a convenience shortcut for -nested true and thus
	      specifies the safe interpreter will be allowed to load  packages
	      into its own sub-interpreters.

       -deleteHook script
	      When  this option is given a non-empty script, it will be evalu‐
	      ated in the master with the name of the safe interpreter	as  an
	      additional  argument  just  before  actually  deleting  the safe
	      interpreter.   Giving  an	 empty	value  removes	any  currently
	      installed	 deletion  hook script for that safe interpreter.  The
	      default value ({}) is not to have any deletion call back.

ALIASES
       The following aliases are provided in a safe interpreter:

       source fileName
	      The requested file, a Tcl source file, is sourced into the  safe
	      interpreter  if  it  is found.  The source alias can only source
	      files from directories in the virtual path for the  safe	inter‐
	      preter.  The  source  alias requires the safe interpreter to use
	      one of the token names in its virtual path to denote the	direc‐
	      tory in which the file to be sourced can be found.  See the sec‐
	      tion on SECURITY for more discussion of  restrictions  on	 valid
	      filenames.

       load fileName
	      The  requested file, a shared object file, is dynamically loaded
	      into the safe interpreter if it is  found.   The	filename  must
	      contain  a token name mentioned in the virtual path for the safe
	      interpreter for it to be found successfully.  Additionally,  the
	      shared object file must contain a safe entry point; see the man‐
	      ual page for the load command for more details.

       file ?subCmd args...?
	      The file alias provides access to a safe subset of  the  subcom‐
	      mands  of the file command; it allows only dirname, join, exten‐
	      sion, root, tail,	 pathname  and	split  subcommands.  For  more
	      details on what these subcommands do see the manual page for the
	      file command.

       encoding ?subCmd args...?
	      The encoding alias provides access to a safe subset of the  sub‐
	      commands	of  the encoding command;  it disallows setting of the
	      system encoding, but allows all other subcommands including sys‐
	      tem to check the current encoding.

       exit   The  calling  interpreter	 is  deleted  and  its	computation is
	      stopped, but the Tcl process in which this interpreter exists is
	      not terminated.

SECURITY
       The  Safe  Base	does  not  attempt to completely prevent annoyance and
       denial of service attacks. These forms of attack prevent	 the  applica‐
       tion  or	 user  from  temporarily  using the computer to perform useful
       work, for example by consuming all available CPU time or all  available
       screen real estate.  These attacks, while aggravating, are deemed to be
       of lesser importance in general than integrity and privacy attacks that
       the Safe Base is to prevent.

       The  commands  available in a safe interpreter, in addition to the safe
       set as defined in interp manual page, are mediated aliases for  source,
       load, exit, and safe subsets of file and encoding. The safe interpreter
       can also auto-load code and it can request that packages be loaded.

       Because some of these commands access the local file system, there is a
       potential  for  information  leakage about its directory structure.  To
       prevent this, commands that take file names  as	arguments  in  a  safe
       interpreter  use	 tokens	 instead  of  the real directory names.	 These
       tokens are translated to the real directory name while  a  request  to,
       e.g.,  source  a file is mediated by the master interpreter.  This vir‐
       tual path system is maintained in the master interpreter for each  safe
       interpreter   created   by   ::safe::interpCreate   or  initialized  by
       ::safe::interpInit and the path maps  tokens  accessible	 in  the  safe
       interpreter into real path names on the local file system thus prevent‐
       ing safe interpreters from gaining knowledge about the structure of the
       file  system  of	 the  host on which the interpreter is executing.  The
       only valid file names arguments for the source and  load	 aliases  pro‐
       vided  to  the slave are path in the form of [file join token filename]
       (i.e. when using the native file path formats: token/filename on	 Unix,
       token\filename  on Windows, and token:filename on the Mac), where token
       is representing one of the directories of the accessPath list and file‐
       name  is	 one  file  in	that  directory (no sub directories access are
       allowed).

       When a token is used in a safe interpreter in a request	to  source  or
       load  a	file,  the token is checked and translated to a real path name
       and the file to be sourced or loaded is located	on  the	 file  system.
       The  safe  interpreter  never  gains  knowledge of the actual path name
       under which the file is stored on the file system.

       To further prevent potential information leakage from  sensitive	 files
       that  are accidentally included in the set of files that can be sourced
       by a safe interpreter, the source alias restricts access to files meet‐
       ing  the	 following constraints: the file name must fourteen characters
       or shorter, must not contain more than one dot ("."), must end up  with
       the extension .tcl or be called tclIndex.

       Each  element  of the initial access path list will be assigned a token
       that will be set in the slave auto_path and the first element  of  that
       list will be set as the tcl_library for that slave.

       If  the	access	path  argument	is not given or is the empty list, the
       default behavior is to let the slave access the same  packages  as  the
       master  has  access to (Or to be more precise: only packages written in
       Tcl (which by definition can't be dangerous as they run	in  the	 slave
       interpreter)  and  C extensions that provides a Safe_Init entry point).
       For that purpose, the master's auto_path will be used to construct  the
       slave  access path.  In order that the slave successfully loads the Tcl
       library files (which includes the auto-loading  mechanism  itself)  the
       tcl_library  will be added or moved to the first position if necessary,
       in the slave access path, so the slave tcl_library will be the same  as
       the  master's  (its  real  path	will  still  be invisible to the slave
       though).	 In order that auto-loading works the same for the  slave  and
       the  master in this by default case, the first-level sub directories of
       each directory in the master auto_path  will  also  be  added  (if  not
       already	included)  to the slave access path.  You can always specify a
       more restrictive path for which sub directories will never be  searched
       by  explicitly specifying your directory list with the -accessPath flag
       instead of relying on this default mechanism.

       When the accessPath is changed after the first creation or  initializa‐
       tion  (i.e. through interpConfigure -accessPath list), an auto_reset is
       automatically evaluated in the  safe  interpreter  to  synchronize  its
       auto_index with the new token list.

SEE ALSO
       interp(n), library(n), load(n), package(n), source(n), unknown(n)

KEYWORDS
       alias,  auto-loading,  auto_mkindex,  load,  master  interpreter,  safe
       interpreter, slave interpreter, source

Tcl				      8.0			   Safe Tcl(n)
[top]
                             _         _         _ 
                            | |       | |       | |     
                            | |       | |       | |     
                         __ | | __ __ | | __ __ | | __  
                         \ \| |/ / \ \| |/ / \ \| |/ /  
                          \ \ / /   \ \ / /   \ \ / /   
                           \   /     \   /     \   /    
                            \_/       \_/       \_/ 
More information is available in HTML format for server QNX

List of man pages available for QNX

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net