Manual Pages for UNIX Darwin command on man SafeBase

Safe Tcl(n) Tcl Built-In Commands Safe Tcl(n)

NAME

Safe Base - A mechanism for creating and manipulating safe inter-

preters.

SYNOPSIS

::::ssaaffee::::iinntteerrppCCrreeaattee ?slave? ?options...? ::::ssaaffee::::iinntteerrppIInniitt slave ?options...? ::::ssaaffee::::iinntteerrppCCoonnffiigguurree slave ?options...? ::::ssaaffee::::iinntteerrppDDeelleettee slave ::::ssaaffee::::iinntteerrppAAddddTTooAAcccceessssPPaatthh slave directory ::::ssaaffee::::iinntteerrppFFiinnddIInnAAcccceessssPPaatthh slave directory ::::ssaaffee::::sseettLLooggCCmmdd ?cmd arg...? OOPPTTIIOONNSS

?-aacccceessssPPaatthh pathList? ?-ssttaattiiccss boolean? ?-nnooSSttaattiiccss? ?-nneesstteedd

boolean? ?-nneesstteeddLLooaaddOOkk? ?-ddeelleetteeHHooookk script?

DESCRIPTION

Safe Tcl is a mechanism for executing untrusted Tcl scripts safely and for providing mediated access by such scripts to potentially dangerous functionality.

The Safe Base ensures that untrusted Tcl scripts cannot harm the host-

ing application. The Safe Base prevents integrity and privacy attacks. Untrusted Tcl scripts are prevented from corrupting the state of the hosting application or computer. Untrusted scripts are also prevented from disclosing information stored on the hosting computer or in the hosting application to any party. The Safe Base allows a master interpreter to create safe, restricted interpreters that contain a set of predefined aliases for the ssoouurrccee,

llooaadd, ffiillee, eennccooddiinngg, and eexxiitt commands and are able to use the auto-

loading and package mechanisms.

No knowledge of the file system structure is leaked to the safe inter-

preter, because it has access only to a virtualized path containing tokens. When the safe interpreter requests to source a file, it uses the token in the virtual path as part of the file name to source; the master interpreter transparently translates the token into a real directory name and executes the requested operation (see the section SSEECCUURRIITTYY below for details). Different levels of security can be selected by using the optional flags of the commands described below. All commands provided in the master interpreter by the Safe Base reside in the ssaaffee namespace: CCOOMMMMAANNDDSS The following commands are provided in the master interpreter: ::::ssaaffee::::iinntteerrppCCrreeaattee ?slave? ?options...? Creates a safe interpreter, installs the aliases described in

the section AALLIIAASSEESS and initializes the auto-loading and package

mechanism as specified by the supplied ooppttiioonnss. See the OOPPTTIIOONNSS section below for a description of the optional arguments. If the slave argument is omitted, a name will be generated. ::::ssaaffee::::iinntteerrppCCrreeaattee always returns the interpreter name. ::::ssaaffee::::iinntteerrppIInniitt slave ?options...? This command is similar to iinntteerrppCCrreeaattee except it that does not create the safe interpreter. slave must have been created by

some other means, like iinntteerrpp ccrreeaattee -ssaaffee.

::::ssaaffee::::iinntteerrppCCoonnffiigguurree slave ?options...? If no options are given, returns the settings for all options for the named safe interpreter as a list of options and their current values for that slave. If a single additional argument is provided, it will return a list of 2 elements name and value where name is the full name of that option and value the current

value for that option and the slave. If more than two addi-

tional arguments are provided, it will reconfigure the safe interpreter and change each and only the provided options. See the section on OOPPTTIIOONNSS below for options description. Example of use:

# Create a new interp with the same configuration as "$i0" :

set i1 [eval safe::interpCreate [safe::interpConfigure $i0]]

# Get the current deleteHook

set dh [safe::interpConfigure $i0 -del]

# Change (only) the statics loading ok attribute of an interp

# and its deleteHook (leaving the rest unchanged) :

safe::interpConfigure $i0 -delete {foo bar} -statics 0 ;

::::ssaaffee::::iinntteerrppDDeelleettee slave Deletes the safe interpreter and cleans up the corresponding master interpreter data structures. If a deleteHook script was

specified for this interpreter it is evaluated before the inter-

preter is deleted, with the name of the interpreter as an addi-

tional argument. ::::ssaaffee::::iinntteerrppFFiinnddIInnAAcccceessssPPaatthh slave directory This command finds and returns the token for the real directory directory in the safe interpreter's current virtual access path. It generates an error if the directory is not found. Example of use:

$slave eval [list set tklibrary [::safe::interpFindInAccessPath $name $tklibrary]]

::::ssaaffee::::iinntteerrppAAddddTTooAAcccceessssPPaatthh slave directory This command adds directory to the virtual path maintained for the safe interpreter in the master, and returns the token that can be used in the safe interpreter to obtain access to files in that directory. If the directory is already in the virtual path, it only returns the token without adding the directory to the virtual path again. Example of use:

$slave eval [list set tklibrary [::safe::interpAddToAccessPath $name $tklibrary]]

::::ssaaffee::::sseettLLooggCCmmdd ?cmd arg...?

This command installs a script that will be called when inter-

esting life cycle events occur for a safe interpreter. When called with no arguments, it returns the currently installed script. When called with one argument, an empty string, the currently installed script is removed and logging is turned off. The script will be invoked with one additional argument, a string describing the event of interest. The main purpose is to help in debugging safe interpreters. Using this facility you can get complete error messages while the safe interpreter gets only generic error messages. This prevents a safe interpreter from seeing messages about failures and other events that might contain sensitive information such as real directory names. Example of use: ::safe::setLogCmd puts stderr

Below is the output of a sample session in which a safe inter-

preter attempted to source a file not found in its virtual access path. Note that the safe interpreter only received an error message saying that the file was not found: NOTICE for slave interp10 : Created NOTICE for slave interp10 : Setting accessPath=(/foo/bar) staticsok=1 nestedok=0 deletehook=()

NOTICE for slave interp10 : autopath in interp10 has been set to {$p(:0:)}

ERROR for slave interp10 : /foo/bar/init.tcl: no such file or directory

OOPPTTIIOONNSS The following options are common to ::::ssaaffee::::iinntteerrppCCrreeaattee, ::::ssaaffee::::iinntteerrppIInniitt, and ::::ssaaffee::::iinntteerrppCCoonnffiigguurree. Any option name can

be abbreviated to its minimal non-ambiguous name. Option names are not

case sensitive.

-aacccceessssPPaatthh directoryList

This option sets the list of directories from which the safe interpreter can ssoouurrccee and llooaadd files. If this option is not

specified, or if it is given as the empty list, the safe inter-

preter will use the same directories as its master for auto-

loading. See the section SSEECCUURRIITTYY below for more detail about virtual paths, tokens and access control.

-ssttaattiiccss boolean

This option specifies if the safe interpreter will be allowed to load statically linked packages (like llooaadd {{}} TTkk). The default value is ttrruuee : safe interpreters are allowed to load statically linked packages.

-nnooSSttaattiiccss

This option is a convenience shortcut for -ssttaattiiccss ffaallssee and

thus specifies that the safe interpreter will not be allowed to load statically linked packages.

-nneesstteedd boolean

This option specifies if the safe interpreter will be allowed to

load packages into its own sub-interpreters. The default value

is ffaallssee : safe interpreters are not allowed to load packages

into their own sub-interpreters.

-nneesstteeddLLooaaddOOkk

This option is a convenience shortcut for -nneesstteedd ttrruuee and thus

specifies the safe interpreter will be allowed to load packages

into its own sub-interpreters.

-ddeelleetteeHHooookk script

When this option is given an non empty script, it will be evalu-

ated in the master with the name of the safe interpreter as an additional argument just before actually deleting the safe interpreter. Giving an empty value removes any currently installed deletion hook script for that safe interpreter. The default value ({{}}) is not to have any deletion call back. AALLIIAASSEESS The following aliases are provided in a safe interpreter: ssoouurrccee fileName The requested file, a Tcl source file, is sourced into the safe interpreter if it is found. The ssoouurrccee alias can only source

files from directories in the virtual path for the safe inter-

preter. The ssoouurrccee alias requires the safe interpreter to use

one of the token names in its virtual path to denote the direc-

tory in which the file to be sourced can be found. See the sec-

tion on SSEECCUURRIITTYY for more discussion of restrictions on valid filenames. llooaadd fileName The requested file, a shared object file, is dynamically loaded into the safe interpreter if it is found. The filename must contain a token name mentioned in the virtual path for the safe interpreter for it to be found successfully. Additionally, the

shared object file must contain a safe entry point; see the man-

ual page for the llooaadd command for more details. ffiillee ?subCmd args...?

The ffiillee alias provides access to a safe subset of the subcom-

mands of the ffiillee command; it allows only ddiirrnnaammee, jjooiinn, eexxtteenn-

ssiioonn, rroooott, ttaaiill, ppaatthhnnaammee and sspplliitt subcommands. For more details on what these subcommands do see the manual page for the ffiillee command. eennccooddiinngg ?subCmd args...?

The eennccooddiinngg alias provides access to a safe subset of the sub-

commands of the eennccooddiinngg command; it disallows setting of the

system encoding, but allows all other subcommands including ssyyss-

tteemm to check the current encoding. eexxiitt The calling interpreter is deleted and its computation is stopped, but the Tcl process in which this interpreter exists is not terminated. SSEECCUURRIITTYY The Safe Base does not attempt to completely prevent annoyance and

denial of service attacks. These forms of attack prevent the applica-

tion or user from temporarily using the computer to perform useful work, for example by consuming all available CPU time or all available screen real estate. These attacks, while aggravating, are deemed to be of lesser importance in general than integrity and privacy attacks that the Safe Base is to prevent. The commands available in a safe interpreter, in addition to the safe set as defined in iinntteerrpp manual page, are mediated aliases for ssoouurrccee, llooaadd, eexxiitt, and safe subsets of ffiillee and eennccooddiinngg. The safe interpreter

can also auto-load code and it can request that packages be loaded.

Because some of these commands access the local file system, there is a potential for information leakage about its directory structure. To prevent this, commands that take file names as arguments in a safe interpreter use tokens instead of the real directory names. These tokens are translated to the real directory name while a request to,

e.g., source a file is mediated by the master interpreter. This vir-

tual path system is maintained in the master interpreter for each safe interpreter created by ::::ssaaffee::::iinntteerrppCCrreeaattee or initialized by ::::ssaaffee::::iinntteerrppIInniitt and the path maps tokens accessible in the safe

interpreter into real path names on the local file system thus prevent-

ing safe interpreters from gaining knowledge about the structure of the file system of the host on which the interpreter is executing. The

only valid file names arguments for the ssoouurrccee and llooaadd aliases pro-

vided to the slave are path in the form of [[ffiillee jjooiinn token filename]] (ie, when using the native file path formats: token//filename on Unix, token\\filename on Windows, and token::filename on the Mac), where token

is representing one of the directories of the accessPath list and file-

name is one file in that directory (no sub directories access are allowed). When a token is used in a safe interpreter in a request to source or load a file, the token is checked and translated to a real path name and the file to be sourced or loaded is located on the file system. The safe interpreter never gains knowledge of the actual path name under which the file is stored on the file system. To further prevent potential information leakage from sensitive files that are accidentally included in the set of files that can be sourced

by a safe interpreter, the ssoouurrccee alias restricts access to files meet-

ing the following constraints: the file name must fourteen characters or shorter, must not contain more than one dot (".."), must end up with the extension ..ttccll or be called ttccllIInnddeexx. Each element of the initial access path list will be assigned a token that will be set in the slave aauuttooppaatthh and the first element of that list will be set as the ttcclllliibbrraarryy for that slave. If the access path argument is not given or is the empty list, the default behavior is to let the slave access the same packages as the master has access to (Or to be more precise: only packages written in Tcl (which by definition can't be dangerous as they run in the slave interpreter) and C extensions that provides a SafeInit entry point). For that purpose, the master's aauuttooppaatthh will be used to construct the slave access path. In order that the slave successfully loads the Tcl

library files (which includes the auto-loading mechanism itself) the

ttcclllliibbrraarryy will be added or moved to the first position if necessary, in the slave access path, so the slave ttcclllliibbrraarryy will be the same as the master's (its real path will still be invisible to the slave

though). In order that auto-loading works the same for the slave and

the master in this by default case, the first-level sub directories of

each directory in the master aauuttooppaatthh will also be added (if not already included) to the slave access path. You can always specify a more restrictive path for which sub directories will never be searched

by explicitly specifying your directory list with the -aacccceessssPPaatthh flag

instead of relying on this default mechanism.

When the accessPath is changed after the first creation or initializa-

tion (ie through iinntteerrppCCoonnffiigguurree -aacccceessssPPaatthh list), an aauuttoorreesseett is

automatically evaluated in the safe interpreter to synchronize its aauuttooiinnddeexx with the new token list.