Provided by: tcl8.5-doc_8.5.15-2ubuntu1_all bug


       Safe Base - A mechanism for creating and manipulating safe interpreters


       ::safe::interpCreate ?slave? ?options...?

       ::safe::interpInit slave ?options...?

       ::safe::interpConfigure slave ?options...?

       ::safe::interpDelete slave

       ::safe::interpAddToAccessPath slave directory

       ::safe::interpFindInAccessPath slave directory

       ::safe::setLogCmd ?cmd arg...?

       ?-accessPath pathList?  ?-statics boolean? ?-noStatics?  ?-nested boolean? ?-nestedLoadOk?
       ?-deleteHook script?


       Safe Tcl is a mechanism for executing untrusted  Tcl  scripts  safely  and  for  providing
       mediated access by such scripts to potentially dangerous functionality.

       The Safe Base ensures that untrusted Tcl scripts cannot harm the hosting application.  The
       Safe Base prevents integrity and privacy attacks. Untrusted Tcl scripts are prevented from
       corrupting  the  state  of the hosting application or computer. Untrusted scripts are also
       prevented from disclosing information stored on the hosting computer  or  in  the  hosting
       application to any party.

       The  Safe  Base  allows  a master interpreter to create safe, restricted interpreters that
       contain a set of predefined aliases  for  the  source,  load,  file,  encoding,  and  exit
       commands and are able to use the auto-loading and package mechanisms.

       No  knowledge  of  the file system structure is leaked to the safe interpreter, because it
       has access only to a  virtualized  path  containing  tokens.  When  the  safe  interpreter
       requests  to source a file, it uses the token in the virtual path as part of the file name
       to source; the master interpreter transparently translates the token into a real directory
       name  and  executes  the requested operation (see the section SECURITY below for details).
       Different levels of security can be selected by using the optional flags of  the  commands
       described below.

       All  commands  provided  in  the  master  interpreter  by the Safe Base reside in the safe


       The following commands are provided in the master interpreter:

       ::safe::interpCreate ?slave? ?options...?
              Creates a safe interpreter, installs the aliases described in the  section  ALIASES
              and initializes the auto-loading and package mechanism as specified by the supplied
              options.  See  the  OPTIONS  section  below  for  a  description  of  the  optional
              arguments.    If  the  slave  argument  is  omitted,  a  name  will  be  generated.
              ::safe::interpCreate always returns the interpreter name.

       ::safe::interpInit slave ?options...?
              This command is similar to interpCreate except it that does  not  create  the  safe
              interpreter.  slave  must have been created by some other means, like interp create

       ::safe::interpConfigure slave ?options...?
              If no options are given, returns the settings for all options for  the  named  safe
              interpreter  as  a  list  of options and their current values for that slave.  If a
              single additional argument is provided, it will return a list of  2  elements  name
              and  value  where  name is the full name of that option and value the current value
              for that option and the slave.  If more than two additional arguments are provided,
              it  will  reconfigure  the  safe  interpreter and change each and only the provided
              options.  See the section on OPTIONS below for  options  description.   Example  of

                     # Create new interp with the same configuration as "$i0":
                     set i1 [safe::interpCreate {*}[safe::interpConfigure $i0]]

                     # Get the current deleteHook
                     set dh [safe::interpConfigure $i0  -del]

                     # Change (only) the statics loading ok attribute of an
                     # interp and its deleteHook (leaving the rest unchanged):
                     safe::interpConfigure $i0  -delete {foo bar} -statics 0

       ::safe::interpDelete slave
              Deletes  the  safe  interpreter  and cleans up the corresponding master interpreter
              data structures.  If a deleteHook script was specified for this interpreter  it  is
              evaluated before the interpreter is deleted, with the name of the interpreter as an
              additional argument.

       ::safe::interpFindInAccessPath slave directory
              This command finds and returns the token for the real directory  directory  in  the
              safe  interpreter's  current  virtual  access  path.   It generates an error if the
              directory is not found.  Example of use:

                     $slave eval [list set tk_library \
                           [::safe::interpFindInAccessPath $name $tk_library]]

       ::safe::interpAddToAccessPath slave directory
              This command adds directory to the virtual path maintained for the safe interpreter
              in  the  master,  and returns the token that can be used in the safe interpreter to
              obtain access to files in that directory.  If  the  directory  is  already  in  the
              virtual path, it only returns the token without adding the directory to the virtual
              path again.  Example of use:

                     $slave eval [list set tk_library \
                           [::safe::interpAddToAccessPath $name $tk_library]]

       ::safe::setLogCmd ?cmd arg...?
              This command installs a script that will be  called  when  interesting  life  cycle
              events occur for a safe interpreter.  When called with no arguments, it returns the
              currently installed script.  When called with one argument, an  empty  string,  the
              currently  installed  script is removed and logging is turned off.  The script will
              be invoked with one additional argument, a string describing the event of interest.
              The  main  purpose  is to help in debugging safe interpreters.  Using this facility
              you can get complete error messages while the safe interpreter  gets  only  generic
              error  messages.   This  prevents  a  safe  interpreter  from seeing messages about
              failures and other events that might contain sensitive  information  such  as  real
              directory names.

              Example of use:

                     ::safe::setLogCmd puts stderr

              Below  is  the  output of a sample session in which a safe interpreter attempted to
              source a file not found in its virtual access path.  Note that the safe interpreter
              only received an error message saying that the file was not found:

                     NOTICE for slave interp10 : Created
                     NOTICE for slave interp10 : Setting accessPath=(/foo/bar) staticsok=1 nestedok=0 deletehook=()
                     NOTICE for slave interp10 : auto_path in interp10 has been set to {$p(:0:)}
                     ERROR for slave interp10 : /foo/bar/init.tcl: no such file or directory

       The   following  options  are  common  to  ::safe::interpCreate,  ::safe::interpInit,  and
       ::safe::interpConfigure.  Any option name can be abbreviated to its minimal  non-ambiguous
       name.  Option names are not case sensitive.

       -accessPath directoryList
              This option sets the list of directories from which the safe interpreter can source
              and load files.  If this option is not specified, or if it is given  as  the  empty
              list,  the  safe  interpreter will use the same directories as its master for auto-
              loading.  See the section SECURITY below  for  more  detail  about  virtual  paths,
              tokens and access control.

       -statics boolean
              This  option  specifies  if the safe interpreter will be allowed to load statically
              linked packages (like load {} Tk).  The default value is true :  safe  interpreters
              are allowed to load statically linked packages.

              This  option  is  a convenience shortcut for -statics false and thus specifies that
              the safe interpreter will not be allowed to load statically linked packages.

       -nested boolean
              This option specifies if the safe interpreter will be allowed to load packages into
              its  own  sub-interpreters.  The default value is false : safe interpreters are not
              allowed to load packages into their own sub-interpreters.

              This option is a convenience shortcut for -nested true and thus specifies the  safe
              interpreter will be allowed to load packages into its own sub-interpreters.

       -deleteHook script
              When  this  option  is given a non-empty script, it will be evaluated in the master
              with the name of the  safe  interpreter  as  an  additional  argument  just  before
              actually  deleting  the  safe  interpreter.   Giving  an  empty  value  removes any
              currently installed deletion hook script for that safe  interpreter.   The  default
              value ({}) is not to have any deletion call back.


       The following aliases are provided in a safe interpreter:

       source fileName
              The  requested  file, a Tcl source file, is sourced into the safe interpreter if it
              is found.  The source alias can only source files from directories in  the  virtual
              path  for  the  safe interpreter. The source alias requires the safe interpreter to
              use one of the token names in its virtual path to denote the directory in which the
              file  to  be sourced can be found.  See the section on SECURITY for more discussion
              of restrictions on valid filenames.

       load fileName
              The requested file, a shared object file,  is  dynamically  loaded  into  the  safe
              interpreter  if  it  is found.  The filename must contain a token name mentioned in
              the virtual path for  the  safe  interpreter  for  it  to  be  found  successfully.
              Additionally,  the  shared  object  file  must  contain a safe entry point; see the
              manual page for the load command for more details.

       file ?subCmd args...?
              The file alias provides access to a safe subset of  the  subcommands  of  the  file
              command;  it  allows  only dirname, join, extension, root, tail, pathname and split
              subcommands. For more details on what these subcommands do see the manual page  for
              the file command.

       encoding ?subCmd args...?
              The  encoding  alias  provides  access  to  a safe subset of the subcommands of the
              encoding command;  it disallows setting of the  system  encoding,  but  allows  all
              other subcommands including system to check the current encoding.

       exit   The  calling  interpreter  is  deleted  and its computation is stopped, but the Tcl
              process in which this interpreter exists is not terminated.


       The Safe Base does not attempt to completely  prevent  annoyance  and  denial  of  service
       attacks.  These forms of attack prevent the application or user from temporarily using the
       computer to perform useful work, for example by consuming all available CPU  time  or  all
       available  screen  real  estate.   These  attacks,  while aggravating, are deemed to be of
       lesser importance in general than integrity and privacy attacks that the Safe Base  is  to

       The  commands  available  in a safe interpreter, in addition to the safe set as defined in
       interp manual page, are mediated aliases for source, load, exit, and safe subsets of  file
       and  encoding.  The  safe  interpreter  can  also  auto-load  code and it can request that
       packages be loaded.

       Because some of these commands access the local file system,  there  is  a  potential  for
       information  leakage  about  its directory structure.  To prevent this, commands that take
       file names as arguments in a safe interpreter use tokens instead  of  the  real  directory
       names.   These  tokens are translated to the real directory name while a request to, e.g.,
       source a file is mediated  by  the  master  interpreter.   This  virtual  path  system  is
       maintained   in   the   master   interpreter   for   each   safe  interpreter  created  by
       ::safe::interpCreate or  initialized  by  ::safe::interpInit  and  the  path  maps  tokens
       accessible  in  the  safe  interpreter  into real path names on the local file system thus
       preventing safe interpreters from gaining knowledge about the structure of the file system
       of  the  host  on which the interpreter is executing.  The only valid file names arguments
       for the source and load aliases provided to the slave are path in the form of  [file  join
       token  filename] (i.e. when using the native file path formats: token/filename on Unix and
       token\filename on Windows), where token is representing one  of  the  directories  of  the
       accessPath  list and filename is one file in that directory (no sub directories access are

       When a token is used in a safe interpreter in a request to source  or  load  a  file,  the
       token  is  checked and translated to a real path name and the file to be sourced or loaded
       is located on the file system.  The safe interpreter never gains knowledge of  the  actual
       path name under which the file is stored on the file system.

       To   further   prevent  potential  information  leakage  from  sensitive  files  that  are
       accidentally included in the set of files that can be sourced by a safe  interpreter,  the
       source  alias  restricts  access to files meeting the following constraints: the file name
       must fourteen characters or shorter, must not contain more than one dot (“.”), must end up
       with the extension (“.tcl”) or be called (“tclIndex”.)

       Each  element of the initial access path list will be assigned a token that will be set in
       the slave auto_path and the first element of that list will be set as the tcl_library  for
       that slave.

       If  the access path argument is not given or is the empty list, the default behavior is to
       let the slave access the same packages as the master has access to (Or to be more precise:
       only  packages  written in Tcl (which by definition cannot be dangerous as they run in the
       slave interpreter) and C extensions that provides  a  _SafeInit  entry  point).  For  that
       purpose, the master's auto_path will be used to construct the slave access path.  In order
       that the slave successfully loads the Tcl library files (which includes  the  auto-loading
       mechanism  itself)  the  tcl_library  will  be  added  or  moved  to the first position if
       necessary, in the slave access path, so the slave tcl_library will  be  the  same  as  the
       master's (its real path will still be invisible to the slave though).  In order that auto-
       loading works the same for the slave and the master in this by default  case,  the  first-
       level sub directories of each directory in the master auto_path will also be added (if not
       already included) to the slave access path.  You can always  specify  a  more  restrictive
       path  for  which  sub  directories  will  never  be searched by explicitly specifying your
       directory list with the -accessPath flag instead of relying on this default mechanism.

       When the accessPath is changed after the first creation or  initialization  (i.e.  through
       interpConfigure  -accessPath  list),  an auto_reset is automatically evaluated in the safe
       interpreter to synchronize its auto_index with the new token list.


       interp(3tcl), library(3tcl), load(3tcl), package(3tcl), source(3tcl), unknown(3tcl)


       alias, auto-loading, auto_mkindex,  load,  master  interpreter,  safe  interpreter,  slave
       interpreter, source