Go to main content

man pages section 1: User Commands

Exit Print View

Updated: Wednesday, February 9, 2022

safe (1t)


safe - Creating and manipulating safe interpreters


::safe::interpCreate ?slave? ?options...?

::safe::interpInit slave ?options...?

::safe::interpConfigure slave ?options...?

::safe::interpDelete slave

::safe::interpAddToAccessPath slave directory

::safe::interpFindInAccessPath slave directory

::safe::setLogCmd ?cmd arg...?

?-accessPath pathList?  ?-statics boolean? ?-noStatics?  ?-nested bool-
ean? ?-nestedLoadOk?  ?-deleteHook script?


Safe Tcl(1t)                 Tcl Built-In Commands                Safe Tcl(1t)


       safe - Creating and manipulating safe interpreters

       ::safe::interpCreate ?slave? ?options...?

       ::safe::interpInit slave ?options...?

       ::safe::interpConfigure slave ?options...?

       ::safe::interpDelete slave

       ::safe::interpAddToAccessPath slave directory

       ::safe::interpFindInAccessPath slave directory

       ::safe::setLogCmd ?cmd arg...?

       ?-accessPath pathList?  ?-statics boolean? ?-noStatics?  ?-nested bool-
       ean? ?-nestedLoadOk?  ?-deleteHook script?

       Safe Tcl is a mechanism for executing untrusted Tcl scripts safely  and
       for  providing mediated access by such scripts to potentially dangerous

       Safe Tcl ensures that untrusted Tcl scripts  cannot  harm  the  hosting
       application.   It prevents integrity and privacy attacks. Untrusted Tcl
       scripts are prevented from corrupting the state of the hosting applica-
       tion  or computer. Untrusted scripts are also prevented from disclosing
       information stored on the hosting computer or in the  hosting  applica-
       tion to any party.

       Safe  Tcl allows a master interpreter to create safe, restricted inter-
       preters that contain a set of predefined aliases for the source,  load,
       file,  encoding, and exit commands and are able to use the auto-loading
       and package mechanisms.

       No knowledge of the file system structure is leaked to the safe  inter-
       preter,  because  it  has  access only to a virtualized path containing
       tokens. When the safe interpreter requests to source a  file,  it  uses
       the  token  in the virtual path as part of the file name to source; the
       master interpreter transparently  translates  the  token  into  a  real
       directory  name  and  executes the requested operation (see the section
       SECURITY below for details).   Different  levels  of  security  can  be
       selected by using the optional flags of the commands described below.

       All  commands  provided in the master interpreter by Safe Tcl reside in
       the safe namespace.

       The following commands are provided in the master interpreter:

       ::safe::interpCreate ?slave? ?options...?
              Creates a safe interpreter, installs the  aliases  described  in
              the section ALIASES and initializes the auto-loading and package
              mechanism as specified by the supplied options.  See the OPTIONS
              section  below  for a description of the optional arguments.  If
              the slave  argument  is  omitted,  a  name  will  be  generated.
              ::safe::interpCreate always returns the interpreter name.

       ::safe::interpInit slave ?options...?
              This  command is similar to interpCreate except it that does not
              create the safe interpreter. slave must  have  been  created  by
              some other means, like interp create -safe.

       ::safe::interpConfigure slave ?options...?
              If  no  options  are given, returns the settings for all options
              for the named safe interpreter as a list of  options  and  their
              current  values for that slave.  If a single additional argument
              is provided, it will return a list of 2 elements name and  value
              where name is the full name of that option and value the current
              value for that option and the slave.  If  more  than  two  addi-
              tional  arguments  are  provided,  it  will reconfigure the safe
              interpreter and change each and only the provided options.   See
              the  section  on OPTIONS below for options description.  Example
              of use:

                     # Create new interp with the same configuration as "$i0":
                     set i1 [safe::interpCreate {*}[safe::interpConfigure $i0]]

                     # Get the current deleteHook
                     set dh [safe::interpConfigure $i0  -del]

                     # Change (only) the statics loading ok attribute of an
                     # interp and its deleteHook (leaving the rest unchanged):
                     safe::interpConfigure $i0  -delete {foo bar} -statics 0

       ::safe::interpDelete slave
              Deletes the safe interpreter and  cleans  up  the  corresponding
              master  interpreter data structures.  If a deleteHook script was
              specified for this interpreter it is evaluated before the inter-
              preter  is deleted, with the name of the interpreter as an addi-
              tional argument.

       ::safe::interpFindInAccessPath slave directory
              This command finds and returns the token for the real  directory
              directory in the safe interpreter's current virtual access path.
              It generates an error if the directory is not found.  Example of

                     $slave eval [list set tk_library \
                           [::safe::interpFindInAccessPath $name $tk_library]]

       ::safe::interpAddToAccessPath slave directory
              This  command  adds directory to the virtual path maintained for
              the safe interpreter in the master, and returns the  token  that
              can be used in the safe interpreter to obtain access to files in
              that directory.  If the directory  is  already  in  the  virtual
              path,  it only returns the token without adding the directory to
              the virtual path again.  Example of use:

                     $slave eval [list set tk_library \
                           [::safe::interpAddToAccessPath $name $tk_library]]

       ::safe::setLogCmd ?cmd arg...?
              This command installs a script that will be called  when  inter-
              esting  life  cycle  events  occur for a safe interpreter.  When
              called with no arguments, it  returns  the  currently  installed
              script.   When  called  with  one argument, an empty string, the
              currently installed script is removed and logging is turned off.
              The  script  will  be  invoked  with  one additional argument, a
              string describing the event of interest.  The main purpose is to
              help  in  debugging  safe interpreters.  Using this facility you
              can get complete error messages while the safe interpreter  gets
              only  generic  error messages.  This prevents a safe interpreter
              from seeing messages about failures and other events that  might
              contain sensitive information such as real directory names.

              Example of use:

                     ::safe::setLogCmd puts stderr

              Below  is  the output of a sample session in which a safe inter-
              preter attempted to source a  file  not  found  in  its  virtual
              access  path.   Note  that the safe interpreter only received an
              error message saying that the file was not found:

                     NOTICE for slave interp10 : Created
                     NOTICE for slave interp10 : Setting accessPath=(/foo/bar) staticsok=1 nestedok=0 deletehook=()
                     NOTICE for slave interp10 : auto_path in interp10 has been set to {$p(:0:)}
                     ERROR for slave interp10 : /foo/bar/init.tcl: no such file or directory

       The   following   options   are   common    to    ::safe::interpCreate,
       ::safe::interpInit,  and  ::safe::interpConfigure.  Any option name can
       be abbreviated to its minimal non-ambiguous name.  Option names are not
       case sensitive.

       -accessPath directoryList
              This  option  sets  the  list of directories from which the safe
              interpreter can source and load files.  If this  option  is  not
              specified,  or if it is given as the empty list, the safe inter-
              preter will use the same directories as  its  master  for  auto-
              loading.   See  the section SECURITY below for more detail about
              virtual paths, tokens and access control.

       -statics boolean
              This option specifies if the safe interpreter will be allowed to
              load  statically linked packages (like load {} Tk).  The default
              value is true : safe interpreters are allowed to load statically
              linked packages.

              This  option  is  a  convenience shortcut for -statics false and
              thus specifies that the safe interpreter will not be allowed  to
              load statically linked packages.

       -nested boolean
              This option specifies if the safe interpreter will be allowed to
              load packages into its own sub-interpreters.  The default  value
              is  false  :  safe interpreters are not allowed to load packages
              into their own sub-interpreters.

              This option is a convenience shortcut for -nested true and  thus
              specifies  the safe interpreter will be allowed to load packages
              into its own sub-interpreters.

       -deleteHook script
              When this option is given a non-empty script, it will be  evalu-
              ated  in  the master with the name of the safe interpreter as an
              additional argument  just  before  actually  deleting  the  safe
              interpreter.   Giving  an  empty  value  removes  any  currently
              installed deletion hook script for that safe  interpreter.   The
              default value ({}) is not to have any deletion call back.

       The following aliases are provided in a safe interpreter:

       source fileName
              The  requested file, a Tcl source file, is sourced into the safe
              interpreter if it is found.  The source alias  can  only  source
              files  from  directories in the virtual path for the safe inter-
              preter. The source alias requires the safe  interpreter  to  use
              one  of the token names in its virtual path to denote the direc-
              tory in which the file to be sourced can be found.  See the sec-
              tion  on  SECURITY  for more discussion of restrictions on valid

       load fileName
              The requested file, a shared object file, is dynamically  loaded
              into  the  safe  interpreter  if it is found.  The filename must
              contain a token name mentioned in the virtual path for the  safe
              interpreter  for it to be found successfully.  Additionally, the
              shared object file must contain a safe entry point; see the man-
              ual page for the load command for more details.

       file ?subCmd args...?
              The  file  alias provides access to a safe subset of the subcom-
              mands of the file command; it allows only dirname, join,  exten-
              sion,  root,  tail,  pathname  and  split  subcommands. For more
              details on what these subcommands do see the manual page for the
              file command.

       encoding ?subCmd args...?
              The  encoding alias provides access to a safe subset of the sub-
              commands of the encoding command;  it disallows setting  of  the
              system encoding, but allows all other subcommands including sys-
              tem to check the current encoding.

       exit   The calling  interpreter  is  deleted  and  its  computation  is
              stopped, but the Tcl process in which this interpreter exists is
              not terminated.

       Safe Tcl does not attempt to completely prevent annoyance and denial of
       service  attacks. These forms of attack prevent the application or user
       from temporarily using the computer to perform useful work, for example
       by  consuming  all  available  CPU  time  or  all available screen real
       estate.  These attacks, while aggravating, are deemed to be  of  lesser
       importance  in general than integrity and privacy attacks that Safe Tcl
       is to prevent.

       The commands available in a safe interpreter, in addition to  the  safe
       set  as defined in interp manual page, are mediated aliases for source,
       load, exit, and safe subsets of file and encoding. The safe interpreter
       can also auto-load code and it can request that packages be loaded.

       Because some of these commands access the local file system, there is a
       potential for information leakage about its  directory  structure.   To
       prevent  this,  commands  that  take  file names as arguments in a safe
       interpreter use tokens instead of  the  real  directory  names.   These
       tokens  are  translated  to the real directory name while a request to,
       e.g., source a file is mediated by the master interpreter.   This  vir-
       tual  path system is maintained in the master interpreter for each safe
       interpreter  created  by   ::safe::interpCreate   or   initialized   by
       ::safe::interpInit  and  the  path  maps  tokens accessible in the safe
       interpreter into real path names on the local file system thus prevent-
       ing safe interpreters from gaining knowledge about the structure of the
       file system of the host on which the  interpreter  is  executing.   The
       only  valid  file  names arguments for the source and load aliases pro-
       vided to the slave are path in the form of [file join  token  filename]
       (i.e.  when  using the native file path formats: token/filename on Unix
       and token\filename on Windows), where token is representing one of  the
       directories  of  the  accessPath  list and filename is one file in that
       directory (no sub directories access are allowed).

       When a token is used in a safe interpreter in a request  to  source  or
       load  a  file,  the token is checked and translated to a real path name
       and the file to be sourced or loaded is located  on  the  file  system.
       The  safe  interpreter  never  gains  knowledge of the actual path name
       under which the file is stored on the file system.

       To further prevent potential information leakage from  sensitive  files
       that  are accidentally included in the set of files that can be sourced
       by a safe interpreter, the source alias restricts access to files meet-
       ing  the  following constraints: the file name must fourteen characters
       or shorter, must not contain more than one dot ("."), must end up  with
       the extension (".tcl") or be called ("tclIndex".)

       Each  element  of the initial access path list will be assigned a token
       that will be set in the slave auto_path and the first element  of  that
       list will be set as the tcl_library for that slave.

       If  the  access  path  argument  is not given or is the empty list, the
       default behavior is to let the slave access the same  packages  as  the
       master  has  access to (Or to be more precise: only packages written in
       Tcl (which by definition cannot be dangerous as they run in  the  slave
       interpreter)  and  C extensions that provides a _SafeInit entry point).
       For that purpose, the master's auto_path will be used to construct  the
       slave  access path.  In order that the slave successfully loads the Tcl
       library files (which includes the auto-loading  mechanism  itself)  the
       tcl_library  will be added or moved to the first position if necessary,
       in the slave access path, so the slave tcl_library will be the same  as
       the  master's  (its  real  path  will  still  be invisible to the slave
       though).  In order that auto-loading works the same for the  slave  and
       the  master in this by default case, the first-level sub directories of
       each directory in the master auto_path  will  also  be  added  (if  not
       already  included)  to the slave access path.  You can always specify a
       more restrictive path for which sub directories will never be  searched
       by  explicitly specifying your directory list with the -accessPath flag
       instead of relying on this default mechanism.

       When the accessPath is changed after the first creation or  initializa-
       tion  (i.e. through interpConfigure -accessPath list), an auto_reset is
       automatically evaluated in the  safe  interpreter  to  synchronize  its
       auto_index with the new token list.

       See attributes(7) for descriptions of the following attributes:

       |Availability   | runtime/tcl-8    |
       |Stability      | Uncommitted      |

       interp(n), library(n), load(n), package(n), source(n), unknown(n)

       alias,  auto-loading,  auto_mkindex,  load,  master  interpreter,  safe
       interpreter, slave interpreter, source

       Source code for open source software components in Oracle  Solaris  can
       be found at https://www.oracle.com/downloads/opensource/solaris-source-

       This    software    was    built    from    source     available     at
       https://github.com/oracle/solaris-userland.    The  original  community
       source was downloaded from  http://prdownloads.sourceforge.net/tcl/tcl-

       Further information about this software can be found on the open source
       community website at https://www.tcl.tk/.

Tcl                                   8.0                         Safe Tcl(1t)