Hi Gustaf,
Is there a safe interp for xotcl, or does xotcl work with the safe interp in Tcl?
Thanks,
Ben
Ben,
I have not done anything with safe interps until now. But try the following: add these lines to the end of xotcl*/generic/xotcl.c and recompile:
============================================
extern int
Xotcl_SafeInit(Tcl_Interp *interp) {
    /*** dummy for now **/
    return Xotcl_Init(interp);
}
============================================
then you should be able to do the following:
============================================
~rlwrap /usr/bin/tclsh
% package req XOTcl
1.3.7
% interp create -safe slave
slave
% load "" xotcl slave
% slave eval ::xotcl::Object o1
::o1
============================================
Since xotcl uses ordinary tcl interps, I would assume it inherits the safety of safe tcl interps. Since xotcl does not do any socket handling, file I/O, execs, etc., I would think this is a good start. If you see commands that we should deactivate in safe interps, please let me know.
If nobody objects, I will add these lines to 1.3.7.
best regards -gustaf neumann
Ben Thomasson schrieb:
Hi Gustaf,
Is there a safe interp for xotcl, or does xotcl work with the safe interp in Tcl?
Thanks,
Ben
Gustaf Neumann wrote:
Since xotcl uses ordinary tcl interps, I would assume it inherits the safety of safe tcl interps. Since xotcl does not do any socket handling, file I/O, execs, etc., I would think this is a good start. If you see commands that we should deactivate in safe interps, please let me know.
You have to be careful with anything you add at the C level for safe interps. Whatever you create in Tcl in safe interps is by definition safe (if you aren't aliasing into the master), because of the model. However, in C you can expose anything. While you might not directly expose exec, IO, etc., you have to consider how you might indirectly expose that functionality and how a user might exploit that. I'm not saying that xotcl does, but you should just consider the implications of each C-based command individually. You also have the Tcl_IsSafeInterp C API for variant behavior in safe interps.
Jeff Hobbs, The Tcl Guy http://www.ActiveState.com/, a division of Sophos
Jeff,
Considering there is a safe interp in Tcl, there should be extensive unit testing that can be run in regression to make sure any new functionality like this does not break the security model. Does Tcl have regression tests (tcltest or other) that exercise the ability of safe interp to stop dangerous code? If there is, then these tests could be run in at least Object eval to see whether this simple approach would work. If not, there should be. Or is the security model based on proving the safety of an interp by analysis of the code? If you take this second approach then much more work must be done before xotcl includes this code for the safe interp.
Ben
ps ( In open source projects, is it the person who comes up with the idea who is the person to implement it? Dang. )
On Apr 4, 2005 1:13 PM, Jeff Hobbs jeffh@activestate.com wrote:
Gustaf Neumann wrote:
Since xotcl uses ordinary tcl interps, I would assume it inherits the safety of safe tcl interps. Since xotcl does not do any socket handling, file I/O, execs, etc., I would think this is a good start. If you see commands that we should deactivate in safe interps, please let me know.
You have to be careful with anything you add at the C level for safe interps. Whatever you create in Tcl in safe interps is by definition safe (if you aren't aliasing into the master), because of the model. However, in C you can expose anything. While you might not directly expose exec, IO, etc., you have to consider how you might indirectly expose that functionality and how a user might exploit that. I'm not saying that xotcl does, but you should just consider the implications of each C-based command individually. You also have the Tcl_IsSafeInterp C API for variant behavior in safe interps.
Jeff Hobbs, The Tcl Guy http://www.ActiveState.com/, a division of Sophos
Ben Thomasson wrote:
Considering there is a safe interp in Tcl, there should be extensive unit testing that can be run in regression to make sure any new functionality like this does not break the security model. Does Tcl have regression tests (tcltest or other) that exercise the ability of safe interp to stop
Yes, Tcl has testing for its core safe functionality, as does Tk.
dangerous code? If there is, then these tests could be run in at least Object eval to see whether this simple approach would work. If not, there should be. Or is the security model based on proving the safety of an interp by analysis of the code? If you take this second approach then much more work must be done before xotcl includes this code for the safe interp.
The point is that xotcl could expose its own set of unsafe functionality - like a completely alternative FS API. How would that ever be covered by the Tcl test suite?
ps ( In open source projects, is it the person who comes up with the idea who is the person to implement it? Dang. )
You betcha - you're hired! ;) I don't think it is actually that much work in xotcl's case, I'm just saying that it should not be rubber-stamped.
Jeff
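Gustaf's recipe (load the already-loaded package into a safe slave from the unsafe master), Jeff's caution that C-level commands can expose dangerous functionality indirectly, and Ben's request for regression tests can be combined in one script. What follows is an added example, not code from this thread or from the XOTcl project. It assumes a Unix tclsh whose XOTcl build already contains the Xotcl_SafeInit stub Gustaf posted, so that `load {} xotcl slave` succeeds against a safe slave; the names `slave`, `Greeter`, `g` and the probe scripts are illustrative choices, and the hidden-command list is a subset of what Tcl's interp(n) manual names, not something derived from XOTcl.

```tcl
# Added regression script (not from the thread or the XOTcl distribution).
# Assumes a Unix tclsh whose XOTcl build includes the Xotcl_SafeInit stub, so
# that the package, once loaded in the master, can be loaded into a safe slave.
# "slave", "Greeter", "g" and the probe scripts below are illustrative names.

package require Tcl 8.4
package require XOTcl      ;# load the extension into the (unsafe) master first

# Commands Tcl hides in every safe interp (subset taken from interp(n)).
set dangerous {cd exec exit file glob load open pwd socket source}

proc fails {slave script} {
    # 1 if the script raises an error inside the slave, 0 if it runs through
    return [catch {$slave eval $script}]
}

# 1. Safe slave, extension loaded from the master, exactly as in the recipe.
interp create -safe slave
load {} xotcl slave
if {![interp issafe slave]} { error "slave is no longer safe after load" }

# 2. The core's hidden commands must stay hidden and invisible after the load.
set hidden [interp hidden slave]
foreach cmd $dangerous {
    if {[lsearch -exact $hidden $cmd] < 0} {
        error "$cmd is not in the slave's hidden list"
    }
    if {[slave eval [list info commands $cmd]] ne ""} {
        error "$cmd is visible inside the safe slave"
    }
}

# 3. The extension itself works in the slave: class, instance, method dispatch.
slave eval {
    ::xotcl::Class Greeter
    Greeter instproc greet {} { return "hello from [self]" }
    Greeter g
}
if {![string match "hello from *" [slave eval {g greet}]]} {
    error "XOTcl method dispatch failed in the safe slave"
}

# 4. Indirect exposure, Jeff's point: code that reaches the interpreter through
#    the extension's own evaluation paths (per-object procs, the object's eval)
#    must be as restricted as plain [eval]. Each probe would succeed in an
#    unsafe interp, so an error here can only come from the hidden command.
foreach script {
    {g proc run {} { exec id }; g run}
    {g proc run {} { open /etc/passwd r }; g run}
    {g proc run {} { glob * }; g run}
    {g eval { cd / }}
} {
    if {![fails slave $script]} {
        error "unsafe command reachable through XOTcl: $script"
    }
}

interp delete slave
puts "safe-interp checks passed"
```

Run it with the patched tclsh (`tclsh safe-xotcl.test.tcl`); any `error` aborts the script with the first leaked command named. Step 4 is the part Tcl's own suite cannot cover, since it only knows the core's commands: extend the probe list with every command the extension registers from C, so that a future C-level addition that reaches the filesystem or a process is caught before release.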