NAME

unsafe - Restore a Safe-Tcl interpreter to a trusted, unsafe state.

DESCRIPTION

The unsafe feature is added to a Safe-Tcl interpreter by a security policy that allows the feature. Below, this policy is called the controlling security policy. The unsafe feature restores a Safe-Tcl interpreter to a trusted, unsafe state. It re-enables all commands that were previously disabled, and restores important variables that were previously removed. After it is installed in an interpreter, a Tclet executing in that interpreter has complete access to all facilities provided by the Tcl language.

The section FEATURES describes exactly what is restored. The section CONFIGURATION explains how access to the feature can be managed by settings in the configuration for the controlling policy, and by settings in the application's master configuration. The section SECURITY discusses the security risks incurred by installing this feature and how to manage these risks by proper configuration.

FEATURES

The unsafe feature restores a Safe-Tcl interpreter to a completely trusted, unsafe state:

The Safe-Tcl interpreter is marked as unsafe, so future calls to interp issafe will return 0. The interp manual page that is included in the Tcl 8.0 distribution describes the interp command and how to use multiple interpreters.

Hidden commands are exposed and aliases by the same name are removed, if allowed by the controlling security policy. Hidden commands are explained in the interp manual page.

The global variables whose names appear in the value of ::cfg::RestoreVariables are copied from the master interpreter into the Safe-Tcl interpreter, if allowed by the controlling policy. By default, the variables auto_path, tcl_library, tk_library, tcl_pkgPath, argc, argv and argv0 are copied.

The global arrays whose names appear in the value of ::cfg::RestoreArrayVariables are copied from the master interpreter into the Safe-Tcl interpreter, if allowed by the controlling policy. By default, the arrays env, auto_index and tcl_platform are copied.

The Tcl command auto_reset is evaluated in the Safe-Tcl interpreter, to force it to notice the new values for auto_path and other variables. This command is explained in the library manual page that comes with the Tcl 8.0 distribution.

CONFIGURATION

The unsafe feature is installed by a security policy if the features section of the configuration for the policy allows it. The trusted policy allows this feature, so it will be installed into Tclets using the trusted policy.

The variables ::cfg::RestoreVariables and ::cfg::RestoreArrayVariables determine which global variables are copied from the master interpreter into a Tclet's interpreter when the unsafe feature is installed. These variables can be set in the application's master configuration, or you can rely on the default lists used if they are not set, as explained above. For the Tcl plugin, the variables are left unset, and the plugin relies on the defaults.

The restoreCommands section controls which hidden commands are re-exposed. If the name of a hidden command is allowed in this section, it is re-exposed when this feature is installed into a Safe-Tcl interpreter.

The restoreVariables section controls which global variables are copied from the master interpreter into a Tclet. If the name of a global variable is allowed in this section, it is copied.

The restoreArrayVariables section controls which global array variables are copied from the master interpreter into a Tclet. If the name is allowed by this section, the array is copied when the feature is installed into a Safe-Tcl interpreter.

The markTrusted section defines the markTrusted constant. If this is set to 1, when the feature is installed, the Tclet interpreter will be marked as trusted. This disables hard-wired safety checks in Tcl 8.0 and Tk 8.0 which would otherwise prevent the Tclet from using some features.
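The restoration steps listed under FEATURES, gated by the sections described under CONFIGURATION, written out as an added Tcl script that is not the plugin's own code. It uses a Safe Base interpreter, and the allowedCommands, allowedVariables, allowedArrays and markTrusted variables are hypothetical stand-ins for the controlling policy's restoreCommands, restoreVariables and restoreArrayVariables sections and its markTrusted constant.

```tcl
# Hypothetical policy settings, constructed for this example only.
set allowedCommands  {source open file}
set allowedVariables {auto_path tcl_library tcl_pkgPath}
set allowedArrays    {env tcl_platform}
set markTrusted      1

# A Safe Base interpreter: commands such as source and file are hidden,
# and aliases with the same names stand in for them.
set slave [safe::interpCreate]
puts "issafe before restoration: [interp issafe $slave]"

# 1. Mark the interpreter trusted, if the policy allows it.
if {$markTrusted} {
    interp marktrusted $slave
}

# 2. Re-expose allowed hidden commands. An alias of the same name has to
#    go first, because interp expose will not overwrite an existing command.
foreach cmd [interp hidden $slave] {
    if {[lsearch -exact $allowedCommands $cmd] < 0} {
        continue
    }
    if {[lsearch -exact [interp aliases $slave] $cmd] >= 0} {
        interp alias $slave $cmd {}
    }
    interp expose $slave $cmd
}

# 3. Copy allowed scalar globals from this (master) interpreter.
foreach var $allowedVariables {
    if {[info exists ::$var]} {
        interp eval $slave [list set ::$var [set ::$var]]
    }
}

# 4. Copy allowed global arrays.
foreach arr $allowedArrays {
    if {[array exists ::$arr]} {
        interp eval $slave [list array set ::$arr [array get ::$arr]]
    }
}

# 5. Make the slave's autoloader notice the new auto_path.
interp eval $slave auto_reset

puts "issafe after restoration:  [interp issafe $slave]"
puts "real source command present: [llength [interp eval $slave {info commands source}]]"
```

Commands not named in allowedCommands stay hidden, which is the only thing separating this script from a full restore; a policy that lists every hidden command gives the Tclet everything the master has.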

SECURITY

This feature restores a Safe-Tcl interpreter to a state where a Tclet can do anything an ordinary Tcl program can do. This exposes the user to all of the security risks explained in the policy manual page. Allowing access to this feature to untrusted Tclets is dangerous; some level of trust should be established before a Tclet is given access to the unsafe feature. In a controlled setting such as a company's Intranet, it may be safe to give access to selected Tclets loaded from well-known sites on the Intranet.

This feature is allowed only by the trusted security policy, and in the Tcl plugin, that security policy is disallowed by settings in the policies section in the plugin's master configuration.

SEE ALSO

plugin, safe, policy, config, feature, interp(n).

KEYWORDS

Safe Base, restoring, unsafe, trusted, alias, hidden command