214.html

Tcl 语言的入门级图书

<HTML><TITLE>The Browser Plugin and Safe-Tcl: Customizing Slave Interpreters</TITLE><BODY BGCOLOR="#FFF0E0" VLINK="#0FBD0F" TEXT="#101000" LINK="#0F0FDD">
<A NAME="top"><H1>Customizing Slave Interpreters</H1></A>


<P>  The plugin relies on a Tcl command, <TT>interp</TT>, that creates a new
interpreter that can be used to execute tclets.  This command is introduced
above in 
<A HREF="NotHere.html" tppabs="http://www.mapfree.com/sbf/tcl/book/select/Html/NotHere.html">Executing Scripts from within Scripts</A>.  However, as shown there, <TT>interp</TT> only creates fully
powered slave interpreters.  What the plugin needs to do is create a slave
which has only powers consistent with some security policy.  

<P>  In fact, the command set of any slave has some properties that are different
than the master interpreter created by <TT>tclsh</TT>, <TT>wish</TT>, or the plugin.
The commands are divided into two categories: <CITE><NAME=#Wntrprtrhddn>hidden</A></CITE> and <CITE><NAME=#Wntrprtrxpsd>exposed</A></CITE>.  Hidden commands are not
executable from the slave but are executable from any master of the slave.
Exposed commands are executable either place as described above in 
<A HREF="NotHere.html" tppabs="http://www.mapfree.com/sbf/tcl/book/select/Html/NotHere.html">Executing Scripts from within Scripts</A>.
No command may be both hidden and exposed.

If <TT>CI</TT> is a slave and <TT>Script</TT> contains a Tcl script, then

<PRE>
CI eval $Script
</PRE>

can be executed from the master provided <TT>Script</TT> makes use of only exposed
and alias commands.  If there are any hidden commands in <TT>Script</TT>, they
will not be executed.  Hidden commands must be invoked from the master
this way:

<PRE>
CI invokehidden ?-global? <CITE>HIDDEN_COMMAND_NAME ARGUMENTS</CITE>
</PRE>


<P>  Suppose the <TT>open</TT> command is hidden in a slave named <TT>S</TT>.  Here is an
example interactive session in the master which opens a file named
<TT>sample</TT> and puts its contents into a variable, <TT>Contents</TT>, of the
slave.

<PRE> 
% CI invokehidden open sample 
file5 
% CI eval {set Contents [read file5]; close file5} 
%
</PRE>

<P><A NAME="21.4a">
<STRONG>Exercise 21.4a</STRONG> </A><DL><DD>
 The following script will fail.  Fix it.

<PRE>
set F [CI invokehidden open sample]
CI eval "set Contents [read $F]; close $F"
</PRE>

Your solution will not produce anything useful, but it will give you some
insight into using <TT>invokehidden</TT> and <TT>eval</TT>.
<P>
<A HREF="21.6.html#Sol21.4a" tppabs="http://www.mapfree.com/sbf/tcl/book/select/Html/21.6.html#Sol21.4a">Solution</A></DL>


<P>  As the last exercise helps to show, the <TT>invokehidden</TT> action is not
particularly useful taken in isolation.  Its value comes when it is used with
another unusual property of slaves.  This property permits the creation of
some procedures which appear to be commands in a slave but are actually
procedures in a master.  These procedures are called <CITE><NAME=#G21.4alias>alias</A>es</CITE>.
An alias may have the same name in a slave as a hidden command of that slave.

<P>  As an example of the usefulness of these features, suppose you want a
version of the <TT>open</TT> command in a slave that refuses to open pipes and
insists on opening files in one particular directory which cannot be chosen by
scripts in the slave.  You would accomplish this by hiding the slave's real
<TT>open</TT> command and creating an alias which enforces the rules before using
the hidden <TT>open</TT> command to actually open the file in the slave.

<P>  The next section discusses the <TT>-safe</TT> switch to the <TT>interp</TT> command
which creates a Safe Base Tcl interpreter.  This section continues with
explanations of how to hide commands and create aliases.

<P>  Two interpreter object commands are provided for hiding and exposing 
members of the an interpreter's command set.
<P><CENTER><TABLE BORDER><TR><TD><DL>
<DT><STRONG><PRE><CITE>interpreter_object</CITE> <NAME=#Chdntrprtrbjct>hide interpreter_object</A> <CITE>COMMAND_NAME</CITE></PRE></STRONG><DD>
hides the named command in <CITE>interpreter_object</CITE>'s command set.
<DT><STRONG><PRE><CITE>interpreter_object</CITE> <NAME=#Cxpsntrprtrbjct>expose interpreter_object</A> <CITE>COMMAND_NAME</CITE></PRE></STRONG><DD>
exposes the named command <CITE>interpreter_object</CITE>'s command set.
</DL></TD></TR></TABLE></CENTER></P>

<P> There are two substeps to creating an alias:

<OL>
<P> <P><LI> Implement a procedure <CITE>p</CITE> in the master which uses
the slave's hidden commands under suitable restrictions.  

<P> <P><LI> Create an
alias <CITE>a</CITE> in the slave for <CITE>p</CITE>.
</OL>

<P>  As an example, these two steps can permit <CITE>a</CITE> to open a file through
<CITE>p</CITE> which checks to make sure the file being opened is acceptable for the
current security policy.  The procedure <CITE>p</CITE> runs in the master as it checks
for authorization but it uses the hidden <TT>open</TT> procedure in the slave
interpreter.  Because it uses the slave's <TT>open</TT> command, the file is
opened in the slave and not its master.

<P>  The first substep in this method involves executing a hidden command <CITE>h</CITE>
of a slave <CITE>S</CITE> from a procedure <CITE>p</CITE> in the master.  Here is
an example.

<PRE>
proc limited_open {Intrp Path Name {Mode r}} { 
   $Intrp invokehidden open [file join $Path [file tail $Name]] $Mode 
}
</PRE>

This procedure will either open a file in the interpreter <TT>$Intrp</TT> and
return its file identifier or generate an error.  The directory in which the
file must appear is determined by <TT>$Path</TT>.  It may seem silly to separate
the directory from the file name this way when both are parameters to
<TT>limited_open</TT>.  The reason it is not silly is that the alias which causes
<TT>limited_open</TT> to execute will accept only arguments for the last two
parameters.  The first two arguments expected by <TT>limited_open</TT> will
be fixed at the time the alias is created.

<P>  The second substep involves creating an alias in a slave for a
procedure in a master.  To make a procedure <CITE>p</CITE> in the master available in
the slave <CITE>S</CITE> under the name <CITE>a</CITE>, use the
<TT><NAME=#Wntrprtrls>alias</A></TT> action this way.

<PRE>
<CITE>S</CITE> alias <CITE>a p ?CON1 CON2 ... CONn?</CITE>
</PRE>

This will cause <CITE>p</CITE> to be invoked whenever a command line executed by the
slave uses the command name <CITE>a</CITE>.  For example, suppose the following
command is executed in the slave.

<PRE>
<CITE>a ARG1 ARG2 ... ARGm</CITE>
</PRE>

The effect will be to execute the following in the master.

<PRE>
<CITE>p ?SUBST_ARGS? SUBST_CON1 ... SUBST_CONn?  ?SUBST_ARG1 ... SUBST_ARGm</CITE>
</PRE>
<P>  
Here <CITE>SUBST_</CITE> indicates the substituted version of the argument it
prefixes.  It is important to note that the <CITE>CON??</CITE> arguments
are substituted in the master at the time the <TT>alias</TT> command
is executed and the <CITE>ARG??</CITE> arguments are substituted in the
slave at the time <CITE>a</CITE> is executed.

<P>  As <CITE>p</CITE> executes in the master interpreter, over in the slave interpreter
the namespace is unchanged from what it was when the command line containing
<CITE>a</CITE> was executed.  When the execution of <CITE>p</CITE> is finished, the return
string is passed back to the slave as if it had come from <CITE>a</CITE>.

<P>  Returning to the example in which a slave is given limited power to open
files, let the slave be create this way:

<PRE>
% interp create S
S
% S hide open
</PRE>

Assuming <TT>DIRECTORY_FOR_S</TT> is a variable with the path name of the 
directory where scripts running in <TT>S</TT> are permitted to open files
and that <TT>limited_open</TT> is a procedure as described above,
the permission is given this way:

<PRE>
% S alias open limited_open S $DIRECTORY_FOR_S
open
</PRE>

After the <TT>alias</TT> action has executed, <TT>open</TT> is an alias in <CITE>S</CITE>'s command
set.  When it is executed, the procedure which actually executes is
<TT>limited_open</TT> and the first two arguments of <TT>limited_open</TT> are <CITE>S</CITE>
and <TT>$DIRECTORY_FOR_S</TT>.  These two arguments are fixed at the time
<TT>alias open</TT> is executed. The value of <TT>DIRECTORY_FOR_S</TT> comes
from the master interpreter at this time, there is no way for the slave
to change it. The last two arguments of <TT>limited_open</TT> are taken
from any command line executing <TT>open</TT> in the slave. 

<P>   Assuming the value of <TT>$DIRECTORY_FOR_S</TT> was <TT>/users/jazimmer</TT>, this
command in the slave,

<PRE>
open MyFile
</PRE>

actually causes this command,

<PRE>
limited_open S /users/jazimmer MyFile
</PRE> 

to be executed in the master.  This is like opening
<TT>/users/jazimmer/MyFile</TT> for reading.

<P>  The limitations of <TT>open</TT> in the slave become more apparent with two
more examples.  In the slave this command,

<PRE>
set F [open "| pico"]
</PRE>

would attempt to open a file named "| pico" in <TT>/users/jazimmer</TT>.  The
normal behavior of opening a pipe named "pico" is suppressed.  In the
slave this command,

<PRE>
set F [open "/etc/passwd" w]
</PRE>

would attempt to open <TT>/users/jazimmer/passwd</TT> for writing.

<P> <P><A NAME="21.4b">
<STRONG>Exercise 21.4b</STRONG> </A><DL><DD>
 Implement a procedure <TT>create_nonet_interp</TT> which
creates a slave interpreter that cannot access networks and cannot itself
create slaves.  The <TT>socket</TT> command is not the only way to access networks.
You will also need to prohibit the execution of other programs through the
operating system and the creation of pipes with the <TT>open</TT> command.
Prohibit the former by simply hiding the relevant commands.  Prohibit the
latter by creating a suitable alias for the <TT>open</TT> command.

<P> You can test this with a sequence of commands similar to

<PRE>
% create_nonet_interp N
N
% N eval {open "| executable"}
cannot open a pipeline
% N eval { set F [open sample]; puts [read $F]; close $F }
hellow orld
% Safe eval {interp create New}
invalid command name "interp"
</PRE>

<P>
<A HREF="21.6.html#Sol21.4b" tppabs="http://www.mapfree.com/sbf/tcl/book/select/Html/21.6.html#Sol21.4b">Solution</A></DL>


<P><A NAME="21.4c">
<STRONG>Exercise 21.4c</STRONG> </A><DL><DD>
 Skip this exercise unless you have worked through the
optional section, 
<A HREF="NotHere.html" tppabs="http://www.mapfree.com/sbf/tcl/book/select/Html/NotHere.html"><CITE>A New Command Window</CITE></A> above. 
<P>  Combine ES20.5a and ES21.4b so that the slave interpreter created
by ES21.4b is the interpreter which executes in the command window of
ES20.5a.
<P>
<A HREF="21.6.html#Sol21.4c" tppabs="http://www.mapfree.com/sbf/tcl/book/select/Html/21.6.html#Sol21.4c">Solution</A></DL>




<P>  The <TT>alias</TT> action can be used to delete aliases.  Use this pattern.

<PRE>
<CITE>interpreter_object</CITE> alias <CITE>ALIAS_NAME</CITE> {}
</PRE>

<P>  Deleting the alias does not delete the
target command, only the ability to execute it from the subordinate
interpreter.

<P>  There is another method for customizing a slave which is almost archaic.  I
think its main usefulness lies in adding <TT>stdin</TT>, <TT>stdout</TT>, and
<TT>stderr</TT> back to Safe Base slaves.  I/O channels can be transferred to or
shared among interpreters as explained in the following table.

<P><CENTER><TABLE BORDER><TR><TD><DL>

<P> <DT><STRONG><PRE>interp transfer <CITE>SOURCE CHANNEL_ID TARGET</CITE></PRE></STRONG><DD> causes <CITE>CHANNEL_ID</CITE>
(the name of an existing I/O channel) to be transferred to 
<CITE>TARGET</CITE> from <CITE>SOURCE</CITE>.  Use this when files for <CITE>TARGET</CITE> are opened
in <CITE>SOURCE</CITE> and then not needed by <CITE>SOURCE</CITE>.

<P> Both <CITE>SOURCE</CITE> and <CITE>TARGET</CITE> must already exist.

<P> For example, this command line,

<PRE>
interp transfer {} stdout <CITE>S</CITE>
</PRE>

will make the stdout channel available for use by commands executing in
the <CITE>S</CITE> interpreter &#150; provided it was available in the master
interpreter before the transfer.  The empty string is the name of the
current interpreter.

<P> <DT><STRONG><PRE>interp share <CITE>SOURCE CHANNEL_ID TARGET</CITE></PRE></STRONG><DD> causes <CITE>CHANNEL_ID</CITE> (the
name of an existing I/O channel) to be available in the subordinate
<CITE>TARGET</CITE> interpreter as well as in the <CITE>SOURCE</CITE> interpreter.  If
<CITE>CHANNEL_ID</CITE> is later to be closed, it must be closed in both interpreters.

<P> Both <CITE>SOURCE</CITE> and <CITE>TARGET</CITE> must already exist.

</DL></TD></TR></TABLE></CENTER></P>

<!-- Linkbar -->
<P><CENTER><FONT SIZE=2><NOBR>
<STRONG>From</STRONG>
<A HREF="javascript:if(confirm('http://www.mapfree.com/sbf/tcl/book/home.html  \n\nThis file was not retrieved by Teleport Pro, because it is addressed on a domain or path outside the boundaries set for its Starting Address.  \n\nDo you want to open it from the server?'))window.location='http://www.mapfree.com/sbf/tcl/book/home.html'" tppabs="http://www.mapfree.com/sbf/tcl/book/home.html">Tcl/Tk For Programmers</A><WBR>
<STRONG>Previous</STRONG>
<A HREF="21.3.html" tppabs="http://www.mapfree.com/sbf/tcl/book/select/Html/21.3.html">section</A><WBR>
<STRONG>Next</STRONG>
<A HREF="21.5.html" tppabs="http://www.mapfree.com/sbf/tcl/book/select/Html/21.5.html">section</A><WBR>
<STRONG>All</STRONG>
<A HREF="21.html" tppabs="http://www.mapfree.com/sbf/tcl/book/select/Html/21.html">sections</A><WBR>
<STRONG>Author</STRONG>
<A HREF="javascript:if(confirm('http://www.mapfree.com/mp/jaz/home.html  \n\nThis file was not retrieved by Teleport Pro, because it is addressed on a domain or path outside the boundaries set for its Starting Address.  \n\nDo you want to open it from the server?'))window.location='http://www.mapfree.com/mp/jaz/home.html'" tppabs="http://www.mapfree.com/mp/jaz/home.html">J. A. Zimmer</A><WBR>
<STRONG>Copyright</STRONG>
<A HREF="copyright.html" tppabs="http://www.mapfree.com/sbf/tcl/book/select/Html/copyright.html">Notice</A><WBR>
<P>
<I>Jun 17, 1998</I>
 </NOBR></FONT></CENTER></BODY></HTML>