<HTML><TITLE>The Browser Plugin and Safe-Tcl: Combining Features into Policies</TITLE><BODY BGCOLOR="#FFF0E0" VLINK="#0FBD0F" TEXT="#101000" LINK="#0F0FDD">
<A NAME="top"><H1>Combining Features into Policies</H1></A>
<P>
<P> Security policies add power to the Safe Base interpreter so that a tclet that
runs under them is not blind to the outside world. The added power involves
access to files, to Web resources, to an electronic mail system, to a Web
browser, and to arbitrary TCP/IP connections. These powers have been divided
into <CITE>security features</CITE>.
<P> A feature is a Tcl script that runs in the plugin's master interpreter and
customizes the slave that executes a tclet. Tclets cannot execute features
directly – tclets cause them to be executed by requesting a security policy
with the <TT>policy</TT> command as described below in
<A HREF="21.3.html" tppabs="http://www.mapfree.com/sbf/tcl/book/select/Html/21.3.html">Writing Tclets</A>.
<P> Several features are shipped with version 2.0 of the plugin. These are
configured in different ways to create all of the shipped security policies.
They can be configured in other ways for new policies. For example, if you
want a policy that is something like the home policy but different, then give
it a name, <CITE>POLICY</CITE>, and make a copy of <TT>home.cfg</TT> named
<CITE>POLICY</CITE><TT>.cfg</TT>. Then edit <CITE>POLICY</CITE><TT>.cfg</TT> to create the desired
policy and <TT>plugin.cfg</TT> to enable <CITE>POLICY</CITE> for the desired tclets.
Do not change any of the configuration files for the home, javascript, or
trusted policies.
<P> The inside and outside policies, however, are not fully configured as
shipped. It is expected that you will edit their configuration files. This
is discussed at the end of the section.
<P> Security policies are configured by declaring which features they use and by
configuring those features. Each policy begins with a features section with
<TT>allow</TT> statements that enable the desired features. For example,
the home policy begins with the following section.
<PRE>
section features
allow url
allow network
allow persist unless {[string match {UNKNOWN *} [getattr originURL]]}
</PRE>
The final statement enables access to the persist feature only when the
originating URL could be determined.
<P> A feature is configured much like a policy but it is configured in a
policy's configuration file. Whereas a tclet can run only one policy per
execution, there is no limit on the way features may be combined in one
security policy.
<P> Here are the features shipped with version 2.0 of the plugin.
<P><DL>
<P> <DT><PRE>persist</PRE><DD> The <A NAME="G21.2prsstftr">persist feature</A> enables access to persistent
storage.
<P> <DT><PRE>urls</PRE><DD> The <A NAME="G21.2urlsfeature">urls feature</A> enables the ability to download Web
resources.
<P> <DT><PRE>network</PRE><DD> The <A NAME="G21.2ntwrkftr">network feature</A> enables the ability to make
TCP/IP connections, that is, more general connections than required to download
Web pages.
<P> <DT><PRE>stream</PRE><DD> The <A NAME="G21.2strmftr">stream feature</A> enables the ability to send electronic
mail, read and write streams of various mime types, and invoke JavaScript
commands.
<P> <DT><PRE>unsafe</PRE><DD> The <A NAME="G21.2nsfftr">unsafe feature</A> restores the full power of Tcl/Tk.
</DL>
This section discusses some of the alternatives you have in configuring these
features and ends with a description of what must be done to configure the
inside and outside policies.
<A NAME="persist">
<H3>Persist</H3></A>
<P> To use the persist feature, a security policy must have <TT>allow persist</TT>
in its features section. To configure this policy, its configuration file
must have a section introduced with <TT>section persist</TT>. Configuration
consists of setting some parameters. Here, for example, is the way it is
configured in <TT>javascript.cfg</TT>.
<PRE>
# Number of allowed open files
constant openFilesLimit 4
# Number of allowed files in the persist storage directory
constant storedFilesLimit 6
# Max size of each file (in bytes): here we give 128K per file.
constant fileSizeLimit [expr 128*1024]
</PRE>
<P> The method for choosing the persistent storage directory is
complicated. In the previous section under "Persistent Storage for
Tclets", I described it as an injection
from the set of pairs of URL paths
and policy names without bothering to describe the exact nature of
the injection. The directory for persistent storage is changed by
altering the input to this injection: the tclet writer has a little flexibility in
determining which URL path is used and the system administrator has
complete flexibility in determining which policy name is used.
This declaration,
<PRE>
constant storage <CITE>NAME</CITE>
</PRE>
will cause <CITE>NAME</CITE> to be the policy name used when determining
the directory for persistent storage. Changing the name of a policy
for storage purposes enables a system administrator to
permit tclets running under different policies
persistent storage. Were I you, I would be quite
leery of doing this.
<P> <STRONG>Remark</STRONG> <DL><DD>
<P> Although not directly documented, this declaration,
<PRE>
constant storage <CITE>COMPLETE_DIR_NAME</CITE>
</PRE>
adds a new twist: all the persistent storage directories for this policy will
now be subdirectories of <CITE>COMPLETE_DIR_NAME</CITE>. This is a way of moving
your persistent storage away from the directory chosen by the TEMP or TMP
environment variable. If you include the policy name in
<CITE>COMPLETE_DIR_NAME</CITE>, you can still think of the storage directory for any
given execution of a tclet as being determined by policy name and URL path as
described in the previous section.
<P> For example, if you add
<PRE>
section persist
constant storage /usr/persist/home
</PRE>
to <TT>home.cfg</TT>, then a tclet from this url
<PRE>
http://www.MapFree.com/sbf/tcl/book/canvas.tcl
</PRE>
will be placed, by default, in a subdirectory of <TT>/usr/persist/home</TT> that
is unique to the path <TT>/tcl/book/canvas.tcl</TT>. This means, of course,
that the subdirectory depends on both the policy name and the pathname.
<P> Although this may be tempting, it requires that you alter configuration
files for standard policies, something that the on-line documentation advises
against, and it relies on behavior that is essentially undocumented. </DL>
<A NAME="url">
<H3>Url</H3></A>
<P>
<P> To use the url feature, a security policy must have <TT>allow url</TT> in its
features section. To configure this policy, its configuration file must have
a section introduced with <TT>section urls</TT>. Configuration consists of some
enabling statements that define the URLs that a tclet can access. Here is an
example.
<PRE>
section urls
allow *
</PRE>
This section (or something very similar) is used to permit tclets running
under the home, javascript, and trusted policies to access any URL.
<P> <STRONG>Remark</STRONG> <DL><DD> The enabling statements in a urls section of a policy's
configuration file determine which URLs a tclet may access. Do not confuse
them with the enabling statements in a new <TT>trusted...</TT> section of the
<TT>plugin.cfg</TT> file. The latter determine which tclets are authorized to run
under a security policy. </DL>
<A NAME="network">
<H3>Network</H3></A>
<P> To use the network feature, a security policy must have <TT>allow
network</TT> in its features section. To configure this policy, its configuration
file must have a section introduced with <TT>section hosts ports</TT>.
Configuration consists of enabling statements that define the hosts and ports
that may be used for a TCP/IP connection. The home policy, for example, has
this section:
<PRE>
# What addresses can be used in a socket command?
section hosts ports
# Expected format (by the network feature):
# allow &lt;hostPattern&gt; &lt;portPattern&gt;
allow $originSocketHost >1024
allow $originSocketHost 21
</PRE>
This permits access to ftp services at port 21 plus additional nonstandard
services that use ports numbered above 1024. Either way, the only host whose
ports can be used is <TT>$originSocketHost</TT>, that is, the host identifier which
the plugin has determined you should use in connecting back to the server
from which the tclet was fetched.
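<P> The following Python is an added example; it is not code from the plugin or from this book. It parses the configuration syntax shown above for the features, urls, and hosts ports sections (<TT>section</TT>, <TT>allow</TT>, <TT>constant</TT> lines, <TT>#</TT> comments, and an <TT>unless</TT> clause on <TT>allow</TT>) and then answers, default-deny, whether a tclet may fetch a given URL or open a socket to a given host and port. The matching rules it applies (glob patterns for hosts and URLs, <TT>&gt;N</TT> for ports above N, <TT>*</TT> for any) and the sample configuration it embeds are assumptions made for illustration; the plugin's own matching is not described in detail on this page.

```python
"""Added example, not code from the Tcl plugin or from this book: a small parser
for the policy-configuration syntax shown on this page (section / allow /
constant lines, '#' comments, an 'unless' clause on 'allow') and a default-deny
checker that evaluates a tclet's URL and socket requests against the parsed
'urls' and 'hosts ports' sections. The matching rules (glob patterns for hosts
and URLs, '>N' for "ports above N", '*' for any) are assumptions made here."""
import fnmatch

# Constructed sample in the style of home.cfg (not the shipped file).
SAMPLE_CFG = """\
section features
allow url
allow network
allow persist unless {[string match {UNKNOWN *} [getattr originURL]]}

# Which URLs may be fetched?
section urls
allow http://www.mapfree.com/*

# What addresses can be used in a socket command?
section hosts ports
allow $originSocketHost >1024
allow $originSocketHost 21
"""


def parse_policy(text):
    """Return {section name: [(keyword, [arg, ...]), ...]} for one .cfg file."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0] == "section":
            current = " ".join(words[1:])       # e.g. "hosts ports"
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("statement before any section: %r" % line)
        else:
            sections[current].append((words[0], words[1:]))
    return sections


def enabled_features(policy):
    """Map each allowed feature to its 'unless' condition (None if unconditional)."""
    feats = {}
    for keyword, args in policy.get("features", []):
        if keyword == "allow" and args:
            cond = None
            if len(args) > 2 and args[1] == "unless":
                cond = " ".join(args[2:])      # raw Tcl expression, not evaluated here
            feats[args[0]] = cond
    return feats


def url_allowed(policy, url):
    """True only if some 'allow <pattern>' in the urls section matches the URL."""
    return any(keyword == "allow" and args and fnmatch.fnmatchcase(url, args[0])
               for keyword, args in policy.get("urls", []))


def _port_matches(pattern, port):
    """Assumed port-pattern syntax: '*', '>N', or an exact port number."""
    if pattern == "*":
        return True
    if pattern.startswith(">"):
        return port > int(pattern[1:])
    return port == int(pattern)


def socket_allowed(policy, host, port, origin_socket_host):
    """True only if an 'allow <hostPattern> <portPattern>' line matches (host, port).

    $originSocketHost is substituted with the host the tclet was fetched from,
    as the page describes; any host not listed is refused."""
    for keyword, args in policy.get("hosts ports", []):
        if keyword != "allow" or len(args) != 2:
            continue
        host_pattern = args[0].replace("$originSocketHost", origin_socket_host)
        if fnmatch.fnmatchcase(host, host_pattern) and _port_matches(args[1], port):
            return True
    return False


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_CFG)
    print(enabled_features(policy))
    print(url_allowed(policy, "http://www.mapfree.com/sbf/tcl/book/canvas.tcl"))
    # Port 80 on the origin host is refused: only 21 and ports above 1024 are listed.
    print(socket_allowed(policy, "www.mapfree.com", 80, "www.mapfree.com"))
```

<P> Run as a script, the file prints the parsed features (with the persist feature's <TT>unless</TT> expression kept as text) and two decisions. The checker treats anything not matched by an <TT>allow</TT> line as refused, so a request for port 80 on the origin host fails under the home-style section even though port 21 and ports above 1024 succeed; auditing a new <CITE>POLICY</CITE><TT>.cfg</TT> this way before enabling it in <TT>plugin.cfg</TT> shows exactly which hosts, ports, and URLs it opens up.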
<P> <STRONG>Remark</STRONG> <DL><DD> For a security policy that provides the power to do
something you would not like, you should be very leery of providing access to
ports on machines you do not control. For example, port 21 is reserved for the
<TT>ftp</TT> program. But what is to say it is actually used that way on another
organization's computer?
<P> A script from a trusted source, written by an untrustworthy person could
look benign, but because of its ability to access a port whose purpose is not
what it ought to be, the script might be able to act in a malicious fashion.
</DL>
<A NAME="thrftrs">
<H3>Other Features</H3></A>
<P> The unsafe feature needs no additional configuration – it simply permits
everything to be done. The stream feature can be reconfigured but a
description of how to do so would take us far from the subject matter of this book
into mime types and browser characteristics.
<P> There is also a "browser policy" which is misnamed and is really a
feature. This feature has been adopted from an earlier version of the plugin
to give access to the browser. I do not discuss this feature because the
discussion would take us far from the subject matter of this book and also because
it would take us into something that seems unfinished and therefore
likely to change.
<P> <A NAME="nsdndtsdplcs">
<H3>Inside and Outside Policies</H3></A>
<P> The point of these policies is to draw a line between tclets that deal with
your organization's internal data and those that deal with the rest of the
world. These policies need to be configured by a system administrator. The
first step is to partition the world of Internet resources into those
<CITE>internal</CITE> to your organization, those <CITE>external</CITE> to your organization,
and those that are <CITE>forbidden</CITE>. Make your own decision as to why something
should be forbidden. There is no a priori reason why this category should not
contain resources that might otherwise be called internal or external.
<P> Remember to think in terms of all Internet resources, not just Web
resources. If there is too much to think about, then place resources you
do not need in the forbidden category. You can reclassify them on a case by
case basis later when you have time to think about them.
<P> Once you have the world of Internet resources safely partitioned, you can
start configuring the inside and outside policies and determining which tclets
can run under them.
<P> <STRONG>Remark</STRONG> <DL><DD>
<P> One problem that does not arise is transmission of internal data to the
outside by means of a tclet running as an insider that leaves data in
persistent storage for a tclet running as an outsider. Even if both tclets
come from the same host, i.e., even if some host contains both inside and
outside resources, persistent storage cannot be used for transfer of internal
data to the outside because a tclet having access to internal data will run
under the inside policy and a tclet having access to the external world
will run under the outside policy. Unless you have done something
stupid with the <TT>storage</TT> parameter, the use of different policies
will force the use of different directories for persistent storage.
</DL>
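<P> The following Python is an added example and is not the plugin's code. It models the injection described under "Persist" above from a (policy name, URL path) pair to a persistent storage directory, shows how <TT>constant storage</TT> alters the input to that injection, and checks the property the Remark relies on: two tclets from the same URL path running under the inside and outside policies get different directories unless an administrator gives both policies the same <TT>storage</TT> name. The concrete scheme (a hash of the pair under a base directory, <TT>/tmp</TT> standing in for TEMP or TMP, a leading <TT>/</TT> marking the complete-directory form) is an assumption made here for illustration; the page gives only the abstract description.

```python
"""Added example, not the plugin's code: a model of the 'injection' this page
describes from (policy name, URL path) to a persistent-storage directory, and
of how 'constant storage' alters its input. The concrete scheme (hash of the
pair under a base directory, '/tmp' standing in for TEMP/TMP, a leading '/'
marking the complete-directory form) is an assumption made here."""
import hashlib
import posixpath


def storage_directory(policy_name, url_path, storage=None, temp_dir="/tmp"):
    """Directory where a tclet's persistent files go.

    storage=None        -> key is (policy_name, url_path), base is temp_dir
    storage="NAME"      -> NAME replaces policy_name in the key
    storage="/abs/dir"  -> /abs/dir replaces temp_dir as the base
    Treating a leading '/' as the marker for the third form is an assumption."""
    name, base = policy_name, temp_dir
    if storage is not None:
        if storage.startswith("/"):
            base = storage
        else:
            name = storage
    # Normalise the path so trivially different spellings of one resource do not
    # get separate directories, then hash name and path together. Distinct
    # (name, path) pairs give distinct digests barring a SHA-256 collision, so
    # the mapping is injective in practice.
    key = name + "\0" + posixpath.normpath(url_path)
    digest = hashlib.sha256(key.encode("utf-8")).hexdigest()[:16]
    return posixpath.join(base, "tclet-" + digest)


def can_share_files(policy_a, storage_a, policy_b, storage_b, url_path):
    """Could tclets from one URL path, running under two policies, see each
    other's persistent files? Only if both policies resolve to one directory."""
    return (storage_directory(policy_a, url_path, storage_a)
            == storage_directory(policy_b, url_path, storage_b))


if __name__ == "__main__":
    path = "/sbf/tcl/book/canvas.tcl"
    # inside and outside as shipped: different policy names, separate directories
    print(can_share_files("inside", None, "outside", None, path))          # False
    # the misconfiguration the Remark warns about: both renamed to one storage name
    print(can_share_files("inside", "shared", "outside", "shared", path))  # True
    # home.cfg with 'constant storage /usr/persist/home': base moves, name is kept
    print(storage_directory("home", path, "/usr/persist/home"))
```

<P> The second call in the script is the case to watch for when reviewing <TT>inside.cfg</TT> and <TT>outside.cfg</TT>: a <TT>constant storage</TT> line that gives two policies the same name collapses their directories into one and removes the separation the Remark counts on, whereas the absolute-directory form only relocates the storage and keeps the policy name in the key.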
<P> You determine which Internet resources a policy can use by editing the url
and network sections. Those in <TT>inside.cfg</TT> should be limited to internal
resources and those in <TT>outside.cfg</TT> should be limited to external
resources.
<P> You determine which tclets can run under a policy by editing
<TT>plugin.cfg</TT>. Create a <TT>trustedInsideURLs</TT> section and authorize only
tclets that come from internal resources. Create a <TT>trustedOutsideURLs</TT>
section and authorize only tclets that come from external resources. Of
course, you must also change the statements that disallow the inside and
outside policies to appropriate <TT>allow</TT> statements as explained in the
previous section.
<P> <!-- Linkbar -->
<P><CENTER><FONT SIZE=2><NOBR>
<STRONG>From</STRONG>
<A HREF="http://www.mapfree.com/sbf/tcl/book/home.html" tppabs="http://www.mapfree.com/sbf/tcl/book/home.html">Tcl/Tk For Programmers</A><WBR>
<STRONG>Previous</STRONG>
<A HREF="21.1.html" tppabs="http://www.mapfree.com/sbf/tcl/book/select/Html/21.1.html">section</A><WBR>
<STRONG>Next</STRONG>
<A HREF="21.3.html" tppabs="http://www.mapfree.com/sbf/tcl/book/select/Html/21.3.html">section</A><WBR>
<STRONG>All</STRONG>
<A HREF="21.html" tppabs="http://www.mapfree.com/sbf/tcl/book/select/Html/21.html">sections</A><WBR>
<STRONG>Author</STRONG>
<A HREF="http://www.mapfree.com/mp/jaz/home.html" tppabs="http://www.mapfree.com/mp/jaz/home.html">J. A. Zimmer</A><WBR>
<STRONG>Copyright</STRONG>
<A HREF="copyright.html" tppabs="http://www.mapfree.com/sbf/tcl/book/select/Html/copyright.html">Notice</A><WBR>
<P>
<I>Jun 17, 1998</I>
</NOBR></FONT></CENTER></BODY></HTML>