NAME
       interp - Create and manipulate Tcl interpreters

SYNOPSIS
       interp option ?arg arg ...?


DESCRIPTION
       This  command  makes it possible to create one or more new
       Tcl interpreters that co-exist with  the  creating  inter-
       preter  in the same application.  The creating interpreter
       is called the master and the new interpreter is  called  a
       slave.  A master can create any number of slaves, and each
       slave can itself create additional slaves for which it  is
       master, resulting in a hierarchy of interpreters.

       Each  interpreter  is  independent from the others: it has
       its own name space for commands,  procedures,  and  global
       variables.   A  master  interpreter may create connections
       between its slaves and itself using a mechanism called  an
       alias.   An  alias  is  a  command  in a slave interpreter
       which, when invoked, causes a command to be invoked in its
       master  interpreter  or in another slave interpreter.  The
       only other connections between  interpreters  are  through
       environment  variables  (the env variable), which are nor-
       mally shared among all interpreters  in  the  application.
       Note  that  the  name  space  for files (such as the names
       returned by the open command) is no longer shared  between
       interpreters.  Explicit  commands  are  provided  to share
       files and to transfer references to open  files  from  one
       interpreter to another.

       The  interp  command also provides support for safe inter-
       preters.  A safe interpreter is a  slave  whose  functions
       have  been  greatly restricted, so that it is safe to exe-
       cute untrusted scripts without fear of them damaging other
       interpreters  or  the application's environment. For exam-
       ple, all IO channel creation commands and subprocess  cre-
       ation commands are made inaccessible to safe interpreters.
       See SAFE INTERPRETERS below for more information  on  what
       features are present in a safe interpreter.  The dangerous
       functionality is not removed from  the  safe  interpreter;
       instead,  it  is hidden, so that only trusted interpreters
       can obtain access to it. For  a  detailed  explanation  of
       hidden  commands,  see  HIDDEN COMMANDS, below.  The alias
       mechanism can be used for protected communication  (analo-
       gous to a kernel call) between a slave interpreter and its
       master. See ALIAS INVOCATION, below, for more  details  on
       how the alias mechanism works.

       A  qualified  interpreter  name is a proper Tcl lists con-
       taining a subset of its ancestors in the interpreter hier-
       archy,  terminated by the string naming the interpreter in
       its immediate master. Interpreter names  are  relative  to
       the  interpreter in which they are used. For example, if a
       is a slave of the current interpreter and it has  a  slave
       a1,  which  in turn has a slave a11, the qualified name of
       a11 in a is the list a1 a11.

       The interp command,  described  below,  accepts  qualified
       interpreter  names  as arguments; the interpreter in which
       the command is being evaluated can always be  referred  to
       as {} (the empty list or string). Note that it is impossi-
       ble to refer to a master (ancestor) interpreter by name in
       a slave interpreter except through aliases. Also, there is
       no global name by which one can refer to the first  inter-
       preter  created  in an application.  Both restrictions are
       motivated by safety concerns.


THE INTERP COMMAND
       The interp command is used to create, delete, and  manipu-
       late slave interpreters, and to share or transfer channels
       between interpreters.  It can have any of  several  forms,
       depending on the option argument:

       interp alias srcPath srcCmd
              Returns a Tcl list whose elements are the targetCmd
              and args associated with  the  alias  named  srcCmd
              (all  of  these  are  the values specified when the
              alias was created; it is possible that  the  actual
              source  command in the slave is different from src-
              Cmd if it was renamed).

       interp alias srcPath srcCmd {}
              Deletes the alias for srcCmd in  the  slave  inter-
              preter identified by srcPath.  srcCmd refers to the
              name under which the alias  was  created;   if  the
              source  command  has been renamed, the renamed com-
              mand will be deleted.

       interp alias srcPath srcCmd targetPath targetCmd ?arg arg
              ...?
              This command creates an alias between one slave and
              another (see the alias slave command below for cre-
              ating  aliases between a slave and its master).  In
              this command, either of the slave interpreters  may
              be  anywhere in the hierarchy of interpreters under
              the interpreter invoking the command.  SrcPath  and
              srcCmd  identify  the source of the alias.  SrcPath
              is a Tcl list whose elements  select  a  particular
              interpreter.   For  example,  ``a b'' identifies an
              interpreter b, which is a slave of  interpreter  a,
              which  is  a slave of the invoking interpreter.  An
              empty list specifies the interpreter  invoking  the
              command.   srcCmd  gives the name of a new command,
              which will be created in  the  source  interpreter.
              TargetPath   and   targetCmd   specify   a   target
              interpreter and command, and the arg arguments,  if
              any,  specify  additional  arguments  to  targetCmd
              which are prepended to any arguments  specified  in
              the  invocation  of srcCmd.  TargetCmd may be unde-
              fined at the time of this call, or it  may  already
              exist;  it  is  not  created  by this command.  The
              alias arranges for the given target command  to  be
              invoked  in  the  target  interpreter  whenever the
              given source  command  is  invoked  in  the  source
              interpreter.   See  ALIAS INVOCATION below for more
              details.

       interp aliases ?path?
              This command returns a Tcl list of the names of all
              the  source  commands  for  aliases  defined in the
              interpreter identified by path.

       interp create ?-safe? ?--? ?path?
              Creates a slave interpreter identified by path  and
              a  new command, called a slave command. The name of
              the slave command is the last  component  of  path.
              The new slave interpreter and the slave command are
              created in the interpreter identified by  the  path
              obtained  by removing the last component from path.
              For example, if path is a b  c  then  a  new  slave
              interpreter  and  slave command named c are created
              in the interpreter identified by the path a b.  The
              slave  command  may  be  used to manipulate the new
              interpreter as described below. If path is omitted,
              Tcl  creates  a  unique  name  of the form interpx,
              where x is an integer, and uses it for  the  inter-
              preter  and  the slave command. If the -safe switch
              is specified (or if the  master  interpreter  is  a
              safe  interpreter),  the new slave interpreter will
              be created as a safe interpreter with limited func-
              tionality;  otherwise  the  slave  will include the
              full set of Tcl built-in  commands  and  variables.
              The  --  switch  can  be  used  to  mark the end of
              switches;  it may be needed if path is  an  unusual
              value  such  as -safe. The result of the command is
              the name of the new  interpreter.  The  name  of  a
              slave  interpreter  must  be  unique  among all the
              slaves for its master;  an error occurs if a  slave
              interpreter  by  the  given  name already exists in
              this master.

       interp delete ?path ...?
              Deletes zero or  more  interpreters  given  by  the
              optional  path arguments, and for each interpreter,
              it  also  deletes  its  slaves.  The  command  also
              deletes  the  slave  command  for  each interpreter
              deleted.  For each path argument, if no interpreter
              by that name exists, the command raises an error.
       interp eval path arg ?arg ...?
              This  command concatenates all of the arg arguments
              in the same fashion as  the  concat  command,  then
              evaluates  the  resulting string as a Tcl script in
              the  slave  interpreter  identified  by  path.  The
              result of this evaluation (including error informa-
              tion such as the errorInfo and errorCode variables,
              if  an  error  occurs)  is returned to the invoking
              interpreter.

       interp exists path
              Returns  1 if a slave interpreter by the  specified
              path exists in this master, 0 otherwise. If path is
              omitted, the invoking interpreter is used.

       interp expose path hiddenName ?exposedCmdName?
              Makes the hidden command hiddenName exposed,  even-
              tually  bringing it back under a new exposedCmdName
              name (this name is currently accepted only if it is
              a  valid global name space name without any ::), in
              the interpreter denoted by  path.   If  an  exposed
              command  with  the  targetted  name already exists,
              this command fails.  Hidden commands are  explained
              in more detail in HIDDEN COMMANDS, below.

       interp hide path exposedCmdName ?hiddenCmdName?
              Makes  the  exposed  command exposedCmdName hidden,
              renaming it to the hidden command hiddenCmdName, or
              keeping  the  same  name  if  hiddenCmdName  is not
              given, in the interpreter denoted by  path.   If  a
              hidden  command  with  the  targetted  name already
              exists,  this  command   fails.    Currently   both
              exposedCmdName  and  hiddenCmdName  can not contain
              namespace qualifiers, or an error is raised.   Com-
              mands  to be hidden by interp hide are looked up in
              the global namespace even if the current  namespace
              is  not  the  global one. This prevents slaves from
              fooling a master interpreter into hiding the  wrong
              command, by making the current namespace be differ-
              ent from  the  global  one.   Hidden  commands  are
              explained in more detail in HIDDEN COMMANDS, below.

       interp hidden path
              Returns a list of the names of all hidden  commands
              in the interpreter identified by path.

       interp invokehidden path ?-global? hiddenCmdName ?arg ...?
              Invokes the hidden command hiddenCmdName  with  the
              arguments  supplied  in  the interpreter denoted by
              path. No substitutions or evaluation are applied to
              the arguments.  If the -global flag is present, the
              hidden command is invoked at the  global  level  in
              the  target interpreter; otherwise it is invoked at
              the  current  call  frame  and  can  access   local
              variables  in  that  and outer call frames.  Hidden
              commands are explained in  more  detail  in  HIDDEN
              COMMANDS, below.

       interp issafe ?path?
              Returns  1  if  the  interpreter  identified by the
              specified path is safe, 0 otherwise.

       interp marktrusted path
              Marks  the  interpreter  identified  by   path   as
              trusted.  Does not expose the hidden commands. This
              command can only be invoked from a  trusted  inter-
              preter.   The  command  has no effect if the inter-
              preter identified by path is already trusted.

       interp share srcPath channelId destPath
              Causes the IO channel identified  by  channelId  to
              become shared between the interpreter identified by
              srcPath and the interpreter identified by destPath.
              Both  interpreters have the same permissions on the
              IO channel.  Both interpreters  must  close  it  to
              close the underlying IO channel; IO channels acces-
              sible in an interpreter  are  automatically  closed
              when an interpreter is destroyed.

       interp slaves ?path?
              Returns  a  Tcl  list of the names of all the slave
              interpreters associated with the interpreter  iden-
              tified  by  path.  If path is omitted, the invoking
              interpreter is used.

       interp target path alias
              Returns a Tcl list  describing  the  target  inter-
              preter for an alias. The alias is specified with an
              interpreter path and source command name,  just  as
              in  interp  alias  above.  The  name  of the target
              interpreter is returned  as  an  interpreter  path,
              relative  to the invoking interpreter.  If the tar-
              get interpreter  for  the  alias  is  the  invoking
              interpreter  then an empty list is returned. If the
              target interpreter for the alias is not the  invok-
              ing  interpreter  or one of its descendants then an
              error is generated.  The target  command  does  not
              have  to be defined at the time of this invocation.

       interp transfer srcPath channelId destPath
              Causes the IO channel identified  by  channelId  to
              become  available  in the interpreter identified by
              destPath and unavailable in the interpreter identi-
              fied by srcPath.


SLAVE COMMAND
       For   each  slave  interpreter  created  with  the  interp
       command, a new Tcl command is created in the master inter-
       preter  with  the  same  name as the new interpreter. This
       command may be used to invoke various  operations  on  the
       interpreter.  It has the following general form:
              slave command ?arg arg ...?
       Slave  is the name of the interpreter, and command and the
       args determine the exact behavior  of  the  command.   The
       valid forms of this command are:

       slave aliases
              Returns  a Tcl list whose elements are the names of
              all the aliases in slave.  The names  returned  are
              the  srcCmd  values used when the aliases were cre-
              ated (which may not be  the  same  as  the  current
              names  of the commands, if they have been renamed).

       slave alias srcCmd
              Returns a Tcl list whose elements are the targetCmd
              and  args  associated  with  the alias named srcCmd
              (all of these are the  values  specified  when  the
              alias  was  created; it is possible that the actual
              source command in the slave is different from  src-
              Cmd if it was renamed).

       slave alias srcCmd {}
              Deletes  the  alias  for srcCmd in the slave inter-
              preter.  srcCmd refers to the name under which  the
              alias  was created;  if the source command has been
              renamed, the renamed command will be deleted.

       slave alias srcCmd targetCmd ?arg ..?
              Creates an  alias  such  that  whenever  srcCmd  is
              invoked  in slave, targetCmd is invoked in the mas-
              ter.  The arg arguments will be passed to targetCmd
              as additional arguments, prepended before any argu-
              ments passed in  the  invocation  of  srcCmd.   See
              ALIAS INVOCATION below for details.

       slave eval arg ?arg ..?
              This  command concatenates all of the arg arguments
              in the same fashion as  the  concat  command,  then
              evaluates  the  resulting string as a Tcl script in
              slave.  The result of  this  evaluation  (including
              error  information such as the errorInfo and error-
              Code variables, if an error occurs) is returned  to
              the invoking interpreter.

       slave expose hiddenName ?exposedCmdName?
              This command exposes the hidden command hiddenName,
              eventually bringing it back under a new exposedCmd-
              Name  name (this name is currently accepted only if
              it is a valid global name space  name  without  any
              ::), in slave.  If an exposed command with the tar-
              getted name already  exists,  this  command  fails.
              For  more  details  on  hidden commands, see HIDDEN
              COMMANDS, below.

       slave hide exposedCmdName ?hiddenCmdName?
              This command hides the exposed command  exposedCmd-
              Name,  renaming it to the hidden command hiddenCmd-
              Name, or keeping the same name if the the  argument
              is  not given, in the slave interpreter.  If a hid-
              den command with the targetted name already exists,
              this  command fails.  Currently both exposedCmdName
              and hiddenCmdName can not contain namespace  quali-
              fiers,  or an error is raised.  Commands to be hid-
              den are looked up in the global namespace  even  if
              the  current  namespace is not the global one. This
              prevents slaves from fooling a  master  interpreter
              into  hiding  the wrong command, by making the cur-
              rent namespace be different from  the  global  one.
              For  more  details  on  hidden commands, see HIDDEN
              COMMANDS, below.

       slave hidden
              Returns a list of the names of all hidden  commands
              in slave.

       slave invokehidden ?-global hiddenName ?arg ..?
              This  command invokes the hidden command hiddenName
              with the supplied arguments, in slave. No substitu-
              tions  or evaluations are applied to the arguments.
              If the  -global  flag  is  given,  the  command  is
              invoked at the global level in the slave; otherwise
              it is invoked at the current  call  frame  and  can
              access  local  variables  in  that  or  outer  call
              frames.  For more details on hidden  commands,  see
              HIDDEN COMMANDS, below.

       slave issafe
              Returns  1 if the slave interpreter is safe, 0 oth-
              erwise.

       slave marktrusted
              Marks the slave interpreter as trusted. Can only be
              invoked by a trusted interpreter. This command does
              not expose any hidden commands in the slave  inter-
              preter.  The  command has no effect if the slave is
              already trusted.


SAFE INTERPRETERS
       A safe interpreter is one with  restricted  functionality,
       so  that  is safe to execute an arbitrary script from your
       worst enemy without  fear  of  that  script  damaging  the
       enclosing  application or the rest of your computing envi-
       ronment.  In order to make an  interpreter  safe,  certain
       commands  and  variables are removed from the interpreter.
       For example, commands to create files on disk are removed,
       and the exec command is removed, since it could be used to
       cause damage  through  subprocesses.   Limited  access  to
       these  facilities  can be provided, by creating aliases to
       the master interpreter which check their  arguments  care-
       fully  and  provide  restricted access to a safe subset of
       facilities.  For example, file creation might  be  allowed
       in  a  particular  subdirectory  and subprocess invocation
       might be allowed for a carefully selected and fixed set of
       programs.

       A  safe  interpreter  is  created  by specifying the -safe
       switch to the interp  create  command.   Furthermore,  any
       slave created by a safe interpreter will also be safe.

       A  safe  interpreter is created with exactly the following
       set of built-in commands:

              after       append      array       break
              case        catch       clock       close
              concat      continue    eof         error
              eval        expr        fblocked    fileevent
              flush       for         foreach     format
              gets        global      history     if
              incr        info        interp      join
              lappend     lindex      linsert     list
              llength     lower       lrange      lreplace
              lsearch     lsort       package     pid
              proc        puts        read        rename
              return      scan        seek        set
              split       string      subst       switch
              tell        trace       unset       update
              uplevel     upvar       vwait       while

       The following commands are hidden by interp create when it
       creates a safe interpreter:

              cd          exec        exit        fconfigure
              file        glob        load        open
              pwd         socket      source      vwait

       These commands can be recreated later as Tcl procedures or
       aliases, or re-exposed by interp expose.

       In addition, the env variable is not  present  in  a  safe
       interpreter, so it cannot share environment variables with
       other interpreters. The  env  variable  poses  a  security
       risk,  because users can store sensitive information in an
       environment variable. For example, the PGP  manual  recom-
       mends  storing  the PGP private key protection password in
       the environment variable  PGPPASS.  Making  this  variable
       available  to  untrusted  code  executing in a safe inter-
       preter would incur a security risk.
       If extensions are loaded into a safe interpreter, they may
       also  restrict their own functionality to eliminate unsafe
       commands. For a discussion of management of extensions for
       safety  see  the  manual entries for Safe-Tcl and the load
       Tcl command.


ALIAS INVOCATION
       The alias mechanism has been carefully designed so that it
       can  be  used safely when an untrusted script is executing
       in a safe slave and the target of the alias is  a  trusted
       master.   The  most important thing in guaranteeing safety
       is to ensure that information passed from the slave to the
       master  is  never  evaluated or substituted in the master;
       if this were to occur, it would enable an evil  script  in
       the  slave  to  invoke  arbitrary functions in the master,
       which would compromise security.

       When the source for an  alias  is  invoked  in  the  slave
       interpreter,  the  usual  Tcl  substitutions are performed
       when parsing that command.  These substitutions  are  car-
       ried  out  in the source interpreter just as they would be
       for any other command invoked in  that  interpreter.   The
       command  procedure  for the source command takes its argu-
       ments and merges them with the targetCmd and args for  the
       alias to create a new array of arguments.  If the words of
       srcCmd were ``srcCmd arg1 arg2 ... argN'', the new set  of
       words  will  be  ``targetCmd arg arg ... arg arg1 arg2 ...
       argN'', where targetCmd and args are the  values  supplied
       when  the  alias  was  created.  TargetCmd is then used to
       locate a command procedure in the target interpreter,  and
       that  command  procedure  is  invoked  with the new set of
       arguments.  An error occurs if there is no  command  named
       targetCmd  in  the target interpreter.  No additional sub-
       stitutions are performed on the words:  the target command
       procedure  is  invoked directly, without going through the
       normal Tcl evaluation mechanism.  Substitutions  are  thus
       performed  on  each  word exactly once: targetCmd and args
       were substituted when parsing the command that created the
       alias,  and  arg1  - argN are substituted when the alias's
       source command is parsed in the source interpreter.

       When writing the targetCmds for  aliases  in  safe  inter-
       preters,  it  is very important that the arguments to that
       command never be  evaluated  or  substituted,  since  this
       would provide an escape mechanism whereby the slave inter-
       preter could execute arbitrary code in the  master.   This
       in turn would compromise the security of the system.


HIDDEN COMMANDS
       Safe   interpreters  greatly  restrict  the  functionality
       available to Tcl programs executing within them.  Allowing
       the  untrusted  Tcl  program to have direct access to this
       functionality is unsafe, because it  can  be  used  for  a
       variety of attacks on the environment.  However, there are
       times when there is a legitimate need to use the dangerous
       functionality  in the context of the safe interpreter. For
       example, sometimes a program  must  be  sourced  into  the
       interpreter.   Another  example  is  Tk, where windows are
       bound to the hierarchy of windows for  a  specific  inter-
       preter; some potentially dangerous functions, e.g.  window
       management, must be performed on these windows within  the
       interpreter context.

       The  interp command provides a solution to this problem in
       the form of hidden commands. Instead of removing the  dan-
       gerous  commands  entirely  from a safe interpreter, these
       commands are hidden so  they  become  unavailable  to  Tcl
       scripts executing in the interpreter. However, such hidden
       commands can be invoked by any  trusted  ancestor  of  the
       safe  interpreter, in the context of the safe interpreter,
       using interp invoke. Hidden commands and exposed  commands
       reside in separate name spaces. It is possible to define a
       hidden command and an exposed command  by  the  same  name
       within one interpreter.

       Hidden  commands  in a slave interpreter can be invoked in
       the body of procedures called in the master  during  alias
       invocation. For example, an alias for source could be cre-
       ated in a slave interpreter. When it  is  invoked  in  the
       slave  interpreter,  a  procedure  is called in the master
       interpreter to check that the operation is allowable (e.g.
       it  asks  to  source  a file that the slave interpreter is
       allowed to access). The procedure then it invokes the hid-
       den  source  command  in the slave interpreter to actually
       source in the contents of the file. Note that two commands
       named  source  exist  in the slave interpreter: the alias,
       and the hidden command.

       Because a master interpreter may invoke a  hidden  command
       as  part  of handling an alias invocation, great care must
       be taken to  avoid  evaluating  any  arguments  passed  in
       through  the alias invocation.  Otherwise, malicious slave
       interpreters could cause a trusted master  interpreter  to
       execute  dangerous  commands on their behalf. See the sec-
       tion on ALIAS INVOCATION for a more complete discussion of
       this  topic.  To help avoid this problem, no substitutions
       or evaluations are applied to arguments of interp  invoke-
       hidden.

       Safe  interpreters  are  not allowed to invoke hidden com-
       mands in themselves or in their descendants. This prevents
       safe slaves from gaining access to hidden functionality in
       themselves or their descendants.

       The set of hidden commands in an interpreter can be manip-
       ulated  by  a  trusted interpreter using interp expose and
       interp hide. The interp expose command moves a hidden com-
       mand  to  the  set  of exposed commands in the interpreter
       identified by path, potentially renaming  the  command  in
       the  process.  If an exposed command by the targetted name
       already exists, the  operation  fails.  Similarly,  interp
       hide  moves  an  exposed command to the set of hidden com-
       mands in  that  interpreter.  Safe  interpreters  are  not
       allowed  to  move  commands  between the set of hidden and
       exposed commands, in either themselves  or  their  descen-
       dants.

       Currently,  the  names  of  hidden commands cannot contain
       namespace qualifiers, and you must first rename a  command
       in a namespace to the global namespace before you can hide
       it.  Commands to be hidden by interp hide are looked up in
       the  global namespace even if the current namespace is not
       the global one. This prevents slaves from fooling a master
       interpreter  into  hiding the wrong command, by making the
       current namespace be different from the global one.

CREDITS
       This mechanism is based on the Safe-Tcl  prototype  imple-
       mented by Nathaniel Borenstein and Marshall Rose.


SEE ALSO
       load(n), safe(n), Tcl_CreateSlave(3)


KEYWORDS
       alias,  master interpreter, safe interpreter, slave inter-
       preter
