diff options
Diffstat (limited to 'contrib/tcl/doc/safe.n')
-rw-r--r-- | contrib/tcl/doc/safe.n | 529 |
1 files changed, 264 insertions, 265 deletions
diff --git a/contrib/tcl/doc/safe.n b/contrib/tcl/doc/safe.n index acc50ed..03adf0f 100644 --- a/contrib/tcl/doc/safe.n +++ b/contrib/tcl/doc/safe.n @@ -4,300 +4,299 @@ '\" See the file "license.terms" for information on usage and redistribution '\" of this file, and for a DISCLAIMER OF ALL WARRANTIES. '\" -'\" SCCS: @(#) safe.n 1.10 97/03/24 09:21:12 +'\" SCCS: @(#) safe.n 1.3 97/08/13 12:44:45 '\" .so man.macros -.TH "Safe Tcl" n 7.7 Tcl "Tcl Built-In Commands" +.TH "Safe Tcl" n 8.0 Tcl "Tcl Built-In Commands" .BS '\" Note: do not modify the .SH NAME line immediately below! .SH NAME -Safe Tcl \- A mechanism for managing security policies. +Safe Base \- A mechanism for creating and manipulating safe interpreters. .SH SYNOPSIS -.nf -\fBtcl_safeCreateInterp\fR \fIslave\fR +.PP +\fB::safe::interpCreate\fR ?\fIslave\fR? ?\fIoptions...\fR? +.sp +\fB::safe::interpInit\fR \fIslave\fR ?\fIoptions...\fR? .sp -\fBtcl_safeInitInterp\fR \fIslave\fR +\fB::safe::interpConfigure\fR \fIslave\fR ?\fIoptions...\fR? .sp -\fBtcl_safeDeleteInterp\fR \fIslave\fR +\fB::safe::interpDelete\fR \fIslave\fR .sp -\fIpolicy\fB_policyInit\fR \fIslave\fR +\fB::safe::interpAddToAccessPath\fR \fIslave\fR \fIdirectory\fR .sp -\fIpolicy\fB_policyFinalize\fR \fIslave\fR -.fi +\fB::safe::interpFindInAccessPath\fR \fIslave\fR \fIdirectory\fR +.sp +\fB::safe::setLogCmd\fR ?\fIcmd arg...\fR? +.SH OPTIONS +.PP +?\fB\-accessPath\fR \fIpathList\fR? ?\fB\-noStatics\fR? ?\fB\-nestedLoadOk\fR? ?\fB\-deleteHook\fR \fIscript\fR? .BE .SH DESCRIPTION +Safe Tcl is a mechanism for executing untrusted Tcl scripts +safely and for providing mediated access by such scripts to +potentially dangerous functionality. .PP -This manual entry describes \fBSafe Tcl\fR, a mechanism and collection of -library procedures for managing security policies. \fBSafe Tcl\fR is used -in \fBapplications\fR that want to provide a flexible, extensible safe -hosting environment for untrusted guest scripts, \fBtclets\fR. It -provides a mechanism to ensure that tclets cannot harm the hosting -application, and a way to extend limited degrees of trust to such tclets, -to allow them to have access to unsafe features. +The Safe Base ensures that untrusted Tcl scripts cannot harm the +hosting application. +The Safe Base prevents integrity and privacy attacks. Untrusted Tcl +scripts are prevented from corrupting the state of the hosting +application or computer. Untrusted scripts are also prevented from +disclosing information stored on the hosting computer or in the +hosting application to any party. .PP -The content of this manual entry is of interest to four different -audiences: authors of tclets will primarily be interested in the sections -on the \fBSAFE BASE\fR and on \fBUSING SAFE TCL IN TCLETS\fR. -Application authors will find relevant information in the section on -\fBUSING SAFE TCL IN APPLICATIONS\fR. To create a new security -policy, e.g. to enable tclets to have access to a new feature, read the -section on \fBWRITING SECURITY POLICIES\fB. Finally, system administrators -and people installing \fBSafe Tcl\fR will find useful information in the -section on \fBINSTALLING SECURITY POLICIES\fR. +The Safe Base allows a master interpreter to create safe, restricted +interpreters that contain a set of predefined aliases for the \fBsource\fR, +\fBload\fR, \fBfile\fR and \fBexit\fR commands and +are able to use the auto-loading and package mechanisms. .PP -\fBSecurity policies\fR are collections of procedures, aliases, hidden -commands and variable settings that together implement a controlled way for -an application to allow a tclet to have restricted access to unsafe features. -For a complete description of aliases, hidden commands and how to use -multiple interpreters in an application, see the manual entry for the -\fBinterp\fR command. +No knowledge of the file system structure is leaked to the +safe interpreter, because it has access only to a virtualized path +containing tokens. When the safe interpreter requests to source a file, it +uses the token in the virtual path as part of the file name to source; the +master interpreter translates the token into a real directory name and +executes the requested operation. +Different levels of security can be selected by using the optional flags +of the commands described below. .PP -Packaging collections of features into security policies has several -advantages: First, it allows these collections to have names. This -facilitates the formation of a common, agreed upon, understanding of what -features are included in each policy. Second, it enables a reasoned -approach to developing extensions that make restricted features available -to untrusted tclets. -Third, because the feature set is delineated clearly, a security policy can -be subjected to analysis to determine what risks it exposes its user to. +All commands provided in the master interpreter by the Safe Base reside in +the \fBsafe\fR namespace. +\fB::safe::interpCreate\fR creates a new safe interpreter with options, +described in the section \fBOPTIONS\fR. +The return value is the name of the new safe interpreter created. +\fB::safe::interpInit\fR is similar to \fB::safe::interpCreate\fR except that +it requires as its first argument the name of a safe interpreter that was +previously created directly using the \fBinterp\fR command. +\fB::safe::interpDelete\fR deletes the interpreter named by its argument. +\fB::safe::interpConfigure\fR can be used to set or get options for the named +safe interpreters; the options are described in the section \fBOPTIONS\fR. .PP -The \fBSafe Tcl\fR approach to safe execution of untrusted code is further -discussed in \fBThe Safe\-Tcl Security Model\fR -(http://www.sunlabs.com/people/john.ousterhout/SafeTcl.ps). -This paper provides a detailed discussion of the underlying -motivations and philosophy, and compares the \fBSafe Tcl\fR model with -other current efforts. - -.SH "SAFE BASE" -.PP -This section describes the environment in which tclets start execution in -an application using \fBSafe Tcl\fR. This environment is known as the -\fBSafe Base\fR, as it provides the basis on which further security -policies are built. +A virtual path is maintained in the master interpreter for each safe +interpreter created by \fB::safe::interpCreate\fR or initialized by +\fB::safe::interpInit\fR. +The path maps tokens accessible in the safe interpreter into real path +names on the local file system. +This prevents safe interpreters from gaining knowledge about the +structure of the file system of the host on which the interpeter is +executing. +When a token is used in a safe interpreter in a request to source or +load a file, the token is translated to a real path name and the file to be +sourced or loaded is located on the file system. +The safe interpreter never gains knowledge of the actual path name under +which the file is stored on the file system. +Commands are provided in the master interpreter to manipulate the virtual +path for a safe interpreter. +\fB::safe::interpConfigure\fR can be used to set a new path for a safe +interpreter. +\fB::safe::interpAddToAccessPath\fR adds a directory to the virtual path for +the named safe interpreter and returns the token by which that directory +will be accessible in the safe interpreter. +\fB::safe::interpFindInAccessPath\fR finds the +requested directory in the virtual path for the named safe interpreter and +returns the token by which that directory can be accessed in the safe +interpreter. +If the path is not found, an error is raised. .PP -When a tclet starts execution in an environment using \fBSafe Tcl\fR, -its interpreter will contain aliases for the following commands: -.DS -.ta 1.2i 2.4i 3.6i -\fBexit file load source -tclPkgUnknown\fR -.DE -The \fBexit\fR alias terminates the execution of the -invoking slave. -\fBFile\fR allows access to a subset of the sub\-commands of the full -\fBfile\fR command. -\fBload\fR and \fBsource\fR make extensions available to the tclet in a -controlled manner. -The \fBtclPkgUnknown\fR alias allows the application to interpose on -\fBpackage require\fR invocations by the tclet. +\fB::safe::setLogCommand\fR installs a script to be called when interesting +life cycle events happen. +This script will be called with one argument, a string describing the event. +.SH ALIASES .PP -The following \fBTcl\fR commands are hidden in the Safe Base: -.DS -.ta 1.2i 2.4i 3.6i -\fBcd exec exit fconfigure -file glob load open -pwd socket source vwait\fR -.DE +The following aliases are provided in a safe interpreter: +.TP +\fBsource\fB \fIfileName\fR +The requested file, a Tcl source file, is sourced into the safe interpreter +if it is found. +The \fBsource\fR alias can only source files from directories in +the virtual path for the safe interpreter. The \fBsource\fR alias requires +the safe interpreter to +use one of the token names in its virtual path to denote the directory in +which the file to be sourced can be found. +See the section on \fBSECURITY\fR for more discussion of restrictions on +valid filenames. +.TP +\fBload\fR \fIfileName\fR +The requested file, a shared object file, in dynamically loaded into the +safe interpreter if it is found. +The filename must contain a token name mentioned in the virtual path for +the safe interpreter for it to be found successfully. +Additionally, the shared object file must contain a safe entry point; see +the manual page for the \fBload\fR command for more details. +.TP +\fBfile\fR ?\fIoptions\fR? +The \fBfile\fR alias provides access to a safe subset of the subcommands of +the \fBfile\fR command; it allows only \fBdirname\fR, \fBjoin\fR, +\fBextension\fR, \fBroot\fR, \fBtail\fR, \fBpathname\fR and \fBsplit\fR +subcommands. For more details on what these subcommands do see the manual +page for the \fBfile\fR command. +.TP +\fBexit\fR +The calling interpreter is deleted and its computation is stopped, but the +Tcl process in which this interpreter exists is not terminated. .PP -A tclet can also request to load packages using \fBpackage require\fR. -Please read the manual page on the \fBpackage\fR and \fBload\fR commands -for a discussion of package loading and special restrictions on loading -into safe interpreters. +.SH COMMANDS .PP -Tclets can use auto-loading to obtain the definitions for procedures as -needed. The auto-loading mechanism in the Safe Base supports tclIndex files -generated by \fBauto_mkindex\fR Version 2 and later. +The following commands are provided in the master interpreter: +.TP +\fB::safe::interpCreate\fR ?\fIslave\fR? ?\fIoptions...\fR? +Creates a safe interpreter, installs the aliases described in the section +\fBALIASES\fR and initializes the auto-loading and package mechanism as +specified by the supplied \fBoptions\fR. +See the \fBOPTIONS\fR section below for a description of the common +optional arguments. +If the \fIslave\fR argument is omitted, a name will be generated. +\fB::safe::interpCreate\fR always returns the interpreter name. +.TP +\fB::safe::interpInit\fR \fIslave\fR ?\fIoptions...\fR? +This command is similar to \fBinterpCreate\fR except it that does not +create the safe interpreter. \fIslave\fR must have been created by some +other means, like \fB::interp create \-safe\fR. +.TP +\fB::safe::interpConfigure\fR \fIslave\fR ?\fIoptions...\fR? +If no \fIoptions\fR are given, returns the settings for all options for the +named safe interpreter. +If \fIoptions\fR are supplied, sets the options for the named safe +interpreter. See the section on \fBOPTIONS\fR below. +.TP +\fB::safe::interpDelete\fR \fIslave\fR +Deletes the safe interpreter and cleans up the corresponding +master interpreter data structures. +If a \fIdeletehook\fR script was specified for this interpreter it is +evaluated before the interpreter is deleted, with the name of the +interpreter as an additional argument. +.TP +\fB::safe::interpFindInAccessPath\fR \fIslave\fR \fIdirectory\fR +This command finds and returns the token for the real directory +\fIdirectory\fR in the safe interpreter's current virtual access path. +It generates an error if the directory is not found. +Example of use: +.CS +$slave eval [list set tk_library [::safe::interpFindInAccessPath $name $tk_library]] +.CE +.TP +\fB::safe::interpAddToAccessPath\fR \fIslave\fR \fIdirectory\fR +This command adds \fIdirectory\fR to the virtual path maintained for the +safe interpreter in the master, and returns the token that can be used in +the safe interpreter to obtain access to files in that directory. +If the directory is already in the virtual path, it only returns the token +without adding the directory to the virtual path again. +Example of use: +.CS +$slave eval [list set tk_library [::safe::interpAddToAccessPath $name $tk_library]] +.CE +.TP +\fB::safe::setLogCmd\fR ?\fIcmd arg...\fR? +This command installs a script that will be called when interesting +lifecycle events occur for a safe interpreter. +When called with no arguments, it returns the currently installed script. +When called with one argument, an empty string, the currently installed +script is removed and logging is turned off. +The script will be invoked with one additional argument, a string +describing the event of interest. +The main purpose is to help in debugging safe interpreters. +Using this facility you can get complete error messages while the safe +interpreter gets only generic error messages. +This prevents a safe interpreter from seeing messages about failures +and other events that might contain sensitive information such as real +directory names. +.RS +Example of use: +.CS +::safe::setLogCmd puts stderr +.CE +Below is the output of a sample session in which a safe interpreter +attempted to source a file not found in its virtual access path. +Note that the safe interpreter only received an error message saying that +the file was not found: +.CS +NOTICE for slave interp10 : Created +NOTICE for slave interp10 : Setting accessPath=(/foo/bar) staticsok=1 nestedok=0 deletehook=() +NOTICE for slave interp10 : auto_path in interp10 has been set to {$p(:0:)} +ERROR for slave interp10 : /foo/bar/init.tcl: no such file or directory +.CE +.RE -.SH "USING SAFE TCL IN TCLETS" -.PP -Tclets start executing in the environment described in the previous -section, on the \fBSAFE BASE\fR. If they need access to unsafe features, -tclets can request to use a named security policy by invoking \fBpackage -require\fR with the policy name. If the request is denied by the -application's master interpreter, an error is returned. -A tclet can \fBcatch\fR the error and request to use a different named -policy, until a request is granted. -.PP -A tclet can only use one security policy during its lifetime. Once an -invocation of \fBpackage require\fR to load a security policy succeeds, -Safe Tcl prevents subsequent invocations of \fBpackage require\fR from -succeeding if the requested package is a security policy. There is also no -mechanism for a tclet to stop using a security policy, once it is loaded. -Invocations of \fBpackage require\fR to load other packages unrelated to -security policies will still succeed. -.PP -These restrictions are designed to prevent a tclet from composing security -policies either concurrently or sequentially, in ways not supported or -forseen by the authors of the policies. Allowing such composition would -expose the application to unknown security risks, because a security policy -that is safe in isolation is not necessarily safe when used in conjunction -with other security policies. -For example, a security policy that allows read\-only access to the local -file system can not disclose private data belonging to the application if -it does not have access to network communication commands such as -\fBsocket\fR. However, when used in conjunction with another security -policy that enables the \fBsocket\fR command, this policy is no longer -safe. +.SH OPTIONS +The following options are common to +\fB::safe::interpCreate\fR, \fB::safe::interpInit\fR, +and \fB::safe::interpConfigure\fR. +Any option name can be abbreviated to its minimal +non-ambiguous name. +Option names are not case sensitive. +.TP +\fB\-accessPath\fR ?\fIdirectoryList\fR? +This option sets the list of directories from which the safe interpreter +can \fBsource\fR and \fBload\fR files, and returns a list of tokens that +will allow the safe interpreter access to these directories. +If a value for \fBdirectoryList\fR is not given, or if it is given as the +empty list, the safe interpreter will use the same directories than its +master for auto-loading. +See the section \fBSECURITY\fR below for more detail about virtual paths, +tokens and access control. +.TP +\fB\-noStatics\fR +This option specifies that the safe interpreter will not be allowed +to load statically linked packages (like \fBload {} Tk\fR). +The default is that safe interpreters are allowed to load statically linked +packages. +.TP +\fB\-nestedLoadOk\fR +This option specifies that the safe interpreter will be allowed +to load packages into its own subinterpreters. +The default is that safe interpreters are not allowed to load packages into +their own subinterpreters. +.TP +\fB\-deleteHook\fR ?\fIscript\fR? +If \fIscript\fR is given, it is evaluated in the master with the name of +the safe interpreter as an additional argument just before deleting the +safe interpreter. +If no value is given for \fIscript\fR any currently installed deletion hook +script for that safe interpreter is removed; it will no longer be called +when the interpreter is deleted. +There is no deletion hook script installed by default. -.SH "USING SAFE TCL IN APPLICATIONS" -.PP -An application using Safe Tcl is usually structured as one or more unsafe -interpreters in which trusted code belonging to the application is -executed. Each such \fBmaster interpreter\fR controls one or more safe -\fBslave interpreters\fR in which tclets are executed. -Tclets communicate with their master interpreter via the aliases provided -by the Safe Base and via additional mechanisms installed by each security -policy. -This section describes the procedures an application invokes to use Safe -Tcl and to manage slave interpreters. -.PP -An application invokes \fBtcl_safeCreateInterp\fR \fIslave\fR to create a -new slave interpreter; this new interpreter will contain the aliases -provided by the Safe Base. A new command named \fBslave\fR is also created -in the invoking interpreter, to allow the application to manipulate the new -slave interpreter. -.PP -An application can use \fBtcl_safeInitInterp\fR \fIslave\fR to initialize -an existing slave interpreter with the Safe-Tcl security policy mechanism. -This procedure is useful when an application already has a safe slave -interpreter created with \fBinterp create -safe\fR and wishes to enable it -to use security policies. -.PP -An application should invoke \fBtcl_safeDeleteInterp\fR \fIslave\fR to -delete an interpreter previously created by \fBtcl_safeCreateInterp\fR. This -procedure terminates the execution of the tclet in the \fIslave\fR -interpreter and cleans up associated state maintained by the Safe Tcl -mechanism. -.PP -Security policies are installed on the file system of the system on which -the application is executing. Security policies are found in the -\fIpolicies\fR sub-directories of directories mentioned in the -application's \fBauto_path\fR, and in sub-directories of these -\fIpolicies\fR directories. +.SH SECURITY .PP -Safe Tcl will invoke, on behalf of an application, additional procedures -provided by individual security policies to manage the lifecycle of those -policies. These additional procedures are described in the next section. +The Safe Base does not attempt to completely prevent annoyance and +denial of service attacks. These forms of attack prevent the +application or user from temporarily using the computer to perform +useful work, for example by consuming all available CPU time or +all available screen real estate. +These attacks, while agravating, are deemed to be of lesser importance +in general than integrity and privacy attacks that the Safe Base +is to prevent. -.SH "WRITING SECURITY POLICIES" +The commands available in a safe interpreter, in addition to +the safe set as defined in \fBinterp\fR manual page, are mediated aliases +for \fBsource\fR, \fBload\fR, \fBexit\fR, and a safe subset of \fBfile\fR. +The safe interpreter can also auto-load code and it can request to load +packages. +Because some of these commands access the local file system, there is a +potential for information leakage about its directory structure. +To prevent this, commands which take file names as arguments in a safe +interpreter use tokens instead of the real directory names. +These tokens are translated to the real directory name while a request to, +e.g., source a file is mediated by the master interpreter. .PP -Writing a security policy is a complex effort that should not be undertaken -lightly. It involves careful design, exhaustive testing, public review and -analysis and continuous debugging. -In addition to considering what features a security policy should provide, -the implementer has to constantly keep in mind the security risks to which -an application using the policy may be exposed. -Actively considering each feature to see if it can be used to compromise an -application will help to minimize the chance of a security mishap later on. +To further prevent potential information leakage from sensitive files that +are accidentally included in the set of files that can be sourced by a safe +interpreter, the \fBsource\fR alias is restricted so that it can only +source files with names that have the extension \fB.tcl\fR, that contain +only one dot and that are forteen characters long or shorter. .PP -A security policy is a Tcl script or a shared library that is loaded into -an unsafe master interpreter. -A security policy consists of two parts: a \fBmanagement\fR part, concerned -with installing the policy into safe slaves and cleaning up after a slave -is destroyed, and a \fBruntime\fR part, concerned with actually -implementing the features of the policy. -.PP -The management part of a security policy consists of two Tcl procedures or -commands, one for installing the security policy features into a safe -slave, and the other for cleaning up any associated state when a slave is -destroyed. -The names of these procedures or commands are \fIpolicy\fB_policyInit\fR -and \fIpolicy\fB_policyFinalize, where \fIpolicy\fR is the name of the -policy as used by the slave interpreter in the \fBpackage require\fR -invocation. -.PP -The policy initialization procedure \fIpolicy\fB_policyInit\fR called in -the master interpreter with one argument, the name of the slave -interpreter, when a slave requests to use the \fIpolicy\fR security policy. -Error returns indicate that the slave was denied permission to use this -policy; the error is propagated back to the slave interpreter. Successful -return indicates that the policy is now available in the requesting slave. -If it decides to allow the slave to use the requested policy, -\fIpolicy\fB_policyInit\fR should install new aliases and command into the -slave, initialize variables both in the master interpreter and in the -slave, and do any other initialization work to make the policy features -available in the slave. -Policy initialization procedures may also perform other tasks, such as -creating policy specific state data for the new slave using this policy. -.PP -Policy initialization procedures should be careful to leave a clean state -in the slave interpreter if a failure occurs during initialization; the -rule is that if an error is returned, no changes in any variables, -procedures or aliases should be detectable in the slave. -For example, if use of a security policy requires creation -of a socket to a remote host at initialization time, and if that host is -not accessible, all aliases created in the slave to use the policy -should be removed. Otherwise, these aliases might open security holes when -used in conjunction with another security policy subsequently requested by -the slave. Without this, a malicious tclet could purposely cause a failure -during initialization in one security policy and compose features provided -by that policy in an unsafe manner with another security policy requested -later. -.PP -When an application invokes \fBtcl_safeDeleteInterp\fR to delete a slave -interpreter, the policy finalization procedure -\fIpolicy\fB_policyFinalize\fR for the policy in use by the slave is called. -It receives one argument, the name of the slave interpreter being deleted. -This procedure should ensure that subsequently if a slave by the -same name is re\-created, the new slave will be able to use this policy. -It may also wish to remove any policy specific state data created by -\fIpolicy\fB_policyInit\fR. -.PP -During initialization, a number of aliases may be created in the slave; -when these aliases are invoke, they cause commands defined in the master to -execute. The runtime part of a security policy consists of implementations -of all the target commands that handle the invocation of aliases in the -slave. Because these commands execute in a trusted interpreter, they have -full access to all the capabilities of Tcl and any extensions loaded into -the master interpreter. -.PP -A security policy must provide a \fBtclIndex\fR file in addition to files -containing Tcl procedures and shared libraries implementing the policy. -To generate a \fBtclIndex\fR file, use the Tcl command \fBauto_mkindex\fR -which is described in the manual page for the Tcl library. - -.SH "INSTALLING SECURITY POLICIES" -.PP -Safe Tcl uses a platform dependent mechanism for obtaining the initial -setting for the search path for finding security policies. -On \fBUnix\fR, the environment variable \fBTCL_POLICY_PATH\fR is consulted. -On \fBWin32\fR systems and on \fBMacOS\fR there is currently no mechanism -provided to obtain the initial value; each application should provide its -own mechanism for obtaining the initial search path. Such mechanisms will -be provided shortly. -.PP -The search path is searched in reverse order of the order in which entries -appear. Thus, if two or more policies by the same name occur in the path, -the last policy by that name will be used by Safe Tcl. -This enable system administrators to install system wide security policies -in a centralized directory and then require users to include that directory -as the last component in the search path. Doing so will ensure that system -wide policies are used in preference of policies installed by individual -users. -.PP -To install a policy, create a sub\-directory of one of the directories -mentioned in the policy search path, and copy all the files comprising the -policy into the new directory. -Applications should be able, in most situations, to use the newly available -policy immediately, without having to restart. -If a security policy uses the same name as a regular package, a \fBpackage -require\fR invocation in a slave interpreter will preferentially use the -security policy over the regular package. -However, if a security policy is installed after the first invocation of -\fBpackage require\fR in an application, and a regular package exists by -the same name, the security policy will not be available for use in that -application. In this case you must restart the application for the policy -to become available. - -.SH CREDITS -.PP -The security policy mechanism extends and expands on the Safe-Tcl prototype -first implemented by Nathaniel Borenstein and Marshall Rose. +The default value of the Tcl variable \fBauto_path\fR in a safe interpreter +is a virtualized token list for the directories in the value of its +master's \fBauto_path\fR variable and their immediate subdirectories. +The first token in this list is also assigned to the Tcl varibale +\fBtcl_library\fR in the safe interpreter. +You can always specify a more +restrictive path for which sub directories will never be searched by +explicitly specifying your directory list with the \fB\-accessPath\fR flag +instead of relying on this default mechanism. .SH "SEE ALSO" interp(n), library(n), load(n), package(n), source(n), unknown(n) - + .SH KEYWORDS -alias, auto\-loading, auto_mkindex, load, master interpreter, security -policy, safe interpreter, slave interpreter, source +alias, auto\-loading, auto_mkindex, load, master interpreter, safe +interpreter, slave interpreter, source |