User guide

5-40 ExtremeWare EPICenter Software Installation and User Guide
The EPICenter Alarm System
variables, access alarm instance data, access event log data, and access other EPICenter
server-side data. In order to protect the EPICenter server from malicious or erroneous
alarm action scripts, the alarm script execution environment uses the “safe interpreter”
ability of the Tcl system.
The safe interpreter is a slave of the main EPICenter server-side Tcl interpreter (master
interpreter). The functions of the safe interpreter are restricted so that it cannot do harm to
the overall EPICenter server. A safe interpreter creates a private “sandbox” in which the
alarm action scripts execute. The master interpreter hides certain functions from the
scripts inside the sandbox. The master interpreter performs some other functions on behalf
of the slave interpreter. By performing functions for the slave, the master has a chance to
check whether the slave’s request is valid. If not, the master rejects the slave’s request.
The following table summarizes the Tcl commands that are deemed dangerous for use by
a Tcl alarm action script. Some of these commands are removed entirely from the Alarm
Tcl environment. Others are aliased so that the master interpreter can intercept the
command call and provide a restricted version of the operation.
Table 5-2: Command Restrictions in EPICenter Tcl Safe Interpreter

Tcl Command | Hidden in Safe Interp | Explicit Hide by EPICenter | Alias in Master | Description
----------- | --------------------- | -------------------------- | --------------- | -----------
cd          |                       |                            |                 | Not allowed
file        |                       |                            |                 | Only allow: atime, attributes (read-only), dirname, executable, exists, extension, isdirectory, isfile, join, lstat, mtime, nativename, owned, pathtype, readable, readlink, rootname, size, split, stat, tail, type, volume, writable
pwd         |                       |                            |                 | Not allowed
exec        |                       |                            |                 | Not allowed
glob        |                       |                            |                 | Full functions
socket      |                       |                            |                 | No server-side socket; a client socket is opened in async mode; the opened client socket is placed in nonblocking mode using the default buffer size; the number of open sockets is restricted
exit        |                       |                            |                 | Not allowed
load        |                       |                            |                 | Not allowed
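The master/slave mediation described above, shown as an added Tcl example that is not EPICenter's own code: the master creates a safe slave, then re-exposes `file` through an alias so that only the read-only subcommands of Table 5-2 reach the real command. The slave name `alarmScript` and the mediating procedure `safe_file` are assumed for illustration.

```tcl
package require Tcl 8.5

# Subcommands of "file" that the sandbox may call (the list from Table 5-2).
set allowedFileSubcmds {
    atime attributes dirname executable exists extension isdirectory isfile
    join lstat mtime nativename owned pathtype readable readlink rootname
    size split stat tail type volume writable
}

# Runs in the master on behalf of the slave: validate, then forward.
# "slave" is prepended by the alias so the master knows who is asking.
proc safe_file {slave subcmd args} {
    global allowedFileSubcmds
    if {[lsearch -exact $allowedFileSubcmds $subcmd] < 0} {
        error "file $subcmd: not permitted in alarm script sandbox"
    }
    # "attributes" is read-only: "file attributes name opt value" would set it.
    if {$subcmd eq "attributes" && [llength $args] > 2} {
        error "file attributes: setting attributes is not permitted"
    }
    return [file $subcmd {*}$args]
}

# A safe interpreter already hides cd, exec, exit, file, glob, load, pwd and
# socket. The alias below installs a visible "file" in the slave that is
# actually executed by safe_file in the master ("Alias in Master").
set alarmScript [interp create -safe]
interp alias $alarmScript file {} safe_file $alarmScript

# glob is re-exposed with full function: the master simply invokes the
# hidden command in the slave's context on the slave's behalf.
interp alias $alarmScript glob {} interp invokehidden $alarmScript glob

# Demonstration from inside the sandbox (constructed calls).
puts [$alarmScript eval {file exists /tmp}]          ;# mediated, permitted
catch {$alarmScript eval {file delete /tmp/x}} msg   ;# rejected by safe_file
puts $msg
catch {$alarmScript eval {exec ls}} msg              ;# still hidden, no alias
puts $msg
```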