Problem with security

Pepe

I use the security tool mscorcfg.msc to configure a new policy level under machine level.

I set a condition type of URL with value file:///C:/testfolder/*

I create a new permission named myperm only with UIpermission set to No Windows.

I assign this permission myperm to the level I created before.

I move a simple Windows form executable to c:/testfolder

It works normally. It should throw a security exception, shouldn't it? Or maybe I forgot something or misunderstood something?

Can somebody help me to understand policy levels?

Thanks
 
The issue is that for a given policy level the assembly is evaluated against all matching Code Groups and takes the *union* of the permissions granted (the permissions granted at each policy level - machine, user, enterprise and AppDomain - are intersected). So your assembly matches your new code group *and* the LocalMachine one, and local machine grants FullTrust by default.

What you need to do is make your Code Group "exclusive". This means that only your code group will be used for matching assemblies. You can do this via the config tool by checking the "This policy level will only have permissions associated with this code group" checkbox.

Regards

Richard Blewett - DevelopMentor
http://staff.develop.com/richardb/weblog

[microsoft.public.dotnet.framework]
 
Thanks, but I set the exclusive attribute on the code group and it still didn't throw any security exception.

I don't know what to do now.




 
Right click on the root node of the CAS settings and select evaluate assembly. Select your assembly and see which code groups it matches (in other words, see if it matches your new one or whether your membership condition isn't quite right).

Regards

Richard Blewett - DevelopMentor
http://staff.develop.com/richardb/weblog

 
Thanks again, but the membership condition works. I also check the permissions theoretically denied (UIinterface).

Maybe I forgot an attribute in assembly.cs?





 
Do you have both .NET 1.0 and 1.1 on the machine? You have to set up policy in the version of .NET that the running component was compiled against.

If you have both versions on the machine you should have 2 tools:
Microsoft .NET Framework Configuration
Microsoft .NET Framework 1.1 Configuration

Regards

Richard Blewett - DevelopMentor
http://staff.develop.com/richardb/weblog

 
Yes, this is the solution.
I changed security permissions for version 1.0 also and now it works fine!

Thanks a lot mate, you solved my doubt and also taught me a lot about security.
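
The checks worked through in this thread, done in code as an added example that is not part of any post: it prints the version of the runtime it is running under and what each policy level grants to a URL under the test folder, then the effective (intersected) grant. It assumes the .NET Framework 1.x/2.0 CAS policy APIs in `System.Security.Policy`; the file name `app.exe` and the class name are constructed placeholders.

```csharp
// Added diagnostic, not code from the thread. Build it with the compiler of the
// runtime version whose policy you edited: 1.0 and 1.1 keep separate policy.
using System;
using System.Collections;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

class CasGrantReport
{
    // Summarise a grant set, focusing on the UIPermission from the question.
    static string Describe(PermissionSet ps)
    {
        if (ps == null) return "(nothing)";
        if (ps.IsUnrestricted()) return "FullTrust (unrestricted)";
        UIPermission ui = (UIPermission)ps.GetPermission(typeof(UIPermission));
        return "restricted, UIPermission.Window = "
            + (ui == null ? "not granted" : ui.Window.ToString());
    }

    static void Main(string[] args)
    {
        // Constructed sample URL under the folder from the question; override via args[0].
        string url = args.Length > 0 ? args[0] : "file:///C:/testfolder/app.exe";

        // Evidence comparable to what the loader presents for a local file.
        Evidence ev = new Evidence();
        ev.AddHost(new Url(url));
        ev.AddHost(new Zone(SecurityZone.MyComputer));

        Console.WriteLine("Runtime whose policy is evaluated: {0}", Environment.Version);

        // Per level: union of every matching code group, unless an Exclusive group matched.
        IEnumerator levels = SecurityManager.PolicyHierarchy();
        while (levels.MoveNext())
        {
            PolicyLevel level = (PolicyLevel)levels.Current;
            PolicyStatement st = level.Resolve(ev);
            bool exclusive = (st.Attributes & PolicyStatementAttribute.Exclusive) != 0;
            Console.WriteLine("{0,-10} exclusive={1} grant={2}",
                level.Label, exclusive, Describe(st.PermissionSet));
        }

        // Effective grant: intersection of the per-level grants.
        Console.WriteLine("Effective  grant={0}", Describe(SecurityManager.ResolvePolicy(ev)));
    }
}
```

If the Machine line still reports FullTrust after the code group was edited, either the group is not exclusive or the edit was made in the policy of a different runtime version than the one printed on the first line.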

