System.Security.Permissions.FileIOPermission

Discussion in 'ASP .Net Security' started by Eric Phetteplace, Jun 11, 2004.

  1. Hello,

    This seems to be a common question, but all the posts I see do not have a
    clear answer.

    Here's an excerpt of my WebPart code:
    ************
    Imports System.IO

    Dim oFS As FileStream
    oFS = File.Open([PermPath], FileMode.Open)
    If Err.Number > 0 Then ...
    ************
    It compiles fine.

    The only way I can get this to work is by modifying the web.config file
    ************
    <trust level="Full" originUrl="" />
    ************

    EVERYTHING ELSE I TRIED DID NOT WORK, AS STATED BELOW:

    I tried asserting permissions, but this seems undesirable, and it doesn't
    work without trust level= "full"
    I would hope the .Net security wouldn't allow coders to automatically bypass
    security, as I think this is what happens here.
    *******************
    Dim f As System.Security.Permissions.FileIOPermission

    f = New
    System.Security.Permissions.FileIOPermission(Security.Permissions.Permission
    State.Unrestricted)

    f.AddPathList(Security.Permissions.FileIOPermissionAccess.Read,
    [PermPath])

    f.Assert()

    *******************

    I tried modifying the wss_mediumtrust.config policy file
    removing the Flags attribute and adding the Unrestricted attribute (I'm
    guessing this was the att name)
    I believe this is undesirable too, since it opens a gaping security hole.
    ***********************

    <IPermission
    class="SecurityPermission"
    version="1"
    Unrestricted = "true"
    />

    ***********************

    I saw another suggestion to use WPPackager and add the IPermission for the
    web part package. That sounds like the proper way.

    My questions are:

    1. How do I allow my Web part to have file access, without setting the
    trust level to "full?"
    2. Is the WPPackager the proper way to grant file access to this individual
    web part?

    Thanks,

    Eric
    Eric Phetteplace, Jun 11, 2004
    #1
    1. Advertising

  2. Eric Phetteplace

    Keith Brown Guest

    Hey Eric,

    You definitely do NOT want to make the SecurityPermission unrestricted. That has no effect at all on the FileIOPermission, which is what you really want to fix, but what it does do is grant all *sorts* of scary permissions (like ControlPolicy, which allows you to set SecurityManager.SecurityEnabled=false and turn off all of CAS!)

    You have a couple of choices: you can either move your functionality into an assembly in the GAC (where it will be fully trusted) and mark your assembly with the AllowPartiallyTrustedCallers attribute, or you can change policy like you were suggesting by adding an element for FileIOPermission, either making it unrestricted or (even better) specifying the exact directory and permission level you need to grant.

    Keith Brown, MVP
    http://www.pluralsight.com
    Keith Brown, Jun 12, 2004
    #2
    1. Advertising

  3. Hi Keith,

    Thanks for your help!

    I tried adding an IPermission element for FileIOPermission, right under the
    existing one in the wss_mediumtrust.config:
    <IPermission
    class="FileIOPermission"
    version="1"
    Read="G:\SpecialDir"
    PathDiscovery="G:\SpecialDir"
    />
    When I try to read g:\specialdir\test.txt, I receive the following error:
    The HelloWorldApp, Version=1.0.0.1, Culture=neutral,
    PublicKeyToken=dc2757a2b56c5017 assembly specified in a Register directive
    of this page could not be found

    Any suggestions?

    Eric

    "Keith Brown" <Keith > wrote in message
    news:...
    > Hey Eric,
    >
    > You definitely do NOT want to make the SecurityPermission unrestricted.

    That has no effect at all on the FileIOPermission, which is what you really
    want to fix, but what it does do is grant all *sorts* of scary permissions
    (like ControlPolicy, which allows you to set
    SecurityManager.SecurityEnabled=false and turn off all of CAS!)
    >
    > You have a couple of choices: you can either move your functionality into

    an assembly in the GAC (where it will be fully trusted) and mark your
    assembly with the AllowPartiallyTrustedCallers attribute, or you can change
    policy like you were suggesting by adding an element for FileIOPermission,
    either making it unrestricted or (even better) specifying the exact
    directory and permission level you need to grant.
    >
    > Keith Brown, MVP
    > http://www.pluralsight.com
    Eric Phetteplace, Jun 12, 2004
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. =?Utf-8?B?cGF1bA==?=

    System.Security.Permissions.FileIOPermission

    =?Utf-8?B?cGF1bA==?=, Oct 1, 2004, in forum: ASP .Net
    Replies:
    0
    Views:
    943
    =?Utf-8?B?cGF1bA==?=
    Oct 1, 2004
  2. Simon Cheng

    System.Security.Permissions.FileIOPermission

    Simon Cheng, Nov 25, 2005, in forum: ASP .Net Security
    Replies:
    3
    Views:
    289
    Dominick Baier [DevelopMentor]
    Nov 25, 2005
  3. Usman Ghani
    Replies:
    0
    Views:
    141
    Usman Ghani
    Apr 17, 2006
  4. Leyla
    Replies:
    2
    Views:
    661
    Leyla
    Aug 17, 2006
  5. Replies:
    0
    Views:
    302
Loading...

Share This Page