trying to figure out code permissions


David Thielen

Hi;

I assumed the following code would not load. And if it loaded, would throw
an exception on the OpenText. However it runs fine.

AssemblyInfo.cs:

    using System.Security.Permissions;

    // only permission - set to cause all other to be disallowed
    [assembly: RegistryPermission(SecurityAction.RequestMinimum)]

Program.cs:

    using System.IO;

    class Program
    {
        static void Main(string[] args)
        {
            MyObj obj = new MyObj();
            string str = obj.ToString();
            File.OpenText(str);
        }
    }

    class MyObj
    {
        public override string ToString()
        {
            return "dave.txt";
        }
    }


Why does this work?

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com

Cubicle Wars - http://www.windwardreports.com/film.htm
 

Dominick Baier

RequestMinimum makes sure you have this permission. Not that all others are
disabled.

Try RequestOptional instead.
 

David Thielen

Hi;

I'm still not getting something. I now have:
    [assembly: UIPermission(SecurityAction.RequestOptional, Window = UIPermissionWindow.AllWindows)]

And am getting this on startup:

    System.Security.SecurityException was unhandled
      Message="Request for the permission of type 'System.Security.Permissions.UIPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed."
      Source="mscorlib"
      GrantedSet="<PermissionSet class=\"System.Security.PermissionSet\"\r\nversion=\"1\">\r\n<IPermission class=\"System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\"\r\nversion=\"1\"\r\nFlags=\"Execution\"/>\r\n<IPermission class=\"System.Security.Permissions.UIPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\"\r\nversion=\"1\"\r\nWindow=\"AllWindows\"/>\r\n</PermissionSet>\r\n"
      PermissionState="<IPermission class=\"System.Security.Permissions.UIPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\"\r\nversion=\"1\"\r\nUnrestricted=\"true\"/>\r\n"
      RefusedSet=""
      Url="file:///C:/src/TestPerm/TestPerm/bin/Debug/TestPerm.EXE"
      StackTrace:
        at System.AppDomain.nExecuteAssembly(Assembly assembly, String[] args)
        at System.AppDomain.ExecuteAssembly(String assemblyFile, Evidence assemblySecurity, String[] args)
        at Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly()
        at System.Threading.ThreadHelper.ThreadStart_Context(Object state)
        at System.Threading.ExecutionContext.runTryCode(Object userData)
        at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)
        at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state)
        at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
        at System.Threading.ThreadHelper.ThreadStart()

One of the choices in the debugger prompt was "Add Permission to the
project" - I clicked on that, exited VS2005, started it again, and still get
this.

What am I missing?

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com

Cubicle Wars - http://www.windwardreports.com/film.htm




 

Dominick Baier

I meant put the registry permission into the request optional - then run
without a debugger.

[assembly: RegistryPermission(SecurityAction.RequestOptional)]


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
 

Steven Cheng[MSFT]

Hi Dave,

What's the exact CAS behavior you want to achieve in your application? For
assembly level security requesting, there are three requesting types:

** Minimum
** Optional
** Refusing

For Optional, you need to take care when using it because it will only grant
those CAS permissions you have declared through the "Optional" request
flag, but refuse all other CAS permissions even if the runtime originally
can grant your application host. Here are some MSDN references that can
help you better understand this:

# Requesting Optional Permissions
http://msdn2.microsoft.com/en-us/library/ea5yat38(vs.71).aspx

# How to: Request Optional Permissions by Using the RequestOptional Flag
http://msdn2.microsoft.com/en-us/library/ea5yat38.aspx

Please feel free to let me know if you have any particular requirement here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.
 

Dominick Baier

In addition, it turns out that declarative requests are not flexible enough
in most situations...

If you want to have complete control over the permissions you want to grant
yourself, construct a PermissionSet object and add the permissions you need/don't
want. Then call Deny/PermitOnly on it. Do that in your main so that all stack
walks can find the marker.
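
The imperative approach described in the last reply, as an added example that is not code from the thread or its participants: Main builds a PermissionSet holding a single FileIOPermission and calls PermitOnly, so a read of any other file fails its stack walk. It assumes the .NET Framework 2.0-era CAS model discussed in the thread; the file name other.txt and the helper TryOpen are constructed for the demo.

```csharp
// Added example: restrict Main to one readable file with PermitOnly.
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

class Program
{
    static void Main()
    {
        // Resolve and create both files while the code is still unrestricted.
        string allowed = Path.GetFullPath("dave.txt");
        string other = Path.GetFullPath("other.txt");   // constructed name
        File.WriteAllText(allowed, "allowed contents");
        File.WriteAllText(other, "other contents");

        // Start from an empty set and add only what the program needs.
        PermissionSet only = new PermissionSet(PermissionState.None);
        only.AddPermission(new FileIOPermission(
            FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery,
            allowed));

        // The marker sits on Main's frame: every Demand whose stack walk
        // reaches this frame fails unless the permission is in 'only'.
        only.PermitOnly();
        string first = TryOpen(allowed);
        string second = TryOpen(other);
        CodeAccessPermission.RevertPermitOnly();

        Console.WriteLine("{0}: {1}", allowed, first);
        Console.WriteLine("{0}: {1}", other, second);
    }

    // Hypothetical helper: reports whether File.OpenText passed its demand.
    static string TryOpen(string path)
    {
        try
        {
            using (StreamReader reader = File.OpenText(path))
            {
                return "opened, first line: " + reader.ReadLine();
            }
        }
        catch (SecurityException ex)
        {
            return "denied: " + ex.Message;
        }
    }
}
```

PermitOnly is a stack-walk modifier rather than a sandbox boundary: fully trusted code called from Main can still Assert a permission and stop the walk before it reaches the marker.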
 
