Re: Environment.CommandLine Security Exception

From: Don Dumitru [MSFT] (dondu@online.microsoft.com)
Date: 02/27/03


From: "Don Dumitru [MSFT]" <dondu@online.microsoft.com>
Date: Thu, 27 Feb 2003 13:37:59 -0800


The particular problem here is that the original poster wanted to run the
app from a *network* share. The default config for the CLR is to give
reduced privileges to apps running from *network* shares - if the app is
instead running from the local hard disk, the app would have full rights
(under the default config).

The rationale behind this is that files on a network share are theoretically
more vulnerable to attack by hackers than are files installed on your local
hard disk.

For a commercial app that ships to customers, the app would get copied to
the local hard disk, and thus wouldn't need any changes to the security
config.

--Don

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.

"Dave Ferguson" <support@ignitelogic.com> wrote in message
news:06cd01c2dea5$defeb600$3301280a@phx.gbl...
> Wow. I could be missing something here, but if I
> understand correctly: You can never ship a commercial
> product for network installation that is based on
> the .Net Framework without requiring users to understand
> security. That is a potentially huge support burden for a
> software company! Is MSOffice built on the .Net
> framework? It is able to be installed and run from a
> network drive without having to use the .Net Framework
> Configuration tool or CASPOL. Right?
>
> >-----Original Message-----
> >Not possible, unless you have control of group policy for all
> >the users' machines (see also Enterprise Security Level in CAS).
> >
> >Don't forget that CAS is about protecting users from the code
> >itself, not about allowing users with specific permissions to
> >execute that code. Users need to be protected against code
> >which can't be properly "validated".
> >Also, keep in mind that there are probably hackers reading
> >these groups, looking for poor security practices, used by
> >developers .. waiting for their opportunity ... to subvert
> >poor implementations of an otherwise great .net security
> >infrastructure.
> >
> >If you need transparency, you must deploy your application to
> >your users so it is installed locally, or deploy configuration
> >changes to all your users (hence group policy comment above).
> >
> >
> >- Mitch
> >
> >"Dave Ferguson" <support@ignitelogic.com> wrote in message
> >news:055801c2de8c$a5ec7500$3001280a@phx.gbl...
> >> But isn't CASPOL and the .Net Framework Configuration
> >> tool used to modify security policies on the machine? I
> >> need to be able to ship the program to many users - each
> >> of which should be able to run the program without
> >> worrying about security policies. As long as the user has
> >> the appropriate permissions, the program should run
> >> correctly from whatever location the user chooses. Isn't
> >> this possible?
> >>
> >>
> >> >-----Original Message-----
> >> >You can use caspol to set policy or use the .NET Framework Configuration
> >> >tools (under Administrative tools).  I prefer the latter.  You have a couple
> >> >of choices, creating a code group (in this case two, since you used two
> >> >different keys) using strong names as the membership condition and giving
> >> >both assemblies FullTrust (which I don't recommend), or, creating custom
> >> >named permission(s) first (also under the .NET Framework Configuration
> >> >tool), then using those custom named permission sets when you create your
> >> >code groups.  This is the most secure way of granting permissions, because
> >> >it will only give the permissions the assemblies need to run, helping to
> >> >prevent misuse.
> >> >
> >> >--
> >> >This posting is provided "AS IS" with no warranties, and confers no rights.
> >> >Use of included script samples are subject to the terms specified at
> >> >http://www.microsoft.com/info/cpyright.htm
> >> >
> >> >
> >> >"Michel Gallant (MVP)" <neutron@istar.ca> wrote in message
> >> >news:OF$SHpi3CHA.2324@TK2MSFTNGP10.phx.gbl...
> >> >> Since CAS is "Code Access Security", the code itself can't request
> >> >> more privileges than is available via your local policy file.
> >> >> Therefore, if an exception is thrown for code sourced from the
> >> >> Local Intranet, the only way you can get around this is to adjust
> >> >> your code policy (via caspol or .net config tool), in a SAFE way,
> >> >> to allow permissions to code that you deem is trustworthy, i.e. code
> >> >> that is digitally signed or Strong-Named.
> >> >>
> >> >> You can RESTRICT what your code can do, with declarative statements,
> >> >> so that you allow exactly and only the permissions you wish the code to
> >> >> have. This is a good "due diligence" strategy on the part of a programmer,
> >> >> particularly in more complex applications, to not expose your code to more
> >> >> privileges than what it needs to get the job done.
> >> >>
> >> >>  - Mitch
> >> >>
> >> >> "Dave Ferguson" <support@ignitelogic> wrote in message
> >> >> news:039a01c2de22$a93f0890$a501280a@phx.gbl...
> >> >> > Thank you for the help. I think I'm close, but I'm
> >> >> > missing a key concept or two.
> >> >> >
> >> >> > So...
> >> >> >
> >> >> > I have an exe with the namespace Main
> >> >> > It loads a dll with the namespace BaseFunctions (which
> >> >> > calls Environment.CommandLine)
> >> >> >
> >> >> > 1. I created Main.snk and BaseFunctions.snk
> >> >> > 2. I added the reference to these key pairs in their
> >> >> > respective assembly files.
> >> >> > 3. Now...I want the file to be able to run from a network
> >> >> > drive. Is using the caspol tool how you propose to grant
> >> >> > permissions? Or can I instead programmatically do this by
> >> >> > calling the EnvironmentPermission method?
> >> >> >
> >> >> > (The best help would be if there is sample code somewhere
> >> >> > that you recommend. I have found tons of 'literature' on
> >> >> > the security concepts, but no code...)
> >> >> >
> >> >> > Thank you again.
> >> >> >
> >> >> > >-----Original Message-----
> >> >> > >also, read this useful article:
> >> >> > > http://msdn.microsoft.com/msdnmag/issues/02/07/netsmartclients/default.aspx
> >> >> > > and look at the Intranet/Internet permissions chart:
> >> >> > > http://msdn.microsoft.com/msdnmag/issues/02/07/netsmartclients/figures.asp#fig4
> >> >> > >
> >> >> > > - Michel Gallant
> >> >> > >   MVP Security
> >> >> > >   http://www.jensign.com
> >> >> > >
> >> >> > >"Shel Blauman [MSFT]" <sheldonb@online.microsoft.com> wrote in message
> >> >> > >news:e#qikYf3CHA.2472@TK2MSFTNGP11.phx.gbl...
> >> >> > >> You will need  EnvironmentPermission for the ability to access the "Path"
> >> >> > >> environment variable. Associated enumeration:
> >> >> > >> EnvironmentPermissionAccess.Read .  What you are running into is executables
> >> >> > >> from a share run under the Local Intranet zone, with diminished permissions.
> >> >> > >> Here is a short article on running from a share:
> >> >> > >>
> >> >> > >> The following applies to a managed executable program (.exe) that executes
> >> >> > >> with greater permissions than normally would be granted to the zone to which
> >> >> > >> the assembly belongs.  For a program hosted on another computer in a local
> >> >> > >> area network, this would be the Local Intranet zone.  Any file residing on a
> >> >> > >> mapped network drive is, by default, in the Local Intranet zone and operates
> >> >> > >> under its permission set.  If the assembly to be run does not require any
> >> >> > >> permissions other than those normally granted to applications running in the
> >> >> > >> Local Intranet zone, signing and creating a custom code group are not
> >> >> > >> required.  The below steps are only necessary when the assembly causes a
> >> >> > >> security exception to be thrown when it is executed.  It is strongly
> >> >> > >> recommended that the permissions granted the Local Intranet zone not be
> >> >> > >> changed to FullTrust as an alternative to the following steps.
> >> >> > >>
> >> >> > >> Check that the following conditions have been met:
> >> >> > >>
> >> >> > >>   1. The evidence identifying the executable is used to set the membership
> >> >> > >> condition in a code group, using either the .NET Configuration Tool
> >> >> > >> (Mscorcfg.msc) or caspol.exe.   Although other membership conditions are
> >> >> > >> available, the recommended practice is to sign the assembly with a strong
> >> >> > >> name or a certificate.
> >> >> > >>
> >> >> > >> To create a strong name use sn.exe:
> >> >> > >>
> >> >> > >> sn -k keyPair.snk
> >> >> > >>
> >> >> > >> // This strong name key is used to create a code group that gives
> >> >> > >> // permissions to this assembly.
> >> >> > >> [assembly: AssemblyKeyFile("keyPair.snk")]
> >> >> > >> namespace SignedAssembly
> >> >> > >>
> >> >> > >>   2. The code group corresponding to the evidence of the executable gives
> >> >> > >> the permissions the assembly requires.  If the executable is identified by a
> >> >> > >> strong name, the code group will utilize the StrongNameMembershipCondition.
> >> >> > >>
> >> >> > >> caspol -machine -addgroup All_Code -strong -file signedassembly.exe FullTrust -name FouthCoffeeStrongName -description "Code group granting trust to code signed by FourthCoffee"
> >> >> > >>
> >> >> > >> Alternatively, the code group can be created using the Microsoft .NET
> >> >> > >> Framework Configuration tool  (Mscorcfg.msc) found under Administrative
> >> >> > >> Tools.
> >> >> > >>
> >> >> > >>   3. The runtime version on the host computer is compatible with the
> >> >> > >> runtime used to compile the assembly.
> >> >> > >>
> >> >> > >>   4. The code group created for the executable is in the same runtime that
> >> >> > >> the executable uses.
> >> >> > >>
> >> >> > >>  Hope this helps,
> >> >> > >>
> >> >> > >> Shel
> >> >> > >>
> >> >> > >> --
> >> >> > >> This posting is provided "AS IS" with no warranties, and confers no rights.
> >> >> > >> Use of included script samples are subject to the terms specified at
> >> >> > >> http://www.microsoft.com/info/cpyright.htm
> >> >> > >>
> >> >> > >>
> >> >> > >> "Dave Ferguson" <support@ignitelogic.com> wrote in message
> >> >> > >> news:076601c2ddec$dd75cb20$3001280a@phx.gbl...
> >> >> > >> > I have a C# application that uses the CommandLine
> >> >> > >> > property to get the name of the program. This works fine
> >> >> > >> > when running from the local hard disk.
> >> >> > >> >
> >> >> > >> > If I try to run the program from a network drive I get a
> >> >> > >> > SecurityException. I am running with administrator
> >> >> > >> > permissions and from Windows I can add/delete/create
> >> >> > >> > files and directories.
> >> >> > >> >
> >> >> > >> > What do I need to do to allow the program to be able to
> >> >> > >> > get the Environment.CommandLine value?
> >> >> > >>
> >> >> > >>
> >> >> > >
> >> >> > >
> >> >> > >.
> >> >> > >
> >> >>
> >> >>
> >> >
> >> >
> >> >.
> >> >
> >
> >
> >.
> >
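
The thread asks for sample code for the case it describes: Environment.CommandLine demanding EnvironmentPermission (read access to "Path") and failing under the Local Intranet zone's reduced grant. The C# below is an added example, not code from any poster in the thread; it targets the .NET Framework 1.x/2.0 Code Access Security model discussed here and shows how an assembly can check its own grant and degrade instead of crashing. The class name CommandLineProbe and the fallback string are hypothetical.

```csharp
// Added example, not from the thread. Written against the .NET Framework
// 1.x/2.0 Code Access Security APIs that the thread discusses.
using System;
using System.Security;
using System.Security.Permissions;

public sealed class CommandLineProbe   // hypothetical name
{
    // The permission Environment.CommandLine demands, per Shel's reply:
    // read access to the "Path" environment variable.
    private static readonly IPermission Needed =
        new EnvironmentPermission(EnvironmentPermissionAccess.Read, "Path");

    // True when security policy granted the calling assembly the permission.
    public static bool HasCommandLineAccess()
    {
        return SecurityManager.IsGranted(Needed);
    }

    // Returns the command line, or the supplied fallback when policy
    // withholds the permission (e.g. when run from a network share).
    public static string GetProgramName(string fallback)
    {
        if (!HasCommandLineAccess())
            return fallback;
        try
        {
            return Environment.CommandLine;
        }
        catch (SecurityException)
        {
            // The demand walks the whole call stack: an .exe that loaded
            // this assembly may lack the permission even if this dll has it.
            return fallback;
        }
    }

    public static void Main()
    {
        Console.WriteLine("EnvironmentPermission(Read, \"Path\") granted: {0}",
            HasCommandLineAccess());
        Console.WriteLine("Program: {0}",
            GetProgramName("(unavailable under current policy)"));
    }
}
```

Run from a local disk under default policy, the first line reports True; run unchanged from a mapped network drive, it reports False until a code group such as the strong-name one in Shel's steps grants the permission.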

