Re: code access security, local application
From: Michel Gallant \(MVP\) (neutron_at_istar.ca)
Date: 05/06/03
- Previous message: J-P Meunier: "Help : XML Signature with private key in smart card"
- In reply to: Wiktor Zychla: "code access security, local application"
- Next in thread: Wiktor Zychla: "Re: code access security, local application"
- Reply: Wiktor Zychla: "Re: code access security, local application"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 6 May 2003 11:53:54 -0400
Wiktor,
First off, remember that if you add a child code-group, the resultant
permission set is a *union* of all permissions granted by code-groups
that match the membership condition for that level (Machine in your case).
Since the Machine/All Code by default has full permissions, if you
want to restrict permissions for a local machine file sandbox, you need
to make it exculsive. Here is one way to do it:
- create child group under Machine/All Code (as you have done)
I call it netSandbox
- set the Membership Condition for this new code group to "URL"
and assign the sandboxed folder as a wildcarded file URL, e.g.
file://C:/netsandbox/*
- under Permission Set, assign the restricting permissions (e.g. Internet if
you wish to simulate code originating from the Internet)
- most importantly, in the General tab, check the box:
"This policy level will only have the permissions from the permission set associated
associated with this code group"
The last step makes this matching condition mask out the Machine/All Code group
permissions, which as I said are full.
Cheers,
- Michel Gallant
MVP Security
http://pages.istar.ca/~neutron
"Wiktor Zychla" <ieUser@microsoft.com.no.spam> wrote in message
news:OCwmrR7EDHA.2204@TK2MSFTNGP10.phx.gbl...
> [also posted to donet.framework]
>
> Hi there,
>
> I've read several docs about .net security. I am interested in code
> access security. I've experimented with .NET framework Configuration tool.
>
> However, there's one thing I do not understand (or I do not know how to
> do). Suppose I get an application from someone, I put it in C:\000 but I do
> not trust this application. I would like to "sandbox" it, i.e. give it only
> a fixed set of permissions.
>
> So, I bring .NET Framework Configuration tool, I add new code group
> under "Machine/All Code", I associate the group with new permission set and
> I set the membership condition to Application Directory (is it ok?). I call
> my new code group "XYZ".
>
> Then I wish the application, C:\000\myApplication.exe, to be in the group
> XYZ to force my custom permission set. But I do not know how to do this! I
> have no idea how to add particular application, located on my hard disk, to
> my own code group with my own permissions.
>
> Is it possible? Do I miss something? I suppose this should be possible
> but at the moment I have no idea how to do it. Remember that my primary goal
> is to "sanbox" a local application, i.e. define my own permission set and
> run my application against the set. Maybe there are other ways to accomplish
> this goal.
>
> Big thanks for help,
>
> Regards
> Wiktor Zychla
>
>
>
>
- Previous message: J-P Meunier: "Help : XML Signature with private key in smart card"
- In reply to: Wiktor Zychla: "code access security, local application"
- Next in thread: Wiktor Zychla: "Re: code access security, local application"
- Reply: Wiktor Zychla: "Re: code access security, local application"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
