Re: code access security, local application

From: Michel Gallant (MVP) (neutron_at_istar.ca)
Date: 05/06/03

  • Next message: Matthew Holton: "NTLMSSP - Conversation"
    Date: Tue, 6 May 2003 11:53:54 -0400
    
    

    Wiktor,

    First off, remember that if you add a child code-group, the resultant
    permission set is a *union* of all permissions granted by code-groups
    that match the membership condition for that level (Machine in your case).

    Since the Machine/All Code by default has full permissions, if you
    want to restrict permissions for a local machine file sandbox, you need
    to make it exclusive. Here is one way to do it:

     - create child group under Machine/All Code (as you have done)
        I call it netSandbox
     - set the Membership Condition for this new code group to "URL"
        and assign the sandboxed folder as a wildcarded file URL, e.g.
         file://C:/netsandbox/*
     - under Permission Set, assign the restricting permissions (e.g. Internet if
        you wish to simulate code originating from the Internet)
     - most importantly, in the General tab, check the box:
        "This policy level will only have the permissions from the permission set
           associated with this code group"
    The last step makes this matching condition mask out the Machine/All Code group
    permissions, which as I said are full.

    Cheers,
     - Michel Gallant
        MVP Security
        http://pages.istar.ca/~neutron

    "Wiktor Zychla" <ieUser@microsoft.com.no.spam> wrote in message
    news:OCwmrR7EDHA.2204@TK2MSFTNGP10.phx.gbl...
    > [also posted to donet.framework]
    >
    > Hi there,
    >
    > I've read several docs about .net security. I am interested in code
    > access security. I've experimented with .NET framework Configuration tool.
    >
    > However, there's one thing I do not understand (or I do not know how to
    > do). Suppose I get an application from someone, I put it in C:\000 but I do
    > not trust this application. I would like to "sandbox" it, i.e. give it only
    > a fixed set of permissions.
    >
    > So, I bring .NET Framework Configuration tool, I add new code group
    > under "Machine/All Code", I associate the group with new permission set and
    > I set the membership condition to Application Directory (is it ok?). I call
    > my new code group "XYZ".
    >
    > Then I wish the application, C:\000\myApplication.exe, to be in the group
    > XYZ to force my custom permission set. But I do not know how to do this! I
    > have no idea how to add particular application, located on my hard disk, to
    > my own code group with my own permissions.
    >
    > Is it possible? Do I miss something? I suppose this should be possible
    > but at the moment I have no idea how to do it. Remember that my primary goal
    > is to "sandbox" a local application, i.e. define my own permission set and
    > run my application against the set. Maybe there are other ways to accomplish
    > this goal.
    >
    > Big thanks for help,
    >
    > Regards
    > Wiktor Zychla
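
The resolution rule described in the reply above (union of all matching code groups at a policy level, unless a matching group is marked exclusive), as a simplified model added here for illustration; it is not part of the original post and not .NET code. The permission names, the sample application path and the prefix-style URL matching are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed, abbreviated permission names; real permission sets are richer.
INTERNET = frozenset({"Execution", "UI", "FileDialog", "IsolatedStorage"})
FULL = INTERNET | {"FileIO", "Registry", "UnmanagedCode"}

@dataclass
class CodeGroup:
    name: str
    url_pattern: str            # "*" matches all code; else a URL with optional trailing *
    permissions: frozenset
    exclusive: bool = False     # models the General-tab checkbox from the last step
    children: list = field(default_factory=list)

    def matches(self, url: str) -> bool:
        # Assumed matching rule: case-insensitive, trailing * means prefix match.
        pat, url = self.url_pattern.lower(), url.lower()
        if pat.endswith("*"):
            return url.startswith(pat[:-1])
        return url == pat

def resolve_level(root: CodeGroup, url: str) -> frozenset:
    """Grant for one policy level: union of matching groups, unless one is exclusive."""
    matched = []
    def walk(group):
        if group.matches(url):          # children are only tested if the parent matched
            matched.append(group)
            for child in group.children:
                walk(child)
    walk(root)
    exclusive = [g for g in matched if g.exclusive]
    if len(exclusive) > 1:
        raise ValueError("more than one exclusive code group matched")
    if exclusive:
        return exclusive[0].permissions  # masks out every other matching group
    return frozenset().union(*(g.permissions for g in matched))

def machine_level(exclusive: bool) -> CodeGroup:
    # Machine level as described in the reply: All Code (full) with a netSandbox child.
    sandbox = CodeGroup("netSandbox", "file://C:/netsandbox/*", INTERNET, exclusive)
    return CodeGroup("All Code", "*", FULL, children=[sandbox])

if __name__ == "__main__":
    app = "file://C:/netsandbox/myApplication.exe"   # constructed sample path
    print(sorted(resolve_level(machine_level(False), app)))  # union: still full
    print(sorted(resolve_level(machine_level(True), app)))   # exclusive: Internet only
```

Code outside the sandbox folder still resolves to the All Code grant, because the exclusive group only takes effect when its own membership condition matches.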