Re: code access security, local application

From: Michel Gallant (MVP) (neutron_at_istar.ca)
Date: 05/06/03

    Date: Tue, 6 May 2003 11:53:54 -0400
    
    

    Wiktor,

    First off, remember that if you add a child code-group, the resultant
    permission set is a *union* of all permissions granted by code-groups
    that match the membership condition for that level (Machine in your case).

    Since the Machine/All Code by default has full permissions, if you
    want to restrict permissions for a local machine file sandbox, you need
    to make it exclusive. Here is one way to do it:

     - create child group under Machine/All Code (as you have done)
        I call it netSandbox
     - set the Membership Condition for this new code group to "URL"
        and assign the sandboxed folder as a wildcarded file URL, e.g.
         file://C:/netsandbox/*
     - under Permission Set, assign the restricting permissions (e.g. Internet if
        you wish to simulate code originating from the Internet)
     - most importantly, in the General tab, check the box:
        "This policy level will only have the permissions from the permission set
           associated with this code group"
    The last step makes this matching condition mask out the Machine/All Code group
    permissions, which as I said are full.

    Cheers,
     - Michel Gallant
        MVP Security
        http://pages.istar.ca/~neutron

    "Wiktor Zychla" <ieUser@microsoft.com.no.spam> wrote in message
    news:OCwmrR7EDHA.2204@TK2MSFTNGP10.phx.gbl...
    > [also posted to dotnet.framework]
    >
    > Hi there,
    >
    > I've read several docs about .net security. I am interested in code
    > access security. I've experimented with .NET framework Configuration tool.
    >
    > However, there's one thing I do not understand (or I do not know how to
    > do). Suppose I get an application from someone, I put it in C:\000 but I do
    > not trust this application. I would like to "sandbox" it, i.e. give it only
    > a fixed set of permissions.
    >
    > So, I bring .NET Framework Configuration tool, I add new code group
    > under "Machine/All Code", I associate the group with new permission set and
    > I set the membership condition to Application Directory (is it ok?). I call
    > my new code group "XYZ".
    >
    > Then I wish the application, C:\000\myApplication.exe, to be in the group
    > XYZ to force my custom permission set. But I do not know how to do this! I
    > have no idea how to add particular application, located on my hard disk, to
    > my own code group with my own permissions.
    >
    > Is it possible? Do I miss something? I suppose this should be possible
    > but at the moment I have no idea how to do it. Remember that my primary goal
    > is to "sandbox" a local application, i.e. define my own permission set and
    > run my application against the set. Maybe there are other ways to accomplish
    > this goal.
    >
    > Big thanks for help,
    >
    > Regards
    > Wiktor Zychla
    >
    >
    >
    >
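The union-versus-exclusive behaviour described in the reply above can be seen in a small model of one policy level. This is an added example, not code from the thread and not the CLR's implementation; the permission names, the executable path and all function names are constructed for illustration, and All Code is given full permissions as the reply describes.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed permission sets: the names are labels for this model only.
INTERNET = frozenset({"Execution", "FileDialog", "IsolatedStorage", "UI"})
FULL_TRUST = INTERNET | frozenset({"FileIO", "Registry", "Reflection", "UnmanagedCode"})

@dataclass
class CodeGroup:
    name: str
    url_pattern: str          # membership condition; "*" stands in for All Code
    permissions: frozenset
    exclusive: bool = False   # models the General-tab checkbox from the reply
    children: list = field(default_factory=list)

def matching_groups(group, url):
    """Yield every group whose condition matches; children are only
    evaluated when their parent matched."""
    if fnmatchcase(url.lower(), group.url_pattern.lower()):
        yield group
        for child in group.children:
            yield from matching_groups(child, url)

def resolve_level(root, url):
    """Grant for one policy level: union of matches, unless one is exclusive."""
    matched = list(matching_groups(root, url))
    exclusive = [g for g in matched if g.exclusive]
    if len(exclusive) > 1:
        raise ValueError("more than one exclusive code group matched")
    if exclusive:
        return exclusive[0].permissions
    return frozenset().union(*(g.permissions for g in matched))

def machine_level(sandbox_exclusive):
    """Machine level as set up in the reply: All Code plus a netSandbox child."""
    sandbox = CodeGroup("netSandbox", "file://C:/netsandbox/*", INTERNET,
                        exclusive=sandbox_exclusive)
    return CodeGroup("All Code", "*", FULL_TRUST, children=[sandbox])

if __name__ == "__main__":
    app = "file://C:/netsandbox/myApplication.exe"  # constructed sample path
    for flag in (False, True):
        grant = resolve_level(machine_level(flag), app)
        print(f"exclusive={flag}: {sorted(grant)}")
```

With the box unchecked the sandboxed file still resolves to the full set, because the restricted set is unioned with All Code; only the exclusive flag reduces the grant, and only for files under the matching URL.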

