Re: code access security, local application

From: Michel Gallant (MVP)
Date: 05/06/03

  • Next message: Matthew Holton: "NTLMSSP - Conversation"
    Date: Tue, 6 May 2003 11:53:54 -0400


    First off, remember that if you add a child code-group, the resultant
    permission set is a *union* of all permissions granted by code-groups
    that match the membership condition for that level (Machine in your case).

    Since the Machine/All Code by default has full permissions, if you
    want to restrict permissions for a local machine file sandbox, you need
    to make it exclusive. Here is one way to do it:

     - create child group under Machine/All Code (as you have done)
        I call it netSandbox
     - set the Membership Condition for this new code group to "URL"
        and assign the sandboxed folder as a wildcarded file URL, e.g.
     - under Permission Set, assign the restricting permissions (e.g. Internet if
        you wish to simulate code originating from the Internet)
     - most importantly, in the General tab, check the box:
        "This policy level will only have the permissions from the permission set
           associated with this code group"
    The last step makes this matching condition mask out the Machine/All Code group
    permissions, which as I said are full.

     - Michel Gallant
        MVP Security

    "Wiktor Zychla" <> wrote in message
    > [also posted to dotnet.framework]
    > Hi there,
    > I've read several docs about .net security. I am interested in code
    > access security. I've experimented with .NET framework Configuration tool.
    > However, there's one thing I do not understand (or I do not know how to
    > do). Suppose I get an application from someone, I put it in C:\000 but I do
    > not trust this application. I would like to "sandbox" it, i.e. give it only
    > a fixed set of permissions.
    > So, I bring .NET Framework Configuration tool, I add new code group
    > under "Machine/All Code", I associate the group with new permission set and
    > I set the membership condition to Application Directory (is it ok?). I call
    > my new code group "XYZ".
    > Then I wish the application, C:\000\myApplication.exe, to be in the group
    > XYZ to force my custom permission set. But I do not know how to do this! I
    > have no idea how to add particular application, located on my hard disk, to
    > my own code group with my own permissions.
    > Is it possible? Do I miss something? I suppose this should be possible
    > but at the moment I have no idea how to do it. Remember that my primary goal
    > is to "sandbox" a local application, i.e. define my own permission set and
    > run my application against the set. Maybe there are other ways to accomplish
    > this goal.
    > Big thanks for help,
    > Regards
    > Wiktor Zychla
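
Added example, not part of the original message and not .NET code: a small Python model of how one policy level resolves permissions, showing why the netSandbox group restricts nothing until it is marked exclusive. The file URLs, the contents of the two permission sets, and the rejection of multiple exclusive matches are assumptions made for this model.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Simplified stand-ins for the named permission sets (not their real contents).
FULL_TRUST = frozenset({"Execution", "UI", "FileIO", "Registry", "Network"})
INTERNET = frozenset({"Execution", "UI"})

@dataclass
class CodeGroup:
    name: str
    url_pattern: str           # "*" models the "All Code" membership condition
    permissions: frozenset
    exclusive: bool = False    # the General-tab checkbox from the reply
    children: list = field(default_factory=list)

    def matches(self, url: str) -> bool:
        return fnmatchcase(url.lower(), self.url_pattern.lower())

def matching_groups(group, url):
    """Yield each group whose condition matches; a child is only
    evaluated when its parent matched."""
    if group.matches(url):
        yield group
        for child in group.children:
            yield from matching_groups(child, url)

def resolve_level(root, url):
    """Permissions this policy level grants to code loaded from `url`."""
    matched = list(matching_groups(root, url))
    exclusive = [g for g in matched if g.exclusive]
    if len(exclusive) > 1:
        # Assumption of this model: ambiguous policy is rejected outright.
        raise ValueError("more than one exclusive code group matched")
    if exclusive:
        # Exclusive masks out every other group matched at this level.
        return exclusive[0].permissions
    granted = frozenset()
    for g in matched:          # default behaviour: union of all matches
        granted |= g.permissions
    return granted

def machine_level(exclusive):
    """Machine/All Code (full) with the netSandbox child from the reply."""
    # Constructed wildcard URL for the C:\000 folder named in the question.
    sandbox = CodeGroup("netSandbox", "file://C:/000/*", INTERNET, exclusive)
    return CodeGroup("All Code", "*", FULL_TRUST, children=[sandbox])

APP = "file://C:/000/myApplication.exe"      # constructed from the question
OTHER = "file://C:/Program Files/tool.exe"   # constructed, outside the sandbox
```

With `exclusive=False` the sandboxed application still resolves to the full set because of the union with Machine/All Code; with `exclusive=True` it resolves to the restricted set, while code outside the folder is unaffected.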
