RE: Activator.CreateInstance & LinkDemand for custom permission
From: Shawn Farkas (shawnfa_at_online.microsoft.com)
Date: 01/22/04
- Next message: Gabriela: "RE: How to alter the security permissions for a folder?"
- Previous message: Bruno van Dooren: "symmetric encryption class"
- In reply to: Ed: "RE: Activator.CreateInstance & LinkDemand for custom permission"
- Next in thread: Ed: "RE: Activator.CreateInstance & LinkDemand for custom permission"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 22 Jan 2004 20:20:55 GMT
You are correct, the reason you're seeing that problem is that using a late-bound invocation of a method will turn any LinkDemands into full stack
walks. For your second question, there is no way for you to determine the grants of each assembly on the stack. However, I see no reason that
this should be necessary in your case. What you need to do is immediately before you use reflection to call your method, assert whatever
permissions are link demanded by that method. Then, when the method is done, immediately revoke the assertion using the RevertAssert
method of the permission set you Asserted in the first place.
Remember, asserting permissions is a dangerous activity, and you need to be very careful when doing it. Make sure that malicious code has no
way of tricking your method into doing a privileged operation for it. Revoking the assert immediately after you're done calling the method will help
to limit the time window that you are vouching for all of your callers, and limit the attack surface of this method.
-Shawn
http://blogs.msdn.com/shawnfa
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.
--------------------
>From: "Ed" <anonymous@discussions.microsoft.com>
>Subject: RE: Activator.CreateInstance & LinkDemand for custom permission
>Date: Thu, 22 Jan 2004 09:06:10 -0800
>Newsgroups: microsoft.public.dotnet.security
>
>Ok. I've found that Framework actually expands LinkDemand into full stack walk and therefore fails during Demand() upon some distant client code. In order to make it work I need to Assert appropriate permission to direct caller, so here is a question: How can I get the permission set of the caller from stack? Is there some way to walk through stack in order to get caller's permissions? Thanks!
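The assert-then-revert pattern described in the reply above, as an added example that is not code from the original thread or from Microsoft. It assumes .NET Framework code access security; `Plugin`, `PluginFactory` and the allow-list are hypothetical names, and the built-in `SecurityPermission` (UnmanagedCode) stands in for the thread's custom permission.

```csharp
using System;
using System.Security;
using System.Security.Permissions;

// Hypothetical target type whose constructor carries a LinkDemand.
// UnmanagedCode stands in for the custom permission from the thread.
public sealed class Plugin
{
    [SecurityPermission(SecurityAction.LinkDemand, UnmanagedCode = true)]
    public Plugin() { }
}

public static class PluginFactory
{
    // Fixed allow-list: callers cannot pick an arbitrary type to be
    // constructed while this frame is vouching for them.
    private static readonly Type[] Allowed = { typeof(Plugin) };

    public static object Create(Type requested)
    {
        if (requested == null) throw new ArgumentNullException("requested");
        if (Array.IndexOf(Allowed, requested) < 0)
            throw new SecurityException("Type is not on the allow-list.");

        // Assert only what the target link-demands, nothing broader.
        // This assembly must itself hold that permission plus
        // SecurityPermissionFlag.Assertion, or Assert() throws.
        PermissionSet needed = new PermissionSet(PermissionState.None);
        needed.AddPermission(new SecurityPermission(SecurityPermissionFlag.UnmanagedCode));

        needed.Assert(); // a stack walk for this permission stops at this frame
        try
        {
            // Late-bound construction: the LinkDemand becomes a full stack walk.
            return Activator.CreateInstance(requested);
        }
        finally
        {
            // Static call; removes the assert from the current frame even
            // when the constructor throws.
            CodeAccessPermission.RevertAssert();
        }
    }
}

public static class Program
{
    public static void Main()
    {
        Console.WriteLine(PluginFactory.Create(typeof(Plugin)).GetType().Name);
    }
}
```

While the assert is active it also satisfies any demand for the same permission raised inside the constructor, which is why the asserted set is kept to the single permission and the type check runs before `Assert()`.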