Reason behind implicit FullTrust LinkDemand?

From: kv (kv_at_daimi[)
Date: 08/01/04

    Date: Sun, 1 Aug 2004 19:52:51 +0200

    Hi.

    I have a simple request: can someone please explain to me the reasoning
    behind why strong naming an assembly also implies a FullTrust LinkDemand?

    The .NET Framework assemblies (mscorlib.dll, System.*) all have the APTC
    Attribute, making them useful in scenarios where assemblies have limited
    trust (plug-ins etc.); however, in my experience most other assemblies (3rd
    party such as log4net, nunit, and many more, and even most of Microsoft's
    own non-Framework assemblies, such as Microsoft.mshtml) do not have the
    APTCA.

    Is it "just to be safe"? One may counter-argue that the implicit FullTrust
    LinkDemand just forces users to grant full trust to code that doesn't really
    need it, thus introducing unnecessary security concerns on the part of the
    user.
    Hypothetical case in point: I've bought a product from a guy over the
    internet. I find it very useful; however, I don't completely trust that it's
    not a Trojan, so I limit its access to the network using CAS. It stops
    working, claiming it does not have sufficient permissions to run. Calling up
    the guy accusing him of selling me a Trojan, he assures me that it's just
    because it uses log4net or that it uses the HTML component to render the
    about box or some other such harmless actions. Now I *have* to grant it
    FullTrust and I have absolutely no way of knowing if it's a Trojan (even if
    I can see that it never references a System.Net or System.Web class, I couldn't
    be sure it didn't do unsavory things by means of unsafe or unmanaged code or
    through reflection). What are my options now? What are his options?

    The reason I'm asking is that I've lately become very frustrated trying to
    employ a security scheme based on CAS in a project of ours, with custom
    permissions describing custom actions allowed or not in the system. We
    wanted simply to develop permission types PermissionX, PermissionY, and
    PermissionZ, and grant some (not all) of these permissions to some
    assemblies and some to others, based on a custom scheme. Now, we've long ago
    chosen to use a certain 3rd party product for logging throughout our
    product. This product consists of an assembly that is strong named (as it
    should be), but does not have the APTCA (as many don't). This forces us to
    give all our assemblies FullTrust, including(!!!) granting them Permissions
    X, Y, and Z, in turn completely foiling our otherwise beautiful scheme.

    Not only am I frustrated that so many (very likely harmless) assemblies
    LinkDemand FullTrust, I am also frustrated by the mere existence of a
    special FullTrust permission set that includes any permissions I may choose
    to develop. Why should anyone be made to care if their assembly has been
    granted my custom permission (which is included in FullTrust)? Why not just
    have a more specific StrongNameLinkPermission that was implicitly
    LinkDemanded by strong named assemblies? In the hypothetical case, I could
    then choose to grant that permission to the product without granting it
    permissions to use sockets. This is in a way the problem in a nutshell: I
    can't, as a response to the guy's claim that it uses log4net, grant it some
    permission that would allow it to use log4net, without also granting it
    permission to read stuff from my harddisk and send it back home over
    the internet. (Please note that I am not at all bashing log4net here; as I
    mentioned, they are not the only ones not using the APTCA. In fact it's open
    source, so a problem with log4net can always be solved quickly).

    After having stared at this issue for awhile, I can no longer avoid thinking
    that the .NET Framework designers *intended* for the internet guy's product
    to be granted all access to unmanaged code, private class members, and even my
    custom permissions. But it makes absolutely no sense to me. What am I
    missing? Am I going nuts?

    Thanks
    /kv
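
    The scheme kv describes, as an added illustration that is not code from the original post: a minimal custom permission (the hypothetical `PermissionX`) and two set checks using the .NET Framework CAS types in `System.Security.Permissions`, showing that the unrestricted (FullTrust) set silently contains any permission implementing `IUnrestrictedPermission`, while a hand-built grant set can hold PermissionX and still withhold sockets. The `CasDemo` class name is assumed; this targets the .NET Framework, where CAS exists.

```csharp
using System.Net;
using System.Security;
using System.Security.Permissions;

// Minimal custom permission of the kind the poster calls PermissionX: granted or not.
// Implementing IUnrestrictedPermission is what makes FullTrust silently include it.
public sealed class PermissionX : CodeAccessPermission, IUnrestrictedPermission
{
    private bool granted;
    public PermissionX(PermissionState s) { granted = s == PermissionState.Unrestricted; }
    private static PermissionX Of(bool g) => new PermissionX(g ? PermissionState.Unrestricted : PermissionState.None);
    private static bool Has(IPermission p) => p != null && ((PermissionX)p).granted;
    public bool IsUnrestricted() => granted;
    public override IPermission Copy() => Of(granted);
    public override IPermission Intersect(IPermission t) => granted && Has(t) ? Of(true) : null;
    public override IPermission Union(IPermission t) => Of(granted || Has(t));
    public override bool IsSubsetOf(IPermission t) => !granted || Has(t);
    public override SecurityElement ToXml()
    {
        var e = new SecurityElement("IPermission");
        e.AddAttribute("class", GetType().AssemblyQualifiedName.Replace('"', '\''));
        e.AddAttribute("version", "1");
        if (granted) e.AddAttribute("Unrestricted", "true");
        return e;
    }
    public override void FromXml(SecurityElement e) => granted = e.Attribute("Unrestricted") == "true";
}

public static class CasDemo   // hypothetical driver, not part of the post
{
    // FullTrust is the unrestricted PermissionSet. A set demanding PermissionX is a
    // subset of it even though nothing ever told FullTrust that PermissionX exists.
    public static bool FullTrustIncludesPermissionX()
    {
        var fullTrust = new PermissionSet(PermissionState.Unrestricted);
        var needsX = new PermissionSet(PermissionState.None);
        needsX.AddPermission(new PermissionX(PermissionState.Unrestricted));
        return needsX.IsSubsetOf(fullTrust);            // true
    }

    // A hand-built grant set can hold PermissionX yet withhold sockets: the split the
    // poster wants, and the one a FullTrust LinkDemand from a non-APTCA dependency
    // collapses, because the only grant that satisfies the LinkDemand is FullTrust.
    public static bool GrantXStillBlocksSockets()
    {
        var grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new PermissionX(PermissionState.Unrestricted));
        var needsSockets = new PermissionSet(PermissionState.None);
        needsSockets.AddPermission(new SocketPermission(PermissionState.Unrestricted));
        return !needsSockets.IsSubsetOf(grant);         // true
    }
}
```

    Both checks are pure permission-set algebra and run in a full-trust console process; the LinkDemand itself only fires when a second, strong-named assembly without APTCA is called from code whose grant set is smaller than FullTrust.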

