Re: Can an Assert issued following a Deny override it?

From: Nicole Calinoiu (nicolec_at_somewhere.net)
Date: 08/24/04 

Date: Tue, 24 Aug 2004 14:42:17 -0400

Permission to assert is granted via the Assertion flag on
SecurityPermission. It can be denied via policy as you would any other
permission/sub-permission (e.g.: caspol.exe, .NET Framework Configuration
manager, policy deployment package).

HTH,
Nicole

"Novice" <6tc1ATqlinkDOTqueensuDOTca> wrote in message
news:A5D876B3-5AF5-4B84-943B-A6BF67C6E54E@microsoft.com...
>I have tried this and it is the case, that a fully trusted assembly can use
> an assert after a fully trusted assembly (higher up in the call stack) has
> issued a Deny on a particular permission (like FileIO for example).
>
> However, I still don't know how to configure my security policy such that
> I
> restrict the ability of an assembly to use the Assert method.
>
> Any suggestions???
>
> Thanks,
> Novice
>
> "Novice" wrote:
>
>> Another poster wrote:
>> ------------------
>> Additionally, assuming I have FullTrust, and I write the .dll that
>> doesn't
>> have correct public key (so you try to block me from the file), all I
>> have to
>> do is do an Assert on that permission, and the Assert will be found in
>> the
>> callstack before your deny, allowing me access to the directory.
>> ------------------
>> Is it the case that you can override an existing Deny that my application
>> has
>> already specified?
>>
>> I.E. if I write an application and the first line of code I put is a
>> "Deny"
>> on File IO to the C drive and then I invoke code (exp a method) in your
>> assembly - you can subsequently write an Assert that will override the
>> Deny
>> that has already been processed (and yes this assumes your assembly has
>> full
>> trust)?
>>
>> Thanks,
>> Novice
>>
>> PS If the above is true - what permission in .Net would stop someone from
>> being able to override a previously issued Deny?

Relevant Pages

  • Re: Identity Permission and Code Access Permission classes
    ... do is do an Assert on that permission, and the Assert will be found in the ... Are you saying you can override an existing Deny that my application has ... Note also, that stack walk modifiers do not discriminate between different kinds of code, if you do a Deny for that FileIO permission, no ...
    (microsoft.public.dotnet.security)
  • Re: Can an Assert issued following a Deny override it?
    ... If you don't want an assembly to be able to Assert, use one of the tools you mention to create an Exclusive code group that matches the assembly ... Then create a permission set that contains all of the permissions you ... Can an Assert issued following a Deny override it? ...
    (microsoft.public.dotnet.security)
  • Re: AppDomain and SecurityPermission
    ... In practice, Deny just stops the stackwalk, but it does not change the ... assembly grant set [and assembly can assert everything that it was granted]. ... So, if you want to create an AppDomain with restricted Security in it, you ... will need to create a permission set with all the permissions your ...
    (microsoft.public.dotnet.security)
  • Re: Lock down sign to one user
    ... Set the policy (e.g. ... this computer account resides). ... don't play too much with "Deny" permissions or you might lock your ... If you will e.g. give a user permission of Allow "Log on locally" but then ...
    (microsoft.public.security)
  • Re: using webpermissions
    ... permission from going further up (the Assert will fail if you try and assert ... then you can call Deny to deny the permission. ... Nicholas Paldino ...
    (microsoft.public.dotnet.languages.csharp)