Re: Can an Assert issued following a Deny override it?

From: Shawn Farkas (shawnfa_at_online.microsoft.com)
Date: 08/25/04


Date: Wed, 25 Aug 2004 21:14:05 GMT

If you don't want an assembly to be able to Assert, use one of the tools you mention to create an Exclusive code group that matches the assembly
you want to restrict (most likely with a StrongNameMembershipCondition). Then create a permission set that contains all of the permissions you
do want that assembly to get, making sure not to include SecurityPermission.Assertion. Finally, assign that permission set to the code group you
created, which will prevent that assembly from getting Assertion permission.

-Shawn
http://blogs.msdn.com/shawnfa

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.
Note:  For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they 
originated.  
--------------------
>From: Novice <6tc1ATqlinkDOTqueensuDOTca>
>Subject: Re: Can an Assert issued following a Deny override it?
>Date: Tue, 24 Aug 2004 14:21:03 -0700
>
>Actually I know of those tools:
>caspol and 
>mscorcfg.msc 
>
>But what I would like to know is how to specifically restrict an assembly's 
>ability to use the Assert method.
>
>I have used the above tools to do some basic security configuration things - 
>but I don't know how to specifically restrict an assembly's ability to use 
>the Assert method.
>
>Thanks,
>Novice
>
>"Nicole Calinoiu" wrote:
>
>> Permission to assert is granted via the Assertion flag on 
>> SecurityPermission.  It can be denied via policy as you would any other 
>> permission/sub-permission (e.g.: caspol.exe, .NET Framework Configuration 
>> manager, policy deployment package).
>> 
>> HTH,
>> Nicole
>> 
>> 
>> "Novice" <6tc1ATqlinkDOTqueensuDOTca> wrote in message 
>> news:A5D876B3-5AF5-4B84-943B-A6BF67C6E54E@microsoft.com...
>> >I have tried this and it is the case, that a fully trusted assembly can use
>> > an assert after a fully trusted assembly (higher up in the call stack) has
>> > issued a Deny on a particular permission (like FileIO for example).
>> >
>> > However, I still don't know how to configure my security policy such that 
>> > I
>> > restrict the ability of an assembly to use the Assert method.
>> >
>> > Any suggestions???
>> >
>> > Thanks,
>> > Novice
>> >
>> > "Novice" wrote:
>> >
>> >> Another poster wrote:
>> >> ------------------
>> >> Additionally, assuming I have FullTrust, and I write the .dll that 
>> >> doesn't
>> >> have correct public key (so you try to block me from the file), all I 
>> >> have to
>> >> do is do an Assert on that permission, and the Assert will be found in 
>> >> the
>> >> callstack before your deny, allowing me access to the directory.
>> >> ------------------
>> >> Is it the case that you can override an existing Deny that my application 
>> >> has
>> >> already specified?
>> >>
>> >> I.E.  if I write an application and the first line of code I put is a 
>> >> "Deny"
>> >> on File IO to the C drive and then I invoke code (exp a method) in your
>> >> assembly - you can subsequently write an Assert that will override the 
>> >> Deny
>> >> that has already been processed (and yes this assumes your assembly has 
>> >> full
>> >> trust)?
>> >>
>> >> Thanks,
>> >> Novice
>> >>
>> >> PS If the above is true - what permission in .Net would stop someone from
>> >> being able to override a previously issued Deny? 
>> 
>> 
>> 
>
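
The steps described in the reply at the top of this message, done through the System.Security.Policy API instead of caspol or mscorcfg.msc. This is an added example, not code from the thread; it assumes the .NET Framework 1.x/2.0 CAS policy model and an administrator account, and the assembly path, data directory, permission set name and code group name are hypothetical.

```csharp
// Added example: exclusive code group whose permission set omits Assertion.
// Hypothetical names: C:\apps\Restricted.dll, C:\apps\data, "NoAssert", "NoAssert_Restricted".
using System;
using System.Collections;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

class RestrictAssert
{
    static void Main(string[] args)
    {
        // The strong name public key identifies the assembly to restrict.
        Assembly target = Assembly.LoadFrom(args.Length > 0 ? args[0] : @"C:\apps\Restricted.dll");
        byte[] key = target.GetName().GetPublicKey();
        if (key == null || key.Length == 0)
            throw new InvalidOperationException("Assembly is not strong named.");

        // Only the permissions the assembly should get; SecurityPermissionFlag.Assertion is left out.
        NamedPermissionSet pset = new NamedPermissionSet("NoAssert", PermissionState.None);
        pset.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        pset.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read, @"C:\apps\data"));

        // Locate the machine policy level.
        PolicyLevel machine = null;
        IEnumerator levels = SecurityManager.PolicyHierarchy();
        while (levels.MoveNext())
        {
            PolicyLevel level = (PolicyLevel)levels.Current;
            if (level.Label == "Machine") machine = level;
        }
        if (machine == null) throw new InvalidOperationException("Machine level not found.");

        // Exclusive: within this level the assembly gets this set and nothing else.
        StrongNameMembershipCondition cond =
            new StrongNameMembershipCondition(new StrongNamePublicKeyBlob(key), null, null);
        UnionCodeGroup group = new UnionCodeGroup(
            cond, new PolicyStatement(pset, PolicyStatementAttribute.Exclusive));
        group.Name = "NoAssert_Restricted";
        machine.AddNamedPermissionSet(pset);   // throws if the name is already in use
        CodeGroup root = machine.RootCodeGroup;
        root.AddChild(group);
        machine.RootCodeGroup = root;

        // Resolve the assembly's evidence against the edited level before saving.
        SecurityPermission sp = (SecurityPermission)machine.Resolve(target.Evidence)
            .PermissionSet.GetPermission(typeof(SecurityPermission));
        bool canAssert = sp != null && (sp.Flags & SecurityPermissionFlag.Assertion) != 0;
        Console.WriteLine("Assertion granted at machine level: " + canAssert);
        if (!canAssert) SecurityManager.SavePolicyLevel(machine);
    }
}
```

Because the final grant is the intersection of the enterprise, machine and user levels, leaving Assertion out at the machine level is enough to keep it out of the assembly's grant set.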

