Re: Can an Assert issued following a Deny override it?

From: Nicole Calinoiu (nicolec_at_somewhere.net)
Date: 08/26/04 

Date: Thu, 26 Aug 2004 09:50:55 -0400

Is Shawn's description detailed enough, or do you need step-by-step
instructions?

"Novice" <6tc1ATqlinkDOTqueensuDOTca> wrote in message
news:5D859B29-AA57-4194-AC85-9B3779617C87@microsoft.com...
> Actually I know of those tools:
> caspol and
> mscorcfg.msc
>
> But what I would like to know is how to specifically restrict an
> assembly's
> ability to use the Assert method.
>
> I have used the above tools to do some basic security configuration
> things -
> but I don't know how to specifically restrict an assembly's ability to use
> the Assert method.
>
> Thanks,
> Novice
>
> "Nicole Calinoiu" wrote:
>
>> Permission to assert is granted via the Assertion flag on
>> SecurityPermission. It can be denied via policy as you would any other
>> permission/sub-permission (e.g.: caspol.exe, .NET Framework Configuration
>> manager, policy deployment package).
>>
>> HTH,
>> Nicole
>>
>>
>> "Novice" <6tc1ATqlinkDOTqueensuDOTca> wrote in message
>> news:A5D876B3-5AF5-4B84-943B-A6BF67C6E54E@microsoft.com...
>> >I have tried this and it is the case, that a fully trusted assembly can
>> >use
>> > an assert after a fully trusted assembly (higher up in the call stack)
>> > has
>> > issued a Deny on a particular permission (like FileIO for example).
>> >
>> > However, I still don't know how to configure my security policy such
>> > that
>> > I
>> > restrict the ability of an assembly to use the Assert method.
>> >
>> > Any suggestions???
>> >
>> > Thanks,
>> > Novice
>> >
>> > "Novice" wrote:
>> >
>> >> Another poster wrote:
>> >> ------------------
>> >> Additionally, assuming I have FullTrust, and I write the .dll that
>> >> doesn't
>> >> have correct public key (so you try to block me from the file), all I
>> >> have to
>> >> do is do an Assert on that permission, and the Assert will be found in
>> >> the
>> >> callstack before your deny, allowing me access to the directory.
>> >> ------------------
>> >> Is it the case that you can override an existing Deny that my
>> >> application
>> >> has
>> >> already specified?
>> >>
>> >> I.E. if I write an application and the first line of code I put is a
>> >> "Deny"
>> >> on File IO to the C drive and then I invoke code (exp a method) in
>> >> your
>> >> assembly - you can subsequently write an Assert that will override the
>> >> Deny
>> >> that has already been processed (and yes this assumes your assembly
>> >> has
>> >> full
>> >> trust)?
>> >>
>> >> Thanks,
>> >> Novice
>> >>
>> >> PS If the above is true - what permission in .Net would stop someone
>> >> from
>> >> being able to override a previously issued Deny?
>>
>>
>>