RE: Adding permissions to predefined permission sets
From: Novice (6tc1ATqlinkDOTqueensuDOTca)
Date: 08/26/04
- Next message: Novice: "RE: Adding permissions to predefined permission sets"
- Previous message: Steve Hiner: "Re: How can I control folder permissions when creating a folder"
- In reply to: Novice: "Adding permissions to predefined permission sets"
- Next in thread: Novice: "RE: Adding permissions to predefined permission sets"
- Reply: Novice: "RE: Adding permissions to predefined permission sets"
Date: Thu, 26 Aug 2004 10:49:14 -0700
I think I'm fairly close to understanding the issue now. Before I get into
the explanation I should mention that I've made all changes at the machine
level - since it seems that both the enterprise level and user level have
full trust for everything.

I've created a permission set called LocalIntranetWithFileIO (the
specification can be found after my signature in this post). As the name
implies it is exactly the same as the default Intranet permission set except
with the added permission of unrestricted access to the file system. I've
done the same with the Internet permission set (this specification can also
be found after the above specification).

I've changed the code group 1.2 (Intranet) to have the permission set
LocalIntranetWithFileIO at the machine level. I've done the same with the
code group Internet. I did an iisreset and cleared my local browser cache -
I still get the error. Then I even tried making both 1.4 and 1.5 (Untrusted
and Trusted zones) set to the InternetWithFileIO permission set and it still
failed.

Am I going about this in the right way?

Lastly, it appears that every time I change the security at any level (using
caspol) that the .config file for that level is changed accordingly - does
that mean the .config files (for user, machine and enterprise) are not read
by the .Net security policy? But instead that these files are only written
to? I was under the impression you could change the security policy by just
making changes to those files.

Thanks,
Novice

-------------LocalIntranetWithFileIO--------------------
<PermissionSet class="System.Security.NamedPermissionSet"
               version="1"
               Name="LocalIntranetWithFileIO"
               Description="Default rights PLUS File IO given to applications on the local intranet">
   <IPermission class="System.Security.Permissions.EnvironmentPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                version="1"
                Read="USERNAME"/>
   <IPermission class="System.Security.Permissions.FileDialogPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                version="1"
                Unrestricted="true"/>
   <IPermission class="System.Security.Permissions.IsolatedStorageFilePermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                version="1"
                Allowed="AssemblyIsolationByUser"
                UserQuota="9223372036854775807"
                Expiry="9223372036854775807"
                Permanent="True"/>
   <IPermission class="System.Security.Permissions.ReflectionPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                version="1"
                Flags="ReflectionEmit"/>
   <IPermission class="System.Security.Permissions.SecurityPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                version="1"
                Flags="Assertion, Execution, BindingRedirects"/>
   <IPermission class="System.Security.Permissions.UIPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                version="1"
                Unrestricted="true"/>
   <IPermission class="System.Net.DnsPermission, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                version="1"
                Unrestricted="true"/>
   <IPermission class="System.Drawing.Printing.PrintingPermission, System.Drawing, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
                version="1"
                Level="DefaultPrinting"/>
   <IPermission class="System.Diagnostics.EventLogPermission, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                version="1">
      <Machine name="."
               access="Instrument"/>
   </IPermission>
   <Permission class="System.Security.Permissions.FileIOPermission, mscorlib, Ver=2000.14.1812.10, SN=03689116d3a4ae33" version="1">
      <Unrestricted/>
   </Permission>
</PermissionSet>

-------------InternetWithFileIO--------------------
<PermissionSet class="System.Security.NamedPermissionSet"
               version="1"
               Name="InternetWithFileIO"
               Description="Default rights PLUS FileIO given to internet applications">
   <IPermission class="System.Security.Permissions.FileDialogPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                version="1"
                Access="Open"/>
   <IPermission class="System.Security.Permissions.IsolatedStorageFilePermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                version="1"
                Allowed="DomainIsolationByUser"
                UserQuota="10240"/>
   <IPermission class="System.Security.Permissions.SecurityPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                version="1"
                Flags="Execution"/>
   <IPermission class="System.Security.Permissions.UIPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                version="1"
                Window="SafeTopLevelWindows"
                Clipboard="OwnClipboard"/>
   <IPermission class="System.Drawing.Printing.PrintingPermission, System.Drawing, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
                version="1"
                Level="SafePrinting"/>
   <IPermission class="System.Security.Permissions.FileIOPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                version="1"/>
</PermissionSet>

------------------------
"Novice" wrote:
> Hey all, I've finally had a chance to start experimenting with caspol.exe and
> other things to test the security of .net.
>
> But I'm having some strange problems - for one I was told that you could go
> into the security policy files and manually edit the XML. However, I have
> tried to give either the intranet and/or the internet permission set the
> ability to write files to my file system with no luck. Please understand it
> isn't that I would actually like this setup on my system - I just want to
> understand how this could be achieved so that I can better understand .net
> security.
>
> Anyway, I wrote a basic stand-alone application in .net that will attempt to
> write a file to your file system if you press a button. When I first created
> the application I put it on my webserver, loaded the application in IE and
> clicked the button - as expected I received the error (I've only included the
> top portion of the stack trace):
> System.Security.SecurityException: Request for the permission of type
> System.Security.Permissions.FileIOPermission, mscorlib, Version=1.0.5000.0,
> Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.
>
> Then I tried manually editing the three security config files (enterprise,
> user, and machine) and then added the following tag to both the internet and
> intranet permission sets:
>
> <IPermission class="FileIOPermission"
> version="1"
> Unrestricted="true"/>
>
> However, this did nothing - even after I did an iisreset, I still get the
> security exception.
>
> My first question therefore is - is there a way to manually edit these
> security config files to allow internet or intranet applications to write
> files (or any other enhanced privileges)? If there is - what have I done
> wrong?
>
> My second question is - how can I use the caspol.exe program to give intranet
> or internet applications the permission to write files? I have found the
> following use of the command on the web:
> caspol -cg 1.2 FullTrust
>
> But the above apparently gives intranet applications full trust - I would
> just like to add the file IO permission or some other specific permission to
> the internet or intranet permission set.
>
> Thanks for any assistance,
> Novice
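
An added example, not part of the original post and not Microsoft tooling: a small Python audit of a permission-set XML in the form posted above. It reports which entries state an unrestricted grant, which state no grant at all, and which are written differently from the other entries in the set. The function name `audit`, the status labels and the sample set are assumptions made for illustration; the sample is constructed from entry forms that appear in the two posted sets.

```python
import xml.etree.ElementTree as ET

# Assembly reference copied from the post; the sample set itself is constructed
# from entry forms that appear in the two posted permission sets.
MSCORLIB = "mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
SAMPLE = f"""
<PermissionSet class="System.Security.NamedPermissionSet" version="1" Name="SampleWithFileIO">
  <IPermission class="System.Security.Permissions.UIPermission, {MSCORLIB}"
               version="1" Unrestricted="true"/>
  <IPermission class="System.Security.Permissions.SecurityPermission, {MSCORLIB}"
               version="1" Flags="Execution"/>
  <Permission class="System.Security.Permissions.FileIOPermission,
      mscorlib, Ver=2000.14.1812.10, SN=03689116d3a4ae33" version="1">
    <Unrestricted/>
  </Permission>
  <IPermission class="System.Security.Permissions.FileIOPermission, {MSCORLIB}"
               version="1"/>
</PermissionSet>
"""

IDENTITY_ATTRS = {"class", "version"}  # identify the entry; state no grant

def audit(xml_text):
    """Return (set name, [(permission, status, notes)]) for one NamedPermissionSet."""
    root = ET.fromstring(xml_text.strip())
    rows = []
    for entry in root:
        type_name, _, assembly = entry.get("class", "").partition(",")
        keys = {p.split("=")[0].strip() for p in assembly.split(",") if "=" in p}
        grants = {k: v for k, v in entry.attrib.items() if k not in IDENTITY_ATTRS}
        notes = []
        if entry.tag != "IPermission":
            notes.append(f"element <{entry.tag}>, other entries use <IPermission>")
        if assembly and not {"Version", "PublicKeyToken"} <= keys:
            notes.append("assembly reference lacks Version=/PublicKeyToken=")
        if grants.get("Unrestricted", "").lower() == "true":
            status = "unrestricted"
        elif not grants and len(entry) == 0:
            status = "empty"  # nothing in the entry states a grant
        else:
            status = "restricted"
        if notes:
            status = "inconsistent-form"  # written unlike the rest of the set
        rows.append((type_name.strip().rsplit(".", 1)[-1], status, notes))
    return root.get("Name"), rows

if __name__ == "__main__":
    name, rows = audit(SAMPLE)
    for perm, status, notes in rows:
        print(f"{name}: {perm:24} {status:18} {'; '.join(notes)}")
```

Run against an exported permission set, the `unrestricted` rows are the ones to review before attaching the set to the Internet or Intranet code groups.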