RE: Adding permissions to predefined permission sets

From: Novice (6tc1ATqlinkDOTqueensuDOTca)
Date: 08/26/04


Date: Thu, 26 Aug 2004 11:01:05 -0700

well I don't understand why - but if I just assign the code groups 1.2 and
1.5 the permission set Everything - it works - I can write to my file system
using a .Net application running within my browser.

I still don't understand why my slightly enhanced versions of the original
permission sets didn't allow it - especially since the exception was still a
file IO exception. I will continue to look into that.

However, my more pressing question for the moment is - can the security
policy on a system be changed by simply making changes to the:
security.config (in the .Net directory) - for the machine level
security.config (in the user's application data directory) - for the user
level
enterprisesec.config - for the enterprise level
files?

????

Thanks,
Novice

"Novice" wrote:

> I think I'm fairly close to understanding the issue now. Before I get into
> the explanation I should mention that I've made all changes at the machine
> level - since it seems that both the enterprise level and user level have
> full trust for everything.
>
> I've created a permission set called LocalIntranetWithFileIO (the
> specification can be found after my signature in this post). As the name
> implies it is exactly the same as the default Intranet permission set except
> with the added permission of unrestricted access to the file system. I've
> done the same with the Internet permission set (this specification can also
> be found after the above specification).
>
> I've changed the code group 1.2 (Intranet) to have the permission set
> LocalIntranetWithFileIO at the machine level. I've done the same with the
> code group Internet. I did an iisreset and cleared my local browser cache -
> I still get the error. Then I even tried making both 1.4 and 1.5 (Untrusted
> and Trusted zones) set to the InternetWithFileIO permission set and it still
> failed.
>
> Am I going about this in the right way?
>
> Lastly, it appears that every time I change the security at any level (using
> caspol) that the .config file for that level is changed accordingly - does
> that mean the .config files (for user, machine and enterprise) are not read
> by the .Net security policy? But instead that these files are only written
> to? I was under the impression you could change the security policy by just
> making changes to those files.
>
> Thanks,
> Novice
>
> -------------LocalIntranetWithFileIO--------------------
> <PermissionSet class="System.Security.NamedPermissionSet"
> version="1"
> Name="LocalIntranetWithFileIO"
> Description="Default rights PLUS File IO given to
> applications on the local intranet">
> <IPermission class="System.Security.Permissions.EnvironmentPermission,
> mscorlib, Version=1.0.5000.0, Culture=neutral,
> PublicKeyToken=b77a5c561934e089"
> version="1"
> Read="USERNAME"/>
> <IPermission class="System.Security.Permissions.FileDialogPermission,
> mscorlib, Version=1.0.5000.0, Culture=neutral,
> PublicKeyToken=b77a5c561934e089"
> version="1"
> Unrestricted="true"/>
> <IPermission
> class="System.Security.Permissions.IsolatedStorageFilePermission, mscorlib,
> Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
> version="1"
> Allowed="AssemblyIsolationByUser"
> UserQuota="9223372036854775807"
> Expiry="9223372036854775807"
> Permanent="True"/>
> <IPermission class="System.Security.Permissions.ReflectionPermission,
> mscorlib, Version=1.0.5000.0, Culture=neutral,
> PublicKeyToken=b77a5c561934e089"
> version="1"
> Flags="ReflectionEmit"/>
> <IPermission class="System.Security.Permissions.SecurityPermission,
> mscorlib, Version=1.0.5000.0, Culture=neutral,
> PublicKeyToken=b77a5c561934e089"
> version="1"
> Flags="Assertion, Execution, BindingRedirects"/>
> <IPermission class="System.Security.Permissions.UIPermission, mscorlib,
> Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
> version="1"
> Unrestricted="true"/>
> <IPermission class="System.Net.DnsPermission, System, Version=1.0.5000.0,
> Culture=neutral, PublicKeyToken=b77a5c561934e089"
> version="1"
> Unrestricted="true"/>
> <IPermission class="System.Drawing.Printing.PrintingPermission,
> System.Drawing, Version=1.0.5000.0, Culture=neutral,
> PublicKeyToken=b03f5f7f11d50a3a"
> version="1"
> Level="DefaultPrinting"/>
> <IPermission class="System.Diagnostics.EventLogPermission, System,
> Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
> version="1">
> <Machine name="."
> access="Instrument"/>
> </IPermission>
>
> <Permission class="System.Security.Permissions.FileIOPermission,
> mscorlib, Ver=2000.14.1812.10, SN=03689116d3a4ae33" version="1">
> <Unrestricted/>
> </Permission>
> </PermissionSet>
>
> -------------InternetWithFileIO--------------------
> <PermissionSet class="System.Security.NamedPermissionSet"
> version="1"
> Name="InternetWithFileIO"
> Description="Default rights PLUS FileIO given to internet
> applications">
> <IPermission class="System.Security.Permissions.FileDialogPermission,
> mscorlib, Version=1.0.5000.0, Culture=neutral,
> PublicKeyToken=b77a5c561934e089"
> version="1"
> Access="Open"/>
> <IPermission
> class="System.Security.Permissions.IsolatedStorageFilePermission, mscorlib,
> Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
> version="1"
> Allowed="DomainIsolationByUser"
> UserQuota="10240"/>
> <IPermission class="System.Security.Permissions.SecurityPermission,
> mscorlib, Version=1.0.5000.0, Culture=neutral,
> PublicKeyToken=b77a5c561934e089"
> version="1"
> Flags="Execution"/>
> <IPermission class="System.Security.Permissions.UIPermission, mscorlib,
> Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
> version="1"
> Window="SafeTopLevelWindows"
> Clipboard="OwnClipboard"/>
> <IPermission class="System.Drawing.Printing.PrintingPermission,
> System.Drawing, Version=1.0.5000.0, Culture=neutral,
> PublicKeyToken=b03f5f7f11d50a3a"
> version="1"
> Level="SafePrinting"/>
>
> <IPermission class="System.Security.Permissions.FileIOPermission,
> mscorlib, Version=1.0.5000.0, Culture=neutral,
> PublicKeyToken=b77a5c561934e089"
> version="1"/>
>
> </PermissionSet>
> ------------------------
>
> "Novice" wrote:
>
> > Hey all, I've finally had a chance to start experimenting with caspol.exe and
> > other things to test the security of .net.
> >
> > But I'm having some strange problems - for one I was told that you could go
> > into the security policy files and manually edit the XML. However, I have
> > tried to give either the intranet and/or the internet permission set the
> > ability to write files to my file system with no luck. Please understand it
> > isn't that I would actually like this setup on my system - I just want to
> > understand how this could be achieved so that I can better understand .net
> > security.
> >
> > Anyway, I wrote a basic stand-alone application in .net that will attempt to
> > write a file to your file system if you press a button. When I first created
> > the application I put it on my webserver, loaded the application in IE and
> > clicked the button - as expected I received the error (I've only included the
> > top portion of the stack trace):
> > System.Security.SecurityException: Request for the permission of type
> > System.Security.Permissions.FileIOPermission, mscorlib, Version=1.0.5000.0,
> > Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.
> >
> > Then I tried manually editing the three security config files (enterprise,
> > user, and machine) and then added the following tag to both the internet and
> > intranet permission sets:
> >
> > <IPermission class="FileIOPermission"
> > version="1"
> > Unrestricted="true"/>
> >
> > However, this did nothing - even after I did an iisreset, I still get the
> > security exception.
> >
> > My first question therefore is - is there a way to manually edit these
> > security config files to allow internet or intranet applications to write
> > files (or any other enhanced privileges)? If there is - what have I done
> > wrong?
> >
> > My second question is - how can I use the caspol.exe program to give intranet
> > or internet applications the permission to write files? I have found the
> > following use of the command on the web:
> > caspol -cg 1.2 FullTrust
> >
> > But the above apparently gives intranet applications full trust - I would
> > just like to add the file IO permission or some other specific permission to
> > the internet or intranet permission set.
> >
> > Thanks for any assistance,
> > Novice
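As an added check, not code from the thread or from the .NET tooling: a short Python audit that parses a NamedPermissionSet fragment of the kind posted above and reports what each entry actually grants, which is the first thing to verify when a custom set "should" allow file IO but the SecurityException persists. The sample XML is constructed to mirror two details of the posted sets: a FileIOPermission <IPermission> with no grant attributes (which grants nothing) and a <Permission> element in a pre-release format; the status labels and the grants_file_io helper are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the thread: the FileIOPermission <IPermission>
# carries no Unrestricted/Read/Write attributes (as in the InternetWithFileIO set)
# and a <Permission> element uses a pre-release format (as in the intranet set).
SAMPLE = """<PermissionSet class="System.Security.NamedPermissionSet" version="1"
  Name="InternetWithFileIO" Description="Default rights PLUS FileIO">
  <IPermission class="System.Security.Permissions.SecurityPermission, mscorlib,
    Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
    version="1" Flags="Execution"/>
  <IPermission class="System.Security.Permissions.FileIOPermission, mscorlib,
    Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
    version="1"/>
  <Permission class="System.Security.Permissions.FileIOPermission, mscorlib,
    Ver=2000.14.1812.10, SN=03689116d3a4ae33" version="1"><Unrestricted/></Permission>
</PermissionSet>"""


def short_name(class_attr):
    """'System.Security.Permissions.FileIOPermission, mscorlib, ...' -> 'FileIOPermission'."""
    return class_attr.split(",")[0].strip().rsplit(".", 1)[-1]


def audit_permission_set(xml_text):
    """Return (permission, status, detail) triples for every child of <PermissionSet>."""
    findings = []
    for entry in ET.fromstring(xml_text):
        name = short_name(entry.get("class", "")) or "<no class>"
        if entry.tag != "IPermission":
            # The policy files only use <IPermission>; anything else is suspect.
            findings.append((name, "MALFORMED", f"<{entry.tag}> is not an <IPermission> element"))
        elif entry.get("Unrestricted", "").lower() == "true":
            findings.append((name, "UNRESTRICTED", 'Unrestricted="true"'))
        else:
            # Whatever is left after class/version is the actual grant (Flags, Read, Write, ...).
            grants = {k: v for k, v in entry.attrib.items() if k not in ("class", "version")}
            if grants or len(entry):
                findings.append((name, "LIMITED", ", ".join(f"{k}={v}" for k, v in grants.items()) or "child elements"))
            else:
                findings.append((name, "NOTHING", "no grant attributes: this entry adds no rights"))
    return findings


def grants_file_io(xml_text):
    """True only if some FileIOPermission entry is unrestricted or names Write/Append access."""
    return any(name == "FileIOPermission" and (status == "UNRESTRICTED"
               or (status == "LIMITED" and ("Write=" in detail or "Append=" in detail)))
               for name, status, detail in audit_permission_set(xml_text))


if __name__ == "__main__":
    for name, status, detail in audit_permission_set(SAMPLE):
        print(f"{status:12} {name:28} {detail}")
    print("grants file IO:", grants_file_io(SAMPLE))
```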
