RE: Adding permissions to predefined permission sets

From: Novice (6tc1ATqlinkDOTqueensuDOTca)
Date: 08/26/04

  • Next message: Kiran Kumar Pinjala: "DPAPI with User Profile"
    Date: Thu, 26 Aug 2004 11:25:12 -0700
    
    

    Well I figured out the first question - I must have incorrectly set the File
    IO permissions for the two Permission Sets (InternetWithFileIO and
    IntranetWithFileIO) because as soon as I recopied the FileIO permission
    (unrestricted) from the "Everything" Permission Set and set the two
    aforementioned permission sets - everything worked just fine and then
    reassigned the two aforementioned permission sets to the respective code
    groups (Intranet and Trusted) it worked fine. Therefore, I did not have to
    assign everything to those two groups simply to get file IO access for .Net
    applications being run in my browser from the local intranet.

    So I hate beating poor defenseless dead horses - but I'm afraid I have to
    continue beating it - Can the security policy be set by simply making changes
    to the respective .config files for user, machine and enterprise?

    Thanks,
    Novice

    "Novice" wrote:

    > well I don't understand why - but if I just assign the code groups 1.2 and
    > 1.5 the permission sets Everything - it works - I can write to my file system
    > using a .Net application running within my browser.
    >
    > I still don't understand why my slightly enhanced versions of the original
    > permission sets didn't allow it - especially since the exception was still a
    > file IO exception. I will continue to look into that.
    >
    > However, my more pressing question for the moment is - can the security
    > policy on a system be changed by simply making changes to the:
    > security.config (in the .Net directory) - for the machine level
    > security.config (in the user's application data directory) - for the user
    > level
    > enterprisesec.config - for the enterprise level
    >
    > ????
    >
    > Thanks,
    > Novice
    >
    > files?
    >
    > "Novice" wrote:
    >
    > > I think I'm fairly close to understanding the issue now. Before I get into
    > > the explanation I should mention that I've made all changes at the machine
    > > level - since it seems that both the enterprise level and user level have
    > > full trust for everything.
    > >
    > > I've created a permission set called LocalIntranetWithFileIO (the
    > > specification can be found after my signature in this post). As the name
    > > implies it is exactly the same as the default Intranet permission set except
    > > with the added permission of unrestricted access to the file system. I've
    > > done the same with the Internet permission set (this specification can also
    > > be found after the above specification).
    > >
    > > I've changed the code group 1.2 (Intranet) to have the permission set
    > > LocalIntranetWithFileIO at the machine level. I've done the same with the
    > > code group Internet. I did an iisreset and cleared my local browser cache -
    > > I still get the error. Then I even tried making both 1.4 and 1.5 (Untrusted
    > > and Trusted zones) set to the InternetWithFileIO permission set and it still
    > > failed.
    > >
    > > Am I going about this in the right way?
    > >
    > > Lastly, it appears that every time I change the security at any level (using
    > > caspol) that the .config file for that level is changed accordingly - does
    > > that mean the .config files (for user, machine and enterprise) are not read
    > > by the .Net security policy? But instead that these files are only written
    > > to? I was under the impression you could change the security policy by just
    > > making changes to those files.
    > >
    > > Thanks,
    > > Novice
    > >
    > > -------------LocalIntranetWithFileIO--------------------
    > > <PermissionSet class="System.Security.NamedPermissionSet"
    > > version="1"
    > > Name="LocalIntranetWithFileIO"
    > > Description="Default rights PLUS File IO given to
    > > applications on the local intranet">
    > > <IPermission class="System.Security.Permissions.EnvironmentPermission,
    > > mscorlib, Version=1.0.5000.0, Culture=neutral,
    > > PublicKeyToken=b77a5c561934e089"
    > > version="1"
    > > Read="USERNAME"/>
    > > <IPermission class="System.Security.Permissions.FileDialogPermission,
    > > mscorlib, Version=1.0.5000.0, Culture=neutral,
    > > PublicKeyToken=b77a5c561934e089"
    > > version="1"
    > > Unrestricted="true"/>
    > > <IPermission
    > > class="System.Security.Permissions.IsolatedStorageFilePermission, mscorlib,
    > > Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
    > > version="1"
    > > Allowed="AssemblyIsolationByUser"
    > > UserQuota="9223372036854775807"
    > > Expiry="9223372036854775807"
    > > Permanent="True"/>
    > > <IPermission class="System.Security.Permissions.ReflectionPermission,
    > > mscorlib, Version=1.0.5000.0, Culture=neutral,
    > > PublicKeyToken=b77a5c561934e089"
    > > version="1"
    > > Flags="ReflectionEmit"/>
    > > <IPermission class="System.Security.Permissions.SecurityPermission,
    > > mscorlib, Version=1.0.5000.0, Culture=neutral,
    > > PublicKeyToken=b77a5c561934e089"
    > > version="1"
    > > Flags="Assertion, Execution, BindingRedirects"/>
    > > <IPermission class="System.Security.Permissions.UIPermission, mscorlib,
    > > Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
    > > version="1"
    > > Unrestricted="true"/>
    > > <IPermission class="System.Net.DnsPermission, System, Version=1.0.5000.0,
    > > Culture=neutral, PublicKeyToken=b77a5c561934e089"
    > > version="1"
    > > Unrestricted="true"/>
    > > <IPermission class="System.Drawing.Printing.PrintingPermission,
    > > System.Drawing, Version=1.0.5000.0, Culture=neutral,
    > > PublicKeyToken=b03f5f7f11d50a3a"
    > > version="1"
    > > Level="DefaultPrinting"/>
    > > <IPermission class="System.Diagnostics.EventLogPermission, System,
    > > Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
    > > version="1">
    > > <Machine name="."
    > > access="Instrument"/>
    > > </IPermission>
    > >
    > > <Permission class="System.Security.Permissions.FileIOPermission,
    > > mscorlib, Ver=2000.14.1812.10, SN=03689116d3a4ae33" version="1">
    > > <Unrestricted/>
    > > </Permission>
    > > </PermissionSet>
    > >
    > > -------------InternetWithFileIO--------------------
    > > <PermissionSet class="System.Security.NamedPermissionSet"
    > > version="1"
    > > Name="InternetWithFileIO"
    > > Description="Default rights PLUS FileIO given to internet
    > > applications">
    > > <IPermission class="System.Security.Permissions.FileDialogPermission,
    > > mscorlib, Version=1.0.5000.0, Culture=neutral,
    > > PublicKeyToken=b77a5c561934e089"
    > > version="1"
    > > Access="Open"/>
    > > <IPermission
    > > class="System.Security.Permissions.IsolatedStorageFilePermission, mscorlib,
    > > Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
    > > version="1"
    > > Allowed="DomainIsolationByUser"
    > > UserQuota="10240"/>
    > > <IPermission class="System.Security.Permissions.SecurityPermission,
    > > mscorlib, Version=1.0.5000.0, Culture=neutral,
    > > PublicKeyToken=b77a5c561934e089"
    > > version="1"
    > > Flags="Execution"/>
    > > <IPermission class="System.Security.Permissions.UIPermission, mscorlib,
    > > Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
    > > version="1"
    > > Window="SafeTopLevelWindows"
    > > Clipboard="OwnClipboard"/>
    > > <IPermission class="System.Drawing.Printing.PrintingPermission,
    > > System.Drawing, Version=1.0.5000.0, Culture=neutral,
    > > PublicKeyToken=b03f5f7f11d50a3a"
    > > version="1"
    > > Level="SafePrinting"/>
    > >
    > > <IPermission class="System.Security.Permissions.FileIOPermission,
    > > mscorlib, Version=1.0.5000.0, Culture=neutral,
    > > PublicKeyToken=b77a5c561934e089"
    > > version="1"/>
    > >
    > > </PermissionSet>
    > > ------------------------
    > >
    > > "Novice" wrote:
    > >
    > > > Hey all, I've finally had a chance to start experimenting with caspol.exe and
    > > > other things to test the security of .net.
    > > >
    > > > But I'm having some strange problems - for one I was told that you could go
    > > > into the security policy files and manually edit the XML. However, I have
    > > > tried to give either the intranet and/or the internet permission set the
    > > > ability to write files to my file system with no luck. Please understand it
    > > > isn't that I would actually like this setup on my system - I just want to
    > > > understand how this could be achieved so that I can better understand .net
    > > > security.
    > > >
    > > > Anyway, I wrote a basic stand-alone application in .net that will attempt to
    > > > write a file to your file system if you press a button. When I first created
    > > > the application I put it on my webserver, loaded the application in IE and
    > > > clicked the button - as expected I received the error (I've only included the
    > > > top portion of the stack trace):
    > > > System.Security.SecurityException: Request for the permission of type
    > > > System.Security.Permissions.FileIOPermission, mscorlib, Version=1.0.5000.0,
    > > > Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.
    > > >
    > > > Then I tried manually editing the three security config files (enterprise,
    > > > user, and machine) and then added the following tag to both the internet and
    > > > intranet permission sets:
    > > >
    > > > <IPermission class="FileIOPermission"
    > > > version="1"
    > > > Unrestricted="true"/>
    > > >
    > > > However, this did nothing - even after I did an iisreset, I still get the
    > > > security exception.
    > > >
    > > > My first question therefore is - is there a way to manually edit these
    > > > security config files to allow internet or intranet applications to write
    > > > files (or any other enhanced privileges)? If there is - what have I done
    > > > wrong?
    > > >
    > > > My second question is - how can I use the caspol.exe program to let intranet
    > > > or internet applications the permission to write files? I have found the
    > > > following use of the command on the web:
    > > > caspol -cg 1.2 FullTrust
    > > >
    > > > But the above apparently gives intranet applications full trust - I would
    > > > just like to add the file IO permission or some other specific permission to
    > > > the internet or intranet permission set.
    > > >
    > > > Thanks for any assistance,
    > > > Novice

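As an added audit example (not code from the thread or from any Microsoft tool), this Python check reports what a NamedPermissionSet actually grants for FileIOPermission and why an entry has no effect, modelled on the two entries quoted above: the `<Permission ... Ver=... SN=...>` form with a child `<Unrestricted/>`, and the `<IPermission>` that carries neither `Unrestricted="true"` nor any path attribute. The sample sets are constructed from the thread's snippets; the attribute names checked are the ones the .NET 1.x FileIOPermission XML form uses.

```python
import xml.etree.ElementTree as ET

# .NET 1.1 assembly reference used by the thread's permission entries.
MSCORLIB = ("mscorlib, Version=1.0.5000.0, Culture=neutral, "
            "PublicKeyToken=b77a5c561934e089")
FILE_IO = "System.Security.Permissions.FileIOPermission"
PATH_ATTRS = ("Read", "Write", "Append", "PathDiscovery")


def audit_file_io(permission_set_xml):
    """Return (grant, issues) for one NamedPermissionSet.

    grant is 'unrestricted', 'scoped' (path-limited) or 'none'; issues
    lists the defects that stop a FileIOPermission entry taking effect.
    """
    root = ET.fromstring(permission_set_xml)
    grant, issues, found = "none", [], False
    for elem in root:
        cls = elem.get("class", "")
        if cls.split(",")[0].strip() != FILE_IO:
            continue  # some other permission; not what we are auditing
        found = True
        if elem.tag != "IPermission":
            issues.append(f"<{elem.tag}> is not the <IPermission> element "
                          "the policy format uses")
        if "PublicKeyToken=" not in cls:
            issues.append("class is not a full assembly-qualified name")
        if elem.get("Unrestricted", "").lower() == "true":
            grant = "unrestricted"
        elif any(elem.get(a) for a in PATH_ATTRS):
            grant = "scoped"
        else:
            issues.append("entry has no Unrestricted or path attribute, "
                          "so it grants no file access")
    if not found:
        issues.append("no FileIOPermission entry in this permission set")
    return grant, issues


# Constructed samples: the two entries from the thread, then a corrected one.
SET_HEAD = '<PermissionSet class="System.Security.NamedPermissionSet" version="1">'
BROKEN_INTRANET = (SET_HEAD + f'<Permission class="{FILE_IO}, mscorlib, '
                   'Ver=2000.14.1812.10, SN=03689116d3a4ae33" version="1">'
                   '<Unrestricted/></Permission></PermissionSet>')
BROKEN_INTERNET = (SET_HEAD + f'<IPermission class="{FILE_IO}, {MSCORLIB}" '
                   'version="1"/></PermissionSet>')
FIXED_SET = (SET_HEAD + f'<IPermission class="{FILE_IO}, {MSCORLIB}" '
             'version="1" Unrestricted="true"/></PermissionSet>')
```

Run `audit_file_io` over each `<PermissionSet>` in a security.config to list which sets hand out unrestricted file access and which entries are silently ineffective.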
