Re: Adding permissions to predefined permission sets

From: Nicole Calinoiu (nicolec_at_somewhere.net)
Date: 08/27/04


Date: Fri, 27 Aug 2004 08:00:42 -0400


"Novice" <6tc1ATqlinkDOTqueensuDOTca> wrote in message
news:80983036-DE07-47C2-BD1F-046108550E48@microsoft.com...
> Hey all, I've finally had a chance to start experimenting with caspol.exe and
> other things to test the security of .net.
>
> But I'm having some strange problems - for one I was told that you could go
> into the security policy files and manually edit the XML.

This is one way to modify policy.

> However, I have tried to give either the intranet and/or the internet
> permission set the ability to write files to my file system with no luck.

One may not modify the built-in named permission sets. See
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconnamedpermissionsets.asp
for the official word on this topic.

> Please understand it
> isn't that I would actually like this setup on my system - I just want to
> understand how this could be achieved so that I can better understand .net
> security.

If you're just trying to get a handle on how to adjust policy to reach a
given goal, perhaps using the GUI tool (mscorcfg.msc) would be a bit simpler
for you than XML edits or caspol. For information on how to launch and use
the tool, see
http://msdn.microsoft.com/library/en-us/cptools/html/cpconNETFrameworkAdministrationToolMscorcfgmsc.asp.
This page also contains links to specific policy alteration examples that
you can try.

> Anyway, I wrote a basic stand-alone application in .net that will attempt to
> write a file to your file system if you press a button. When I first created
> the application I put it on my webserver, loaded the application in IE and
> clicked the button - as expected I received the error (I've only included the
> top portion of the stack trace):
> System.Security.SecurityException: Request for the permission of type
> System.Security.Permissions.FileIOPermission, mscorlib, Version=1.0.5000.0,
> Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.
>
> Then I tried manually editing the three security config files (enterprise,
> user, and machine) and then added the following tag to both the internet and
> intranet permission sets:
>
> <IPermission class="FileIOPermission"
> version="1"
> Unrestricted="true"/>
>
> However, this did nothing - even after I did an iisreset, I still get the
> security exception.

Like I mentioned before, you can't alter these named permission sets. You
need to copy the permission set, modify it, then change the permission set
association for the appropriate code group(s).

> My first question therefore is - is there a way to manually edit these
> security config files to allow internet or intranet applications to write
> files (or any other enhanced privileges)? If there is - what have I done
> wrong?
>
> My second question is - how can I use the caspol.exe program to let intranet
> or internet applications the permission to write files? I have found the
> following use of the command on the web:
> caspol -cg 1.2 FullTrust
>
> But the above apparently gives intranet applications full trust - I would
> just like to add the file IO permission or some other specific permission to
> the internet or intranet permission set.
>
> Thanks for any assistance,
> Novice
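
The reply's point that a code group is associated with a permission set by name can be checked mechanically; the following is an added example, not part of the original thread, that reports which remote-zone code groups resolve to a set granting unrestricted `FileIOPermission` (or to `FullTrust`). The XML is a constructed fragment assumed to follow the security.config layout, `IntranetFileIO` is a hypothetical custom set, and labels are numbered by child position in the same style as the `1.2` in the quoted caspol command.

```python
import xml.etree.ElementTree as ET

# Constructed security.config-style fragment; "IntranetFileIO" is a hypothetical custom set.
POLICY = """<PolicyLevel version="1">
 <NamedPermissionSets>
  <PermissionSet class="NamedPermissionSet" version="1" Name="LocalIntranet">
   <IPermission class="FileDialogPermission" version="1" Unrestricted="true"/>
  </PermissionSet>
  <PermissionSet class="NamedPermissionSet" version="1" Name="IntranetFileIO">
   <IPermission class="FileDialogPermission" version="1" Unrestricted="true"/>
   <IPermission class="FileIOPermission" version="1" Unrestricted="true"/>
  </PermissionSet>
 </NamedPermissionSets>
 <CodeGroup class="UnionCodeGroup" PermissionSetName="Nothing" Name="All_Code">
  <IMembershipCondition class="AllMembershipCondition" version="1"/>
  <CodeGroup class="UnionCodeGroup" PermissionSetName="FullTrust" Name="My_Computer_Zone">
   <IMembershipCondition class="ZoneMembershipCondition" Zone="MyComputer"/>
  </CodeGroup>
  <CodeGroup class="UnionCodeGroup" PermissionSetName="IntranetFileIO" Name="LocalIntranet_Zone">
   <IMembershipCondition class="ZoneMembershipCondition" Zone="Intranet"/>
  </CodeGroup>
  <CodeGroup class="UnionCodeGroup" PermissionSetName="Internet" Name="Internet_Zone">
   <IMembershipCondition class="ZoneMembershipCondition" Zone="Internet"/>
  </CodeGroup>
 </CodeGroup>
</PolicyLevel>"""

def sets_granting(root, perm):
    """Names of permission sets that hold an unrestricted `perm`."""
    return {ps.get("Name") for ps in root.iter("PermissionSet")
            for ip in ps.findall("IPermission")
            if ip.get("class", "").split(",")[0].split(".")[-1] == perm
            and ip.get("Unrestricted", "").lower() == "true"}

def walk(group, label="1"):
    """Yield (label, name, zone, permission set name) for each code group."""
    cond = group.find("IMembershipCondition")
    yield label, group.get("Name"), cond.get("Zone") if cond is not None else None, group.get("PermissionSetName")
    for i, child in enumerate(group.findall("CodeGroup"), start=1):
        yield from walk(child, f"{label}.{i}")

def audit(xml_text, perm="FileIOPermission", zones=("Intranet", "Internet")):
    """Remote-zone code groups whose associated set grants unrestricted `perm`."""
    root = ET.fromstring(xml_text)
    risky = sets_granting(root, perm) | {"FullTrust"}
    return [(label, name, pset) for label, name, zone, pset
            in walk(root.find("CodeGroup")) if zone in zones and pset in risky]

if __name__ == "__main__":
    print(audit(POLICY))
```

Run against an exported policy level, an empty result means no Intranet or Internet code group points at a set with unrestricted file I/O.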

