Re: Adding permissions to predefined permission sets

From: Nicole Calinoiu (nicolec_at_somewhere.net)
Date: 08/27/04 

Date: Fri, 27 Aug 2004 08:29:04 -0400

You can alter security policy by direct edits of the appropriate .config
files, but you have to stick within the rules and use valid XML. Here's a
simple example for you to try:

1. Create a simple test executable (e.g.: just write some bogus string to
the console in a little console app) and put a compiled copy on some other
machine on your local network.

On your client, not the machine that is hosting the compiled executable:
2. Under default policy, ensure that you can run the test application from
a share on that machine.
3. Create a backup copy of security.config. (security.config, not
machine.config, is used for the machine security policy).
4. Open security.config for editing.
5. Locate the
configuration/mscorlib/security/policy/PolicyLevel/All_Code/LocalIntranet_Zone
node in the security.config file. The opening tag should look something
like this:

<CodeGroup class="UnionCodeGroup"
        version="1"
        PermissionSetName="LocalIntranet"
        Name="LocalIntranet_Zone"
        Description="Code group grants the intranet permission set to ...">

6. Change the permission set for the LocalIntranet zone from LocalIntranet
to Nothing by editing the PermissionSetName attribute. e.g.:

<CodeGroup class="UnionCodeGroup"
        version="1"
        PermissionSetName="Nothing"
        Name="LocalIntranet_Zone"
        Description="Code group grants the intranet permission set to ...">

7. Save the edited security.config file.
8. Attempt to run your test assembly from the other machine as you did in
step #1. This should fail with a PolicyException since the Nothing named
permission set does not permit execution.
9. Revert your security policy changes by undoing the edit or rolling back
to the backup copy of security.config.

HTH,
Nicole

"Novice" <6tc1ATqlinkDOTqueensuDOTca> wrote in message
news:A870ABA0-E1EE-4A2A-A874-C8B73C959175@microsoft.com...
> Well I figured out the first question - I must have incorrectly set the
> File
> IO permissions for the two Permission Sets (InternetWithFileIO and
> IntranetWithFileIO) because as soon as I recopied the FileIO permission
> (unrestricted) from the "Everything" Permission Set and set the two
> aforementioned permission sets - everything worked just fine and then
> reassigned the two aforementioned permission sets to the respective code
> groups (Intranet and Trusted) it worked fine. Thefore, I did not have to
> assign everything to those two groups simply to get file IO access for
> .Net
> applications being run in my browser from the local intranet.
>
> So I hate beating poor defenseless dead horses - but I'm afraid I have to
> continue beating it - Can the security policy be set by simply making
> changes
> to the respective .config files for user, machine and enterprise?
>
> Thanks,
> Novice
>
> "Novice" wrote:
>
>> well I don't understand why - but if I just assign the code groups 1.2
>> and
>> 1.5 the permission sets Everything - it works - I can write to my file
>> system
>> using a .Net application running within my browser.
>>
>> I still don't understand why my slightly enhanced versions of the
>> original
>> permission sets didn't allow it - especially since the exception was
>> still a
>> file IO exception. I will continue to look into that.
>>
>> However, my more pressing question for the moment is - can the security
>> policy on a system be changed by simply making changes to the:
>> security.config (in the .Net directory) - for the machine level
>> security.config (in the user's application data directory) - for the user
>> level
>> enterprisesec.config - for the enterprise level
>>
>> ????
>>
>> Thanks,
>> Novice
>>
>> files?
>>
>> "Novice" wrote:
>>
>> > I think I'm fairly close to understanding the issue now. Before I get
>> > into
>> > the explanation I should mention that I've made all changes at the
>> > machine
>> > level - since it seems that both the enterprise level and user level
>> > have
>> > full trust for everything.
>> >
>> > I've created a permission set called LocalIntranetWithFileIO (the
>> > specification can be found after my signature in this post). As the
>> > name
>> > implies it is exactly the same as the default Intranet permission set
>> > except
>> > with the added permission of unrestricted acess to the file system.
>> > I've
>> > done the same with the Internet permission set (this specification can
>> > also
>> > be found after the above specification).
>> >
>> > I've changed the code group 1.2 (Intranet) to have the permission set
>> > LocalIntranetWithFileIO at the machine level. I've done the same with
>> > the
>> > code group Internet. I did an iisreset and cleared my local browser
>> > cache -
>> > I still get the error. Then I even tried making both 1.4 and 1.5
>> > (Untrusted
>> > and Trusted zones) set to the InternetWithFileIO permission set and it
>> > still
>> > failed.
>> >
>> > Am I going about this in the right way?
>> >
>> > Lastly, it appears that everytime I change the security at any level
>> > (using
>> > caspol) that the .config file for that level is changed accordingly -
>> > does
>> > that mean the .config files (for user, machine and enterprise) are not
>> > read
>> > by the .Net security policy? But instead that these files are only
>> > written
>> > to? I was under the impression you could change the security policy by
>> > just
>> > making changes to those files.
>> >
>> > Thanks,
>> > Novice
>> >
>> > -------------LocalIntranetWithFileIO--------------------
>> > <PermissionSet class="System.Security.NamedPermissionSet"
>> > version="1"
>> > Name="LocalIntranetWithFileIO"
>> > Description="Default rights PLUS File IO given to
>> > applications on the local intranet">
>> > <IPermission
>> > class="System.Security.Permissions.EnvironmentPermission,
>> > mscorlib, Version=1.0.5000.0, Culture=neutral,
>> > PublicKeyToken=b77a5c561934e089"
>> > version="1"
>> > Read="USERNAME"/>
>> > <IPermission
>> > class="System.Security.Permissions.FileDialogPermission,
>> > mscorlib, Version=1.0.5000.0, Culture=neutral,
>> > PublicKeyToken=b77a5c561934e089"
>> > version="1"
>> > Unrestricted="true"/>
>> > <IPermission
>> > class="System.Security.Permissions.IsolatedStorageFilePermission,
>> > mscorlib,
>> > Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
>> > version="1"
>> > Allowed="AssemblyIsolationByUser"
>> > UserQuota="9223372036854775807"
>> > Expiry="9223372036854775807"
>> > Permanent="True"/>
>> > <IPermission
>> > class="System.Security.Permissions.ReflectionPermission,
>> > mscorlib, Version=1.0.5000.0, Culture=neutral,
>> > PublicKeyToken=b77a5c561934e089"
>> > version="1"
>> > Flags="ReflectionEmit"/>
>> > <IPermission class="System.Security.Permissions.SecurityPermission,
>> > mscorlib, Version=1.0.5000.0, Culture=neutral,
>> > PublicKeyToken=b77a5c561934e089"
>> > version="1"
>> > Flags="Assertion, Execution, BindingRedirects"/>
>> > <IPermission class="System.Security.Permissions.UIPermission,
>> > mscorlib,
>> > Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
>> > version="1"
>> > Unrestricted="true"/>
>> > <IPermission class="System.Net.DnsPermission, System,
>> > Version=1.0.5000.0,
>> > Culture=neutral, PublicKeyToken=b77a5c561934e089"
>> > version="1"
>> > Unrestricted="true"/>
>> > <IPermission class="System.Drawing.Printing.PrintingPermission,
>> > System.Drawing, Version=1.0.5000.0, Culture=neutral,
>> > PublicKeyToken=b03f5f7f11d50a3a"
>> > version="1"
>> > Level="DefaultPrinting"/>
>> > <IPermission class="System.Diagnostics.EventLogPermission, System,
>> > Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
>> > version="1">
>> > <Machine name="."
>> > access="Instrument"/>
>> > </IPermission>
>> >
>> > <Permission class="System.Security.Permissions.FileIOPermission,
>> > mscorlib, Ver=2000.14.1812.10, SN=03689116d3a4ae33" version="1">
>> > <Unrestricted/>
>> > </Permission>
>> > </PermissionSet>
>> >
>> > -------------InternetWithFileIO--------------------
>> > <PermissionSet class="System.Security.NamedPermissionSet"
>> > version="1"
>> > Name="InternetWithFileIO"
>> > Description="Default rights PLUS FileIO given to
>> > internet
>> > applications">
>> > <IPermission
>> > class="System.Security.Permissions.FileDialogPermission,
>> > mscorlib, Version=1.0.5000.0, Culture=neutral,
>> > PublicKeyToken=b77a5c561934e089"
>> > version="1"
>> > Access="Open"/>
>> > <IPermission
>> > class="System.Security.Permissions.IsolatedStorageFilePermission,
>> > mscorlib,
>> > Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
>> > version="1"
>> > Allowed="DomainIsolationByUser"
>> > UserQuota="10240"/>
>> > <IPermission class="System.Security.Permissions.SecurityPermission,
>> > mscorlib, Version=1.0.5000.0, Culture=neutral,
>> > PublicKeyToken=b77a5c561934e089"
>> > version="1"
>> > Flags="Execution"/>
>> > <IPermission class="System.Security.Permissions.UIPermission,
>> > mscorlib,
>> > Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
>> > version="1"
>> > Window="SafeTopLevelWindows"
>> > Clipboard="OwnClipboard"/>
>> > <IPermission class="System.Drawing.Printing.PrintingPermission,
>> > System.Drawing, Version=1.0.5000.0, Culture=neutral,
>> > PublicKeyToken=b03f5f7f11d50a3a"
>> > version="1"
>> > Level="SafePrinting"/>
>> >
>> > <IPermission class="System.Security.Permissions.FileIOPermission,
>> > mscorlib, Version=1.0.5000.0, Culture=neutral,
>> > PublicKeyToken=b77a5c561934e089"
>> > version="1"/>
>> >
>> > </PermissionSet>
>> > ------------------------
>> >
>> > "Novice" wrote:
>> >
>> > > Hey all, I've finally had a chance to start experimenting with
>> > > caspol.exe and
>> > > other things to test the security of .net.
>> > >
>> > > But I'm having some strange problems - for one I was told that you
>> > > could go
>> > > into the security policy files and manually edit the XML. However, I
>> > > have
>> > > tried to give either the intranet and/or the internet permission set
>> > > the
>> > > ability to write files to my file system with no luck. Please
>> > > understand it
>> > > isn't that I would actually like this setup on my system - I just
>> > > want to
>> > > understand how this could be achieved so that I can better understand
>> > > .net
>> > > security.
>> > >
>> > > Anyway, I wrote a basic stand-alone application in .net that will
>> > > attempt to
>> > > write a file to your file system if you press a button. When I first
>> > > created
>> > > the application I put it on my webserver, loaded the application in
>> > > IE and
>> > > clicked the button - as expected I received the error (I've only
>> > > included the
>> > > top portion of the stack trace):
>> > > System.Security.SecurityException: Request for the permission of type
>> > > System.Security.Permissions.FileIOPermission, mscorlib,
>> > > Version=1.0.5000.0,
>> > > Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.
>> > >
>> > > Then I tried manually editing the three security config files
>> > > (enterprise,
>> > > user, and machine) and then added the following tag to both the
>> > > internet and
>> > > intranet permission sets:
>> > >
>> > > <IPermission class="FileIOPermission"
>> > > version="1"
>> > > Unrestricted="true"/>
>> > >
>> > > However, this did nothing - even after I did an iisreset, I still get
>> > > the
>> > > security exception.
>> > >
>> > > My first question therefore is - is there a way to manually edit
>> > > these
>> > > security config files to allow internet or intranet applications to
>> > > write
>> > > files (or any other enhanced privileges)? If there is - what have I
>> > > done
>> > > wrong?
>> > >
>> > > My second question is - how can I use the caspol.exe program to let
>> > > intranet
>> > > or internet applications the permission to write files? I have found
>> > > the
>> > > following use of the command on the web:
>> > > caspol -cg 1.2 FullTrust
>> > >
>> > > But the above apparently gives intranet applications full trust - I
>> > > would
>> > > just like to add the file IO permission or some other specific
>> > > permission to
>> > > the internet or intranet permission set.
>> > >
>> > > Thanks for any assistance,
>> > > Novice

Quantcast