Re: Adding permissions to predefined permission sets
From: Novice (6tc1ATqlinkDOTqueensuDOTca)
Date: 08/27/04
- In reply to: Nicole Calinoiu: "Re: Adding permissions to predefined permission sets"
Date: Fri, 27 Aug 2004 08:23:05 -0700
The information concerning an inability to modify the predefined permission
sets is very useful to me. I had read previous documents that said that you
could modify security policy directly by changing those files and was
surprised to see that nothing changed when I modified them.
I also thank you for your other response concerning the steps to make the
changes to the security policy file. I feel very comfortable with the caspol
application now and I think I definitely prefer it to the "mscorcfg.msc"
application.
I think I feel comfortable with making changes either directly to the file
or using the caspol application.
Thanks so much,
Novice
"Nicole Calinoiu" wrote:
> "Novice" <6tc1ATqlinkDOTqueensuDOTca> wrote in message
> news:80983036-DE07-47C2-BD1F-046108550E48@microsoft.com...
> > Hey all, I've finally had a chance to start experimenting with caspol.exe
> > and other things to test the security of .net.
> >
> > But I'm having some strange problems - for one I was told that you could
> > go into the security policy files and manually edit the XML.
>
> This is one way to modify policy.
>
> > However, I have tried to give either the intranet and/or the internet
> > permission set the ability to write files to my file system with no luck.
>
> One may not modify the built-in named permission sets. See
> http://msdn.microsoft.com/library/en-us/cpguide/html/cpconnamedpermissionsets.asp
> for the official word on this topic.
>
>
> > Please understand it
> > isn't that I would actually like this setup on my system - I just want to
> > understand how this could be achieved so that I can better understand .net
> > security.
>
> If you're just trying to get a handle on how to adjust policy to reach a
> given goal, perhaps using the GUI tool (mscorcfg.msc) would be a bit simpler
> for you than XML edits or caspol. For information on how to launch and use
> the tool, see
> http://msdn.microsoft.com/library/en-us/cptools/html/cpconNETFrameworkAdministrationToolMscorcfgmsc.asp.
> This page also contains links to specific policy alteration examples that
> you can try.
>
>
> > Anyway, I wrote a basic stand-alone application in .net that will attempt
> > to write a file to your file system if you press a button. When I first
> > created the application I put it on my webserver, loaded the application
> > in IE and clicked the button - as expected I received the error (I've only
> > included the top portion of the stack trace):
> > System.Security.SecurityException: Request for the permission of type
> > System.Security.Permissions.FileIOPermission, mscorlib, Version=1.0.5000.0,
> > Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.
> >
> > Then I tried manually editing the three security config files (enterprise,
> > user, and machine) and then added the following tag to both the internet
> > and intranet permission sets:
> >
> > <IPermission class="FileIOPermission"
> > version="1"
> > Unrestricted="true"/>
> >
> > However, this did nothing - even after I did an iisreset, I still get the
> > security exception.
>
> Like I mentioned before, you can't alter these named permission sets. You
> need to copy the permission set, modify it, then change the permission set
> association for the appropriate code group(s).
>
>
> > My first question therefore is - is there a way to manually edit these
> > security config files to allow internet or intranet applications to write
> > files (or any other enhanced privileges)? If there is - what have I done
> > wrong?
> >
> > My second question is - how can I use the caspol.exe program to let
> > intranet or internet applications the permission to write files? I have
> > found the following use of the command on the web:
> > caspol -cg 1.2 FullTrust
> >
> > But the above apparently gives intranet applications full trust - I would
> > just like to add the file IO permission or some other specific permission
> > to the internet or intranet permission set.
> >
> > Thanks for any assistance,
> > Novice
>
>
>
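The copy, modify and re-associate steps from the quoted reply, written out with caspol as an added example that is not part of the original thread. The caspol path, the set name `IntranetPlusFileWrite` and the directory `C:\CasDemo\out` are assumptions; the label 1.2 is the one used by the caspol command quoted in the thread.

```powershell
# Added example. Names marked "hypothetical" are not from the thread.
$caspol   = "$env:windir\Microsoft.NET\Framework\v1.1.4322\caspol.exe"  # assumed .NET 1.1 location
$psetName = 'IntranetPlusFileWrite'   # hypothetical name for the custom set
$writeDir = 'C:\CasDemo\out'          # hypothetical directory the code may write to
$psetFile = Join-Path $env:TEMP "$psetName.xml"
# Assembly identity as printed in the thread's SecurityException.
$asm = 'mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'

# The built-in LocalIntranet set cannot be modified, so the grant lives in a new named set.
# Only three permissions are shown; a faithful copy would carry over every
# IPermission element that "caspol -machine -listpset" prints for LocalIntranet.
$xml = @"
<PermissionSet class="System.Security.NamedPermissionSet" version="1"
               Name="$psetName" Description="LocalIntranet variant with scoped file write">
  <IPermission class="System.Security.Permissions.SecurityPermission, $asm"
               version="1" Flags="Execution"/>
  <IPermission class="System.Security.Permissions.UIPermission, $asm"
               version="1" Unrestricted="true"/>
  <!-- Write access to one directory instead of Unrestricted="true" -->
  <IPermission class="System.Security.Permissions.FileIOPermission, $asm"
               version="1" Write="$writeDir"/>
</PermissionSet>
"@
Set-Content -Path $psetFile -Value $xml

function Invoke-Caspol {
    # Run caspol with the given arguments and stop on a non-zero exit code.
    & $caspol $args
    if ($LASTEXITCODE -ne 0) { throw "caspol $args failed with exit code $LASTEXITCODE" }
}

# 1. Register the new named permission set at machine level (the name comes from the XML).
Invoke-Caspol -quiet -machine -addpset $psetFile
# 2. Confirm which label the intranet zone group has; the thread uses 1.2.
Invoke-Caspol -machine -listgroups
# 3. Point that code group at the new set instead of LocalIntranet.
Invoke-Caspol -quiet -machine -chggroup 1.2 $psetName

# Undo: restore the built-in association, then drop the custom set.
# Invoke-Caspol -quiet -machine -chggroup 1.2 LocalIntranet
# Invoke-Caspol -quiet -machine -rempset $psetName
```

The example scopes the grant to `Write` on a single directory, whereas the tag tried in the thread used `Unrestricted="true"`.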