RE: web application can not access event log

From: Joseph MCAD (JosephMCAD_at_discussions.microsoft.com)
Date: 04/06/05

Next message: Joseph MCAD: "RE: How to run aspnet with system account"
Previous message: chuck rudolph: "Solution: web application can not access event log"
In reply to: chuck rudolph: "RE: web application can not access event log"
Next in thread: chuck rudolph: "RE: web application can not access event log"
Reply: chuck rudolph: "RE: web application can not access event log"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 5 Apr 2005 16:53:03 -0700

April 5, 2005

I see the permission set you mean. This confusion is well founded. What
is happening is when you demand the eventlogpermission.instrument it
succeeds, because you are granted that permission. BUT when you go to call
eventlog.createventsource, the CreateEventSource method secretly demands the
FullTrust permission set. It would be as if I created this following method
in a custom library for you to use:

<FileIoPermission(SecurityAction.Demand, all:="c:\myfolder")> _
Public Sub DoWorkForYou()

' Before doing work, secretly demand UNRESTRICTED access to file system,
EVEN Though the security attribute above only asks for c:\myfolder

dim permset as new FileIoPermission(PermissionState.Unrestricted)
permset.Demand 'Secretly Demands Unrestricted FileIOPermission

'Now do promised work
End Sub

If you ran permview to analyze the requested minimum permissions, then it
would look like you just have to be able to access c:\myfolder. You would be
granted access to this method. However, the method Secretly demands the
unrestricted FileIOPermission IN the method and therefore is not displayed by
permview. This causes the confusion and explains why some methods work and
some don't even though you Should be able to access them all. I hope this
makes sense and thanks for reporting the result of the experiment! :-)

Joseph MCAD

"chuck rudolph" wrote:

> Joesph, The reason I am confused is the code first "demanded" a permission
> set of EventLogPermissionAccess.Instrument. MSDN says "The EventLog can read
> or write to existing logs, and create event sources and logs." The demand
> succeeded. That to me says that I have the rights to (1) create event logs
> and (2) create event sources and (3) read and write logs. We both know that
> is not true, so what part of this don't I get. (The actual code that I ran is
> listed at the beginning of the first post. I start with "none", although the
> task is running with "full")
>
> Thanks. (BTW: the test worked, see the main line post.) ...Chuck
>
> "Joseph MCAD" wrote:
>
> >
> > April 5, 2005
> >
> > Hi Chuck,
> >
> > What permissions are in the permissionset that you are
> > demanding/asserting? If you talking about the Eventlogpermission, it is
> > working, because you are granted that permission. Just to let you know... If
> > you are granted FullTrust then NO permission demands will even be evaluated.
> > That permission set BYPASSES checks of all kinds, even if they are for custom
> > permissions that you have not granted that assembly. This could be why your
> > permissionset is completing, but you should be able to access the eventlog
> > without failing, so I don't think so. If you want to be granted all normal,
> > builtin permissions, while STILL evaluating demands/asserts/etc. then you
> > should run not under FullTrust but Everything. Everything will grant you all
> > normal, builtin permissions while still evaluating CAS. I hope this helps and
> > be sure to post about your custom log and the registry. Thanks, you are
> > saving me the experiment!
> >
> >
> > Joseph MCAD
> >
> >
> >
> > "chuck rudolph" wrote:
> >
> > > Joseph (& Nicole), Thanks. Joeseph's words on the application log do work. I
> > > need to attempt a like fix to my custom log file and see if I can make it
> > > work. I will post a solution if I find one.
> > >
> > > On the other side of the coin, does anyone know why the permissionSet.Demand
> > > (or Assert) complete normally -- leading me to believe that I can create the
> > > log and log source?
> > >
> > > Thanks...Chuck
> > >
> > >

Next message: Joseph MCAD: "RE: How to run aspnet with system account"
Previous message: chuck rudolph: "Solution: web application can not access event log"
In reply to: chuck rudolph: "RE: web application can not access event log"
Next in thread: chuck rudolph: "RE: web application can not access event log"
Reply: chuck rudolph: "RE: web application can not access event log"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

RE: web application can not access event log
... The reason I am confused is the code first "demanded" a permission ... MSDN says "The EventLog can read ... or write to existing logs, and create event sources and logs." ... The demand ...
(microsoft.public.dotnet.security)
Re: security exception for aspx page
... permission that is being demanded is. ... demand is called so that the stack walk is stopped (note, ... - Create your own assembly that goes in the GAC that wraps their assembly ...
(microsoft.public.dotnet.security)
about permissions
... Assert vs Demand ... With assert, the immediate caller must have permission to ...
(microsoft.public.cert.exam.mcad)
Re: Security Exception
... > the connecting users according to the Local Users and Groups on ... > permission = permission.Union(new PrincipalPermission(null, ... Demand() method does. ... or not the role and ID of the PrincipalPermission match ...
(microsoft.public.dotnet.framework.aspnet)
Re: When to explicitly check permission
... > SecurityException instead would there? ... Directory.GetCurrentDirectory method will implement a demand for ... > should I do an explicit check my self before I call the method? ... performing a preliminary demand for the same permission. ...
(microsoft.public.dotnet.security)