Re: enumerate runtime permissions
From: Jas (Jas_at_discussions.microsoft.com)
Date: 09/28/05
- Next message: Dominick Baier [DevelopMentor]: "Re: Prevent access to advapi32.dll RevertToSelf()"
- Previous message: Joe Kaplan \(MVP - ADSI\): "Re: Prevent access to advapi32.dll RevertToSelf()"
- In reply to: Nicole Calinoiu: "Re: enumerate runtime permissions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 27 Sep 2005 19:55:04 -0700
Nicole,
That's a creative way to figure out my permissions! I'll try it out.
Additionally, when I mentioned using asserts in try catch blocks, I was
going to try to assert all permissions, and obviously the runtime would not
let me assert permissions I don't have, so I could figure out by trial and
error which permissions I do and don't have based on which asserts pass and
which fail.
"Nicole Calinoiu" wrote:
> "Jas" <Jas@discussions.microsoft.com> wrote in message
> news:2903D28B-C4C6-4220-8EE6-AC2761264D35@microsoft.com...
> > In the process of learning how application domains work within .NET CLR I
> > was
> > writing test code which instantiated a new application domain with
> > manually
> > specificed evidence set during runtime. And, I loaded an assembly into
> > this
> > new application domain and wanted for it to print out its grant set,
> > literally every permission granted to it.
>
> In that case, you could definitely call into a fully trusted assembly to get
> the grant set. The easiest approach to determining a caller's permissions
> in this sort of scenario is to demand full trust, then read the actual grant
> set from the SecurityException that will result if the caller is not fully
> trusted. To do this, add the following method in an assembly that will be
> fully trusted, then call it from within the assembly whose permissions you
> wish to test:
>
> public string ReadPermissionGrant()
> {
> PermissionSet fullTrust = new
> PermissionSet(PermissionState.Unrestricted);
> string grantedSet = null;
>
> try
> {
> fullTrust.Demand();
> grantedSet = fullTrust.ToString();
> }
> catch (SecurityException ex)
> {
> fullTrust.Assert();
> try
> {
> grantedSet = ex.GrantedSet;
> }
> finally
> {
> CodeAccessPermission.RevertAll();
> }
> }
>
> return grantedSet;
> }
>
> While the above will work for your exploratory scenario, it is not suitable
> for production use for at least a few reasons:
>
> 1. The demand may fail due to any assembly on the call stack, so it's only
> suitable for use when you can control the call stack being tested.
> 2. The demand may be affected by call stack modifiers, so it's only
> suitable for use when you can ensure that none have been applied.
> 3. Since the method may return the permission grant of an assembly other
> than the direct caller's, the assertion of permissions required to read that
> grant may open up new security holes, so the method shouldn't be used in a
> production application unless additional protections are added to prevent
> potential misuse of the method.
>
>
>
> > I could use imperative syntax to
> > assert permissions in try catch block,
>
> Assertions won't help you figure out what permissions were granted. They'll
> only help you run code despite the fact that caller(s) don't possess the
> permission(s) being asserted.
>
>
>
> > but I was wondering if there is a more
> > elegant way to do this with support from the runtime.
> >
> > "Nicole Calinoiu" wrote:
> >
> >> Yes and no. There are ways to read the permission grant, but they all
> >> require at least one "dangerous" permission, so they tend to be somewhat
> >> useless for reading the permission grant of a limited-permission assembly
> >> from within the target assembly itself. However, if you can somehow
> >> involve
> >> a highly privileged assembly in the process, one of these may work for
> >> you.
> >>
> >> There are also some other options for detecting whether a specific
> >> permission (or set of permissions) has been granted to a given assembly
> >> which, depending on what you're trying to do, may be a better approach.
> >> So... In what scenario do you need this information, and what would you
> >> do
> >> with it once you've got it?
> >>
> >>
>
>
>
- Next message: Dominick Baier [DevelopMentor]: "Re: Prevent access to advapi32.dll RevertToSelf()"
- Previous message: Joe Kaplan \(MVP - ADSI\): "Re: Prevent access to advapi32.dll RevertToSelf()"
- In reply to: Nicole Calinoiu: "Re: enumerate runtime permissions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
