Re: Use of Unrestricted flag ???



"serge calderara" <sergecalderara@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:06745F79-0C7F-4296-A233-7ED484A12A5B@xxxxxxxxxxxxxxxx
Sounds not so logical to me.
If we apply to an assembly a security permission, that means that we would like
forcibly to restrict in one way or another.

Not always. For example, sometimes assembly-level permission attributes are used to communicate security information to machine administrators.


So why use that Unrestricted
flag then? Why not simply skip it all if we want to restrict, or simply remove
the assembly permission IO attribute if we want unrestricted, no?

RestrictOptional has the additional property of implicitly rejecting all other permissions, so the attribute you gave as an example has more consequences than you seem to think.

Also, in the particular case of FileIOPermission, choosing an assembly-level permission attribute can be tricky since the path(s) the application needs to use may only be known at runtime. In such a scenario, a RequestOptional for unrestricted FileIOPermission may be the best of a less than ideal set of choices if one is attempting to develop a least CAS privilege application. It at least gives the administrator the option to set a CAS policy that restricts the application to only those paths it really needs to use.



"Nicole Calinoiu" wrote:

Unrestricted FileIOPermission confers the ability to read and write any file
on a local or remote drive. Since your particular example is an
assembly-level RequestOptional for unrestricted FileIOPermission, it
basically ends up causing your assembly to be granted whatever
FileIOPermission it is allowed under CAS policy. (Sort of a "I'd like
everything, but I'll run with whatever you're willing to give me" result.)


"serge calderara" <sergecalderara@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:7349EA91-D94C-4DF9-A6B4-D6D497E0D49A@xxxxxxxxxxxxxxxx
> Dear all,
>
> I have seen in samples the following assembly attribute:
>
> <Assembly:
> Security.Permissions.FileIOPermission(Security.Permissions.SecurityAction.RequestOptional,
> Unrestricted:=True)>
>
> What does the Unrestricted flag mean?
>
> regards
> serge
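
The following is an added example, not code from any poster in this thread: a sketch of an assembly that makes the RequestOptional request discussed above and copes at runtime with whatever file access CAS policy actually granted. The module name `ReportReader` and the command-line usage are hypothetical, and it assumes a .NET Framework version where CAS policy and assembly-level permission requests are still honored.

```vb
Imports System
Imports System.IO
Imports System.Security
Imports System.Security.Permissions

' An optional request implicitly refuses every permission not requested,
' so the right to execute is requested explicitly as a minimum.
<Assembly: SecurityPermission(SecurityAction.RequestMinimum, Execution:=True)>
' "I'd like all file IO, but I'll run with whatever policy gives me."
<Assembly: FileIOPermission(SecurityAction.RequestOptional, Unrestricted:=True)>

Module ReportReader ' hypothetical name
    ' True only if policy granted this assembly the full, unrestricted permission.
    Function HasUnrestrictedFileIO() As Boolean
        Return SecurityManager.IsGranted(New FileIOPermission(PermissionState.Unrestricted))
    End Function

    Sub Main(ByVal args As String())
        If args.Length = 0 Then
            Console.WriteLine("usage: ReportReader <file>")
            Return
        End If

        If Not HasUnrestrictedFileIO() Then
            Console.WriteLine("File IO grant was narrowed by CAS policy.")
        End If

        Try
            ' The path is only known at runtime. GetFullPath demands
            ' PathDiscovery and opening the file demands Read, so either
            ' call fails if the administrator's policy excludes this path.
            Dim fullPath As String = Path.GetFullPath(args(0))
            Using reader As New StreamReader(fullPath)
                Console.WriteLine(reader.ReadLine())
            End Using
        Catch ex As SecurityException
            Console.WriteLine("Policy does not allow this path: " & ex.Message)
        Catch ex As IOException
            Console.WriteLine("Could not read the file: " & ex.Message)
        End Try
    End Sub
End Module
```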


