Why is this Code Access Security example broken?
<p>I know that CAS is <a href="https://stackoverflow.com/questions/782020/is-it-necessary-to-learn-about-code-access-security-cas">of limited value</a>, but I want to learn about it anyway.</p>
<p>I don't understand the behavior I'm seeing: Basic default CAS seems not to work at all in my fairly normal environment.</p>
<p>Take this sample class:</p>
<pre><code>using System;
using System.Security;
using System.Security.Permissions;

namespace CASNotWorkingExample
{
    class Program
    {
        static void Main(string[] args)
        {
            // Ask whether this assembly's grant set includes unrestricted file I/O.
            FileIOPermission perm = new FileIOPermission(PermissionState.Unrestricted);
            if (SecurityManager.IsGranted(perm))
                Console.WriteLine("granted");
            else
                Console.WriteLine("denied");

            // Keep the console window open until a key is pressed.
            Console.ReadKey();
        }
    }
}
</code></pre>
<p>I build this and put the exe, <code>CASNotWorkingExample.exe</code>, onto another machine (IP is 192.168.1.101) on a file share "untrusted". I then run it from a nonadministrative command prompt using <code>\\192.168.1.101\untrusted\CASNotWorkingExample.exe</code>, expecting it to return "denied". It does not; it returns "granted".</p>
<p>Windows knows it's dealing with a remote EXE of questionable security. When I run the same command from the start menu Run... dialog, I get the usual security warning "The publisher could not be verified. Are you sure etc. etc.". So it's not somehow mistakenly thinking the exe is running on the local machine and misassigning the zone.</p>
<p>Furthermore, when I look at the very same exe using the .NET 2.0 Configuration Tool (right-click "Runtime Security Policy", choose "Evaluate Assembly..."), I see that .NET is only assigning Internet_Zone permissions to the assembly. These permissions do NOT include FileIOPermission (Isolated Storage is its own permission).</p>
<p><a href="http://img5.imageshack.us/img5/2256/casperms.jpg" rel="nofollow noreferrer">http://img5.imageshack.us/img5/2256/casperms.jpg</a></p>
<p>Data that might be useful to someone else but hasn't been to me so far:</p>
<ul>
<li>I ran into this while working through the <a href="http://rads.stackoverflow.com/amzn/click/0735626197" rel="nofollow noreferrer">MS Press book</a> for the MCTS 70-536 exam. Chapter 11 is all about CAS; Lesson 1 / Example 1 fails for me, pretty much as described above. What you see here is a stripped-down variant of that.</li>
<li>I have verified that an EXE such as this can actually write to disk, i.e. the IsGranted check is probably correct.</li>
<li>The two machines are running Vista SP1 and WinXP. The behavior is the same regardless of which is the client and which is the fileserver, so it's not a Vista thing.</li>
<li>The behavior is identical when running as a standard nonprivileged user and as an administrator.</li>
<li>Not running in an AD domain.</li>
<li>Same username and password on client and fileserver, so I can access the file without needing to use <code>net use</code> to supply credentials.</li>
</ul>
<p>I'm sure this is going to be one of those "arrrgh" moments... What am I missing?</p>
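A diagnostic for the mismatch described in the question, added here as an example and not part of the original post: it reports the result of a real demand, the zone evidence attached to the assembly, and the permission set that policy resolves for that evidence, using the .NET 2.0-era CAS API the question targets. The namespace and class names are hypothetical.

```csharp
using System;
using System.Collections;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

namespace CasDiagnostics // hypothetical name, not from the original post
{
    static class Program
    {
        static void Main()
        {
            Console.WriteLine("Runtime version: {0}", Environment.Version);

            // 1. What the running code actually holds: a demand walks the call stack.
            try
            {
                new FileIOPermission(PermissionState.Unrestricted).Demand();
                Console.WriteLine("Demand for unrestricted FileIOPermission: succeeded");
            }
            catch (SecurityException ex)
            {
                Console.WriteLine("Demand for unrestricted FileIOPermission: failed ({0})", ex.Message);
            }

            // 2. Evidence and policy. Reading evidence is itself a protected operation,
            //    so a genuinely restricted assembly may be refused here.
            try
            {
                Evidence evidence = Assembly.GetExecutingAssembly().Evidence;
                IEnumerator host = evidence.GetHostEnumerator();
                while (host.MoveNext())
                {
                    Zone zone = host.Current as Zone;
                    if (zone != null)
                        Console.WriteLine("Zone evidence: {0}", zone.SecurityZone);
                }

                // Permission set that policy resolves for this evidence.
                PermissionSet fromPolicy = SecurityManager.ResolvePolicy(evidence);
                Console.WriteLine("Policy grant is unrestricted: {0}", fromPolicy.IsUnrestricted());
                Console.WriteLine(fromPolicy);
            }
            catch (SecurityException ex)
            {
                Console.WriteLine("Evidence/policy inspection denied: {0}", ex.Message);
            }
        }
    }
}
```

Running it from the same share makes it possible to compare the zone evidence and policy result with the outcome of the demand on the installed runtime.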
 
