setting permissions / trusting company via certificate?

We're in the process of moving a lot of our java web clients over to .NET and a problem we're facing is the fact of permissions on the computers. In the java world you can sign your classes, and be prompted as to whether you trust the applet's signing or not and give it full permissions.

Obviously we would like to do a similar thing with our .NET clients, because asking our customers to manually change their permissions on every client machine is pretty much out of the question.

At the moment I've just got my system to have full permissions for anything on the local intranet as I'm yet to find a way to solve this problem.

Any ideas? Surely there has to be something similar to java's security pop-up for .Net?

thanks

Hi
.Net does indeed have something similar to Java. If you go to the Microsoft Security Developer Centre on MSDN, you can download a pdf file entitled 'Improving Web Application Security'. This gives very extensive details of Code Access Security.

Here's a link:
http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnnetsec/html/threatcounter.asp

Hope this helps

Chris Seary

.NET 2 ClickOnce has some similar capability to Java's popup
"trust this signed code by Joe Hacker to do anything".
- Mitch

Hi,
thanks for link Chris, I'll have a thorough read through it, although at first glance I can't find the information I need.

Our control will need Full access so we can write to the EventLog and a few other things, so basically if we don't have the right permissions (which by default we won't) I just want it to pop up, ask them to grant access and bingo our code can run. But I can't find example code for anything like that, I can find plenty about finding out what access we do have, and how to specify what access we need. But nothing about requesting more access.

Mitch, they're windows user/custom controls, so ClickOnce isn't relevant for this (unfortunately), they're just controls embedded into a HTML page with <object> tags.

Kris Wragg

With plain CAS this is not possible without changing the client's security
policy (which requires an administrator).

If you need that control inside of a browser you are stuck here. If you want to convert it to a "standalone" application (which is really the same, but not hosted in IE), you can use ClickOnce in .NET 2.0.

You can read more here:
http://www.leastprivilege.com/BewareBeAwareOfClickOnceDefaultSettings.aspx

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Thanks for that Dominick, I'm just looking into policies at the moment,
I'm trying to change the policy on my current system so that we can just ask them to change their policy to give full trust to our strong name and/or our Publisher Certificate.

But so far I'm not having any luck with that, my controls won't load in IE once I remove my trust all for local intranet and then trust my strong name, I also digitally signed my dll with our Thawte certificate and tried to trust our publishing certificate, and yet again it didn't work.

Are there problems with .Net's trusting policies? Surely if I give full access for my strong name and certificate it shouldn't stop my control from loading? Once I give full trust to everything in my local intranet again it suddenly works...

any ideas why trusting strong names and publishers doesn't work?

Hi,
the config tool can be confusing - starting from the default settings, all you have to do is to add a child code group under

    Machine/CodeGroups/All_Code/LocalIntranet_Zone

Use a URL or Publisher evidence and assign the full trust permission set for a start ...

does that work?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

URL works, Publisher doesn't. I'd much prefer Publisher as who knows
where the end-users will host our product in their intranet.

It's quite strange how the same .dll's control can work fine with fulltrust for everything, fulltrust for a URL, but not for strong name and publisher which I would have thought would be the preferred choice for most people as it's more secure.

Very strange... any ideas why publisher and strong name don't work? =( .Net is becoming a major thorn in my side... who said all these new languages made things easier? I'll have to look for a job working in C hehe

This is the expected behaviour for IE-hosted controls. The permission grant
is evaluated before the control assembly is actually loaded, so evidence "internal" to the assembly isn't used during code group membership evaluation. As you've already discovered, using a URL membership condition for your extended permission code group is one workaround. Assertion can also be used if you would prefer to stick with signature evidence for your code group (see http://blogs.msdn.com/shawnfa/archive/2003/06/26/57026.aspx for details).

added benefit of grant based on publisher is that it works for all
assemblies signed by that "trusted" publisher.
Easy to spoof urls .. so publisher condition is better assuming you really trust the person protecting the private key associated with the publisher's certificate.
- Mitch Gallant
MVP Security

Thanks for your help so far :) what I don't understand is why my test
control won't load normally without full access... it's just a windows control with a textbox and a button, that's it, no other code... yet it needs full access to work... I changed the "All Code" permissions under LocalIntranet to Everything and it wouldn't work... which is very strange...

All this policy stuff is very confusing, surely there aren't things in a windows control that need such high security? I want this to work so we have access to event log and other access rights, but the fact a test application won't even work is most irritating :(

What use is this assert if I need full access for it to work? I can't find no FullAccessPermission...

Does your control assembly have any unverifiable (unsafe) code? If not,
does it contain any assembly-level permission attributes? If you're not sure, could you please post the full code for the AssemblyInfo and control class files from your control assembly?

Nicole Calinoiu wrote:
> Does your control assembly have any unverifiable (unsafe) code? If not,
> does it contain any assembly-level permission attributes? If you're not
> sure, could you please post the full code for the AssemblyInfo and control
> class files from your control assembly?

currently the only code in my control is in the constructor and it looks like this:

    new System.Security.Permissions.UIPermission(PermissionState.Unrestricted).Assert();
    InitializeComponent();

where InitializeComponent() just creates a textbox and a button and assigns their text, size etc... it's basically just the simplest little control you can knock up to test whether something shows or doesn't show... and unless I'm giving everything full access, it's not showing ;-)

I really don't understand why Microsoft have made such a simple thing so difficult, didn't they make .Net and C# to try and make people move away from Java? I've spent over a full day now working on something that can be solved in a few minutes with Java =(

"Xafier" <xaf***@xafiers-home.com> wrote in message news:1141914506.689338.183660@e56g2000cwe.googlegroups.com...
> Nicole Calinoiu wrote:
>> Does your control assembly have any unverifiable (unsafe) code? If not,
>> does it contain any assembly-level permission attributes? If you're not
>> sure, could you please post the full code for the AssemblyInfo and
>> control class files from your control assembly?
>
> currently the only code in my control is in the constructor and it
> looks like this:
>
> new System.Security.Permissions.UIPermission(PermissionState.Unrestricted).Assert();
> InitializeComponent();

Why are you asserting unrestricted UIPermission here if all your control is doing is showing a text box and button?

> where InitializeComponent() just creates a textbox and a button and
> assigns their text, size etc...

Could you please provide the complete control code as well as that of your AssemblyInfo file? I cannot reproduce the problem simply by adding a text box and a button to a custom control.

> it's basically just the simplest little
> control you can knock up to test whether something shows or doesn't
> show... and unless I'm giving everything full access, it's not showing
> ;-)

Then there's something else at work. Simply adding a text box and a button is insufficient to prevent a custom control from loading under the default intranet permission set. Also, have you tried logging the control loading progress as described at http://support.microsoft.com/kb/313892/? If the log output shows any errors, could you please post the details?

> I really don't understand why Microsoft have made such a simple thing
> so difficult, didn't they make .Net and C# to try and make people move
> away from Java? I've spent over a full day now working on something
> that can be solved in a few minutes with Java =(

Perhaps because you're already familiar with the Java approach? Climbing the learning curve does take time for any product...

Nicole Calinoiu wrote:
> Then there's something else at work. Simply adding a text box and a button
> is insufficient to prevent a custom control from loading under the default
> intranet permission set. Also, have you tried logging the control loading
> progress as described at http://support.microsoft.com/kb/313892/? If the
> log output shows any errors, could you please post the details?

Wow, thanks, I've been trying to find how to log the errors for quite a while, debugging by attaching to the process is very unproductive and doesn't give away much information...

I got this error in my log:

    Microsoft.IE.SecureFactory: Trying to create instance of type http://localhost/WebTesterWinControl.dll#WebTesterWinControl.UserControl1
    Microsoft.IE.SecureFactory: System.IO.FileLoadException: Could not load file or assembly 'WebTesterWinControl, Version=1.0.2259.27663, Culture=neutral, PublicKeyToken=976427c386f67315' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)
    File name: 'WebTesterWinControl, Version=1.0.2259.27663, Culture=neutral, PublicKeyToken=976427c386f67315' ---> System.IO.FileLoadException: Could not load file or assembly 'http://localhost/WebTesterWinControl.dll' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)
    File name: 'http://localhost/WebTesterWinControl.dll'
       at System.Reflection.Assembly.nLoad(AssemblyName fileName, String codeBase, Evidence assemblySecurity, Assembly locationHint, StackCrawlMark& stackMark, Boolean throwOnFileNotFound, Boolean forIntrospection)
       at System.Reflection.Assembly.InternalLoad(AssemblyName assemblyRef, Evidence assemblySecurity, StackCrawlMark& stackMark, Boolean forIntrospection)
       at System.Reflection.Assembly.InternalLoadFrom(String assemblyFile, Evidence securityEvidence, Byte[] hashValue, AssemblyHashAlgorithm hashAlgorithm, Boolean forIntrospection, StackCrawlMark& stackMark)
       at System.Reflection.Assembly.LoadFrom(String assemblyFile, Evidence securityEvidence, Byte[] hashValue, AssemblyHashAlgorithm hashAlgorithm)
       at System.Activator.CreateComInstanceFrom(String assemblyName, String typeName, Byte[] hashValue, AssemblyHashAlgorithm hashAlgorithm)
       at System.AppDomain.CreateComInstanceFrom(String assemblyFile, String typeName, Byte[] hashValue, AssemblyHashAlgorithm hashAlgorithm)
       at System.AppDomain.CreateComInstanceFrom(String assemblyFile, String typeName, Byte[] hashValue, AssemblyHashAlgorithm hashAlgorithm)
       at Microsoft.IE.SecureFactory.CreateInstanceWithSecurity(Int32 dwFlag, Int32 dwZone, String pURL, String uniqueIdString, String link, String licenses)
    Microsoft.IE.SecureFactory: LOG exception

(not sure how that's going to turn out)

my app.config looks like this:

    using System.Reflection;
    using System.Runtime.CompilerServices;
    using System.Runtime.InteropServices;

    // General Information about an assembly is controlled through the following
    // set of attributes. Change these attribute values to modify the information
    // associated with an assembly.
    [assembly: AssemblyTitle("WebTesterWinControl")]
    [assembly: AssemblyDescription("")]
    [assembly: AssemblyConfiguration("")]
    [assembly: AssemblyCompany("")]
    [assembly: AssemblyProduct("WebTesterWinControl")]
    [assembly: AssemblyCopyright("Copyright © 2006")]
    [assembly: AssemblyTrademark("")]
    [assembly: AssemblyCulture("")]

    // Setting ComVisible to false makes the types in this assembly not visible
    // to COM components. If you need to access a type in this assembly from
    // COM, set the ComVisible attribute to true on that type.
    [assembly: ComVisible(false)]

    // The following GUID is for the ID of the typelib if this project is exposed to COM
    [assembly: Guid("a77e7c1b-710c-4092-af66-fc4d72f56c1d")]

    // Version information for an assembly consists of the following four values:
    //
    //      Major Version
    //      Minor Version
    //      Build Number
    //      Revision
    //
    // You can specify all the values or you can default the Revision and Build Numbers
    // by using the '*' as shown below:
    [assembly: AssemblyVersion("1.0.*")]
    [assembly: AssemblyFileVersion("1.0.0.0")]

as for the full code... I'll find another way to upload it, but basically as I said I just created a control and added a textbox and button...

Sorry if I'm being a royal pain in the rear :) I'm just having a hard time here... I'm only a placement student for a company and I need to solve this problem because we go live with a .Net product for VISA by the end of the month =\

thanks a lot for your help so far

Certainly. Personally, I would probably use both URL and publisher evidence
together (within deployment zone only), but then I'm a bit of a hard-ass when it comes to "narrow" policy changes... ;) That said, using publisher evidence in the control case means making assertions, and those are potentially risky as well. For someone who isn't familiar with mitigating assertion risks, using URL evidence within the intranet zone might actually be a somewhat safer choice.

Well, after some tinkering around I've managed to get my tester control
to load with no extra permissions so long as I don't assign a strong name to it... which is very odd... if I give it a strong name the exact same code gives this error in my IEHost error log:

    Microsoft.IE.SecureFactory: Trying to create instance of type http://localhost/WebTesterWinControl.dll#WebTesterWinControl.UserControl1
    Microsoft.IE.SecureFactory: System.Security.SecurityException: That assembly does not allow partially trusted callers.
       at System.Security.CodeAccessSecurityEngine.ThrowSecurityException(Assembly asm, PermissionSet granted, PermissionSet refused, RuntimeMethodHandle rmh, SecurityAction action, Object demand, IPermission permThatFailed)
       at System.RuntimeTypeHandle.CreateInstance(RuntimeType type, Boolean publicOnly, Boolean noCheck, Boolean& canBeCached, RuntimeMethodHandle& ctor, Boolean& bNeedSecurityCheck)
       at System.RuntimeType.CreateInstanceSlow(Boolean publicOnly, Boolean fillCache)
       at System.RuntimeType.CreateInstanceImpl(Boolean publicOnly, Boolean skipVisibilityChecks, Boolean fillCache)
       at System.Activator.CreateInstance(Type type, Boolean nonPublic)
       at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
       at System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
       at System.Activator.CreateComInstanceFrom(String assemblyName, String typeName, Byte[] hashValue, AssemblyHashAlgorithm hashAlgorithm)
       at System.AppDomain.CreateComInstanceFrom(String assemblyFile, String typeName, Byte[] hashValue, AssemblyHashAlgorithm hashAlgorithm)
       at System.AppDomain.CreateComInstanceFrom(String assemblyFile, String typeName, Byte[] hashValue, AssemblyHashAlgorithm hashAlgorithm)
       at Microsoft.IE.SecureFactory.CreateInstanceWithSecurity(Int32 dwFlag, Int32 dwZone, String pURL, String uniqueIdString, String link, String licenses)
    The action that failed was:
    LinkDemand
    Microsoft.IE.SecureFactory: LOG exception
    Microsoft.IE.SecureFactory: Creating log entry ?FusionBindError!name=WebTesterWinControl.dll WebTesterWinControl.UserControl1

Any ideas why strong naming would cause an error? strong naming is the only difference between the two builds

As soon as you SN an assembly, it can be potentially installed in the GAC
and can be called by partially trusted code. Your code may not be ready to be called from partial trust, that's why the compiler shields you by putting LinkDemands for FullTrust on every public member.

To allow assemblies to be called from partial trust - add the following to your assemblyinfo.cs

    using System.Security;   // namespace of AllowPartiallyTrustedCallersAttribute

    [assembly: AllowPartiallyTrustedCallers]

the above mentioned precautions apply.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

I would just like to thank all of you for your time and help in this
problem, I have finally managed to get my test application working without giving full trust to all code, and I have successfully managed to write to the EventLog also :)

Just a few quick questions:

1) if I do new EventLogPermission(PermissionState.Unrestricted).Assert(); in my constructor will that mean I have EventLog access throughout that class or just in the public procedure it's called in?

ie, will I need to Assert permissions for every procedure something I don't have access to under localintranet is called in?

2) what's the best method to assert multiple permissions?

3) I understand there are various security issues with the methods we've had to employ, could anyone provide (if you have links at hand) details to what we should do to make things as secure as possible and what risks are involved.

Again, thanks a lot for all your help, you've been fantastic, this is probably one of the hardest tasks to get information on since I started with C# and .Net 9 months ago. Information on all this is very spread out and hard to find, googling alone I don't think I'd have solved this... thank the lord for newsgroups!

Kris Wrag

cool. glad you figured it out.

> 1) if I do new
> EventLogPermission(PermissionState.Unrestricted).Assert(); in my
> constructor will that mean I have EventLog access throughout that
> class or just in the public procedure it's called in?

None of the above - CAS is stack based. If you assert in the ctor - only code that gets called by the ctor will have the assert in effect.

to give your whole class EventLog permission, you can put an attribute on top of your class declaration, e.g.

    [EventLogPermission(SecurityAction.Assert, Unrestricted=true)]
    class foo {}

Personally I think you should design your class in a way that event log access is consolidated in a few methods, and assert the permission there.

> 2) whats the best method to assert multiple permissions?

programmatically: construct a PermissionSet, e.g.

    PermissionSet ps = new PermissionSet(PermissionState.None);
    ps.AddPermission(new EventLogPermission...);
    ps.AddPermission(new FooPermission...);
    ps.Assert();

declaratively: just stack multiple attributes

HTH

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Thanks Dominick, well now I have most of the information I need I've
passed this on to the main developer working on the controls, currently now writing up details regarding this issue for if/when anyone else in the company needs to do anything similar.

At least this experience has allowed me to get away from being a code monkey for a few days, it's always nice to do something different whilst working on a placement. Can get tiresome doing the same sort of thing every day... how nice to realise I have another 40+ years of this yet haha

thanks a lot

Kris Wragg

PS. by chance is there a list of what things need specific permissions? it would be interesting to be able to look at a list instead of looking each individual procedure/class on MSDN.
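
An added example, not code posted by anyone in this thread: one way to follow Dominick Baier's advice of consolidating event log access in a single method, asserting several narrowly scoped permissions through one PermissionSet and reverting the assert before returning. It assumes .NET Framework 2.0 code access security; the AuditLog helper, the "WebTesterWinControl" event source and the message length cap are hypothetical.

```csharp
// Added example (not from the thread). .NET Framework 2.0 code access security.
using System;
using System.Diagnostics;
using System.Security;
using System.Security.Permissions;
using System.Text;
using System.Windows.Forms;

// Needed once the control assembly is strong-named and created by the
// partially trusted IE host (the LinkDemand failure shown in the thread).
[assembly: AllowPartiallyTrustedCallers]

namespace WebTesterWinControl
{
    // Hypothetical helper: the only place in the assembly that asserts.
    internal static class AuditLog
    {
        // Assumption: an installer registered this event source beforehand.
        private const string Source = "WebTesterWinControl";
        private const int MaxMessageLength = 512; // assumed cap

        internal static void Write(string message, EventLogEntryType type)
        {
            // Prepare the text before asserting, so no caller-supplied data
            // is processed while the stack walk is being cut short.
            string text = Sanitize(message);

            // Only one Assert may be active per stack frame, so several
            // permissions go into one PermissionSet. Each entry is scoped
            // narrowly instead of using PermissionState.Unrestricted.
            PermissionSet needed = new PermissionSet(PermissionState.None);
            needed.AddPermission(
                new EventLogPermission(EventLogPermissionAccess.Write, "."));
            needed.AddPermission(
                new EnvironmentPermission(EnvironmentPermissionAccess.Read, "COMPUTERNAME"));

            // An assert is only effective for permissions that policy has
            // granted to this assembly (the URL or publisher code group),
            // and the assembly also needs SecurityPermissionFlag.Assertion.
            needed.Assert();
            try
            {
                // Both calls run below this frame, so both see the assert.
                EventLog.WriteEntry(Source, Environment.MachineName + ": " + text, type);
            }
            finally
            {
                // Remove the assert explicitly so nothing else executed in
                // this frame inherits the elevated view of the stack.
                CodeAccessPermission.RevertAssert();
            }
        }

        // Bounds the length and replaces control characters, so that callers
        // cannot use the asserted write to forge multi-line log entries.
        private static string Sanitize(string message)
        {
            if (message == null)
            {
                return string.Empty;
            }
            StringBuilder sb = new StringBuilder();
            foreach (char c in message)
            {
                if (sb.Length == MaxMessageLength)
                {
                    break;
                }
                sb.Append(char.IsControl(c) ? ' ' : c);
            }
            return sb.ToString();
        }
    }

    // The public surface never accepts a source, log or machine name.
    public class UserControl1 : UserControl
    {
        public UserControl1()
        {
            Button save = new Button();
            save.Text = "Save";
            save.Click += delegate
            {
                AuditLog.Write("Save clicked", EventLogEntryType.Information);
            };
            Controls.Add(save);
        }
    }
}
```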