SecurityPermission problem

"Itay Sandbank" <ItaySandb***@discussions.microsoft.com> wrote (news:B50075F7-3042-45F6-901E-3B295B5D191A@microsoft.com):

I'm trying to understand how to use CAS, and found something strange. I'm trying to deny my program of a few permissions to see what happens. I created a small program that creates the file c:\hello.txt and exits:

    using System.IO;
    using System.Security.Permissions;

    [assembly: FileIOPermission(SecurityAction.RequestRefuse, ViewAndModify="c:\\")]
    namespace CodeAccessSecurity
    {
        class Program
        {
            static void Main(string[] args)
            {
                FileIOPermission fip = new FileIOPermission(FileIOPermissionAccess.AllAccess, "c:\\hello.txt");
                fip.Demand();
                FileStream fw = new FileStream("c:\\hello.txt", FileMode.Create);
            }
        }
    }

When I run it, I see a SecurityException thrown, as can be expected. However, it is thrown when I create the FileStream and not when I Demand the FileIOPermission.

When running from the local intranet zone (I changed the debugger's security settings), the exception is thrown on the Demand - as I expected in the first place.

What's going on here?

Thanks,
Itay.

"Nicole Calinoiu" wrote, in reply to news:B50075F7-3042-45F6-901E-3B295B5D191A@microsoft.com:

The Demand method skips the call stack frame for the method from which it is called. In order to have your assembly included in the stack walk initiated by Demand, you'll need to move it into a separate method since the Main method has no within-assembly callers. e.g.:

    static void Main(string[] args)
    {
        DemandFileIOPermission();
        FileStream fw = new FileStream("c:\\hello.txt", FileMode.Create);
    }

    private static void DemandFileIOPermission()
    {
        FileIOPermission fip = new FileIOPermission(FileIOPermissionAccess.AllAccess, "c:\\hello.txt");
        fip.Demand();
    }

"Itay Sandbank" <ItaySandb***@discussions.microsoft.com> wrote (news:2D68C4F7-E524-46A8-B62D-4BB2FCB0C0C0@microsoft.com):

I get it, thanks.

This is confusing behavior - having Demand check ALMOST everything. Is there a reason for it or is it a bug?

Itay.

Reply to news:2D68C4F7-E524-46A8-B62D-4BB2FCB0C0C0@microsoft.com:

This is by design (see the remarks section at http://msdn.microsoft.com/library/en-us/cpref/html/frlrfsystemsecuritycodeaccesspermissionclassdemandtopic.asp for details). Demands are intended to be made by code defining resources that require protection. Their purpose is to determine whether code attempting to use a resource possesses the necessary permission(s), not whether the code defining the resource has those same permissions.

For example, the FileStream code that actually accesses a file on disk makes a FileIOPermission demand. It defines the resource, so it makes the demand. Since it's calling into unmanaged code, it gets subjected to a different demand. However, there's no point in asking it to fulfill the FileIOPermission demand that it invokes since it can obviously bypass that same demand simply by not making it in the first place.
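Added example, not part of the original thread: a small Python model of the stack walk the replies describe, showing why the demand made directly in Main succeeds while the demands made by FileStream or by a helper method fail. The Frame class, the REFUSED table and the function names are constructed for this sketch; it models only per-assembly grants and the skipped calling frame, not AppDomain grants or Assert/Deny/PermitOnly modifiers.

```python
from dataclasses import dataclass

class SecurityException(Exception):
    """Stands in for System.Security.SecurityException in this model."""

@dataclass(frozen=True)
class Frame:
    method: str
    assembly: str

# Constructed grant data: path prefixes refused to each assembly.
REFUSED = {
    "App": ["c:\\"],   # mirrors RequestRefuse with ViewAndModify="c:\\" in the post
    "mscorlib": [],    # framework assembly, nothing refused
}

def is_granted(assembly, path):
    """True if no refused prefix of the assembly covers the path."""
    return not any(path.lower().startswith(p.lower()) for p in REFUSED[assembly])

def demand(stack, path):
    """stack[-1] is the method that calls Demand; that frame is skipped.
    Every frame beneath it (its direct and indirect callers) is checked."""
    for frame in reversed(stack[:-1]):
        if not is_granted(frame.assembly, path):
            raise SecurityException(
                f"{frame.assembly}!{frame.method} lacks FileIOPermission for {path}")

def outcome(stack, path="c:\\hello.txt"):
    """Run the modelled demand and report what the caller would observe."""
    try:
        demand(stack, path)
        return "demand succeeds"
    except SecurityException as exc:
        return f"SecurityException: {exc}"

MAIN = Frame("Program.Main", "App")
# 1. Original post: Main calls Demand itself, so no frame is left to check.
DIRECT = [MAIN]
# 2. FileStream's constructor makes the demand; Main is now a caller and is checked.
VIA_FILESTREAM = [MAIN, Frame("FileStream..ctor", "mscorlib")]
# 3. Fix from the reply: a helper makes the demand, so Main's frame is checked.
VIA_HELPER = [MAIN, Frame("Program.DemandFileIOPermission", "App")]

if __name__ == "__main__":
    for name, stack in [("direct", DIRECT), ("FileStream", VIA_FILESTREAM),
                        ("helper", VIA_HELPER)]:
        print(f"{name:10} -> {outcome(stack)}")
```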