all groups > dotnet security > august 2005 >
You're in the

dotnet security

group:

CAS Permission Sets


Re: CAS Permission Sets Jeppe Dige Jespersen
8/12/2005 12:00:00 AM
dotnet security: Nice. Thank you so much.

Jeppe D. Jespersen
Denmark

Re: CAS Permission Sets Nicole Calinoiu
8/12/2005 7:20:27 AM
[quoted text, click to view]

The biggest difference is that FullTrust isn't really set of defined
permissions. Instead, it's essentially a marker that the assembly should
pass any permission demand. On the other hand, Everything is a normal
permission set that defines a list of permissions that happens to contain
essentially all of permissions included in the core .NET Framework, with the
exception of SecurityPermission\SkipVerification. Any additional
permissions that might happen to be installed on the machine (say, a custom
permission that you might create) will not be included in the Everthing
group.


[quoted text, click to view]

This is not correct. Assemblies with a FullTrust grant are subjected to
permission checking. They simply pass any permission demand (with the
exception of demands for identity permissions in the v. 1.x framework).


[quoted text, click to view]

You can't bypass permission verification by granting FullTrust, so this
isn't a good reason for a FullTrust grant. There are, however, several
potentially valid reasons for choosing an Everything grant over a FullTrust
grant, including:

1. You don't want to grant the assembly
SecurityPermission\SkipVerification.

2. You don't want to automatically grant the assembly potentially unknown
custom permissions that might have been installed by other software.

3. You don't want the assembly to pass demands for FullTrust (including the
LinkDemands generated when attempting to call into a strongly named
assembly not marked by AllowPartiallyTrustedCallersAttribute).

That said, there are several "dangerous" permissions included in the
Everything set that you might also want to deny to assemblies that meet any
of these criteria. However, as a built-in permission set, Everything is not
modifiable. Therefore, in practice, one might prefer to assign a custom
permission set that includes a few less permissions than Everything.


[quoted text, click to view]

CAS Permission Sets Jeppe Dige Jespersen
8/12/2005 9:06:15 AM
Hi,

Can someone clarify the difference between the FullTrust and the Everything
permission sets? I know that a FullTrust assembly will not undergo
permission checking, but why give an assembly Everything permissions, when
you could omit checking altogether with the FullTrust set?

Thanks,
Jeppe D. Jespersen
Denmark


Got something to say? Click here to post a reply to this thread.
Don't see what you're looking for? Try a search.
View other messages in the dotnet security group.
AddThis Social Bookmark Button
View Other Months
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
home · blog · groups Questions? Comments? Contact the dn