> Hey Dominick,
>
> I did indeed get this code running and was able to create the desired
> code
> groups and perm sets. Thanks a ton!
> However, I couldn't quite figure out exactly where to get this Install
> method that is overridden. All that I have worked with Setup projects,
> I have
> purely done with the GUI. I'm not sure where I can fit this code in
> the
> project. I believe I'll have to create an exe for this and put it in
> as a
> custom action during install, and put the code for removing it in a
> similar
> action during uninstall. Am I correct in this assumption?
> "Dominick Baier [DevelopMentor]" wrote:
>
>> hi,
>>
>> this is part of an msi installer project - and should get you
>> started...don't forget the uninstall action :)
>>
>> // this code will run when the MSI file is installed public override
>> void Install(IDictionary stateSaver) {
>>
>> // first need to find the machine policy,
>> // which is where we'll make our changes
>> PolicyLevel machinePolicy = _findPolicyLevel("Machine");
>> if (null == machinePolicy) {
>> // sanity check - this should never happen
>> throw new ApplicationException("Failed to find the machine policy
>> in the PolicyHierarchy");
>> }
>> // we need to add a named permission set
>> // that includes whatever permissions we're granting
>> NamedPermissionSet nps = new NamedPermissionSet(permissionSetName,
>> PermissionState.None);
>> nps.Description = permissionSetDesc;
>> // TODO: add the permissions AcmeExpense needs
>> nps.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read,
>> @"c:\acme\expenses"));
>> nps.AddPermission(new
>> EnvironmentPermission(EnvironmentPermissionAccess.Read,
>> "EXPENSE"));
>> nps.AddPermission(new
>> SqlClientPermission(PermissionState.Unrestricted));
>> nps.AddPermission(new
>> DataProtectionPermission(PermissionState.Unrestricted));
>> // add our named permission set to the machine policy level
>> // note that nothing is saved yet (we'll save at the end)
>> try {
>> machinePolicy.AddNamedPermissionSet(nps);
>> }
>> catch {
>> // duplicate name - update the existing one with the same name
>> machinePolicy.ChangeNamedPermissionSet(nps.Name, nps);
>> }
>> // now we need to create a code group that matches all assemblies
>> // that we ship with AcmeExpense - one way of doing this is to
>> // match the strong name we assign to that application (although
>> // depending on how you manage strong names, this might cover
>> // a wider set of assemblies)
>> CodeGroup cg = new UnionCodeGroup(
>> new StrongNameMembershipCondition(
>> new StrongNamePublicKeyBlob(acmePublicKey),
>> null, // match regardless of assembly's simple name
>> null), // match regardless of assembly's version
>> new PolicyStatement(nps,
>> PolicyStatementAttribute.Nothing) // no LevelFinal or Exclusive
>> attribute on this code group
>> );
>> cg.Name = codeGroupName;
>> cg.Description = codeGroupDesc;
>> // code groups with duplicate names are legal, but messy and
>> confusing,
>> // so we make sure to first remove any existing code groups with
>> our name
>> _removeCodeGroupsByName(machinePolicy.RootCodeGroup, cg.Name);
>> // add our new code group (note we've not saved yet).
>> machinePolicy.RootCodeGroup.AddChild(cg);
>>
>> // finally, save all changes atomically.
>> SecurityManager.SavePolicyLevel(machinePolicy);
>> }
>> PolicyLevel _findPolicyLevel(string labelWeWant) {
>> IEnumerator policyLevelEnumerator =
>> SecurityManager.PolicyHierarchy();
>> PolicyLevel found = null;
>> while (policyLevelEnumerator.MoveNext()) {
>> PolicyLevel lvl = (PolicyLevel)policyLevelEnumerator.Current;
>> if (labelWeWant == lvl.Label) {
>> found = lvl;
>> }
>> }
>> return found;
>> }
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
>>> Hey,
>>>
>>> I'm not sure if this can be done, but here's what I require:
>>>
>>> I have a windows application that needs to be secured in a code
>>> group with limited permissions to write to a log folder, and to
>>> download certain files before startup. Issue is that this happens to
>>> be running on a restricted user login. And also, i need to prevent
>>> malicious files from accessing this application.
>>>
>>> The solution for the first issue is the cacls exe that I've managed
>>> to use and put together certain code that does the trick for me. Is
>>> there any other/better way to do it? I basically need write
>>> permission on a folder in the Program Files application directory to
>>> write some logs, and write permission on another folder to download
>>> some files through the application.
>>>
>>> The second issue needs to be addressed using CAS. I know we can use
>>> the configuration manager of the framework in administrative tools
>>> to create the desired permission set and code group and then import
>>> the application assemblies/components into it to sign it.
>>>
>>> My queries:
>>>
>>> 1. How can I do the same that I manage to achieve with the config
>>> manager through some framework classes? I would be required to do
>>> this as a custom action while installation of the application
>>> through a setup project that I have.
>>>
>>> 2. Which would be the best condition on the basis of which I should
>>> create my code group? There are 7 of them, and I do intend to strong
>>> name the app anyway. Would the strong name be a sufficient enought
>>> condition for the code group? Or would some other condition serve
>>> the purpose better and more smartly?
>>>
>>> Any pointers are gladly appreciated.
>>> Cheers!
>>> Nick

"Dominick Baier [DevelopMentor]" wrote:

> hi,
>
> add a class lib to the installer project - and include its primary output
>
> add a class to that project:
>
> [RunInstaller(true)]
> public class MyInstaller : System.Configuration.Install.Installer
>
> and override the install/unistall methods.
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
> > Hey Dominick,
> >
> > I did indeed get this code running and was able to create the desired
> > code
> > groups and perm sets. Thanks a ton!
> > However, I couldn't quite figure out exactly where to get this Install
> > method that is overridden. All that I have worked with Setup projects,
> > I have
> > purely done with the GUI. I'm not sure where I can fit this code in
> > the
> > project. I believe I'll have to create an exe for this and put it in
> > as a
> > custom action during install, and put the code for removing it in a
> > similar
> > action during uninstall. Am I correct in this assumption?
> > "Dominick Baier [DevelopMentor]" wrote:
> >
> >> hi,
> >>
> >> this is part of an msi installer project - and should get you
> >> started...don't forget the uninstall action :)
> >>
> >> // this code will run when the MSI file is installed public override
> >> void Install(IDictionary stateSaver) {
> >>
> >> // first need to find the machine policy,
> >> // which is where we'll make our changes
> >> PolicyLevel machinePolicy = _findPolicyLevel("Machine");
> >> if (null == machinePolicy) {
> >> // sanity check - this should never happen
> >> throw new ApplicationException("Failed to find the machine policy
> >> in the PolicyHierarchy");
> >> }
> >> // we need to add a named permission set
> >> // that includes whatever permissions we're granting
> >> NamedPermissionSet nps = new NamedPermissionSet(permissionSetName,
> >> PermissionState.None);
> >> nps.Description = permissionSetDesc;
> >> // TODO: add the permissions AcmeExpense needs
> >> nps.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read,
> >> @"c:\acme\expenses"));
> >> nps.AddPermission(new
> >> EnvironmentPermission(EnvironmentPermissionAccess.Read,
> >> "EXPENSE"));
> >> nps.AddPermission(new
> >> SqlClientPermission(PermissionState.Unrestricted));
> >> nps.AddPermission(new
> >> DataProtectionPermission(PermissionState.Unrestricted));
> >> // add our named permission set to the machine policy level
> >> // note that nothing is saved yet (we'll save at the end)
> >> try {
> >> machinePolicy.AddNamedPermissionSet(nps);
> >> }
> >> catch {
> >> // duplicate name - update the existing one with the same name
> >> machinePolicy.ChangeNamedPermissionSet(nps.Name, nps);
> >> }
> >> // now we need to create a code group that matches all assemblies
> >> // that we ship with AcmeExpense - one way of doing this is to
> >> // match the strong name we assign to that application (although
> >> // depending on how you manage strong names, this might cover
> >> // a wider set of assemblies)
> >> CodeGroup cg = new UnionCodeGroup(
> >> new StrongNameMembershipCondition(
> >> new StrongNamePublicKeyBlob(acmePublicKey),
> >> null, // match regardless of assembly's simple name
> >> null), // match regardless of assembly's version
> >> new PolicyStatement(nps,
> >> PolicyStatementAttribute.Nothing) // no LevelFinal or Exclusive
> >> attribute on this code group
> >> );
> >> cg.Name = codeGroupName;
> >> cg.Description = codeGroupDesc;
> >> // code groups with duplicate names are legal, but messy and
> >> confusing,
> >> // so we make sure to first remove any existing code groups with
> >> our name
> >> _removeCodeGroupsByName(machinePolicy.RootCodeGroup, cg.Name);
> >> // add our new code group (note we've not saved yet).
> >> machinePolicy.RootCodeGroup.AddChild(cg);
> >>
> >> // finally, save all changes atomically.
> >> SecurityManager.SavePolicyLevel(machinePolicy);
> >> }
> >> PolicyLevel _findPolicyLevel(string labelWeWant) {
> >> IEnumerator policyLevelEnumerator =
> >> SecurityManager.PolicyHierarchy();
> >> PolicyLevel found = null;
> >> while (policyLevelEnumerator.MoveNext()) {
> >> PolicyLevel lvl = (PolicyLevel)policyLevelEnumerator.Current;
> >> if (labelWeWant == lvl.Label) {
> >> found = lvl;
> >> }
> >> }
> >> return found;
> >> }
> >> ---------------------------------------
> >> Dominick Baier - DevelopMentor
> >> http://www.leastprivilege.com
> >>> Hey,
> >>>
> >>> I'm not sure if this can be done, but here's what I require:
> >>>
> >>> I have a windows application that needs to be secured in a code
> >>> group with limited permissions to write to a log folder, and to
> >>> download certain files before startup. Issue is that this happens to
> >>> be running on a restricted user login. And also, i need to prevent
> >>> malicious files from accessing this application.
> >>>
> >>> The solution for the first issue is the cacls exe that I've managed
> >>> to use and put together certain code that does the trick for me. Is
> >>> there any other/better way to do it? I basically need write
> >>> permission on a folder in the Program Files application directory to
> >>> write some logs, and write permission on another folder to download
> >>> some files through the application.
> >>>
> >>> The second issue needs to be addressed using CAS. I know we can use
> >>> the configuration manager of the framework in administrative tools
> >>> to create the desired permission set and code group and then import
> >>> the application assemblies/components into it to sign it.
> >>>
> >>> My queries:
> >>>
> >>> 1. How can I do the same that I manage to achieve with the config
> >>> manager through some framework classes? I would be required to do
> >>> this as a custom action while installation of the application
> >>> through a setup project that I have.
> >>>
> >>> 2. Which would be the best condition on the basis of which I should
> >>> create my code group? There are 7 of them, and I do intend to strong
> >>> name the app anyway. Would the strong name be a sufficient enought
> >>> condition for the code group? Or would some other condition serve
> >>> the purpose better and more smartly?
> >>>
> >>> Any pointers are gladly appreciated.
> >>> Cheers!
> >>> Nick
>
>