| Groups | Blog | Home |
dotnet security : SecurityPermission problem
Hi.
I'm trying to understand how to use CAS, and found something strange. I'm trying to deny my program of a few permissions to see what happens. I created a small program that creates the file c:\hello.txt and exits: [assembly: FileIOPermission(SecurityAction.RequestRefuse, ViewAndModify="c:\\")] namespace CodeAccessSecurity { class Program { static void Main(string[] args) { FileIOPermission fip = new FileIOPermission(FileIOPermissionAccess.AllAccess, "c:\\hello.txt"); fip.Demand(); FileStream fw = new FileStream("c:\\hello.txt", FileMode.Create); } } } When I run it, I see a SecurityException thrown, as can be expected. However, it is thrown when I create the FileStream and not when I Demand the FileIOPermission. When running from the local intranet zone (I changed the debugger's security settings), the exception is thrown on the Demand - as I expected in the first place. What's going on here? Thanks,
I get it, thanks.
This is confusing behavior - having Demand check ALMOST everything. Is there a reason for it or is it a bug? Itay. [quoted text, click to view] "Nicole Calinoiu" wrote:
> The Demand method skips the call stack frame for the method from which it is > called. In order to have your assembly included in the stack walk initiated > by Demand, you'll need to move it into a separate method since the Main > method has no within-assembly callers. e.g.: > > static void Main(string[] args) > { > DemandFileIOPermission(); > FileStream fw = new FileStream("c:\\hello.txt", FileMode.Create); > } > > private static void DemandFileIOPermission() > { > FileIOPermission fip = new > FileIOPermission(FileIOPermissionAccess.AllAccess, "c:\\hello.txt"); > fip.Demand(); > } > > > "Itay Sandbank" <ItaySandbank@discussions.microsoft.com> wrote in message > news:B50075F7-3042-45F6-901E-3B295B5D191A@microsoft.com... > > Hi. > > > > I'm trying to understand how to use CAS, and found something strange. I'm > > trying to deny my program of a few permissions to see what happens. I > > created > > a small program that creates the file c:\hello.txt and exits: > > > > [assembly: FileIOPermission(SecurityAction.RequestRefuse, > > ViewAndModify="c:\\")] > > namespace CodeAccessSecurity > > { > > class Program > > { > > static void Main(string[] args) > > { > > FileIOPermission fip = new > > FileIOPermission(FileIOPermissionAccess.AllAccess, "c:\\hello.txt"); > > fip.Demand(); > > FileStream fw = new FileStream("c:\\hello.txt", > > FileMode.Create); > > } > > } > > } > > > > When I run it, I see a SecurityException thrown, as can be expected. > > However, it is thrown when I create the FileStream and not when I Demand > > the > > FileIOPermission. > > > > When running from the local intranet zone (I changed the debugger's > > security settings), the exception is thrown on the Demand - as I expected > > in > > the first place. > > > > What's going on here? > > > > Thanks, > > Itay. >
The Demand method skips the call stack frame for the method from which it is
called. In order to have your assembly included in the stack walk initiated by Demand, you'll need to move it into a separate method since the Main method has no within-assembly callers. e.g.: static void Main(string[] args) { DemandFileIOPermission(); FileStream fw = new FileStream("c:\\hello.txt", FileMode.Create); } private static void DemandFileIOPermission() { FileIOPermission fip = new FileIOPermission(FileIOPermissionAccess.AllAccess, "c:\\hello.txt"); fip.Demand(); } [quoted text, click to view] "Itay Sandbank" <ItaySandbank@discussions.microsoft.com> wrote in message
news:B50075F7-3042-45F6-901E-3B295B5D191A@microsoft.com... > Hi. > > I'm trying to understand how to use CAS, and found something strange. I'm > trying to deny my program of a few permissions to see what happens. I > created > a small program that creates the file c:\hello.txt and exits: > > [assembly: FileIOPermission(SecurityAction.RequestRefuse, > ViewAndModify="c:\\")] > namespace CodeAccessSecurity > { > class Program > { > static void Main(string[] args) > { > FileIOPermission fip = new > FileIOPermission(FileIOPermissionAccess.AllAccess, "c:\\hello.txt"); > fip.Demand(); > FileStream fw = new FileStream("c:\\hello.txt", > FileMode.Create); > } > } > } > > When I run it, I see a SecurityException thrown, as can be expected. > However, it is thrown when I create the FileStream and not when I Demand > the > FileIOPermission. > > When running from the local intranet zone (I changed the debugger's > security settings), the exception is thrown on the Demand - as I expected > in > the first place. > > What's going on here? > > Thanks, > Itay.
This is by design (see the remarks section at
http://msdn.microsoft.com/library/en-us/cpref/html/frlrfsystemsecuritycodeaccesspermissionclassdemandtopic.asp for details). Demands are intended to be made by code defining resources that require protection. Their purpose is to determine whether code attempting to use a resource possess the necessary permission(s), not whether the code defining the resource has those same permissions. For example, the FileStream code that actually accesses a file on disk makes a FileIOPermission demand. It defines the resource, so it makes the demand. Since it's calling into unmanaged code, it gets subjected to a different demand. However, there's no point in asking it to fulfill the FileIOPermission demand that it invokes since it can obviously bypass that same demand simply by not making it in the first place. [quoted text, click to view] "Itay Sandbank" <ItaySandbank@discussions.microsoft.com> wrote in message
news:2D68C4F7-E524-46A8-B62D-4BB2FCB0C0C0@microsoft.com... > I get it, thanks. > > This is confusing behavior - having Demand check ALMOST everything. Is > there a reason for it or is it a bug? > > Itay. > > "Nicole Calinoiu" wrote: > >> The Demand method skips the call stack frame for the method from which it >> is >> called. In order to have your assembly included in the stack walk >> initiated >> by Demand, you'll need to move it into a separate method since the Main >> method has no within-assembly callers. e.g.: >> >> static void Main(string[] args) >> { >> DemandFileIOPermission(); >> FileStream fw = new FileStream("c:\\hello.txt", FileMode.Create); >> } >> >> private static void DemandFileIOPermission() >> { >> FileIOPermission fip = new >> FileIOPermission(FileIOPermissionAccess.AllAccess, "c:\\hello.txt"); >> fip.Demand(); >> } >> >> >> "Itay Sandbank" <ItaySandbank@discussions.microsoft.com> wrote in message >> news:B50075F7-3042-45F6-901E-3B295B5D191A@microsoft.com... >> > Hi. >> > >> > I'm trying to understand how to use CAS, and found something strange. >> > I'm >> > trying to deny my program of a few permissions to see what happens. I >> > created >> > a small program that creates the file c:\hello.txt and exits: >> > >> > [assembly: FileIOPermission(SecurityAction.RequestRefuse, >> > ViewAndModify="c:\\")] >> > namespace CodeAccessSecurity >> > { >> > class Program >> > { >> > static void Main(string[] args) >> > { >> > FileIOPermission fip = new >> > FileIOPermission(FileIOPermissionAccess.AllAccess, "c:\\hello.txt"); >> > fip.Demand(); >> > FileStream fw = new FileStream("c:\\hello.txt", >> > FileMode.Create); >> > } >> > } >> > } >> > >> > When I run it, I see a SecurityException thrown, as can be expected. >> > However, it is thrown when I create the FileStream and not when I >> > Demand >> > the >> > FileIOPermission. >> > >> > When running from the local intranet zone (I changed the debugger's >> > security settings), the exception is thrown on the Demand - as I >> > expected >> > in >> > the first place. >> > >> > What's going on here? >> > >> > Thanks, >> > Itay. >> >>
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
| home · blog · groups | Questions? Comments? Contact the dn |