dotnet distributed apps:
Hey Guys,
Today we are going to look at Code Access Security.
Code access security is a feature of .NET that manages code depending on its
trust level. If the CLS trusts the code enough to allow it ro run then it
will execute, the code execution depends on the permission provided to the
assembly. If the code is not trusted wnough to run or it attempts to perform
an action which doe not have the required permissions then its execution is
stop and the application exits.
Code access security is primarily about protecting resources like your
local disk,netwoek, user interface from malicious code and not a tool for
protecting software from users which is a general misbelief.
Code access security is based upon Code Groups and Permissions.
Code Groups :- In windows we have user groups and every user belongs to a
group. We do not give permissions to users on indiviual basis but rather it
is more convient to create a group and give permissions to this group. In
the same way we have code groups bring code that has similar characteristics
and execution permissions togather.
E.g. One of the predefined code groups is Internet. If we say that this code
belongs to Internet code group this code has only those permissions which
are defined by this group. Like the Internet code group does not have access
to your local access hence all the applications executing under this code
group will not have permissions to access the local hard disk.
Permissions :- They are actions that each code group is allowed to perform
e.g. Permissions to access the user interface. This permission management
can be done at 3 levels Enterprise,Machine and User level.
"All Code" code group is the root group. All the code groups is under this
code group. If an assembly does not match a code group in the hierarchy code
groups below it are not searched.
For an assembly to be a member of any code group it need to fulfill its
membership condition.Each code group has one and only one membership
condition. This is the list of membership conditions in which "All code"
membership condition is at the root.
Let us view all the available code group membership conditions :
1) Go to Visual Studio Command promt and type caspol /help
2) Scroll at the bottom and you will see the following membership or "mship"
options
where "<mship>" can be:
-allcode All code
-appdir Application directory
-custom <xml_file> Custom membership condition
-hash <hashAlg> {-hex <hashValue>|-file <assembly_name>} Assembly hash
-pub {-cert <cert_file_name> | -file <signed_file_name> | -hex
<hex_string>} Software publisher
-site <website> Site
-strong -file <assemblyfile_name> {<name> | -noname}{<version>
| -noversion} Strong name
-url <url> URL
-zone <zone_name> Zone, where zone can be: (MyComputer,
Intranet,Trusted,Internet,Untrusted)
Zone is the most commonly used membersip condition.These zones are managed
from IE using the security options
3) Go to IE. ... Tools ... Options ... Security Tab ... And you will see all
these options.
Note :- These options are set from IE they apply to the whole machine.
4) Type caspol.exe - lg. This command will list all the code groups without
the descriptions. If you want to see the desriptions
Type caspol.exe -ld.
5) To view the code groups of an assembly e.g. Type caspol -resolvegroups
<DLLName>.dll. It will show a similar output
Level = Enterprise
Code Groups:
1. All code: FullTrust
Level = Machine
Code Groups:
1. All code: Nothing
1.1. Zone - MyComputer: FullTrust
Level = User
Code Groups:
1. All code: FullTrust
Success
6) In order to understand code access security completely we need to
understand Permission sets very well.
Type caspol -lp | more.
You will see an entire list of permissions in the form of xml tags.
We will look a few most frequently used permission sets :
SQLCLientPermission :-- Permission to access SQL Database.
UIPermission :- Permission to access user interface.
FileIOPermission : - Permission to read,writing or append to file as well as
creating folders.
Printing Permission :- Permission to print
WebPermission :- Prmission to make or accept connetions to/from the web.
..Net has provided us with predefined permission sets a.k.a. named permssion
sets. They are :-
FullTrust
Execution
Nothing
LocalIntranet
Internet
Everything
Note : Only the last 3 can be modified the first three cannot altered.
You can also view assembly premissions with caspol :-
caspil.exe -rp <Your Assembly>.dll
Note :- In one of my previous articles we had seen hoow to view assembly
permissions with permview.exe.
Now lets view the current permission sets for each code groups at various
policy levels.
CAS policy levels exists either at enterprise, user or machine level.
By deffault when you listgroups using caspol machine level policy details
are displayed to you. If you want to see user and enterprise policy details
type -u or -en as follows :-
caspol -u -lg // for user
caspol -en -lg // for enterprise
By Default .Net gives FullTrust permissions to "ALL Code " Code group at
enterprise and user level.
The question now is ow we determine which policy level will be used. Well
CAS takes an intersection of all the 3 policy levels i.e. user enterprise
and machine. Hence if you have made any changes on your machine's policy you
administrator can easily override it by changing the user or enterprise
policy.
Today we have seen the code access groups, permission sets and the
different policy levels. In my tommorrow's article we will create a sample
app and see how we can manage security policy.
-- Please post your queries and comments for my articles in the usergroup
for the benefit of all. I hope this step from my end is helpful to all of
us.
Regards,
Namratha (Nasha)
