This article has been
excerpted from book "The Complete Visual C# Programmer's Guide" from the Authors
of C# Corner.
Suppose a developer creates an assembly that requires access to a resource or
action that is typically available to users or clients requesting that assembly.
Sometimes, for maintenance or other purposes, the administrator may need to
restrict the action or resource required by the developer's assembly. This
restriction could cause the assembly to function improperly or fail altogether
when security exceptions are thrown. Viewing the requirements of the assembly
could help you identify the problem and determine whether security issues are
involved.
CASPOL (Caspol.exe), a command-line tool included with the .NET runtime SDK, is
used to administer policy changes as well as to view existing permissions and
the code group hierarchy. Let's look at a few examples of viewing code groups
and permissions with CASPOL.
Your default view in CASPOL is determined by your current access permissions
(enterprise, machine, or user). If you do not currently have administrative
permissions, your default view is the Users view. The examples below explicitly
specify either the machine or the user policy level. When code groups from both
levels should be displayed together, as in the first example, the -all option is
used.
Running the following command from the command line shows the code groups to
which a specific assembly file belongs.
CASPol-all-resolvegroup hello.dll
Although this example uses a library called hello.dll, the library could be
replaced with any assembly-even caspol.exe itself. Assuming that the hello.dll
assembly has no custom or added restrictions, the command output from the
example is as shown in Listing 22.8.
Listing 22.8: Output from CASPOL Command to View Code Groups
Microsoft (R) .NET Framework CasPol 1.0.2204.21
Copyright (c) Microsoft Corp 1999-2000. All rights reserved.
Level = Machine
Code Groups:
1. All code: Nothing
1.1. Zone - MyComputer: FullTrust
Level = User
Code Groups:
1. All code: FullTrust
Success
While brief and simple, this output is sufficient to demonstrate what you can
expect to see when viewing code groups. The first item is one of the policy
levels, the machine policy, followed by a list of the code groups that the code
belongs to. At the machine level, the code belongs to the All Code group, which
uses the built-in permission set called Nothing. (Other nonmodifiable built-in
permission sets include Execution and FullTrust). The Nothing permission set
prohibits all resources, including the right to execute code. However, the All
Code group has a subgroup called Zone. The Zone subgroup requires that any code
within that subgroup meet the MyComputer membership condition. For any code that
meets that condition, the FullTrust permission set is used to allow full access
to all resources. At the next policy level listed, the user level, we have
FullTrust permissions to run all code. In the final line of output, the program
displays that it has run successfully.
If you plan to view an assembly's permission sets for diagnostic reasons, you
may want to use the - all option so that you can be sure you're seeing all the
relevant information. After all, when the assembly is run, it's being spawned by
a user account, in which case the machine, user policies, and the application
domain's policy(if it exists) are combined to produce the total permissions
granted to that assembly. Using the-all option lets you see both the user and
machine permission sets at the same time. Note that the -all option can also be
abbreviated to just -a in the command.
The following command shows the permission sets to which a specific assembly
file belongs.
CASPol -all -resolveperm hello.dll
Again, the hello.dll library could be replaced with any assembly. An example of
the command's output appears in Listing 22.9.
Listing 22.9: Output from CASPOL Command to View Permission Sets
Microsoft (R) .NET Framework CasPol 1.0.2204.21
Copyright (c) Microsoft Corp 1999-2000. All rights reserved.
Resolving permissions for level = Machine
Resolving permissions for level = User
Grant =
<PermissionSet class="System.Security.PermissionSet"
version="1">
<Unrestricted/>
<Permission
class="System.Security.Permissions.StrongNameIdentityPermission,
mscorlib, Ver=1.0.2204.21, Loc='', SN=03689116d3a4ae33"
version="1"><PublicKeyBlob>
<Key>00240000048000009400000006020000002400005…</Key>
</PublicKeyBlob>
<Name>hello</Name>
<Version>1.0.444.35256</Version>
</Permission>
<Permission class="System.Security.Permissions.URLIdentityPermission,
mscorlib,
Ver=1.0.2204.21, Loc='', SN=03689116d3a4ae33"
version="1">
<Url>file:///D:/Projects/hello.dll</Url>
</Permission>
<Permission class="System.Security.Permissions.ZoneIdentityPermission,
mscorlib,
Ver=1.0.2204.21, Loc='', SN=03689116d3a4ae33"
version="1">
<Zone>MyComputer</Zone>
</Permission>
</PermissionSet>
Success
The first item in the example output is the policy levels. The output combines
both the machine and user policies to display what permissions have been granted
to the code.
The PermissionSet itself is set to unrestricted, allowing all permissions to be
available. Next, three specific sets of permissions are being demanded:
- StrongNameIdentityPermission -indicates
that the hello.dll library contains a strong name (a shared assembly using
public-key cryptography). This permission contains the public key that must
be matched for other code to make valid calls to this assembly. The
cryptographic number has been shortened in this example for display.
- URLIdentityPermission -lists the URL where
the code originated. If you are viewing one of your own assemblies, you will
most likely see the path that you compiled to.
- ZoneIdentityPermission -determines if the
calling code is from a specific zone (a specific caller region, such as
Intranet_Zone or Internet_Zone). Only exact zone matches can be defined for
this permission, and a URL can only belong to a single zone.
Another option that can be used with the CASPOL
utility is the -list option. The -list option shows the list of code groups
followed by a list of named permission sets available in the most recently
displayed policy. The following command enlists the -list option to provide you
with an overall look at your permissions:
CASPol -list
The output from this command is for your entire current configuration, not just
for a single assembly. If the output is too long for your shell window, then try
using the following command, which saves the output to text file called
output.txt:
CASPol -list > output.txt
To shorten the output further, you could use the following command to list just
the code groups for your current configuration:
CASPol -listgroups
This command produces output similar to that in Listing 22.10.
Listing 22.10: Output from CASPOL Command to List Code Groups Only
Security is ON
Execution checking is OFF
Policy change prompt is ON
Level = Machine
Code Groups:
1. All code: Nothing
1.1. Zone - MyComputer: FullTrust
1.1.1. Honor SkipVerification requests: SkipVerification
1.2. Zone - Intranet: LocalIntranet
1.2.1. All code: Same site Socket and Web.
1.3. Zone - Internet: Internet
1.4. Zone - Untrusted: Nothing
1.5. Zone - Trusted: Internet
1.6. StrongName - 0024000004800000940000000: Everything
As you might expect, the following command functions in much the same way,
except that it displays only the permission sets for your current configuration.
CASPol -listpset
Although this hello.dll example had very few restricted permissions, you can see
how using the CASPOL utility to view restrictions for a specific assembly allows
you to discover which permissions your assembly needs to run. Similarly, using
the CASPol -list command reveals the permissions available to you as a user or
administrator.
Conclusion
Hope this article would have helped you in understanding the
CASPOL Tool. See other articles on the website on .NET and C#.
|
The Complete Visual
C# Programmer's Guide covers most of the major components that make
up C# and the .net environment. The book is geared toward the
intermediate programmer, but contains enough material to satisfy the
advanced developer. |