CASPOL Tool in .NET

Suppose a developer creates an assembly that requires access to a resource or action that is typically available to users or clients requesting that assembly. Sometimes, for maintenance or other purposes, the administrator may need to restrict the action or resource required by the developer's assembly. This restriction could cause the assembly to function improperly or fail altogether when security exceptions are thrown. Viewing the requirements of the assembly could help you identify the problem and determine whether security issues are involved. 

CASPOL (Caspol.exe), a command-line tool included with the .NET runtime SDK, is used to administer policy changes as well as to view existing permissions and the code group hierarchy. Let's look at a few examples of viewing code groups and permissions with CASPOL. 

Your default view in CASPOL is determined by your current access permissions (enterprise, machine, or user). If you do not currently have administrative permissions, your default view is the Users view. The examples below explicitly specify either the machine or the user policy level. When code groups from both levels should be displayed together, as in the first example, the -all option is used. 

Running the following command from the command line shows the code groups to which a specific assembly file belongs. 

CASPol-all-resolvegroup hello.dll 

Although this example uses a library called hello.dll, the library could be replaced with any assembly-even caspol.exe itself. Assuming that the hello.dll assembly has no custom or added restrictions, the command output from the example is as shown in Listing 22.8. 

Microsoft (R) .NET Framework CasPol 1.0.2204.21

Copyright (c) Microsoft Corp 1999-2000. All rights reserved.

Level = Machine

Code Groups:

1. All code: Nothing

1.1. Zone - MyComputer: FullTrust

Level = User

Code Groups:

1. All code: FullTrust

Success

While brief and simple, this output is sufficient to demonstrate what you can expect to see when viewing code groups. The first item is one of the policy levels, the machine policy, followed by a list of the code groups that the code belongs to. At the machine level, the code belongs to the All Code group, which uses the built-in permission set called Nothing. (Other nonmodifiable built-in permission sets include Execution and FullTrust). The Nothing permission set prohibits all resources, including the right to execute code. However, the All Code group has a subgroup called Zone. The Zone subgroup requires that any code within that subgroup meet the MyComputer membership condition. For any code that meets that condition, the FullTrust permission set is used to allow full access to all resources. At the next policy level listed, the user level, we have FullTrust permissions to run all code. In the final line of output, the program displays that it has run successfully. 

If you plan to view an assembly's permission sets for diagnostic reasons, you may want to use the - all option so that you can be sure you're seeing all the relevant information. After all, when the assembly is run, it's being spawned by a user account, in which case the machine, user policies, and the application domain's policy(if it exists) are combined to produce the total permissions granted to that assembly. Using the-all option lets you see both the user and machine permission sets at the same time. Note that the -all option can also be abbreviated to just -a in the command. 

The following command shows the permission sets to which a specific assembly file belongs. 

CASPol -all -resolveperm hello.dll 

Again, the hello.dll library could be replaced with any assembly. An example of the command's output appears in Listing 22.9. 

The first item in the example output is the policy levels. The output combines both the machine and user policies to display what permissions have been granted to the code. 

The PermissionSet itself is set to unrestricted, allowing all permissions to be available. Next, three specific sets of permissions are being demanded:

CASPol -list 

The output from this command is for your entire current configuration, not just for a single assembly. If the output is too long for your shell window, then try using the following command, which saves the output to text file called output.txt: 

CASPol -list > output.txt 

To shorten the output further, you could use the following command to list just the code groups for your current configuration: 

CASPol -listgroups 

This command produces output similar to that in Listing 22.10. 

As you might expect, the following command functions in much the same way, except that it displays only the permission sets for your current configuration. 

CASPol -listpset 

Although this hello.dll example had very few restricted permissions, you can see how using the CASPOL utility to view restrictions for a specific assembly allows you to discover which permissions your assembly needs to run. Similarly, using the CASPol -list command reveals the permissions available to you as a user or administrator. 

Hope this article would have helped you in understanding the CASPOL Tool. See other articles on the website on .NET and C#.