Get .NET to consider a specific network share to be fully trusted

Question

I have (only) Visual Studio 2010 installed. I'm trying to run my unit tests from a command-line build-system. All my development work is in my home directory on a Linux server that's shared out using Samba. When I try to run NUnit I get an error like this:

Unhandled Exception: System.TypeInitializationException: The type initializer for 'NUnit.ConsoleRunner.Runner' threw an exception. ---> System.Security.Security
Exception: That assembly does not allow partially trusted callers.
   at NUnit.ConsoleRunner.Runner..cctor()
The action that failed was:
LinkDemand
The assembly or AppDomain that failed was:
nunit-console-runner, Version=2.5.9.10305, Culture=neutral, PublicKeyToken=96d09a1eb7f44a77
The method that caused the failure was:
NUnit.Core.Logger GetLogger(System.Type)
The Zone of the assembly that failed was:
Intranet
The Url of the assembly that failed was:
file:///Z:/gitrepos/smarties/dependencies/Windows-x86/NUnit-2.5.9.10305/bin/net-2.0/lib/nunit-console-runner.DLL
   --- End of inner exception stack trace ---
   at NUnit.ConsoleRunner.Runner.Main(String[] args)
   at NUnit.ConsoleRunner.Class1.Main(String[] args)

I have tried using caspol.exe as described here: Edit and run .NET projects from network shares

>caspol -addgroup 1.2 -url file:///Z:/* FullTrust -name MyZShare
Microsoft (R) .NET Framework CasPol 4.0.30319.1
Copyright (c) Microsoft Corporation.  All rights reserved.

WARNING: The .NET Framework does not apply CAS policy by default. Any settings shown or modified by CasPol will only affect applications that opt into using
CAS policy.

Please see http://go.microsoft.com/fwlink/?LinkId=131738 for more information.


The operation you are performing will alter security policy.
Are you sure you want to perform this operation? (yes/no)
yes
Added union code group with "-url" membership condition to the Machine level.
Success

It has no obvious effect.

Other instructions tell me to find some Microsoft .NET Security Policy tool in Administrative Tools in the Control Panel, but I have no such tool available. (Is this because I only have Visual Studio 2010, not earlier versions? I'm running Windows 7 Pro 64-bit, if it makes a difference.)

I really just want .NET to believe that this directory is on my own machine and not part of the intranet. I don't want any of this code to run from a network share when deployed, only as part of development. I also don't want to blindly trust all network shares, although even that would be a more palatable workaround than copying everything onto a local drive every time I want to run a test.

I would rather not have to sign everything with strong names at this point in development. (And I'm not even sure if it would help, since NUnit is apparently failing before it has even loaded my assembly.)

---

EDIT - In the end it turned out I was trying to solve the wrong problem. While figuring out how to get NUnit to run .NET 4.0 tests without a subprocess, I found this:

http://frater.wordpress.com/2010/05/04/debugging-nunit-tests-under-visual-studio-2010/

It says:

According to this page you should also add this line under the runtime element [in nunit-console.exe.config]:

<loadFromRemoteSources enabled="true" />

This allows libraries downloaded from a remote site (such as a website) to be loaded with full trust. I’m not sure why this would be necessary and indeed, my application debugged NUnit just fine without it. However, if you have problems, you might want to give it a try.

This fixed my problem for me without having to muck about with caspol.

Answer 1

This is because in .NET 3.5 and below, all libraries located on network shares are treated as partial trust. It is possible to work around this by using a later version of the framework to run NUnit.

The NUnit runners target the v3.5 framework, presumably for legacy support. You can check this with the corflags tool that comes with Visual Studio

> corflags nunit-console.exe
Version   : v2.0.50727

This means if you run nunit-console.exe from the from command line and you have .NET 3.5 and .NET 4 installed, the v3.5 runtime will be used to run the executable. You can see this in the console output.

> nunit-console.exe
CLR Version: 2.0.50727.7905 ( Net 3.5 )

The config contains the <loadFromRemoteSources enabled="true"/> element, which causes .NET v4 to ignore the partially trusted caller error, but this setting is ignored in the older versions of the framework.

To force the application to run under .NET 4 or above, add the following line to the startup section of the application config file.

<supportedRuntime version="v4.0"/>

In my case, I had to add a step to the build server automation to make this config change before running the tests in a continuous integration environment.

desc 'run unit tests'
task :tests => :compile do
  runner_dir = FileList["packages/NUnit.Runners*/tools"].first
  runner_config = File.join(runner_dir, "nunit-console.exe.config")

  # running the tests from a network share fails due to code access policy if the 
  # runner is on framework v3.5 or lower. force the runner to use v4.0 or above 
  comment = %<!-- Comment out the next line to force use of .NET 4.0 -->
  runtime_version = %<supportedRuntime version="v4.0.30319"/>
  File.write(runner_config, File.read(runner_config).sub(comment, runtime_version))

  nunit! :actually_run_tests do |nunit|
    nunit.command = File.join(runner_dir, "nunit-console.exe")
    nunit.assemblies = FileList["out/**/*.Tests.dll"]
    nunit.log_level = :verbose
  end
end