Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to deny Assert with CAS?

Tags:

.net

permissions

cas

In this code, I'd like the ReadFileSystem method to be forbidden to Assert a permission on the filesystem.

I expected this will throw at fileIo.Assert(), but it doesn't. Why?

using System.Security.Permissions;
static void Main(string[] args)
{
    var fileIo = new FileIOPermission(PermissionState.Unrestricted);
    var secuPerm = new SecurityPermission(SecurityPermissionFlag.Assertion);
    PermissionSet set = new PermissionSet(PermissionState.Unrestricted);
    set.AddPermission(fileIo);
    set.AddPermission(secuPerm);
    set.Deny();
    ReadFileSystem();
    Console.Read();
}

private static void ReadFileSystem()
{
    var fileIo = newFileIOPermission(PermissionState.Unrestricted);
    fileIo.Assert();

    DirectoryInfo dir = new DirectoryInfo("C:/");
    dir.GetDirectories();
}

Update

Great link here on CAS : http://blogs.msdn.com/shawnfa/archive/2004/08/25/220458.aspx

like image 433
Nicolas Dorier Avatar asked Dec 30 '22 04:12

Nicolas Dorier

2 Answers

The subsequent Assert negates the effects of the Deny.

The ability to assert FileIOPermission mainly depends on whether your assembly is trusted. It is not affected by a previous Deny of FileIOPermission. It turns out that it is also not affected by the previous Deny of the Assertion SecurityPermission. This is because SecurityPermissionFlag.Assertion is checked as a link time demand. This is not clearly documented; I found it here.

To force the CLR to not trust your assembly for FileIOPermission, you can use the following at the top of your file following the using statements. When you add this to your file, the assert will not take effect. This affects the entire assembly. There is no finer granularity.

[assembly:FileIOPermission(SecurityAction.RequestRefuse, Unrestricted=true)]
like image 73
Jason Kresowaty Avatar answered Jan 21 '23 07:01

Jason Kresowaty

I think you may misunderstand the purpose of Asserting permissions. When you Assert a permission set in CAS, you are effectively saying "I know what I'm doing... I don't care what the permissions are deeper in the stack." That's almost never what you want. You generally want to Demand a permission set. That causes a stack walk, which would find the Deny on the stack and then cause a security exception.

However, since .NET has virtually all the necessary Demands built-in, there's rarely a need to actually Demand anything unless you're doing Asserts (again, that's rare) or you've written your own custom Permission class.

like image 42
Andrew Arnott Avatar answered Jan 21 '23 06:01

Andrew Arnott
Sign in to Comment

Related questions

Using Microsoft's Application Blocks
How to rewrite or convert C# code in Java code?
What is a private assembly in .Net?
Focus on a Control When Switching Tabs
Test Data Builder pattern: more useful or more upkeep?
WCF - returning large images - your experience and tips on doing so
Turn on Description panel in the standard CollectionEditor
How do I match part of a string only if it is not preceded by certain characters?
Does .net SqlCommand.ExecuteReader close connection?
How can I rollback clickOnce if I have a minimum required version?
How do I create a subclass of TabPage that I can edit like a UserControl?
.Net Converting a number from one culture to another
Route www link to non-www link in .net mvc
How bad is it to store class and assembly names in the database?
How do i populate a POCO (child) IList property from a Linq2Sql query?
What are some good sample desktop application projects I could do in C# .NET
Unable to kill a worker thread in Silverlight
What does this compiler-generated enumerator mean?
To Form Load() or Not to Form Load()
How do I set the Font color of a label to the same as the caption color of a GroupBox?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!