What to do when CasPol throws SecurityExceptions

CasPol is written in managed code, and as such is subject to the CLR's security policy system just like any other piece of managed code.  Generally this is not a problem for it, since it is granted FullTrust by two separate code groups in the default policy: the MyComputer zone code group and the Microsoft strong name code group nested beneath it.

C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607>caspol -rsg caspol.exe
Microsoft (R) .NET Framework CasPol 2.0.40607.16
Copyright (C) Microsoft Corporation. All rights reserved.

Level = Enterprise

Code Groups:

1. All code: FullTrust

Level = Machine

Code Groups:

1. All code: Nothing
   1.1. Zone - MyComputer: FullTrust
      1.1.1. StrongName - 00240000048000009400000006020000002400005253413100040
      0000100010007D1FA57C4AED9F0A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C834C99921EB23BE
      79AD9D5DCC1DD9AD236132102900B723CF980957FC4E177108FC607774F29E8320E92EA05ECE4E82
      1C0A5EFE8F1645C4C0C93C1AB99285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF0FC4963D261C8
      A12436518206DC093344D5AD293: FullTrust

Level = User

Code Groups:

1. All code: FullTrust

Success

Even if a local administrator has decided not to blindly grant FullTrust to all code living on the local machine, CasPol will still be given FullTrust via code group 1.1.1.  But what if that code group were to also stop granting FullTrust?  At that point your managed apps would be in a world of hurt, including CasPol.  In fact, depending on the final grant set, CasPol itself would likely be unable to run, which means you could no longer use it to undo the change.  Because of this, CasPol will actually resist any attempt to put the policy in this state:

C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607>caspol -cg 1.1 Internet -cg 1.1.1 Internet
Microsoft (R) .NET Framework CasPol 2.0.40607.16
Copyright (C) Microsoft Corporation. All rights reserved.

The operation you are performing will alter security policy.
Are you sure you want to perform this operation? (yes/no)
yes
Changed code group permission set to "Internet" in the Machine level.
This operation will make some or all caspol functionality cease to work. If you are sure you want to do this operation, use the '-force' option before the option you just executed. For example:
    caspol -force -machine -remgroup 1.6

Policy save aborted.

However, if you do pass the -force switch to CasPol, or if your own code or any other mechanism gets the policy into a state where CasPol cannot recover it, don't worry ... there's still a way to get your machine into a valid state without reinstalling the framework.

All you need to do is delete the security policy from your disk.  As an Administrator, delete %WINDIR%\Microsoft.NET\Framework\<version directory>\config\Security.config and Security.config.cch.  This removes the machine level policy.  Then run caspol -all -reset in order to put back the default policy ... otherwise you'll be left in a state where you grant FullTrust to all code (assuming you have no code groups on other policy levels).
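The recovery procedure above, scripted as an added example (this is not code from the original post, and not something CasPol ships with).  It checks that CasPol really is unable to resolve policy before touching anything, backs up the two files instead of just deleting them, and then runs the reset.  The framework version directory (v2.0.50727 here; the post's machine used the v2.0.40607 beta), the backup location, and the assumption that a SecurityException inside CasPol surfaces as a non-zero exit code are all assumptions, so adjust them for your machine.

```powershell
# Added example: recover a machine whose CAS policy CasPol can no longer load,
# following the steps described in the post:
#   1. as an Administrator, delete Security.config and Security.config.cch
#   2. run "caspol -all -reset" so the default policy comes back
# The version directory and backup location below are assumptions.
param(
    # ASSUMPTION: .NET 2.0 RTM directory; the post's machine used v2.0.40607.
    [string]$FrameworkVersion = 'v2.0.50727',
    [string]$BackupDir = (Join-Path $env:TEMP 'caspol-recovery-backup')
)

$ErrorActionPreference = 'Stop'

# The policy files are ACLed so that only Administrators can change them
# (see the post's comments), so refuse to continue from a non-elevated prompt.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) prompt.'
}

$fwDir     = Join-Path $env:WINDIR "Microsoft.NET\Framework\$FrameworkVersion"
$configDir = Join-Path $fwDir 'config'
$caspol    = Join-Path $fwDir 'caspol.exe'
if (-not (Test-Path $caspol)) { throw "caspol.exe not found at $caspol" }

# Step 0: confirm CasPol is really broken before deleting anything.
# When policy is healthy, "-rsg" prints the resolved code groups and exits 0.
# ASSUMPTION: when CasPol itself is denied, the unhandled SecurityException
# makes it exit non-zero.
& $caspol -rsg $caspol | Out-Null
if ($LASTEXITCODE -eq 0) {
    Write-Host 'CasPol can already resolve policy; nothing to recover.'
    return
}
Write-Host "caspol -rsg failed (exit $LASTEXITCODE); recovering machine-level policy."

# Step 1: back up, then delete the machine-level policy and its cache.
# The .cch cache file may not exist, so only touch what is there.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMddHHmmss'
foreach ($name in 'Security.config', 'Security.config.cch') {
    $path = Join-Path $configDir $name
    if (Test-Path $path) {
        Copy-Item $path (Join-Path $BackupDir "$name.$stamp")
        Remove-Item $path -Force
        Write-Host "Removed $path (backup in $BackupDir)"
    }
}

# Step 2: with no machine policy on disk the CLR grants FullTrust to everything,
# so put the default policy back on all levels right away.
# -q suppresses the "Are you sure you want to perform this operation?" prompt
# so the script does not hang waiting for input.
& $caspol -q -all -reset
if ($LASTEXITCODE -ne 0) { throw "caspol -all -reset failed with exit code $LASTEXITCODE" }

# Step 3: show that CasPol once again resolves to the default FullTrust groups.
& $caspol -rsg $caspol
```

Run it from an elevated prompt as `.\Recover-CasPol.ps1` (or pass `-FrameworkVersion` for a different runtime directory).  The backup step matters: if a third-party membership condition or some other customisation was what broke policy, the saved Security.config is the only record of what the administrator had configured.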

Comments

  • Anonymous
    October 31, 2004
    Another way to do this is to install a 3rd party membership condition, add a rule to policy that uses it, and then delete the assembly from the GAC. Things start to break at that point, for obvious reasons ;-)
  • Anonymous
    October 31, 2004
    The comment has been removed
  • Anonymous
    November 01, 2004
    Hi David,

    The ACLs on the enterprise and machine policy levels (where all of the default policy is stored on NT based machines), are such that non-administrators do not have permission to edit or delete them.

    If the user has administrative privileges on the machine, and you can trick them into deleting their security configuration files before running your code, then you've essentially already won. There are probably many other things that you could trick the user into doing at that point as well.

    -Shawn
  • Anonymous
    November 01, 2004
    Good point Peter -- I've been planning on doing a piece on what the FullTrust list is and why its necessary ... this will be a good starting point for that.

    -Shawn