.NET technology FAQ (7) ----- Code Access Security

xiaoxiao2021-03-06  61

7. Code Access Security

7.1 What is Code Access Security (CAS)?

CAS is the part of the .NET security model that determines whether a piece of code is allowed to run, and what resources it can use when it does. For example, CAS can prevent a .NET web applet from formatting your hard drive.

7.2 How does CAS work?

The CAS security policy revolves around two key concepts: code groups and permissions. Each .NET component is a member of a particular code group, and each code group is granted the permissions specified in a named permission set. For example, under the default security policy, a control downloaded from a web site belongs to the "Zone - Internet" code group, which is granted the permissions defined by the "Internet" named permission set. (Naturally, the "Internet" named permission set is a strictly limited set of permissions.)

7.3 Who defines the CAS code groups?

Microsoft defines some default code groups, but you can change these and even create your own code groups. To see the code groups defined on your system, run the "Caspol -l" command from the command line. On my system it looks like this:

level = Machine

Code Groups:

1. All code: Nothing
   1.1. Zone - MyComputer: FullTrust
      1.1.1. Honor SkipVerification requests: SkipVerification
   1.2. Zone - Intranet: LocalIntranet
   1.3. Zone - Internet: Internet
   1.4. Zone - Untrusted: Nothing
   1.5. Zone - Trusted: Internet
   1.6. StrongName - 0024000004800000940000000602000000240000525341310004000003000000CFCB3291AA715FE99D40D49040336F9056D7886FED46775BC7BB5430BA4444FEF8348EBD06F962F39776AE4DC3B7B04A7FE6F49F25F740423EBF2C0B89698D8D08AC48D69CED0FC8F83B465E0807AC11EC1DCC7D054E807A43336DDE408A5393A48556123272CEEEE72F1660B71927D38561AABF5CAC1DF1734633C602F8F2D5: Everything

Note the hierarchy of the code groups: the top of the hierarchy ('All code') is the most general, and it is then divided into several groups, each of which can be divided in turn. Note also that a subgroup can be given a more permissive permission set than its parent.

7.4 How do I define my own code group?

Use Caspol. For example, suppose you trust code from www.mydomain.com and want it to have full access to your system, but you want to keep the default restrictions for all other Internet sites. To achieve this, add a new code group as a subgroup of the "Zone - Internet" group, like this:

Caspol -AG 1.3 -site www.mydomain.com FullTrust

Now if you run

Caspol -lg

you can see that the new code group has been added as group 1.3.1:

...
   1.3. Zone - Internet: Internet
      1.3.1. Site - www.mydomain.com: FullTrust
...

Note that the numeric label (1.3.1) is just a Caspol invention that makes the code groups easy to manipulate from the command line. The underlying runtime never sees it.

7.5 How do I change the permission set of a code group?

Use Caspol. If you are the administrator of the machine, you can operate at the 'Machine' level. This means not only that the changes you make become the default for the machine, but also that users cannot change the permissions to be more permissive. If you are an ordinary user (not an administrator) you can still modify the permissions, but only to make them more restrictive. For example, to let intranet code do what it likes, you might do this:

Caspol -cg 1.2 FullTrust

Note that because this is more permissive than the default security policy (on a standard system), you should do this only at the Machine level. Doing it at the User level has no effect.
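The resolution rules behind 7.3 to 7.5, as an added example that is not part of the original FAQ and is not .NET code: a simplified Python model in which one policy level grants the union of all matching code groups, and the final grant is the intersection of the levels. The permission names inside each set are constructed stand-ins, the default user level is modelled as a single 'All code: FullTrust' group, and groups 1.1.1 and 1.6, the enterprise level and the Exclusive and LevelFinal group attributes are left out.

```python
# Simplified model of CAS policy resolution (illustration only, not .NET code).
FULL = "FullTrust"  # sentinel for the unrestricted permission set
# Constructed stand-ins for the contents of the named permission sets.
SETS = {
    FULL: FULL,
    "Nothing": frozenset(),
    "Internet": frozenset({"Execution", "SafeUI", "FileDialogOpen"}),
    "LocalIntranet": frozenset({"Execution", "SafeUI", "FileDialogOpen", "DnsLookup"}),
}

def group(cond, pset, *children):
    """cond is None ('All code') or an (evidence key, required value) pair."""
    return (cond, pset, children)

def union(a, b):
    return FULL if FULL in (a, b) else a | b

def intersect(a, b):
    if a == FULL:
        return b
    return a if b == FULL else a & b

def level_grant(node, ev):
    """One level: union over matching groups; a non-matching group hides its children."""
    cond, pset, children = node
    if cond is not None and ev.get(cond[0]) != cond[1]:
        return frozenset()
    grant = SETS[pset]
    for child in children:
        grant = union(grant, level_grant(child, ev))
    return grant

def resolve(ev, *levels):
    """All levels: intersection, so a level can narrow another's grant but never widen it."""
    grant = FULL
    for root in levels:
        grant = intersect(grant, level_grant(root, ev))
    return grant

def machine_level(site_group=False, intranet="LocalIntranet"):
    extra = (group(("site", "www.mydomain.com"), FULL),) if site_group else ()  # 1.3.1
    return group(None, "Nothing",                                    # 1.   All code
                 group(("zone", "MyComputer"), FULL),                # 1.1.
                 group(("zone", "Intranet"), intranet),              # 1.2.
                 group(("zone", "Internet"), "Internet", *extra),    # 1.3.
                 group(("zone", "Untrusted"), "Nothing"),            # 1.4.
                 group(("zone", "Trusted"), "Internet"))             # 1.5.

USER_DEFAULT = group(None, FULL)  # default user level: 'All code' -> FullTrust
```

Calling resolve({"zone": "Internet", "site": "www.mydomain.com"}, machine_level(site_group=True), USER_DEFAULT) returns FullTrust, while any other Internet site still resolves to the Internet set, which is why a site-based FullTrust group deserves review whenever it appears in the policy listing.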

7.6 Can I create my own permission set?

Yes. Use CASPOL -AP, specifying an XML file that contains all the permissions in the permission set. Here is a sample file specifying the 'Everything' permission set. Modify it to suit your needs to save yourself some time. Once the modifications are complete, add it to the available permission sets like this:

Caspol -ap SamplepermSet.xml

Then apply the permission set to a code group like this:

Caspol -cg 1.3 SamplepermSet

By default, 1.3 is the 'Internet' code group.

7.7 How do I diagnose my own program when there is a problem with CAS?

Caspol has a set of options that may help. First, you can use

Caspol -RSG

to have Caspol tell you which code group a component belongs to. Similarly, you can use

Caspol -RSP

to ask what permissions apply to a specific component.

7.8 I can't stand CAS. Can I turn it off?

Yes, as long as you are a system administrator. Just run:

Caspol -s off

When reposting, please credit the original address: https://www.9cbs.com/read-119083.html
