Introduction
In this article I will show you how you can view the code groups that an assembly belongs to and what permissions belong to the assembly. I will demonstrate the caspol utility supplied with the .NET SDK.
When Would You Need to View Access Rights?
When a developer creates an assembly, he or she may require access to a resource or action that may usually be available to an assembly used by most users or clients. There may be times when the administrator of a host, for his or her own reasons, has restricted the action or resource required by the developer's assembly. This restriction could cause the assembly to function improperly or fail altogether when the security exception(s) is thrown. Viewing the requirements of the assembly could help you narrow down the problem and determine if the problems are security issues.
Code Groups and Permission Sets
Code Groups - Security policies have several levels such as the Machine policy level, the User policy level or the Application Domain policy level. Within these policy levels is a hierarchy of code groups. The code groups then break down into child nodes of other groups (strong name, URL, App directory, etc.). The condition of each code group is called the Membership Condition. Each Membership Condition must be met in order for an assembly's code to be part of that code group. Each code group contains a permission set.
Permission sets - Each of the policy levels mentioned above: Machine, User, and Application Domain, supply the assembly with the assembly..
What is caspol?
CASPol is a command line utility that is included with the .NET run time SDK. CASPol stands for Code Access Security Policy. It is used to administer policy changes as well as view existing permissions and the code group hierarchy. Your default view will be determined by your current access permissions (machine or user). Your default view, if you do not currently have administrative permissions, will be the User view. In the samples below, I will explicitly specify either the Machine policy level or the User policy level. When both should be displayed together, the -all option will be.
Viewing the code groups
To view the CASPol utility. Using the..
Caspol -all -resolvegroup hello.dll
The above command will show the code groups that a specific assembly file belongs to. In the above example I used a library called hello.dll. This could however be replaced with any assembly, even caspol.exe itself. The hello.dll is the module that was used in my article "Assemblies: The Ins and Outs - Part 2". There are no custom or added restrictions in the hello.dll assembly. An example of the command's output looks like:
Microsoft (R) .NET Framework CasPol 1.0.2204.21
Copyright (c) Microsoft Corp 1999-2000 All rights reserved.

Level = Machine
Code Groups:
1 All code: Nothing
   1.1 Zone - MyComputer: FullTrust

Level = User
Code Groups:
1 All FullTrust

Success
The output above is brief and simple but is sufficient to demonstrate what you can expect to see when viewing the groups. In the example above, the first item we see is one of the policy levels. The first policy listed is the Machine policy. Then the code groups that our code belongs to are listed. At the Machine level our code belongs to the All code group, which uses the built-in permission set called Nothing (other non-modifiable built-in permission sets include Execution and FullTrust). The permission set called "Nothing" prohibits all resources, including the right to execute code. However, the All code group has a subgroup called Zone. The Zone group requires that I meet the MyComputer Membership Condition, and if I do then the FullTrust permission set is granted. FullTrust allows full access to all resources.
The next policy level listed is the User level. The User level specifies that I have FullTrust permissions to run all code.
Finally, the program displays that it ran successfully.
Viewing the permissions
If you are viewing an assembly's permission sets for diagnostic reasons then you may want to use the -all option with CASPol. You would want to do this because when the assembly is run, it's being run by a user. When a user runs a program ...
Caspol -all -resolveperm hello.dll
The above command shows the permission sets that a specific assembly file belongs to. Again I used the library called hello.dll. This could however be replaced with any assembly. An example of the command's output looks like:
Microsoft (R) .NET Framework CasPol 1.0.2204.21
Copyright (c) Microsoft Corp 1999-2000. All rights reserved.

Resolving permissions for level = Machine
Resolving permissions for level = User

Grant =
The permission set itself is set to unrestricted, allowing all permissions to be available. Next, going through the specific sets of permissions being demanded:
StrongNameIdentityPermission - The hello.dll library contains a strong name (it is a shared assembly using public key cryptography). This permission contains the public key that must be matched for other code to make valid calls to this assembly. I shortened the cryptographic number for display.
URLIdentityPermission - This is the URL of where the code originated. If you are viewing one of your own assemblies, you will most likely see the path that you compiled to.
ZoneIdentityPermission - This permission determines if the calling code is from a specific zone.
Worth Mentioning
Another option that can be used with the CASPol utility is the -list option. The -list option shows the list of code groups followed by a list of named permission sets available in the most recently displayed policy. The output from the command below is for your entire current configuration, and not just for a single assembly. So this command is good for getting an overall look at your permissions.
Caspol -list
If the output from the above command is too long for your shell window, then the following command will save the output to a text file called output.txt.
Caspol -list > output.txt
To shorten the output further you could use the following command to list all code groups for your current configuration:
Caspol -listgroups
This would display just the code groups and produce an output similar to the following:
Security is ON
Execution checking is OFF
Policy change prompt is ON

Level = Machine
Code Groups:
1 All code: Nothing
   1.1 Zone - MyComputer: FullTrust
      1.1.1 Honor SkipVerification requests: SkipVerification
   1.2 Zone - Intranet: LocalIntranet
      1.2.1 All code: Same site Socket and Web
   1.3 Zone - Internet: Internet
   1.4 Zone - Untrusted: Nothing
   1.5 Zone - Trusted: Internet
   1.6 StrongName - 0024000004800000940000000 Everything

Success

CASPol -listpset would also do the same as the previous command except that only the permission sets would be displayed.
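When reviewing a saved -listgroups listing, it helps to turn the numbered hierarchy into records and pick out the code groups that grant the broadest permission sets. The following Python sketch is an added example, not part of the original article or the .NET SDK; the function names and the choice of FullTrust and Everything as the sets to report are assumptions, and the sample text is the listing above laid out one entry per line.

```python
import re

# Constructed sample: the article's -listgroups listing, one entry per line.
SAMPLE = """Security is ON
Execution checking is OFF
Policy change prompt is ON
Level = Machine
Code Groups:
1 All code: Nothing
1.1 Zone - MyComputer: FullTrust
1.1.1 Honor SkipVerification requests: SkipVerification
1.2 Zone - Intranet: LocalIntranet
1.2.1 All code: Same site Socket and Web
1.3 Zone - Internet: Internet
1.4 Zone - Untrusted: Nothing
1.5 Zone - Trusted: Internet
1.6 StrongName - 0024000004800000940000000 Everything
Success"""
GROUP = re.compile(r"^(\d+(?:\.\d+)*)\.?\s+(.*)$")  # "1.2.1 <condition>: <set>"
BROAD = {"FullTrust", "Everything"}  # assumption: sets a reviewer wants listed

def parse_listgroups(text):
    """Return (settings, groups); each group has label, level, condition, pset, parent."""
    settings, groups, level = {}, [], None
    for line in map(str.strip, text.splitlines()):
        m = GROUP.match(line)
        if line.startswith("Level ="):
            level = line.split("=", 1)[1].strip()
        elif m:
            label, rest = m.groups()
            cond, sep, pset = rest.rpartition(": ")
            if not sep:  # colon missing: take the last word as the permission set
                cond, _, pset = rest.rpartition(" ")
            groups.append(dict(label=label, level=level, condition=cond.strip(),
                               pset=pset.strip(), parent=label.rpartition(".")[0] or None))
        elif " is " in line:  # header switches such as "Security is ON"
            settings.update([line.split(" is ", 1)])
    return settings, groups

def broad_grants(groups):
    """Code groups whose permission set is in BROAD, as (level, label, condition, pset)."""
    return [(g["level"], g["label"], g["condition"], g["pset"])
            for g in groups if g["pset"] in BROAD]

if __name__ == "__main__":
    settings, groups = parse_listgroups(SAMPLE)
    print(settings)
    for row in broad_grants(groups):
        print(*row, sep=" | ")
```

Feed it the contents of output.txt from a -listgroups run in place of SAMPLE to review a real configuration.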
Summary
The output from the hello.dll module was a very short example with very few restricted permissions. Using the CASPol utility to view restrictions for a specific assembly will allow you to discover what permissions your assembly needs to run. Using the CASPol -list command will allow you to get familiar with what permissions are available to you as a user or administrator.