.NET security

Guest

I am having problems working with .net security. I have been attempting to
use the Microsoft .Net Framework 2.0 Configuration tool (version
2.0.50727.42), but it won't work for me. I have a simple test application
that works, when I run to Manage Applications - View Assembly Dependencies, I
get an error that says:

Unfortunately, the .NET Framework Configuration tool cannot show this list
of assembly dependencies for this application due to an error during the
generation of the list.

This does not really tell me anything. I would appreciate any input from
anyone who might know how to fix it. Thanks.
 
Steven Cheng[MSFT]

Hello Richard,

Thank you for posting in the MSDN newsgroup.

From your description, I understand you're using the .NET Framework SDK
2.0's "mscorcfg.msc" utility to view an existing .NET application's
assembly dependencies; however, you got the following error when trying to
view the dependencies, correct?
=========
Unfortunately, the .NET Framework Configuration tool cannot show this list
of assembly dependencies for this application due to an error during the
generation of the list.
========

Based on my understanding, the mscorcfg.msc utility can explore the assembly
dependency list of .NET managed applications, and there is no
particular or known issue with this configuration tool. I think this problem
could be specific to the particular application you're evaluating.
Have you tried the view dependencies function on some other application
images? Also, is this application compiled with many unmanaged components
or anything else different from a normal managed application?

If you find it convenient, you can provide me a simplified version of that
application so that I can perform some tests on my side. Meanwhile, if you
have any other findings, please feel free to post here also.

Regards,

Steven Cheng
Microsoft Online Community Support


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Guest

Thank you Steven. Yes, your assumptions are correct. It runs properly on the
dll that is part of the project, but not on the exe. There is no unmanaged
code as far as I know. Here is the application source code:

#include <stdio.h>
#include <string.h>
#include <struct.h>
#include <malloc.h>
#include <mbsfun.h>
#include <stdlib.h>

using namespace System;

#using <csfu.dll>

void main(void)
{
    printf("In Mancfu\n");

    MBSFu::AClass::AFun(); // this function is in csfu.dll.
}

Here is the code for csfu.dll:

using System;
using System.Windows.Forms;

namespace MBSFu
{
    public class AClass
    {
        public static void AFun()
        {
            Console.WriteLine("In CSFU");
            MessageBox.Show("Message Box in DLL");
        }
    }
}

Here is my build file:

csc /t:module csfu.cs
if errorlevel 1 goto error
al csfu.netmodule /platform:x86 /target:lib /out:csfu.dll /keyfile:signkey.snk
if errorlevel 1 goto error
cl /clr:oldSyntax /I\mbs7\sys\include mancfu.cpp /link /KEYFILE:signkey.snk
if errorlevel 1 goto error

Let me know if it would be more convenient for me to email you the binary
output or anything like that. Thanks.
 
Guest

I have done some more testing, and determined that any of my test
applications that call a dll that I have made, fail when I use mscorcfg. Any
test applications that do not have a dll, the tool works properly. Is it not
capable of handling dll calls, or am I doing something wrong? Thanks.
 
Steven Cheng[MSFT]

Thank you for the response Richard,

As you mentioned that

===============
I have done some more testing, and determined that any of my test
applications that call a dll that I have made, fail when I use mscorcfg
=============

so the problem is focused on this dll. Is it an unmanaged dll or a mixed code
assembly? As for mscorcfg, it generally uses the managed assembly's
metadata header to look up referenced assemblies, and it'll recursively
inspect from the main app assembly to other referenced dependencies. I think it
is likely that some data in that dll's header is not recognizable to it, which
makes it report the failure message.

Regards,

Steven Cheng
Microsoft Online Community Support


 
Guest

Thanks. As far as I know, it is a standard C# dll with nothing special about
it. I included the source code and build batch file for the dll in my
posting. The only thing that might be unusual is that it is a C# dll being
called by a C++ program.
 
Guest

I have made an even simpler test case, that does not involve using a dll.
Here is the program mancfu3.cpp:

#include <stdio.h>

void main(void)
{
    printf("In Mancfu3 003\n");
}

Here is the batch file to build it:

cl /clr mancfu3.cpp

It runs fine on c:, but when I copy mancfu3.exe and mancfu3.exe.manifest to
my network i: drive, it fails with a security exception. If I build it
without the /clr it works properly on i:. When I try and run the security
tool on the mancfu3.exe on c:, it says that it can not provide the
information due to a loading error.

Is there some security attribute that I have to put in my program to make it
run on i:? Thanks.
 
Steven Cheng[MSFT]

Thanks for your response and the further description.

Regarding the further issue description and comments, here is
my understanding:

It runs fine on c:, but when I copy mancfu3.exe and mancfu3.exe.manifest to
my network i: drive, it fails with a security exception. If I build it
without the /clr it works properly on i:
==================================
So the "i:" is a network drive on a remote machine (just like a UNC share),
correct? If so, this behavior can be explained by the .NET Framework's Code
Access Security feature. First, when you use the "/clr" switch, the
output application is a managed .NET application; when you do not use the "/clr"
switch, the output exe is a pure unmanaged (win32) application. Only
.NET managed applications (assemblies) will utilize CAS (code access
security). And CAS is a security restriction based on code (unlike the
win32 OS security, which is based on user/role). So CAS will grant different
code different permissions and privileges. For your case, when you put the
application on a local drive, it is considered a local application (in
CAS), so it has FullTrust permission to run. When you put it on the
remote/network drive, it is considered to be from a remote location (in CAS), which
doesn't have FullTrust as local code does, so any access to the local computer's
protected resources (such as file, registry ...) will fail. For a general
introduction to CAS in .NET client applications, you can have a look at the
following MSDN article:

#Code Access Security and Distribution Features in .NET Enhance Client-Side
Apps
http://msdn.microsoft.com/msdnmag/issues/02/06/rich/default.aspx



When I try and run the security
tool on the mancfu3.exe on c:, it says that it can not provide the
information due to a loading error.
============================
Well, as for this issue (which we've been discussing from the beginning of the
thread), since I found that this is a cpp application compiled with the "/clr"
option, this could be the cause of the issue, because cpp is not
.NET's natural/intrinsic language and a library like <stdio.h> is not
a managed library, so the compiled output (exe) is not a pure managed
application, while the .NET configuration tool concentrates on pure
managed applications (which do not contain any nonstandard extensions like the c++
extension).

Anyway, I'll also perform some tests on my local side according to your
description and let you know the further results.

Thanks for your continued understanding and patience.

Regards,

Steven Cheng
Microsoft MSDN Online Support Lead


 
Guest

Ok, Thanks. Yes, the problem is that it runs on the local PC with full trust,
but on the network it has Intranet access, which is not sufficient. I have
tried using caspol.exe to give it full trust, things like that, but without
success. I will continue to work through the .NET security documentation
until I can make it work. Thanks again.
 
Steven Cheng[MSFT]

Hi Richard,

Just in case you didn't try this: the following command can help
temporarily turn off CAS on the machine.

caspol.exe -s off

You can run the app from the remote drive when CAS is turned off. This can help
confirm that this is a CAS-specific issue. And for your case, you can add
a new code group by specifying the network drive path as the Url
Condition (and granting it FullTrust permission).

Anyway, if anything is unclear or we can help with this, please don't hesitate
to post here.

Regards,

Steven Cheng
Microsoft MSDN Online Support Lead
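
The code group described in the post above can be added with caspol from an elevated command prompt, scoped to the application's directory rather than the whole drive so the FullTrust grant stays narrow. This is an added example, not part of the original thread; the directory I:\apps\mancfu3, the group name Mancfu3_Share and the mapped-drive URL form are assumptions.

```batch
@echo off
rem Added example, not from the thread. Run from an elevated prompt.
rem Assumptions: the app lives in I:\apps\mancfu3 (placeholder path) and
rem the group name Mancfu3_Share is made up for this example.
setlocal
set "CASPOL=%WINDIR%\Microsoft.NET\Framework\v2.0.50727\caspol.exe"
set "APPEXE=I:\apps\mancfu3\mancfu3.exe"
rem Assumed URL form for a mapped drive. If the group does not show up in
rem the final check, use the UNC form instead, for example
rem file://\\server\share\apps\mancfu3\* (server and share are placeholders).
set "APPURL=file://I:/apps/mancfu3/*"

rem 1. Before: list the code groups and the permissions the exe resolves to.
"%CASPOL%" -rsg "%APPEXE%"
"%CASPOL%" -rsp "%APPEXE%"

rem 2. Add a machine-level code group under LocalIntranet_Zone whose
rem    membership condition is the application URL, granting FullTrust.
"%CASPOL%" -q -m -ag LocalIntranet_Zone -url "%APPURL%" FullTrust -n "Mancfu3_Share" -d "FullTrust for mancfu3 on the I: share"
if errorlevel 1 goto error

rem 3. Make sure CAS enforcement is on again if it was switched off
rem    with "caspol -s off" while testing.
"%CASPOL%" -q -s on

rem 4. After: the new group should now be listed for the exe.
"%CASPOL%" -rsg "%APPEXE%"
goto :eof

:error
echo caspol failed to add the code group
exit /b 1
```

Comparing the `-rsp` output before and after shows whether the assembly moved from the intranet permission set to unrestricted permissions.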


 
Steven Cheng[MSFT]

Hello Richard,

Any further progress on this? Please feel free to let me know if there is
anything we can do for you or if you got any new results.

Regards,

Steven Cheng
Microsoft MSDN Online Support Lead


 
