Faillure to run .NET 2.0 app from UNC

[Guest]

I've built an localised .NET 2.0 application, which runs fine on my
development machine. But when I deploy the app, it fails to run from an UNC
path. I've already used CASPOL to add FullTrust to the UNC.

The error that occurs us the following:
System.InvalidOperationException was unhandled
Message="An error occurred creating the form. See Exception.InnerException
for details. The error is: Request for the permission of type
'System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0,
Culture=neutral, PublicKeyToken=b77a5c561934e089' failed."
Source="TMD"
StackTrace:
at TMD.My.MyProject.MyForms.Create__Instance__[T](T Instance)
at TMD.My.MyApplication.OnCreateSplashScreen()
at
Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.ShowSplashScreen()
at
Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.OnInitialize(ReadOnlyCollection`1 commandLineArgs)
at
Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.DoApplicationModel()
at
Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.Run(String[] commandLine)
at TMD.My.MyApplication.Main(String[] Args)

It seems to happen when the app tries to show the SplashScreen

 

[Norman Yuan]

It is obviously the security/permission issue. In order to run .NET code
from a network share, you need to

1. Give user necessary file access permission, read and execute, whether it
is .NET file or not;
2. Allow .NET code from outside computer to run with CASPOL tool.

Are you sure you have done both correctly? I do not see there is other
reasons.

 

[Guest]

Hi Norman,

The user (myself) has full access (on OS level) to the UNC share.

The CASPOL call is:
caspol -q -m -ag 1.2. -url file://SERVER/Share/* FullTrust

--
Adri
Programmers do it Bit by Bit

It is obviously the security/permission issue. In order to run .NET code
from a network share, you need to

1. Give user necessary file access permission, read and execute, whether it
is .NET file or not;
2. Allow .NET code from outside computer to run with CASPOL tool.

Are you sure you have done both correctly? I do not see there is other
reasons.

I've built an localised .NET 2.0 application, which runs fine on my
development machine. But when I deploy the app, it fails to run from an
UNC
path. I've already used CASPOL to add FullTrust to the UNC.

The error that occurs us the following:
System.InvalidOperationException was unhandled
Message="An error occurred creating the form. See
Exception.InnerException
for details. The error is: Request for the permission of type
'System.Security.Permissions.SecurityPermission, mscorlib,
Version=2.0.0.0,
Culture=neutral, PublicKeyToken=b77a5c561934e089' failed."
Source="TMD"
StackTrace:
at TMD.My.MyProject.MyForms.Create__Instance__[T](T Instance)
at TMD.My.MyApplication.OnCreateSplashScreen()
at
Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.ShowSplashScreen()
at
Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.OnInitialize(ReadOnlyCollection`1
commandLineArgs)
at
Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.DoApplicationModel()
at
Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.Run(String[]
commandLine)
at TMD.My.MyApplication.Main(String[] Args)

It seems to happen when the app tries to show the SplashScreen

 

[Norman Yuan]

I usually do this (to give permission to run .NET code from a network share
on our LAN) by using .NET Framework Configuration console in "Control
Panel->Administrative Tools" and it always workd. Can you try that, instead
of CASPOL.exe at command line? (Although the result should be the same, if
you do it correctly.) Just give it a try to prove you did it correctly with
caspol.exe command line.

If you have not done that in .NET framework configuration console, following
these steps:

1. Open "Control Panel->Administrative Tools->.NET Framework 2.0
Configuration";
2. Select node "Console Root->.Net Framework 2.0 Configuration->My
Computer->Runtime Security Policy->Machine->Code Groups->All_Code" and
right-click, select "New...";
3. Select "Create a new code group" radio button and enter code group name
of your choice; click "Next";
4. In dropdown list, choose "URL" and enter URL (such as
file://theserver/theshare/myCodeFolder/*); click "Next";
5. Select a existing permission set, such as "FullTrust"; click "Next" and
then "Finish".

Now test your app. It should work (It work on a few of my Win form apps,
including .NET1.1 and 2.0 apps)

Hi Norman,

The user (myself) has full access (on OS level) to the UNC share.

The CASPOL call is:
caspol -q -m -ag 1.2. -url file://SERVER/Share/* FullTrust

--
Adri
Programmers do it Bit by Bit

It is obviously the security/permission issue. In order to run .NET code
from a network share, you need to

1. Give user necessary file access permission, read and execute, whether
it
is .NET file or not;
2. Allow .NET code from outside computer to run with CASPOL tool.

Are you sure you have done both correctly? I do not see there is other
reasons.

I've built an localised .NET 2.0 application, which runs fine on my
development machine. But when I deploy the app, it fails to run from an
UNC
path. I've already used CASPOL to add FullTrust to the UNC.

The error that occurs us the following:
System.InvalidOperationException was unhandled
Message="An error occurred creating the form. See
Exception.InnerException
for details. The error is: Request for the permission of type
'System.Security.Permissions.SecurityPermission, mscorlib,
Version=2.0.0.0,
Culture=neutral, PublicKeyToken=b77a5c561934e089' failed."
Source="TMD"
StackTrace:
at TMD.My.MyProject.MyForms.Create__Instance__[T](T Instance)
at TMD.My.MyApplication.OnCreateSplashScreen()
at
Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.ShowSplashScreen()
at
Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.OnInitialize(ReadOnlyCollection`1
commandLineArgs)
at
Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.DoApplicationModel()
at
Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.Run(String[]
commandLine)
at TMD.My.MyApplication.Main(String[] Args)

It seems to happen when the app tries to show the SplashScreen

 

[Guest]

Hi Norman,

The target machine has only the .NET 2.0 Runtime installed, and therefor
there is no ".NET Framework 2.0 Configuration" available on the
"Administrative Tools". That's why I used CASPOL

--
Adri
Programmers do it Bit by Bit

I usually do this (to give permission to run .NET code from a network share
on our LAN) by using .NET Framework Configuration console in "Control
Panel->Administrative Tools" and it always workd. Can you try that, instead
of CASPOL.exe at command line? (Although the result should be the same, if
you do it correctly.) Just give it a try to prove you did it correctly with
caspol.exe command line.

If you have not done that in .NET framework configuration console, following
these steps:

1. Open "Control Panel->Administrative Tools->.NET Framework 2.0
Configuration";
2. Select node "Console Root->.Net Framework 2.0 Configuration->My
Computer->Runtime Security Policy->Machine->Code Groups->All_Code" and
right-click, select "New...";
3. Select "Create a new code group" radio button and enter code group name
of your choice; click "Next";
4. In dropdown list, choose "URL" and enter URL (such as
file://theserver/theshare/myCodeFolder/*); click "Next";
5. Select a existing permission set, such as "FullTrust"; click "Next" and
then "Finish".

Now test your app. It should work (It work on a few of my Win form apps,
including .NET1.1 and 2.0 apps)

Hi Norman,

The user (myself) has full access (on OS level) to the UNC share.

The CASPOL call is:
caspol -q -m -ag 1.2. -url file://SERVER/Share/* FullTrust

--
Adri
Programmers do it Bit by Bit

It is obviously the security/permission issue. In order to run .NET code
from a network share, you need to

1. Give user necessary file access permission, read and execute, whether
it
is .NET file or not;
2. Allow .NET code from outside computer to run with CASPOL tool.

Are you sure you have done both correctly? I do not see there is other
reasons.


I've built an localised .NET 2.0 application, which runs fine on my
development machine. But when I deploy the app, it fails to run from an
UNC
path. I've already used CASPOL to add FullTrust to the UNC.

The error that occurs us the following:
System.InvalidOperationException was unhandled
Message="An error occurred creating the form. See
Exception.InnerException
for details. The error is: Request for the permission of type
'System.Security.Permissions.SecurityPermission, mscorlib,
Version=2.0.0.0,
Culture=neutral, PublicKeyToken=b77a5c561934e089' failed."
Source="TMD"
StackTrace:
at TMD.My.MyProject.MyForms.Create__Instance__[T](T Instance)
at TMD.My.MyApplication.OnCreateSplashScreen()
at
Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.ShowSplashScreen()
at
Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.OnInitialize(ReadOnlyCollection`1
commandLineArgs)
at
Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.DoApplicationModel()
at
Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.Run(String[]
commandLine)
at TMD.My.MyApplication.Main(String[] Args)

It seems to happen when the app tries to show the SplashScreen

 

[Kevin Yu [MSFT]]

Hi Adri,

Please try to grant FullTrust permission to Intranet on the machine that
runs the code to see if this can work.

Kevin Yu
Microsoft Online Community Support

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.
Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================

(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Guest]

Hi Kevin,

Tried to give FullTrust to the Intranet, but it still doesn't work

 

[Norman Yuan]

It is big mistake that MS leave .NET 2.0 configuration applet (the GUI tool
equivalent of CASPOL.exe) out of .NET redistribution and make it only
avalable in SDK. MS should really do the otherway around: SDK is for
developers, who are really should be a bit better that other users to use a
commandline tool. Come on, MS, is it a good idea to promote WINDOWS by
giving a so important utility tool in a old DOS way? Is MS tired of use its
own GUI? I really hope the .NET 2.0 Configuration applet can be added back
to 2.0 framework redistribution in upcoming SP1, or 3.0.

 

[Norman Yuan]

Sorry, I never used CASPOL commandline. You make want to try this to see if
you can get the Configuration applet to the computer with this link:

http://www.mcse.ms/archive102-2005-12-1950554.html

At least, with GUI tool, you could easily change/test your security
settings, IMO, MS made mistake to give the applet to SDK user/developer
only.

Hi Norman,

The target machine has only the .NET 2.0 Runtime installed, and therefor
there is no ".NET Framework 2.0 Configuration" available on the
"Administrative Tools". That's why I used CASPOL

--
Adri
Programmers do it Bit by Bit

I usually do this (to give permission to run .NET code from a network
share
on our LAN) by using .NET Framework Configuration console in "Control
Panel->Administrative Tools" and it always workd. Can you try that,
instead
of CASPOL.exe at command line? (Although the result should be the same,
if
you do it correctly.) Just give it a try to prove you did it correctly
with
caspol.exe command line.

If you have not done that in .NET framework configuration console,
following
these steps:

1. Open "Control Panel->Administrative Tools->.NET Framework 2.0
Configuration";
2. Select node "Console Root->.Net Framework 2.0 Configuration->My
Computer->Runtime Security Policy->Machine->Code Groups->All_Code" and
right-click, select "New...";
3. Select "Create a new code group" radio button and enter code group
name
of your choice; click "Next";
4. In dropdown list, choose "URL" and enter URL (such as
file://theserver/theshare/myCodeFolder/*); click "Next";
5. Select a existing permission set, such as "FullTrust"; click "Next"
and
then "Finish".

Now test your app. It should work (It work on a few of my Win form apps,
including .NET1.1 and 2.0 apps)

Hi Norman,

The user (myself) has full access (on OS level) to the UNC share.

The CASPOL call is:
caspol -q -m -ag 1.2. -url file://SERVER/Share/* FullTrust

--
Adri
Programmers do it Bit by Bit


:

It is obviously the security/permission issue. In order to run .NET
code
from a network share, you need to

1. Give user necessary file access permission, read and execute,
whether
it
is .NET file or not;
2. Allow .NET code from outside computer to run with CASPOL tool.

Are you sure you have done both correctly? I do not see there is other
reasons.


I've built an localised .NET 2.0 application, which runs fine on my
development machine. But when I deploy the app, it fails to run from
an
UNC
path. I've already used CASPOL to add FullTrust to the UNC.

The error that occurs us the following:
System.InvalidOperationException was unhandled
Message="An error occurred creating the form. See
Exception.InnerException
for details. The error is: Request for the permission of type
'System.Security.Permissions.SecurityPermission, mscorlib,
Version=2.0.0.0,
Culture=neutral, PublicKeyToken=b77a5c561934e089' failed."
Source="TMD"
StackTrace:
at TMD.My.MyProject.MyForms.Create__Instance__[T](T Instance)
at TMD.My.MyApplication.OnCreateSplashScreen()
at
Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.ShowSplashScreen()
at
Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.OnInitialize(ReadOnlyCollection`1
commandLineArgs)
at
Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.DoApplicationModel()
at
Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.Run(String[]
commandLine)
at TMD.My.MyApplication.Main(String[] Args)

It seems to happen when the app tries to show the SplashScreen

 

[Jim Wooley]

Please try to grant FullTrust permission to Intranet on the machine

that runs the code to see if this can work.

Kevin Yu
Microsoft Online Community Support

This is just the kind of recommendation I was afraid of when I first heard
about CAS. What is the purpose of establishing an Intranet zone and giving
it specific permissions, when at the first case of an issue, you just recommend
opening up the flood gates and granting full trust? Why not just set it as
full trust to begin with. Honestly, I would much rather see a more granular
approach to the recommendation, including strong naming the project in question
and granting only the necessary CAS rights based on the strong name. I understand
how it is easier to make a quick recommendation, but often the easiest answer
will only turn around and bit you in the long run.

Jim Wooley
http://devauthority.com/blogs/jwooley/default.asp

 

[Kevin Yu [MSFT]]

Hi Adri,

This is really weird. Based on the stack trace, it fails at the beginning
when splash screen shows. Are you doing anything special on the splash
screen showing? For example, are your writing to some file, while you don't
have permission writing to that shared folder? Please also try to give full
control of that UNC to your account.

Kevin Yu
Microsoft Online Community Support
==================================================

(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Guest]

Hi Kevin

It's just a regular splash-screen, derived from the VS2005 template. The
only modifications I've done are adding an animated GIF to the picture box
and stting the Localizable property to True.

I have Full Control to the UNC where the aplication is run from.

Regards,

 

[Kevin Yu [MSFT]]

Hi Adri,

Can you try to run this app again if you have another machine that have
.NET framework installed? If it works fine on that machine, please
re-install .NET framework on you machine. Is the version of .NET framework
you've developed on the same to the one it is running on?

If that still doesn't help, could you please send me a copy of your app by
email? Remove 'online' from the nospam alias is my real email? I'll check
it ASAP. Thank you!

Kevin Yu
Microsoft Online Community Support
==================================================

(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Kevin Yu [MSFT]]

Hi Adri,

Thanks for your repro code. I tried to run the app on serveral computers
that has only .NET framework 2.0 installed.

At the beginning, when I run the .exe directly from the UNC path, the app
crashed as desired. But after the .cmd is executed, the app loads OK.

Is the directory file://devnov/TrademarkDirectory/ containing TMD.exe file
directly?

Kevin Yu
Microsoft Online Community Support
==================================================

(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Guest]

Hi Kevin,

Yes, the directory "file://devnov/TrademarkDirectory/" contains the TMD.exe
file.

The commandline to invoke the application is
"\\DEVNOV\TrademarkDirectory\TMD.exe"
with workingdirectory "\\DEVNOV\TrademarkDirectory"

Regards,

 

[Kevin Yu [MSFT]]

Hi Adri,

Could you also try to check the minimum grand set of permission your
TMD.EXE requires. The following Permission Calculator tools can do it for
you.

http://msdn2.microsoft.com/en-us/library/ms165077.aspx

I used

permcalc -sandbox tmd.exe

on my machine and it returns the following.

<?xml version="1.0" ?>
<Sandbox>
<PermissionSet version="1" class="System.Security.PermissionSet">
<IPermission version="1"
class="System.Security.Permissions.EnvironmentPermission, mscorlib,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
Unrestricted="true" />
<IPermission version="1"
class="System.Security.Permissions.FileIOPermission, mscorlib,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
Unrestricted="true" />
<IPermission version="1"
class="System.Security.Permissions.ReflectionPermission, mscorlib,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
Unrestricted="true" />
<IPermission version="1"
class="System.Security.Permissions.RegistryPermission, mscorlib,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
Unrestricted="true" />
<IPermission version="1"
class="System.Security.Permissions.SecurityPermission, mscorlib,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
Flags="UnmanagedCode, Execution, ControlEvidence, ControlPrincipal,
ControlAppDomain" />
<IPermission Window="AllWindows" Clipboard="OwnClipboard" version="1"
class="System.Security.Permissions.UIPermission, mscorlib, Version=2.0.0.0,
Culture=neutral, PublicKeyToken=b77a5c561934e089" />
<IPermission version="1"
class="System.Security.Permissions.KeyContainerPermission, mscorlib,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
Unrestricted="true" />
<IPermission version="1"
class="System.Data.SqlClient.SqlClientPermission, System.Data,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
Unrestricted="true" />
<IPermission version="1" class="System.Diagnostics.EventLogPermission,
System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
Unrestricted="true" />
</PermissionSet>
</Sandbox>

Please check if these permission sets are met. If not, add them.

If that still doesn't work, you can also add a strong name key to the .exe
file and make the machine trust the key instead of trusting the shared
folder.

Please let me know the results after you try it.

Kevin Yu
Microsoft Online Community Support

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.
Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================

(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Guest]

Hello Kevin,

I've done some more investigation (using caspol.exe), but I've found out
some interesting behaviour that I can't explain.

I've done a CASPOL -rsg 'assemblyname' on my machine, where everything runs
perfect and issued the same command on the machine where it went wrong.

Examine the following results on my machine:
caspol -lg
Microsoft (R) .NET Framework CasPol 2.0.50727.42
Copyright (c) Microsoft Corporation. All rights reserved.

Security is ON
Execution checking is ON
Policy change prompt is ON

Level = Machine

Code Groups:

1. All code: Nothing
1.1. Zone - MyComputer: FullTrust
1.1.1. StrongName -
002400000480000094000000060200000024000052534131000400000100010007D1FA57C4AED9F0A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C834C99921EB23BE79AD9D5DCC1DD9AD236132102900B723CF980957FC4E177108FC607774F29E8320E92EA05ECE4E821C0A5EFE8F1645C4C0C93C1AB99285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF0FC4963D261C8A12436518206DC093344D5AD293: FullTrust
1.1.2. StrongName - 00000000000000000400000000000000: FullTrust
1.2. Zone - Intranet: LocalIntranet
1.2.1. All code: Same site Web
1.2.2. All code: Same directory FileIO - 'Read, PathDiscovery'
1.2.3. Url - file://devnov/TrademarkDirectory/*: FullTrust <-- the
added trust...
1.3. Zone - Internet: Internet
1.3.1. All code: Same site Web
1.4. Zone - Untrusted: Nothing
1.5. Zone - Trusted: Internet
1.5.1. All code: Same site Web
Success

And now resolve the appropriate group...

caspol -rsg \\devnov\trademarkdirectory\TMD.exe
Microsoft (R) .NET Framework CasPol 2.0.50727.42
Copyright (c) Microsoft Corporation. All rights reserved.


Level = Enterprise

Code Groups:

1. All code: FullTrust


Level = Machine

Code Groups:

1. All code: Nothing
1.2. Zone - Intranet: LocalIntranet
1.2.1. All code: Same site Web
1.2.2. All code: Same directory FileIO - 'Read, PathDiscovery'
1.2.3. Url - file://devnov/TrademarkDirectory/*: FullTrust <-- is OK


Level = User

Code Groups:

1. All code: FullTrust

Success

On the other hand, the results of caspol -rsg differ on the machine where
TMD.exe won't run (I've omitted the results of caspol -lg, because they are
the same)

caspol -rsg \\devnov\trademarkdirectory\TMD.exe
Microsoft (R) .NET Framework CasPol 2.0.50727.42
Copyright (c) Microsoft Corporation. All rights reserved.


Level = Enterprise

Code Groups:

1. All code: FullTrust


Level = Machine

Code Groups:

1. All code: Nothing
1.5. Zone - Trusted: Internet
1.5.1. All code: Same site Web


Level = User

Code Groups:

1. All code: FullTrust

Success

It seems to be that the application runs in a different zone. I can't figure
out what causes this...

 

[Kevin Yu [MSFT]]

Hi Adri,

It seems that this site is in the different zone. Have you ever added this
site to trusted zone? Please check it in the internet settings.

Kevin Yu
Microsoft Online Community Support

==================================================


(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Guest]

Hi Kevin,

Thanks for your hit. It appeared that on the PC's where the app didn't work
the site was added to the trusted zone. After removing the site from the
trusted zone, the app worked quite fine. Also giving the UNC Share FullTrust
permissons to the Trusted Zone group (and the site back in the trusted sites)
gave correct results.

Regards,

 

[Kevin Yu [MSFT]]

Great, Adri! It was nice to know that this issue is resolved. Thanks for
sharing your experience with all the people here. If you have any
questions, please feel free to post them in the community.

Kevin Yu
Microsoft Online Community Support
==================================================

(This posting is provided "AS IS", with no warranties, and confers no
rights.)