.NET security question

A

Adam J. Rosen

A coworker is trying to run a .Net winforms application from a network share
(shared from my computer). When he tries to execute it, he gets a "Request
Failed" message - a bit of poking reveals that this is a security issue,
presumably from running on a network share (and accessing a DB on the
network share) without any permissions set on the app. Setting the trust
level to full access fixes the problem, but when I recompile an put a new
copy there, he has to go through that process again.

Is there a way that I can release new builds without him having to
're-trust'? Does signing assemblies help in here? Also, is there anything an
app can do, aside from detect and degrade/exit gracefully when network
access is denied? I assume a program can't request higher access, as that
would defeat the purpose of having to trust code manually.

Any info greatly appreciated!

Adam
 
M

mikeb

Adam said:
A coworker is trying to run a .Net winforms application from a network share
(shared from my computer). When he tries to execute it, he gets a "Request
Failed" message - a bit of poking reveals that this is a security issue,
presumably from running on a network share (and accessing a DB on the
network share) without any permissions set on the app. Setting the trust
level to full access fixes the problem, but when I recompile an put a new
copy there, he has to go through that process again.

Is there a way that I can release new builds without him having to
're-trust'? Does signing assemblies help in here? Also, is there anything an
app can do, aside from detect and degrade/exit gracefully when network
access is denied? I assume a program can't request higher access, as that
would defeat the purpose of having to trust code manually.

Any info greatly appreciated!
Click to expand...

Signing assemblies would possibly help, as he can create a security
policy that grants increased (or full) trust to assemblies signed with
your key pair.

This can be done by having him set up a security code group based on
'Publisher'.

Note that if you sign assemblies to get increased permissions, you will
probably need to mark the assemblies with the
AllowPartiallyTrustedCallers attribute - see the articles referenced at
the end of this post for details.

You can also use the Runtime Security Policy tool to add what ever
permissions are required to the 'LocalIntranet_Zone' code group, and
code that runs from a network share will gain those permissions. If the
intranet is secure and trusted, you could probably simply assign 'Full
Trust' to that zone.

It's also possible for him to assign a security policy code group based on:

'Site', which means that it's associated with a particular DNS
machine name/port combination

'URL'


Chris Sells has written some good articles that detail running WinForms
from URLs and/or network shares:

http://msdn.microsoft.com/msdnmag/issues/02/07/NetSmartClients/


http://msdn.microsoft.com/library/en-us/dnforms/html/winforms11122002.asp

As for an application detecting and handling lowered trust gracefully,
the app can make security 'demands' that enable it to determine whether
a particular security permission is granted or not at run-time. See the
SDK for details on how that works.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Error when trying to create a instance of a class on the network 2
v3.5 SP1 issue with previous versions 3
Full trust for unsigned assembly on a network 2
Running .NET apps from shared folders 1
Security Issue: run app from network drive (v3.5 + v1.1) 1
Newbie Question: Trust an Assembly Wizard 1
Code Access Security issue 6
Security: Shared Drive and EXE 1

Top