.NET Security

GMiller

I am fairly new to .NET programming so this may be a simplistic
question. I wrote a C# application that reads and writes files. If
the program resides on a local drive everything is fine. If the
program resides on a network drive then I get the following error.

System.Security.SecurityException: Request for the permission of type
'System.Security.Permissions.FileIOPermission, mscorlib,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
failed.
at System.Security.CodeAccessSecurityEngine.Check(Object demand,
StackCrawlMark& stackMark, Boolean isPermSet)
at System.Security.CodeAccessPermission.Demand()
at System.IO.Directory.GetCurrentDirectory()
at Transmitter.TransmProcess.GetFiles(Form1 oTWin, String sDirPath)
The action that failed was:
Demand
The type of the first permission that failed was:
System.Security.Permissions.FileIOPermission
The Zone of the assembly that failed was:
Intranet

I have tried the following with no luck. Any suggestions?
FileIOPermission f = new FileIOPermission(PermissionState.Unrestricted);
f.AllFiles = FileIOPermissionAccess.AllAccess;


Thanks,

Gary
 
Nicholas Paldino [.NET/C# MVP]

Gary,

The problem here is that you are running it off a network drive. Code
that resides on the local drive typically is given unrestricted freedom.
When running off a network drive (or the internet, which is even more
restrictive), the thinking here is that since the code came from a place not
on your machine (which you probably have less control over than your own
machine), it shouldn't be trusted.

In order to get around this, you have to go to the .NET Framework
Configuration tool, located in the Administrative Tools for your machine.
Once you have that, you can add a new code group to the runtime security
policy for the user or machine. In this code group, you identify your app
(through location, hash, or strong name. Signing your app with a strong
name key is the best bet in this scenario, as recompiles will mess with your
hash), and then you can assign it Full Trust, or whatever permissions subset
is required to run your application.

Hope this helps.
 
Alberto Poblacion

GMiller said:
[...] If
the program resides on a local drive everything is fine. If the
program resides on a network drive then I get the following error.

System.Security.SecurityException: Request for the permission of type
'System.Security.Permissions.FileIOPermission,
[...]
I have tried the following with no luck. Any suggestions?
FileIOPermission f = new FileIOPermission(PermissionState.Unrestricted);
f.AllFiles = FileIOPermissionAccess.AllAccess;

No, you don't fix it in code from within the program. This is the .Net
runtime protecting you against a potentially harmful program. Since you are
running the executable from a network drive, and the framework does not know
that this location is trusted, it defaults to limiting the permissions of
the program.
You can grant additional permissions to the programs downloaded from
that location from the Control Panel, Administrative tools, .Net Framework
Configuration. This has to be done at every PC that needs to trust that
location. This configuration tool comes with the Framework v1, but not with
v2; if you have v2 you can get the configuration tool with the framework
SDK.
Another tool that serves the same purpose is CASPOL.exe. You run it from
a command prompt with various parameters that determine the permissions to
grant.
If you need to configure multiple computers, you create an enterprise
policy from control panel at a computer that has the framework configuration
tool installed. The tool can then generate a .msi that you can then install
at the rest of the computers. This can be automated via group policy if it
needs to be deployed in a large organization.
 
GMiller

Nicholas
Thanks for the quick answer. A couple of questions.

Is there a "best" way to handle this? Should I simply require a user
to run the application on a local drive and not a network drive?

How do I 'sign' my application for the security policy?

Exactly where under the .NET configuration tool do I assign the
security policy?

Thanks,

Gary
 
Nicholas Paldino [.NET/C# MVP]

Gary,

Well, having it on the local drive as opposed to the network drive is
not any big deal, but you do have to worry about re-deploying the app every
time it changes, which is what I imagine the reason for putting it on a
network share is.

If you want a better deployment story, look at ClickOnce. It is an
install/update mechanism in .NET which will help with all of these issues.
 
GMiller

I set the security policy to "full trust" at the machine level and I
still receive the same error. It seems like I'm missing the obvious
here.

Thanks,

Gary
 
Alberto Poblacion

GMiller said:
I set the security policy to "full trust" at the machine level and I
still receive the same error. It seems like I'm missing the obvious
here.

"full trust" at the machine level ... and what code group? If your
server is on the "local intranet", and you apply "full trust" to the
local_intranet group at machine level, it should work ... unless inferior
permissions are assigned at the user or enterprise level, since you get the
intersection of the three permission sets (by default these two levels are
set to full trust so you should have no problems).
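
Added example (not part of any post in this thread): a C# console program for .NET Framework 2.0 that reports what each policy level grants to an assembly and the intersection of those grants, which is also why constructing a FileIOPermission object in code changes nothing. It assumes it is run from a local drive with full trust, with the path of the assembly on the share passed as the first argument; the class name CasPolicyReport is hypothetical.

```csharp
// Added diagnostic example for .NET Framework 2.0 code access security.
// Assumption: run from a local drive (full trust); args[0] is the assembly on the share.
using System;
using System.Collections;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

class CasPolicyReport
{
    static void Main(string[] args)
    {
        // Evidence the loader computes for the target: URL, zone, hash, strong name.
        Evidence evidence = Assembly.LoadFrom(args[0]).Evidence;
        foreach (object item in evidence)
        {
            Zone zone = item as Zone;
            if (zone != null)
                Console.WriteLine("Zone: " + zone.SecurityZone);
        }

        // The permission demanded by Directory.GetCurrentDirectory() in the stack trace.
        PermissionSet needed = new PermissionSet(PermissionState.None);
        needed.AddPermission(new FileIOPermission(PermissionState.Unrestricted));

        // Start from "everything" and narrow it with each level's grant.
        // Simplification: the LevelFinal code-group attribute is not taken into account.
        PermissionSet effective = new PermissionSet(PermissionState.Unrestricted);
        IEnumerator levels = SecurityManager.PolicyHierarchy();
        while (levels.MoveNext())
        {
            PolicyLevel level = (PolicyLevel)levels.Current;
            PermissionSet granted = level.Resolve(evidence).PermissionSet;
            Console.WriteLine("{0,-10} full trust: {1,-5} file I/O: {2}",
                level.Label, granted.IsUnrestricted(), needed.IsSubsetOf(granted));

            // Intersect returns null when nothing is left in common.
            effective = effective.Intersect(granted)
                        ?? new PermissionSet(PermissionState.None);
        }

        Console.WriteLine("{0,-10} full trust: {1,-5} file I/O: {2}",
            "Effective", effective.IsUnrestricted(), needed.IsSubsetOf(effective));
    }
}
```

A level that prints "file I/O: False" is the one whose code groups still need changing for that assembly's evidence.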
 
PS

GMiller said:
I am fairly new to .NET programming so this may be a simplistic
question. I wrote a C# application that reads and writes files. If
the program resides on a local drive everything is fine. If the
program resides on a network drive then I get the following error.

System.Security.SecurityException: Request for the permission of type
'System.Security.Permissions.FileIOPermission, mscorlib,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
failed.
at System.Security.CodeAccessSecurityEngine.Check(Object demand,
StackCrawlMark& stackMark, Boolean isPermSet)
at System.Security.CodeAccessPermission.Demand()
at System.IO.Directory.GetCurrentDirectory()
at Transmitter.TransmProcess.GetFiles(Form1 oTWin, String sDirPath)
The action that failed was:
Demand
The type of the first permission that failed was:
System.Security.Permissions.FileIOPermission
The Zone of the assembly that failed was:
Intranet

I have tried the following with no luck. Any suggestions?
FileIOPermission f = new FileIOPermission(PermissionState.Unrestricted);
f.AllFiles = FileIOPermissionAccess.AllAccess;

%windir%\Microsoft.Net\Framework\v2.0.50727\caspol -cg 1.2 FullTrust will
allow "intranet" applications to run. Note that referencing an IP address
will make this an "internet" zone so use UNC. IE7 can also change the
interpretation of "intranet" so Tools / Options / Security and add server
name to Local Intranet if necessary.

PS
 
