Run ado.net application from network share requires FullTrust permission set?


Jahyen

Is there any way to get an assembly to run from a network share with less than FullTrust permission set? I've tried adding SQL Client permission to the permission set that's assigned to the LocalIntranet but I still get a SecurityException thrown for SqlClientPermission.

Here's the error:
An unhandled exception of type 'System.Security.SecurityException' occurred in system.data.dll
Additional information: Request for the permission of type System.Data.SqlClient.SqlClientPermission, System.Data, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.

I've also tried signing the assembly and granting it LocalIntranet + SQL Client, Everything or FullTrust permissions. The only way it will run correctly is if I give it the FullTrust permission set. Is it possible to run an ado.net application without assigning the FullTrust permission set?
 

Nicole Calinoiu

In version 1.0 of the .NET Framework, the SqlClient provider did not permit
partially trusted callers (see, for example,
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconcodeaccesssecurityadonet.asp).
This is no longer the case in version 1.1 of the .NET Framework. Unless
you're willing to either run your application as a fully trusted assembly or
create and distribute a fully trusted intermediate proxy, upgrading to 1.1
might be your best bet.


 

Jahyen

I thought I was running version 1.1 -- All the dependent framework dlls
(including system.data.dll) are 1.0.5000.0.
Is there something else that I ought to be checking?

thanks!
 

Nicole Calinoiu

Sorry, I didn't read your original post carefully enough. The problem is
not that your assembly requires full trust. It needs an appropriate
SqlClientPermission, and it looks like the problem lies with how you are
attempting to set the policy to allow this permission to be granted. Try
these steps:

1. Revert your policy settings back to their previous settings.
2. At the machine policy level...
   a. Create a new permission set that grants an appropriate SqlClientPermission.
   b. Under the LocalIntranet_Zone code group, create a new child group that uses your strong name for its membership condition.
   c. Use the permission set created in step 2.a for the new code group.

With the above setup, your assembly should be granted the
SqlClientPermission if it meets the criteria for both the intranet zone and
the targeted strong name.

HTH,
Nicole
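
The steps above expressed as caspol commands in a PowerShell script. This is an added example, not part of the original post: the permission-set name SqlClientOnly, the code-group name Contacts_SqlClient and the temp-file path are assumptions, and -reset is only a valid "revert" if the previous machine policy was the framework default.

```powershell
# Added example (not from the thread). Run from an elevated prompt:
# changing machine-level CAS policy requires administrator rights.
$caspol   = Join-Path $env:windir 'Microsoft.NET\Framework\v1.1.4322\caspol.exe'
$assembly = '\\intranet.local\contacts\contacts.exe'    # share path shown in the thread's output
$psetFile = Join-Path $env:TEMP 'SqlClientOnly.xml'     # assumed scratch location

# Step 2.a: a named permission set that carries ONLY SqlClientPermission.
# The default code groups are union groups, so the child group's grant is
# added to the LocalIntranet set the parent zone group already provides;
# the set does not need to repeat the LocalIntranet permissions.
# Unrestricted="true" mirrors the grant posted in the thread; narrow it
# if the application only needs specific connection strings.
@'
<PermissionSet class="System.Security.NamedPermissionSet" version="1"
               Name="SqlClientOnly"
               Description="SqlClientPermission for the signed intranet assembly">
  <IPermission class="System.Data.SqlClient.SqlClientPermission, System.Data, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
               version="1"
               Unrestricted="true"/>
</PermissionSet>
'@ | Set-Content -Path $psetFile -Encoding ASCII

# Step 1: return machine policy to the default state (-quiet skips the prompt).
& $caspol -quiet -machine -reset

# Step 2.a (continued): register the permission set at machine level.
& $caspol -quiet -machine -addpset $psetFile

# Steps 2.b and 2.c: child group under LocalIntranet_Zone whose membership
# condition is the strong-name key read from the assembly. -noname and
# -noversion match any assembly signed with that key; pass the assembly
# name instead of -noname to narrow the condition.
& $caspol -quiet -machine -addgroup LocalIntranet_Zone `
    -strong -file $assembly -noname -noversion `
    SqlClientOnly -name Contacts_SqlClient

# Verify: list the code groups the assembly matches, then its resolved grant.
& $caspol -resolvegroup $assembly
& $caspol -resolveperm  $assembly
```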
 

Jahyen

Thank you so much for your help so far.

I've tried the steps you outline below but now get a SecurityException
without the SQLClient message. Unfortunately, catching the exception and
trying to debug is unhelpful as trying to access any useful fields in the
exception such as GrantedSet, PermissionState, RefusedSet and TargetSite
results in another SecurityException.

My custom permission set is based on the LocalIntranet permission set,
adding the SQL client permission (unrestricted).

Using caspol -rsg confirms that the membership is set up as described in
your message; using caspol -rsp I can see a SQLClientPermission in the
permission set. I've attached the results of running caspol -rsg and -rsp
below.

Let me know if you have any other suggestions.

thanks!

Jahyen.
-----
caspol -rsg
Microsoft (R) .NET Framework CasPol 1.1.4322.573
Copyright (C) Microsoft Corporation 1998-2002. All rights reserved.


Level = Enterprise

Code Groups:

1. All code: FullTrust


Level = Machine

Code Groups:

1. All code: Nothing
1.2. Zone - Intranet: LocalIntranet
1.2.1. All code: Same site Web.
1.2.2. All code: Same directory FileIO - Read, PathDiscovery
1.2.3. StrongName -
002400000480000094000000060200000024000052534131000400000100010025714CFA96F5
C44412EAA70F06EA6474D61B5B5FE22F723D9E944A8BF96F3655271DF7EF481FBEDB16D32D1C
B317ED03FA3A4CC2F4F79DC74D54822D66935AFED5AEC84EE47FD89A29DA78C70F0D76207160
0C86509081BDE1BF82B509B0A0893CC9E03D08CB999AAF3E1A609460AEAEEF5A8448E977CDE7
07BF42C4242861C2: LocalIntranet + SQL Client


Level = User

Code Groups:

1. All code: FullTrust

Success
-------------------------------------
caspol -rsp

Microsoft (R) .NET Framework CasPol 1.1.4322.573
Copyright (C) Microsoft Corporation 1998-2002. All rights reserved.

Resolving permissions for level = Enterprise
Resolving permissions for level = Machine
Resolving permissions for level = User

Grant =
<PermissionSet class="System.Security.PermissionSet"
version="1">
<IPermission class="System.Security.Permissions.EnvironmentPermission,
mscorlib, Version=1.0.5000.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089"
version="1"
Read="USERNAME"/>
<IPermission class="System.Security.Permissions.FileDialogPermission,
mscorlib, Version=1.0.5000.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089"
version="1"
Unrestricted="true"/>
<IPermission class="System.Security.Permissions.FileIOPermission,
mscorlib, Version=1.0.5000.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089"
version="1"
Read="\\intranet.local\contacts\"
PathDiscovery="\\intranet.local\contacts\"/>
<IPermission
class="System.Security.Permissions.IsolatedStorageFilePermission, mscorlib,
Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Allowed="AssemblyIsolationByUser"
UserQuota="9223372036854775807"
Expiry="9223372036854775807"
Permanent="True"/>
<IPermission class="System.Security.Permissions.ReflectionPermission,
mscorlib, Version=1.0.5000.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089"
version="1"
Flags="ReflectionEmit"/>
<IPermission class="System.Security.Permissions.SecurityPermission,
mscorlib, Version=1.0.5000.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089"
version="1"
Flags="Assertion, Execution, BindingRedirects"/>
<IPermission class="System.Security.Permissions.UIPermission, mscorlib,
Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Unrestricted="true"/>
<IPermission class="System.Net.DnsPermission, System, Version=1.0.5000.0,
Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Unrestricted="true"/>
<IPermission class="System.Drawing.Printing.PrintingPermission,
System.Drawing, Version=1.0.5000.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a"
version="1"
Level="DefaultPrinting"/>
<IPermission class="System.Diagnostics.EventLogPermission, System,
Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1">
<Machine name="."
access="Instrument"/>
</IPermission>
<IPermission class="System.Data.SqlClient.SqlClientPermission,
System.Data, Version=1.0.5000.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089"
version="1"
Unrestricted="true"/>
<IPermission
class="System.Security.Permissions.StrongNameIdentityPermission, mscorlib,
Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"

PublicKeyBlob="0024000004800000940000000602000000240000525341310004000001000
10025714CFA96F5C44412EAA70F06EA6474D61B5B5FE22F723D9E944A8BF96F3655271DF7EF4
81FBEDB16D32D1CB317ED03FA3A4CC2F4F79DC74D54822D66935AFED5AEC84EE47FD89A29DA7
8C70F0D762071600C86509081BDE1BF82B509B0A0893CC9E03D08CB999AAF3E1A609460AEAEE
F5A8448E977CDE707BF42C4242861C2"
Name="Contacts"
AssemblyVersion="1.0.1653.30918"/>
<IPermission class="System.Security.Permissions.UrlIdentityPermission,
mscorlib, Version=1.0.5000.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089"
version="1"
Url="file://intranet.local/contacts/contacts.exe"/>
<IPermission class="System.Security.Permissions.ZoneIdentityPermission,
mscorlib, Version=1.0.5000.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089"
version="1"
Zone="Intranet"/>
</PermissionSet>

Success
 
