Viewing Assembly Permissions

王朝system · Author unknown  2006-01-08

Introduction

In this article I will show you how you can view the Code Groups that an assembly belongs to and what permissions belong to the assembly. I will demonstrate the Caspol utility supplied with the .NET SDK.

When would you need to view access rights?

When a developer creates an assembly, he or she may require access to a resource or action that would usually be available to an assembly used by most users or clients. There may be times when the Administrator of a host, for his or her own reasons, has restricted the action or resource required by the developer's assembly. This restriction could cause the assembly to function improperly or fail altogether when a security exception is thrown. Viewing the requirements of the assembly could help you narrow down the problem and determine whether the problems are security issues.

Code Groups and Permission Sets

Code Groups - Security Policies have several levels, such as the Machine policy level, the User policy level and the Application Domain policy level. Within these policy levels is a hierarchy of code groups. The Code Groups then break down into child nodes of other groups (Strong name, URL, App directory, etc.). The condition of each Code Group is called the Membership Condition. Each Membership Condition must be met in order for an assembly's code to be part of that Code Group. Each Code Group contains a permission set.

Permission Sets - Each of the Policy Levels mentioned above: Machine, User, and Application Domain, supply the assembly with their combined permissions to create the assembly's Permission Set.

What is CASPol?

CASPol is a command line utility that is included with the .NET run time SDK. CASPol stands for Code Access Security Policy. It is used to administer policy changes as well as view existing permissions and Code Group hierarchy.

Your default view will be determined by your current access permissions (machine or user). Your default view if you do not currently have administrative permissions will be the Users view. In the samples below, I will explicitly specify either the Machine policy level or the User policy level. When both should be displayed together, the -all option will be used.

Viewing the Code Groups

To view the Code Groups we will use the CASPol utility. Using the -all option lets you see both the user and machine groups at the same time.

CASPol -all -resolvegroup hello.dll

The above command will show the code groups that a specific assembly file belongs to. In the above example I used a library called hello.dll. This could however be replaced with any assembly, even caspol.exe itself. The hello.dll is the module that was used in my article "Assemblies: The Ins and Outs - Part 2". There are no custom or added restrictions in the hello.dll assembly. An example of the command's output looks like:

Microsoft (R) .NET Framework CasPol 1.0.2204.21
Copyright (c) Microsoft Corp 1999-2000. All rights reserved.

Level = Machine
Code Groups:
1. All code: Nothing
   1.1. Zone - MyComputer: FullTrust

Level = User
Code Groups:
1. All code: FullTrust

Success

The output above is brief and simple but is sufficient to demonstrate what you can expect to see when viewing the groups. In the example above, the first item we see is one of the policy levels. The first policy listed is the Machine policy. Then the Code Groups that our code belongs to are listed. At the Machine level our code belongs to the All Code group, which uses the built-in permission set called Nothing. (Other non-modifiable built-in permission sets include Execution and FullTrust.) The permission set called "Nothing" prohibits all resources, including the right to execute code. However, the All Code group has a subgroup called Zone. The Zone group requires that I meet the MyComputer Membership Condition, and if I do, then the FullTrust permission set is used. FullTrust allows full access to all resources.

The next policy level listed is the User level. The User level specifies that I have FullTrust permissions to run all code.

Finally the program displays that it ran successfully.

Viewing the Permissions

If you are viewing an assembly's permission sets for diagnostic reasons, then you may want to use the -all option with CASPol. You would want to do this because when the assembly is run, it is being run by a user. When a user runs a program, the machine and user policies are combined, including the application domain's policy. Using the -all option lets you see both the user and machine permission sets at the same time.

CASPol -all -resolveperm hello.dll

The above command shows the Permission Sets that a specific assembly file belongs to. Again I used the library called hello.dll. This could however be replaced with any assembly. An example of the command's output looks like:

Microsoft (R) .NET Framework CasPol 1.0.2204.21
Copyright (c) Microsoft Corp 1999-2000. All rights reserved.

Resolving permissions for level = Machine
Resolving permissions for level = User

Grant =
<PermissionSet class="System.Security.PermissionSet" version="1">
   <Unrestricted/>
   <Permission class="System.Security.Permissions.StrongNameIdentityPermission,
    mscorlib, Ver=1.0.2204.21, Loc='', SN=03689116d3a4ae33" version="1">
      <PublicKeyBlob>
         <Key>00240000048000009400000006020000002400005...</Key>
      </PublicKeyBlob>
      <Name>hello</Name>
      <Version>1.0.444.35256</Version>
   </Permission>
   <Permission class="System.Security.Permissions.URLIdentityPermission, mscorlib,
    Ver=1.0.2204.21, Loc='', SN=03689116d3a4ae33" version="1">
      <Url>file:///D:/Projects/hello.dll</Url>
   </Permission>
   <Permission class="System.Security.Permissions.ZoneIdentityPermission, mscorlib,
    Ver=1.0.2204.21, Loc='', SN=03689116d3a4ae33" version="1">
      <Zone>MyComputer</Zone>
   </Permission>
</PermissionSet>

Success

In the example above, the first items we see are the policy levels. The output above combines both the Machine and User policies to display what permissions my code has been granted.

The Permission Set itself is set to Unrestricted allowing all permissions to be available. Next there are three specific sets of permissions being demanded:

StrongNameIdentityPermission - The hello.dll library contains a strong name (it is a Shared Assembly using public key cryptography). This permission contains the public key that must be matched for other code to make valid calls to this assembly. I shortened the cryptographic number for display.

URLIdentityPermission - This is the URL of where the code originated. If you are viewing one of your own assemblies, you will most likely see the path that you compiled to.

ZoneIdentityPermission - This permission determines if the calling code is from a specific zone. Only exact zone matches can be defined for this permission, and a URL can only belong to a single zone.

The -all option can also be abbreviated to just -a in the command.

Worth Mentioning

Another option that can be used with the CASPol utility is the -list option. The -list option shows the list of code groups followed by a list of named permission sets available in the most recent displayed policy. The output from the command below is for your entire current configuration, and not just for a single assembly. So this command is good for getting an overall look at your permissions.

CASPol -list

If the output from the above command is too long for your shell window, then try using the following command. This will save the output to a text file called output.txt.

CASPol -list > output.txt

To shorten the output further you could use the following command to list all Code Groups for your current configuration:

CASPol -listgroups

This would display just the Code Groups and produce an output similar to the following:

Security is ON
Execution checking is OFF
Policy change prompt is ON

Level = Machine
Code Groups:
1. All code: Nothing
   1.1. Zone - MyComputer: FullTrust
      1.1.1. Honor SkipVerification requests: SkipVerification
   1.2. Zone - Intranet: LocalIntranet
      1.2.1. All code: Same site Socket and Web.
   1.3. Zone - Internet: Internet
   1.4. Zone - Untrusted: Nothing
   1.5. Zone - Trusted: Internet
   1.6. StrongName - 0024000004800000940000000...: Everything

Success

CASPol -listpset would also do the same as the previous command except that only the permission sets would be displayed.
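
For reviewing a saved listing (for example output.txt from the redirect above), here is an added example, not part of the original article or of the .NET SDK, that parses CASPol -listgroups output into its hierarchy and reports every code group that grants a broad permission set, together with the chain of membership conditions an assembly must meet to reach it. The function names, the embedded sample (adapted from the listing above, with the key left truncated) and the choice of FullTrust and Everything as "broad" are assumptions made for illustration.

```python
import re

# Constructed sample, adapted from the article's -listgroups listing.
SAMPLE = """\
Security is ON
Level = Machine
Code Groups:
1. All code: Nothing
   1.1. Zone - MyComputer: FullTrust
      1.1.1. Honor SkipVerification requests: SkipVerification
   1.2. Zone - Intranet: LocalIntranet
      1.2.1. All code: Same site Socket and Web.
   1.3. Zone - Internet: Internet
   1.4. Zone - Untrusted: Nothing
   1.5. Zone - Trusted: Internet
   1.6. StrongName - 0024000004800000940000000...: Everything
Success
"""

# "<label>. <membership condition>: <permission set>". The greedy middle group
# splits on the last ": ", so a URL condition containing colons stays intact.
LINE = re.compile(r"^(\d+(?:\.\d+)*)\.\s+(.+):\s+(.+)$")
BROAD = {"FullTrust", "Everything"}  # assumption: sets this review treats as broad

def parse_listgroups(text):
    """Return {policy level: [(label, membership condition, permission set)]}."""
    levels, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Level ="):
            current = line.split("=", 1)[1].strip()
            levels[current] = []
        elif current is not None and (m := LINE.match(line)):
            levels[current].append(m.groups())
    return levels

def condition_path(groups, label):
    """Membership conditions from the root group down to `label`."""
    by_label = {g[0]: g[1] for g in groups}
    parts = label.split(".")
    prefixes = (".".join(parts[:i]) for i in range(1, len(parts) + 1))
    return [by_label[p] for p in prefixes if p in by_label]

def broad_grants(levels):
    """(level, label, condition chain, permission set) for each broad grant."""
    return [(level, label, " > ".join(condition_path(groups, label)), pset)
            for level, groups in levels.items()
            for label, _cond, pset in groups if pset in BROAD]

if __name__ == "__main__":
    print(*broad_grants(parse_listgroups(SAMPLE)), sep="\n")
```

On the sample it reports groups 1.1 and 1.6; on a real machine, an unexpected URL, Site or StrongName group in this report is the first thing to check against the administrator's intended policy.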

Summary

The output from the hello.dll module was a very short example with very few restricted permissions. Using the CASPol utility to view restrictions for a specific assembly will allow you to discover what permissions your assembly needs to run. Using the CASPol -list command will allow you to get familiar with what permissions are available to you as a user or administrator.

 
 
 