.NET Forum / .NET Framework / Security / January 2006


Problems deploying security policy via .msi

Mark P - 30 Jan 2006 19:51 GMT
Hi,
 I am deploying my security policy (.NET 2.0) via
an .msi. Problem is it seems I have to run it twice to
get the policy changes to take effect. I have tried giving
it several minutes to run and I have tried rebooting, but
the first time through never does the trick. For my test,
after I get the policy installed I click "Reset All Policy Levels"
and try again. What can I be doing wrong?

Thanks,
Mark
Dominick Baier [DevelopMentor] - 30 Jan 2006 20:04 GMT
Hi,

How have you created the MSI - using the snapshot feature? This is very dangerous
as it will overwrite all customization done before. Keep that in mind.

I would recommend shelling out to caspol or writing a small C# app that does
the policy mods...gives you much more flexibility than the dumb snapshot
feature...

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Mark P - 30 Jan 2006 21:24 GMT
Thanks Dominick,
 I will look into that.

Mark

Dominick Baier [DevelopMentor] - 30 Jan 2006 21:35 GMT
Hi,

and btw - if you package your policy mod app as a MSI (with VS deployment
projects), you can also add an uninstall action that cleans up the policy
changes again.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Michael Willers - 31 Jan 2006 08:19 GMT
"Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
wrote
> [...]and btw - if you package your policy mod app as a MSI (with VS
> deployment projects), you can also add an uninstall action that cleans up
> the policy changes again.

This may help as well:

http://staff.newtelligence.net/michaelw/PermaLink.aspx?guid=b424f73a-f762-42e2-9046-edaa08a75b8c

If your policy uses a strong name as membership condition you need to
specify the StrongNameKeyBlob as a byte array. SECUTIL is your friend here.
Just redirect the output to a file and then grab it from there:
SECUTIL.EXE -s <path\assembly> > blob.txt
In addition you have to make sure that your code is thread safe.
CAS policies are stored in XML files, so you should make sure that you use a
critical section, etc.

And another code template ;-)

<code>
using System;
using System.Collections;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

public class TestPolicyHelper
{
 const string PsName = "Intranet";
 const string CodeGroupName = "MyFullTrustAssemblies";

 // Walk the policy hierarchy (Enterprise, Machine, User, ...) and return
 // the machine level, or null if it is not present
 private static PolicyLevel InternalGetMachinePolicyLevel()
 {
  IEnumerator policyLevelEnumerator = SecurityManager.PolicyHierarchy();
  while (policyLevelEnumerator.MoveNext())
  {
   PolicyLevel level = (PolicyLevel)policyLevelEnumerator.Current;
   if ("Machine" == level.Label) return level;
  }
  return null;
 }

 // Throw if a code group with our name already hangs off the root,
 // so the install does not add it a second time
 private static void InternalFindCodeGroup(PolicyLevel level)
 {
  CodeGroup rootcg = level.RootCodeGroup;
  IEnumerator rootchildren = (rootcg.Children).GetEnumerator();
  while (rootchildren.MoveNext())
  {
   CodeGroup cg = (CodeGroup)rootchildren.Current;
   if (CodeGroupName == cg.Name)
    throw new ArgumentException("Code group already exists: " + CodeGroupName);
  }
 }

 public static void CreateCodeGroup()
 {
  // array grabbed with secutil.exe
  byte[] publicKey = { 0, 36, 0, 0, 4, 128, 0, 0, 148, 0, 0, 0, 6, 2, 0, 0,
0, 36, 0, 0, 82, 83, 65, 49, 0, 4, 0, 0, 1, 0, 1, 0, 69, 24, 118, 195, 152,
153, 115, 220, 127, 86, 19, 0, 219, 107, 144, 214, 130, 199, 128, 74, 101,
44, 108, 35, 231, 168, 38, 214, 21, 116, 74, 178, 126, 1, 117, 207, 123,
201, 165, 98, 67, 102, 178, 209, 233, 249, 46, 124, 102, 184, 234, 185, 179,
7, 147, 225, 39, 11, 178, 127, 196, 120, 210, 120, 28, 229, 57, 193, 71, 18,
217, 138, 160, 235, 127, 144, 139, 122, 66, 2, 40, 228, 102, 42, 212, 188,
20, 124, 154, 227, 230, 16, 7, 93, 165, 205, 92, 119, 96, 28, 38, 244, 251,
124, 201, 227, 191, 216, 208, 8, 143, 95, 182, 196, 83, 41, 219, 217, 66,
172, 165, 204, 207, 176, 226, 128, 54, 200 };
  PolicyLevel level = InternalGetMachinePolicyLevel();
  if (level == null)
   throw new InvalidOperationException("Machine policy level not found");
  // Check if the group already exists;
  // if it does we exit with an argument exception here
  InternalFindCodeGroup(level);
  // Create the membership condition for the codegroup
  StrongNamePublicKeyBlob blob = new StrongNamePublicKeyBlob(publicKey);
  StrongNameMembershipCondition mc = new
StrongNameMembershipCondition(blob, null, null);
  PermissionSet ps = level.GetNamedPermissionSet(PsName);
  if (ps == null)
   throw new InvalidOperationException("Named permission set not found: " + PsName);
  // Exclusive: only this code group's permission set applies to matching code
  PolicyStatement policy = new
PolicyStatement(ps, PolicyStatementAttribute.Exclusive);
  // Create the codegroup
  CodeGroup cg = new UnionCodeGroup(mc, policy);
  cg.Description = CodeGroupName;
  cg.Name = cg.Description;
  level.RootCodeGroup.AddChild(cg);
  // save changes (writes the policy level's XML file)
  SecurityManager.SavePolicyLevel(level);
 }

 public static void RemoveCodeGroup()
 {
  PolicyLevel level = InternalGetMachinePolicyLevel();
  if (level == null) return;
  CodeGroup rootcg = level.RootCodeGroup;
  // Children returns a copy of the list, so removing while iterating is safe
  IEnumerator rootchildren = (rootcg.Children).GetEnumerator();
  while (rootchildren.MoveNext())
  {
   CodeGroup cg = (CodeGroup)rootchildren.Current;
   if (CodeGroupName == cg.Name)
   {
    rootcg.RemoveChild(cg);
    SecurityManager.SavePolicyLevel(level);
    break;
   }
  }
 }
}
</code>

Hope that helps.

Michael
staff.newtelligence.net/michaelw
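As an added example (not code from Michael's or Dominick's posts), this is one way to wire the helper above into an MSI as an installer custom action with the uninstall counterpart Dominick mentioned, serialising the policy edit through a machine-wide named Mutex because the policy XML files are shared by every process that edits them. It assumes the TestPolicyHelper class above is compiled into the same assembly; the mutex name is a made-up value.

```csharp
using System;
using System.Collections;
using System.ComponentModel;
using System.Configuration.Install;
using System.Threading;

// Custom action for a VS deployment project: add the code group on Install,
// remove it again on Uninstall and Rollback. Assumes TestPolicyHelper (above)
// is compiled into the same assembly.
[RunInstaller(true)]
public class PolicyInstaller : Installer
{
    // Constructed name; the "Global\" prefix makes the lock span all sessions,
    // since the CAS policy files are shared machine-wide.
    const string MutexName = @"Global\Example.CasPolicyUpdate";

    // Run the policy change as a critical section so two installers (or an
    // installer and caspol) do not read, modify and write the same file at once.
    private static void WithPolicyLock(ThreadStart action)
    {
        bool createdNew;
        using (Mutex m = new Mutex(false, MutexName, out createdNew))
        {
            bool acquired = false;
            try
            {
                try { acquired = m.WaitOne(TimeSpan.FromSeconds(30), false); }
                catch (AbandonedMutexException) { acquired = true; } // previous holder died; we now own it
                if (!acquired)
                    throw new TimeoutException("Another process is updating the CAS policy.");
                action();
            }
            finally
            {
                if (acquired) m.ReleaseMutex();
            }
        }
    }

    public override void Install(IDictionary stateSaver)
    {
        base.Install(stateSaver);
        WithPolicyLock(TestPolicyHelper.CreateCodeGroup);
        // Recorded only after success, so Rollback/Uninstall undo exactly what was done
        stateSaver["PolicyChanged"] = true;
    }

    public override void Uninstall(IDictionary savedState)
    {
        base.Uninstall(savedState);
        if (savedState != null && savedState.Contains("PolicyChanged"))
            WithPolicyLock(TestPolicyHelper.RemoveCodeGroup);
    }

    public override void Rollback(IDictionary savedState)
    {
        base.Rollback(savedState);
        if (savedState != null && savedState.Contains("PolicyChanged"))
            WithPolicyLock(TestPolicyHelper.RemoveCodeGroup);
    }
}
```

This targets the .NET 2.0 runtime the thread is about; from .NET Framework 4 onward CAS policy is no longer enforced and SecurityManager.SavePolicyLevel is marked obsolete.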
