 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / .NET Framework / Security / November 2004Defining minimum permissions
Hey, I'm trying to work out a minimum permission set that my app (several separate assemblies) needs. I'd like to be a good .net citizen by not requesting more permissions than I need, so I'm using the approach I found on the web an in this group to start with [assembly:PermissionSet(SecurityAction.RequestOptional, Unrestricted=false)] and go from there. One thing I'm stuck on now is the FileIOPermission. I find that an assembly I wrote wants it, with PathDiscovery set to the directory from which the app is running at that time. Now, how am I supposed to put that into a RequestMinimum statement on the assembly level? I know I could alternatively safeguard the code where that specific permission is needed and catch the SecurityException that might be thrown. But the problem is, I'd still need that permission in my minimum set, wouldn't I? So how do I define the minimum set of FileIOPermissions when I'm not sure at compile time where exactly those paths end up on the end user system? I mean, it seems like it would really make sense not to request complete FileIOPermissions because I really don't do much file related stuff. I'm writing a log file to one single place, which depends on the installation location of my app. How can I incorporate that into my minimum request if I don't want the minimum request to contain anything I don't really need? Oliver Sturm  Signatureomnibus ex nihilo ducendis sufficit unum MSN oliver@sturmnet.org Jabber sturm@amessage.de ICQ 27142619 Oliver, If you have no idea where the files will end up, you're pretty much stuck with making a declarative request for unrestricted FileIOPermission in the assembly attributes. There are two main reasons for this: 1. Any values used in attribute properties must be known at compile-time. Since you don't know the path, you would need to request PathDiscovery for all paths. However... 2. FileIOPermissionAttribute doesn't expose any way to manipulate either the AllFiles or AllLocalFiles properties of FileIOPermission, so you can't request only PathDiscovery for all files. Since you can't restrict either the path set or the permission set, you have to request unrestricted FileIOPermission via the attribute. However, since the assembly doesn't actually need the full unrestricted permission, you might want to consider making it an optional rather than a minimum request. This will allow the user to run your assembly even if policy further restricts FileIOPermission to only PathDiscovery on the assembly path. HTH, Nicole > Hey, > [quoted text clipped - 27 lines] > > Oliver Sturm > Since you can't restrict either the path set or the permission set, you have > to request unrestricted FileIOPermission via the attribute. However, since > the assembly doesn't actually need the full unrestricted permission, you > might want to consider making it an optional rather than a minimum request. > This will allow the user to run your assembly even if policy further > restricts FileIOPermission to only PathDiscovery on the assembly path. Thanks, Nicole, that makes a lot of sense. Oliver Sturm Signatureomnibus ex nihilo ducendis sufficit unum MSN oliver@sturmnet.org Jabber sturm@amessage.de ICQ 27142619 Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.