What is CAS?
Code access security (CAS) is a feature of the .NET Common Language Runtime. CAS is the part of the .NET security model that determines whether a piece of code is allowed to run at all, and which resources (files, registry, network, user interface, unmanaged code and so on) it may use while it is running. Unlike Windows security, which is based on who the user is, CAS is based on evidence about where the code came from: its zone, site or URL, strong name or publisher.
Example: CAS is what prevents a .NET applet downloaded from a web site from formatting your hard disk, even when the user running it would be allowed to.
The CAS security policy revolves around two key concepts:
- Code groups and permission sets.
Each code group has a membership condition (a zone, a site, a strong name, and so on) and a named permission set. Every .NET assembly is matched against the code groups by its evidence and receives the permissions of each group it matches, so within a policy level an assembly's grant is the union of the permission sets of all its matching groups.
Listing the CAS code groups:
Microsoft defines some default ones, but you can modify these and even create your own. To see the code groups defined on your system, run caspol -lg from the command line. It lists the code groups for one policy level (Level = Machine below; caspol defaults to the machine level for administrators and the user level for everyone else, and caspol -a -lg shows all levels):
Microsoft (R) .NET Framework CasPol 1.0.3705.0
Copyright (C) Microsoft Corporation 1998-2001. All rights reserved.
Security is ON
Execution checking is ON
Policy change prompt is ON
Level = Machine
Code Groups:
1. All code: Nothing
1.1. Zone - MyComputer: FullTrust
1.1.1. StrongName - 002400000480000094000000060200000024000052534131000400000100010007D1FA57C4AED9F0A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C834C99921EB23BE79AD9D5DCC1DD9AD236132102900B723CF980957FC4E177108FC607774F29E8320E92EA05ECE4E821C0A5EFE8F1645C4C0C93C1AB99285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF0FC4963D261C8A12436518206DC093344D5AD293: FullTrust
1.1.2. StrongName - 00000000000000000400000000000000: FullTrust
1.2. Zone - Intranet: LocalIntranet
1.2.1. All code: Same site Web.
1.2.2. All code: Same directory FileIO - Read, PathDiscovery
1.3. Zone - Internet: Internet
1.3.1. All code: Same site Web.
1.4. Zone - Untrusted: Nothing
1.5. Zone - Trusted: Internet
1.5.1. All code: Same site Web.
Success
Note the hierarchy of code groups: the top of the hierarchy is the most general ('All code'), which is sub-divided into several groups, each of which can in turn be sub-divided. Also note that a sub-group can be associated with a more permissive permission set than its parent: because an assembly receives the union of the permission sets of every group it matches, a child group adds permissions to whatever the parent already granted (here 'All code' grants Nothing, but code in the MyComputer zone gets FullTrust).
Defining your own code group:
By using caspol you can define your own code group.
For example, suppose you trust code from www.mydomain.com and you want it to have full access to your system, but you want to keep the default restrictions for all other Internet sites. To achieve this, you would add a new code group as a sub-group of the 'Zone - Internet' group, like this:
caspol -ag 1.3 -site www.mydomain.com FullTrust
Bear in mind what Site evidence is: the host name of the URL the assembly was loaded from, with no cryptographic binding to the code. FullTrust for a site means full trust for whatever answers to that name (a compromised server, a spoofed DNS reply, an interposed proxy). For code you really trust, key the group on its strong name (-strong) or publisher certificate (-pub) instead, and grant the narrowest permission set that works rather than FullTrust.
Now if you run caspol -lg you will see that the new group has been added under 1.3, shown here as 1.3.1 (on a system that already has children under 1.3 the label may differ, so always re-list before using one):
...
1.3. Zone - Internet: Internet
1.3.1. Site - www.mydomain.com: FullTrust
...
Note that the numeric label (1.3.1) is just a caspol invention to make the code groups easy to manipulate from the command line; it is positional, so it changes when groups are added or removed, and the underlying runtime never sees it.
Changing the permission set for a code group:
Using caspol you can change the permission set granted to a code group. Policy exists at three levels (enterprise, machine and user), and an assembly's effective grant is the intersection of what each level grants it. That is why, if you are the machine administrator and operate at the machine level, your changes become the default for the machine and users cannot override them to be more permissive: a normal (non-admin) user can edit the user-level policy, but since that level is intersected with machine policy the result can only ever be more restrictive. caspol defaults to the machine level for administrators and the user level for everyone else; use -m, -u or -en to choose the level explicitly. For example, to allow intranet code to do what it likes you might do this:
caspol -cg 1.2 FullTrust
Note that because this is more permissive than the default policy (on a standard system) it only has an effect at the machine level (explicitly, with the -m flag): doing it at the user level leaves the machine level's LocalIntranet grant in place, and the intersection is unchanged. Also, FullTrust for an entire zone is a large grant; if only one application needs it, add a narrower group (a strong name or a single site) under 1.2 instead.
Creating your own permission set:
Use caspol -ap, specifying an XML file containing the permissions in the permission set. When you have written the file, add it to the range of available permission sets like this:
caspol -ap samplepermset.xml
You can confirm it was added with caspol -lp, which lists the named permission sets. Then, to apply the permission set to a code group, do something like this:
caspol -cg 1.3 SamplePermSet (by default, 1.3 is the 'Internet' code group)
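The following samplepermset.xml is an added example written for this page; it is not a file from the original post or from Microsoft. It defines the SamplePermSet named above as a least-privilege set: permission to execute, read-only access to one directory, and enough UI to show a sandboxed window, and nothing else. The mscorlib version and public key token are assumed to be those of .NET Framework 1.0 (matching the CasPol 1.0.3705 output above; use the version of the runtime whose caspol you are feeding), and C:\SampleData is a made-up directory.

```xml
<!-- samplepermset.xml: added example, not the original post's file.
     Assumptions: mscorlib 1.0.3300.0 (.NET Framework 1.0) and the
     directory C:\SampleData. -->
<PermissionSet class="System.Security.NamedPermissionSet"
               version="1"
               Name="SamplePermSet"
               Description="Execute, read one directory, open safe windows; nothing else.">

  <!-- Execution is the one flag every assembly needs simply to run.
       UnmanagedCode, SkipVerification and ControlPolicy are deliberately
       absent: any of them is equivalent to full trust. -->
  <IPermission class="System.Security.Permissions.SecurityPermission, mscorlib, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
               version="1"
               Flags="Execution"/>

  <!-- Read-only access to a single directory. No Write or Append, so the
       code cannot change anything on disk. Several paths can be listed in
       one attribute separated by semicolons. -->
  <IPermission class="System.Security.Permissions.FileIOPermission, mscorlib, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
               version="1"
               Read="C:\SampleData"
               PathDiscovery="C:\SampleData"/>

  <!-- A visibly sandboxed top-level window and a private clipboard, but no
       access to the user's clipboard contents. -->
  <IPermission class="System.Security.Permissions.UIPermission, mscorlib, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
               version="1"
               Window="SafeTopLevelWindows"
               Clipboard="OwnClipboard"/>
</PermissionSet>
```

After caspol -ap samplepermset.xml, caspol -lp should list SamplePermSet, and after caspol -cg 1.3 SamplePermSet, running caspol -rsp against an assembly that resolves to the Internet zone should show exactly these three permissions. caspol's XML reader is a simplified one; if your version rejects the comment blocks, delete them, since only the elements matter. Anything not listed here is denied, which is the right default for code you did not write: add permissions one at a time as a SecurityException tells you which demand failed, rather than starting from FullTrust and trying to take things away.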
Trouble with CAS:
If you have trouble with CAS and want to diagnose the problem, caspol has a couple of options that help. First, you can ask caspol which code groups an assembly belongs to, using caspol -rsg <assembly file>. Similarly, you can ask what permissions policy grants a particular assembly, using caspol -rsp <assembly file>. Both resolve the assembly's evidence as found on disk and report what policy would grant it; a SecurityException at run time can still come from a demand that walks the call stack and reaches a less-trusted caller, so check the grant of every assembly on the stack, not just the one that threw.
Turning CAS off:
To turn CAS off you must be an administrator. The command is: caspol -s off. Be clear about what this does: with security off, every assembly from every zone, the Internet included, runs with full trust, so it is a short diagnostic step on a test machine, not a fix for a permission problem. Turn it back on with caspol -s on, and if you have tangled the policy beyond repair, caspol -rs restores the default policy.