I'm trying to understand what happens when a web client set to medium trust calls a fully trusted assembly in .Net v2.0. I have a simple assembly that is signed with a strong name, and has been granted full trust using: caspol -af fulltrust.dll. The fulltrust code has an assembly level attribute to allow partially trusted callers: [assembly: AllowPartiallyTrustedCallers].
In most cases, this works as I would expect. That is to say the web client can access methods in the fulltrust assembly without any problem. However there is one case where it fails, and I'm trying to understand why. The method in question should return a list of active processes on the local computer:
    public List<string> GetCurrentProcesses()
    {
        List<string> list = new List<string>();
        Process[] myProcesses = Process.GetProcesses();
        foreach (Process myProcess in myProcesses)
        {
            list.Add(myProcess.ProcessName);
        }
        return list;
    }
The code works fine for fully trusted clients, but throws a security exception when the client is only partially trusted. The exception returned looks like this:
    System.Security.SecurityException was unhandled by user code
    Message="Request failed."
    Source="FullTrust"
    StackTrace:
      at System.Security.CodeAccessSecurityEngine.ThrowSecurityException(Assembly asm, PermissionSet granted, PermissionSet refused, RuntimeMethodHandle rmh, SecurityAction action, Object demand, IPermission permThatFailed)
      at System.Security.CodeAccessSecurityEngine.ThrowSecurityException(Object assemblyOrString, PermissionSet granted, PermissionSet refused, RuntimeMethodHandle rmh, SecurityAction action, Object demand, IPermission permThatFailed)
      at System.Security.CodeAccessSecurityEngine.CheckSetHelper(PermissionSet grants, PermissionSet refused, PermissionSet demands, RuntimeMethodHandle rmh, Object assemblyOrString, SecurityAction action, Boolean throwException)
      at System.Security.CodeAccessSecurityEngine.CheckSetHelper(CompressedStack cs, PermissionSet grants, PermissionSet refused, PermissionSet demands, RuntimeMethodHandle rmh, Assembly asm, SecurityAction action)
      at FullTrust.ProcessListUtil.GetCurrentProcesses()
      at _Default.ProcessesLinkButton_Click(Object sender, EventArgs e)
If I replace the call to GetProcesses with something else then everything seems to work fine. I guess this almost makes sense, as the GetProcesses method could potentially be something of a security risk. However, my understanding is that granting full trust and allowing partially trusted callers is specifically meant to deal with this kind of issue. Am I missing the point here, or is this a bug, or...

Using partial trust client with fully trusted assembly
Judah
Is your fully trusted assembly marked with either SecurityTransparentAttribute or SecurityCriticalAttribute? The System.Diagnostics.Process class has a link demand for full trust. If your fully trusted assembly is transparent, this link demand will be promoted to a full demand, which your partially trusted caller will fail.
If you've marked the assembly as SecurityCritical, you can allow just your ProcessListUtil.GetCurrentProcesses method to fulfill the link demand by marking it as SecurityCritical as well. However, if you do this, you should probably add a demand to the method for some other permission that would screen out unexpected partially trusted callers.
Also, if you avoid the link demand promotion, you'll still need to cope with a full demand for SecurityPermission\UnmanagedCode, which is not included in the default ASP.NET medium trust permission set. Asserting this permission from within your ProcessListUtil.GetCurrentProcesses would avoid this problem but, as with the full trust link demand fulfillment, you should demand an alternate permission that would prevent exploit of this method by unexpected partially trusted callers.
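The pattern described in the reply above, as an added example that is not part of the thread or of either poster's code: the method is marked SecurityCritical, demands a gating permission, and only then asserts UnmanagedCode around the Process call. The gating permission (an EnvironmentPermission on a variable name `PROCESS_LIST_CALLER`) is a hypothetical choice, assumed to be granted only to the intended web application through a custom trust policy.

```csharp
using System.Collections.Generic;
using System.Diagnostics;
using System.Security;
using System.Security.Permissions;

[assembly: AllowPartiallyTrustedCallers]
// Assumption: the assembly opts in to transparency, so only members
// explicitly marked SecurityCritical may satisfy link demands or assert.
[assembly: SecurityCritical]

namespace FullTrust
{
    public class ProcessListUtil
    {
        // Hypothetical gate: a permission that default medium trust does not
        // include and that policy grants only to the callers you expect.
        private const string GateVariable = "PROCESS_LIST_CALLER";

        [SecurityCritical]
        public List<string> GetCurrentProcesses()
        {
            // 1. Full stack walk for the gating permission. Partially trusted
            //    callers without it get a SecurityException here, before any
            //    elevation has taken place.
            new EnvironmentPermission(EnvironmentPermissionAccess.Read, GateVariable).Demand();

            // 2. Stop the UnmanagedCode stack walk at this frame so the
            //    medium-trust caller above is not checked for it.
            new SecurityPermission(SecurityPermissionFlag.UnmanagedCode).Assert();
            try
            {
                List<string> list = new List<string>();
                foreach (Process p in Process.GetProcesses())
                {
                    // Return names only; Process objects never leave the assert scope.
                    list.Add(p.ProcessName);
                }
                return list;
            }
            finally
            {
                // 3. Drop the assert as soon as the privileged call is done.
                CodeAccessPermission.RevertAssert();
            }
        }
    }
}
```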
KLWSearch
The trusted assembly isn't marked with either of those attributes, as far as I am aware. There are no such attributes explicitly set in AssemblyInfo.cs, or anywhere else in the code I've written. Is it possible to set/check these attributes in some other way?
Regarding the process in general, I had imagined that setting full trust would relieve or isolate the partially trusted caller from concern about link demands further down the chain. Otherwise, why bother? Is my thinking fundamentally flawed here or am I just missing something?
Anyway, partial trust is something new for me to work with, and I very much appreciate the input. I will go and have a look now at the docs on SecurityTransparentAttribute and SecurityCriticalAttribute.
/brett