Why is CAS demo code running in localhost (127.0.0.1) not recognizing security zones?

Question

I'm running the labs in MCTS 70-536 Training Kit chapter 11 about Code Access Security. I'm running XP Pro. The first lab creates an assembly which checks for different permissions and reports a message if they exist. However when I run it as \\\127.0.0.1\c$\ListPermissions.exe it is supposed to recognize being in the intranet zone and use the intranet permission set. However all permissions seem to be granted. Does this behavior sound familiar to anyone? If not is there a way to check what zone the assembly thinks it is in when run from the share? If a specific part of this question is too vague, let me know and I will try to rephrase it.

Answer 1

I had the same problem.However I had tried something else. Instead of executing the program from various locations like from a shared folder or from the root of C drive, I have created an application domain and executed the code from my application domain with various Zone settings. Here is my code:

 object[] hostEvidence = { new Zone(SecurityZone.Internet) };
 Evidence appDomainEvidence = new Evidence(hostEvidence, null);
 AppDomain d = AppDomain.CreateDomain("MyDomain", appDomainEvidence);
 d.ExecuteAssembly("ListPermissions.exe");

When my zone is set to MyComputer the ListPermissions executes without giving any exeption and every permission returns true. However when I set my zone to internet or intranet the ExecuteAssembly line starts to give exeptions which actually made me happy. At least at some point it works.

From my understanding what book says when you run your application from different locations the CLR sees that the running code has a different evidence and assings the assembly to a different code group like mycomputer or internet. However at least with my configuration it is not like that, and another forum it is concluded that with .NET framework 3.5 a running assembly from a shared folder does not have the exact evidence as an assembly running from internet zone. http://social.msdn.microsoft.com/Forums/en/clr/thread/5f5f0925-64fc-4fc8-9be3-d077d27d2554 I actually do not know the exact sollution which makes the program executes as it does in the book. Just want to share that with a created custom application domain the code works as it is supposed to do.

Hope this helps

Thanks

Answer 2

It seems that there has been a change to the .net platform. A new piece of evidence has been added when launching a managed exe. When the exe is launched from the win32 CreateProcess API directly the managed exe is given full trust.

Of course, the .net configuration tool doesn't launch the exe, merely inspects it. This means that the evidence is different and affects the code group assigned to it. This in turn affects the permissions.

It's mightily confusing. Even more confusing is the answer you should give in the exam. I think the answer will be as in the book. I don't imagine that this change has filtered through to the exam content teams.

More information can be found here:

msdn social

brad abrams blog

Answer 3

Hi I don't know if you found out what happens when running this example but using Evaluate Assembly under .NET Framework 2.0 Configuration Tool I can see that that assembly should run under Internet_Zone and Internet_Same_Site_Access code groups. These code groups grants the subset composed by 5 authorizations: - UI - Isolated Storages - Protection - IO Dialogs - Print

It seems ok under configuration tool... but the assembly behavior is quite different... Don't know :(

Marco