Fog Creek Software
Discussion Board




Welcome! and rules

Joel on Software

Giving code from network share greater permissions

In a classroom environment, I'd like to be able to have students create programs and save/run them from a network share.

This is proving to be a greater challenge than I thought. I assumed I could do this easily (Ha!) with the .Net Framework Configuration tool. However, I'm getting lost. I think I have to add the network share to one of the zones but have no clue how to do that.

Any help is greatly appreciated.

Himanshu (Harry) Nath
Friday, November 22, 2002

1. Run the .NET Configuration Tool
2. Expand the tree Runtime Security Policy/Machine/Code Groups/All Code/Local Intranet Zone (I chose this because it seems a logical location to me).
3. Click Add a Child Code Group in the right-hand pane.
4. Give it whatever name and description you like, click Next
5. Choose the URL condition. Enter a URL that points to the network share. For example, I've got one set up for a drive I use for remote storage as file://WINDMILL/SILO/* . Click Next.
6. Use the existing Full Trust permission set, click Next.
7. Click Finish. All done.

That's how you do it in the UI. Depending on your lab environment, you may want to set up a batch file that runs the appropriate caspol.exe command line instead.

Mike Gunderloy
Saturday, November 23, 2002

Mike,

Thank you!

Could you perhaps point me to articles/books on security and deploying .Net applications? Xcopy deployment sounds too good to be true, and I am wondering if there are any gotchas to deploying WinForm applications, particularly from a web site.

Thank you again for your help.

Himanshu (Harry) Nath
Saturday, November 23, 2002

The best reference I've run across so far is Brian Lamacchia and Sebatian Lange's .NET FRAMEWORK SECURITY (Addison-Wesley). It's got five authors, so it's a bit disorganized, but most security-related stuff is in there somewhere.

You'll find a couple of WinForms deployment articles at http://www.sellsbrothers.com/writing/ .

Mike Gunderloy
Saturday, November 23, 2002

It's not quite clear what the problem is -- is it simply an ACL problem where the students do not have the right to write to the share?  Or is it a code security problem?

Code run from an Intranet share is automatically granted a limited permission set -- it is not allowed to write arbitrary files, discover your environment variables, etc.  If your students are writing programs which do these dangerous sorts of things, you can weaken your security policy.

However, don't forget that you are then opening yourself up to possible abuse.  There are good reasons why you might not want to allow students to write arbitrary programs and run them on each others machines!

You asked for good books -- Brian's book is excellent if you are looking for a very complete overview of the entire security system.  It is particularly good if you're an administrator who needs to understand security.  If on the other hand you are a programmer who needs to rapidly get a handle on security _programming_ I'd suggest my book "The VB.NET Code Security Handbook".

Feel free to contact me directly if you have more code security questions -- I don't read this forum every day. 

Eric Lippert
Tuesday, November 26, 2002

Not a question, but a suggestion you could pass back to the product team: it would be nice to have a super-easy way to grant full trust to a particular directory/share. This is the third or fourth time I've seen this come up. In my own case, it was because I keep all of my code projects on a mapped network drive (due to the eternal necessity to keep rebuilding my main dev machine as it developers "ring around the Windows") and I know I'm not the only dev who works this way.

On the other hand, if you make it too easy it becomes too easy to screw things up...

Mike Gunderloy
Tuesday, November 26, 2002

I agree that the current administration tools are too hard to use -- and I've certainly told the security team that!  I have not heard whether there are planned improvements coming (and if I had heard, I couldn't tell you, which makes the point somewhat moot.)

In the meanwhile, you can grant full trust to a directory on the command line something like this:

caspol -ag 1 -url file://\\foo\bar\baz\ FullTrust

That is "add group to top level, give code in this directory full trust".

Eric Lippert
Tuesday, November 26, 2002

Our college is teaching .NET (VB.NET, C#, and ASP.NET), and the security thing has been our biggest problem. We still haven't figured it out--all of us are just hoping we can get through the rest of the semester with our dignity somewhat intact.

Here are the two problems that stand out in my memory.  Any help on how to fix these (especially the second one) would be much appreciated.

1) All student storage is on a network share; they have no local disk storage so that their projects can follow them from machine to machine through the computing center. One of the first examples in each of the textbooks we're using is to put a button on a Windows form, and then call Application.Exit() from the buttton. It seems like this method is a security risk when run from a network share. I'm not sure why.

2) In the ASP.NET class, the entire class shares the same Web Server, and each student has his/her own site. We simply have not found any way to say to the students - "your programs can read and write files and create and delete folders, but they can only do file I/O inside your own folder." I teach our Java Servlet programming, and this was trivial to do with the Java security manager. I'm sure it must also be possible with ASP.NET, otherwise no ISP could ever offer shared ASP.NET hosting, because any client could read and write files in any other client's directories. 

Any direction appreciated. Thanks much.

--Steve

Stephen Gilbert
Thursday, November 28, 2002

At our college we have the same problem with VB.NET. It does not want to allow the creation of a solution on a network drive. If one chooses the option to go ahead and do this, the .NET framework would lock up the system. We do not want to use a shared folder on a network drive.

I think we have solved the problem.
We downloaded Service Pak 2 for .NET Framework, and installed it. This cured the problem of VB.NET locking up.
Next, I used the .NET Framework configuration tool to create a child under LocalIntranet_Zone, type URL, file://C:/foo/bar/baz/*, with FullTrust permissions from the info provided by Eric.

No lockups. No message about trying to create a solution on a network or mapped drive.

I hope this works for you.

Suzanne Sever
Wednesday, December 04, 2002

*  Recent Topics

*  Fog Creek Home