Viewing Assembly Permissions

Introduction

In this article I will show you how you can view the Code Groups that an assembly belongs to and what permissions belong to the assembly. I will demonstrate the Caspol utility supplied with the .NET SDK.

When would you need to view access rights?

When a developer creates an assembly, he or she may require access to a resource or action that may usually be available to an assembly used by most users or clients. There may be times when the Administrator of a host, for his or her own reasons, has restricted the action or resource required by the developer's assembly. This restriction could cause the assembly to function improperly or fail altogether when a security exception is thrown. Viewing the requirements of the assembly could help you narrow down the problem and determine whether the problems are security issues.

Code Groups and Permission Sets

Code Groups - Security Policies have several levels such as the Machine policy level, the User Policy level or the Application Domain Policy level. Within these policy levels is a hierarchy of code groups. The Code Groups then break down into child nodes of other groups (Strong name, URL, App directory, etc.). The condition of each Code Group is called the Membership Condition. Each Membership Condition must be met in order for an assembly's code to be part of that Code Group. Each Code Group contains a permission set.

Permission Sets - Each of the Policy Levels mentioned above: Machine, User, and Application Domain, supply the assembly with their combined permissions to create the assembly's Permission Set.

What is CASPol?

CASPol is a command line utility that is included with the .NET run time SDK. CASPol stands for Code Access Security Policy. It is used to administer policy changes as well as view existing permissions and Code Group hierarchy.

Your default view will be determined by your current access permissions (machine or user). Your default view if you do not currently have administrative permissions will be the Users view. In the samples below, I will explicitly specify either the Machine policy level or the User policy level. When both should be displayed together, the -all option will be used.

Viewing the Code Groups

To view the Code Groups we will use the CASPol utility. Using the -all option lets you see both the user and machine groups at the same time.

 CASPol -all -resolvegroup hello.dll

The above command will show the code groups that a specific assembly file belongs to. In the above example I used a library called hello.dll. This could however be replaced with any assembly, even caspol.exe itself. The hello.dll is the module that was used in my article "Assemblies: The Ins and Outs - Part 2". There are no custom or added restrictions in the hello.dll assembly. An example of the command's output looks like:

Microsoft (R) .NET Framework CasPol 1.0.2204.21
Copyright (c) Microsoft Corp 1999-2000. All rights reserved.

Level = Machine
Code Groups:

1. All code: Nothing
    1.1. Zone - MyComputer: FullTrust

Level = User
Code Groups:

1. All code: FullTrust

Success

The output above is brief and simple but is sufficient to demonstrate what you can expect to see when viewing the groups. In the example above, the first item we see is one of the policy levels. The first policy listed is the Machine policy. Then the Code Groups that our code belongs to are listed. At the Machine level our code belongs to the All Code group, which uses the built-in permission set called Nothing. (Other non-modifiable built-in permission sets include Execution and FullTrust.) The permission set called "Nothing" prohibits all resources, including the right to execute code. However, the All Code group has a subgroup called Zone. The Zone group requires that I meet the MyComputer Membership Condition, and if I do then the FullTrust permission set is used. FullTrust allows full access to all resources.

The next policy level listed is the User level. The User level specifies that I have FullTrust permissions to run all code.

Finally the program displays that it ran successfully.

Viewing the Permissions

If you are viewing an assembly's permission sets for diagnostic reasons then you may want to use the -all option with CASPol. You would want to do this because when the assembly is run, it is being run by a user. When a user runs a program the machine and user policies are combined, including the application domain's policy. Using the -all option lets you see both the user and machine permission sets at the same time.

 CASPol -all -resolveperm hello.dll

The above command shows the Permission Sets that a specific assembly file belongs to. Again I used the library called hello.dll. This could however be replaced with any assembly. An example of the command's output looks like:

Microsoft (R) .NET Framework CasPol 1.0.2204.21
Copyright (c) Microsoft Corp 1999-2000. All rights reserved.

Resolving permissions for level = Machine
Resolving permissions for level = User

Grant =
<PermissionSet class="System.Security.PermissionSet" version="1">
  <Unrestricted/>
  <Permission class="System.Security.Permissions.StrongNameIdentityPermission,
  mscorlib, Ver=1.0.2204.21, Loc='', SN=03689116d3a4ae33" version="1">
    <PublicKeyBlob>
      <Key>00240000048000009400000006020000002400005...</Key>
    </PublicKeyBlob>
    <Name>hello</Name>
    <Version>1.0.444.35256</Version>
  </Permission>
  <Permission class="System.Security.Permissions.URLIdentityPermission, mscorlib,
  Ver=1.0.2204.21, Loc='', SN=03689116d3a4ae33" version="1">
    <Url>file:///D:/Projects/hello.dll</Url>
  </Permission>
  <Permission class="System.Security.Permissions.ZoneIdentityPermission, mscorlib,
  Ver=1.0.2204.21, Loc='', SN=03689116d3a4ae33" version="1">
    <Zone>MyComputer</Zone>
  </Permission>
</PermissionSet>
Success

In the example above, the first items we see are the policy levels. The output above combines both the Machine and User policies to display what permissions my code has been granted.

The Permission Set itself is set to Unrestricted allowing all permissions to be available. Next there are three specific sets of permissions being demanded:

    • StrongNameIdentityPermission - The hello.dll library contains a strong name (it is a Shared Assembly using public key cryptography). This permission contains the public key that must be matched for other code to make valid calls to this assembly. I shortened the cryptographic number for display.
    • URLIdentityPermission - This is the URL of where the code originated. If you are viewing one of your own assemblies, you will most likely see the path that you compiled to.
    • ZoneIdentityPermission - This permission determines if the calling code is from a specific zone. Only exact zone matches can be defined for this permission, and a URL can only belong to a single zone.

The -all option can also be abbreviated to just -a in the command.

Worth Mentioning

Another option that can be used with the CASPol utility is the -list option. The -list option shows the list of code groups followed by a list of named permission sets available in the most recent displayed policy. The output from the command below is for your entire current configuration, and not just for a single assembly. So this command is good for getting an overall look at your permissions.

 CASPol -list

If the output from the above command is too long for your shell window, then try using the following command. This will save the output to a text file called output.txt.

 CASPol -list > output.txt

To shorten the output further you could use the following command to list all Code Groups for your current configuration:

 CASPol -listgroups

This would display just the Code Groups and produce an output similar to the following:

Security is ON
Execution checking is OFF
Policy change prompt is ON

Level = Machine
Code Groups:
1. All code: Nothing
  1.1. Zone - MyComputer: FullTrust
    1.1.1. Honor SkipVerification requests: SkipVerification
  1.2. Zone - Intranet: LocalIntranet
    1.2.1. All code: Same site Socket and Web.
  1.3. Zone - Internet: Internet
  1.4. Zone - Untrusted: Nothing
  1.5. Zone - Trusted: Internet
  1.6. StrongName - 0024000004800000940000000...: Everything

Success

CASPol -listpset would also do the same as the previous command except that only the permission sets would be displayed.
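The following is an added example, not part of the original article: a Python script that parses code group listings in the format shown above (from -listgroups or -resolvegroup) and reports every code group that grants a broad permission set, together with the chain of Membership Conditions leading to it. The sample text is constructed, the StrongName key is a placeholder, and treating FullTrust and Everything as the "broad" sets is this example's assumption.

```python
import re

# Constructed sample in the -listgroups format shown in this article
# (the StrongName key is a placeholder, not a real key).
SAMPLE = """\
Security is ON
Level = Machine
Code Groups:
1. All code: Nothing
  1.1. Zone - MyComputer: FullTrust
    1.1.1. Honor SkipVerification requests: SkipVerification
  1.2. Zone - Intranet: LocalIntranet
  1.3. Zone - Untrusted: Nothing
  1.4. StrongName - <KEY-PLACEHOLDER>: Everything
Level = User
Code Groups:
1. All code: FullTrust
Success
"""

LEVEL_RE = re.compile(r"^Level = (\w+)\s*$")
# "<label> <membership condition>: <permission set>", split on the last ": "
GROUP_RE = re.compile(r"^\s*((?:\d+\.)+)\s+(.+):\s+(.+?)\s*$")

def parse_code_groups(text):
    """Return [(level, label, membership_condition, permission_set), ...]."""
    groups, level = [], None
    for line in text.splitlines():
        if m := LEVEL_RE.match(line.strip()):
            level = m.group(1)
        elif level and (m := GROUP_RE.match(line)):
            groups.append((level, m.group(1).rstrip("."), m.group(2), m.group(3)))
    return groups

def broad_grants(groups, broad=("FullTrust", "Everything")):
    """List code groups whose permission set is in `broad` (an assumption of
    this example), with the parent > child chain of membership conditions."""
    cond = {(lvl, label): c for lvl, label, c, _ in groups}
    findings = []
    for lvl, label, _, pset in groups:
        if pset in broad:
            parts = label.split(".")
            chain = [cond.get((lvl, ".".join(parts[:i])), "?")
                     for i in range(1, len(parts) + 1)]
            findings.append(f"{lvl}: {' > '.join(chain)} -> {pset}")
    return findings

if __name__ == "__main__":
    for finding in broad_grants(parse_code_groups(SAMPLE)):
        print(finding)
```

To review a real configuration, save the output of CASPol -all -listgroups to a file and pass its contents to parse_code_groups.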

Summary

The output from the hello.dll module was a very short example with very few restricted permissions. Using the CASPol utility to view restrictions for a specific assembly will allow you to discover what permissions your assembly needs to run. Using the CASPol -list command will allow you to get familiar with what permissions are available to you as a user or administrator.

 

 
