It is possible to do this using code access security. How are you doing the compilation? If you are using the Code DOM, you can control this kind of thing with the CompilerParameters you pass to ICodeCompiler.CompileAssemblyFrom[Dom/Source/File]. The Evidence property is the way to do this.
The basic idea is this: the evidence associated with an assembly determines what code groups that assembly belongs to, which in turn determines what permissions it gets. The evidence->code group mapping is determined by security policy configuration, as is the code group->permissions mapping.

By default, there are code groups to represent local code (on local hard disks), and various categories of non-local code that correspond to the Internet Explorer 'zones'. If one of the existing permission sets meets your requirements, just use that. For example, the Intranet permission set restricts file IO - the application will only be able to read and write files if it goes through an Open File or Save File dialog. It won't have access to the registry.

So if this is acceptable, you could just create the appropriate Zone evidence object and assign that to the assembly as you compile it. That code will then run as though it had been loaded from the intranet.

--
Ian Griffiths
DevelopMentor

> -----Original Message-----
> From: Janis Braslins [mailto:[EMAIL PROTECTED]
>
> Hi :) This is a bit foggy, but here goes:
>
> We are playing around with application server that is able to receive
> csharp source code from the end-user via some communication channel,
> compile it into an assembly at runtime, load the assembly, create instance
> of certain class within the assembly then execute some functions on it.
>
> The question is, is there a way to restrict that dynamically generated
> assembly from performing filesystem IO, network IO, registry access or
> anything else that would allow that assembly to access information outside
> the scope of the application server.
>
> The basic goal is to allow end-users to create their own plugins that can
> utilize certain functionality provided by the application server without
> compromising server security.
>
> Thank you for your time!
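The approach described in the reply above, as an added C# example that is not code from the thread: user-supplied source is compiled through the Code DOM with Intranet Zone evidence, and a file read attempted by the resulting assembly is refused. It assumes a .NET Framework version where CAS policy is enforced and `CompilerParameters.Evidence` is honored (1.x through 3.5; the property is obsolete from 4.0); the `Plugin` class and the file path are constructed for illustration.

```csharp
using System;
using System.CodeDom.Compiler;
using System.Reflection;
using System.Security;
using System.Security.Policy;
using Microsoft.CSharp;

class SandboxedCompileDemo
{
    // Constructed sample standing in for source received from an end-user.
    const string PluginSource = @"
using System.IO;
public class Plugin
{
    public string Greet(string name) { return ""Hello, "" + name; }
    public string ReadFile(string path)
    { using (StreamReader r = new StreamReader(path)) return r.ReadToEnd(); }
}";

    // Compile in memory and tag the assembly with Intranet zone evidence,
    // so policy maps it to the Intranet code group and its permission set.
    static Assembly CompileAsIntranet(string source)
    {
        Evidence evidence = new Evidence();
        evidence.AddHost(new Zone(SecurityZone.Intranet));
        CompilerParameters options = new CompilerParameters();
        options.GenerateInMemory = true;
        options.Evidence = evidence;
        ICodeCompiler compiler = new CSharpCodeProvider().CreateCompiler();
        CompilerResults results = compiler.CompileAssemblyFromSource(options, source);
        if (results.Errors.HasErrors)
            throw new InvalidOperationException(results.Errors[0].ToString());
        return results.CompiledAssembly;
    }

    static void Main()
    {
        Assembly asm = CompileAsIntranet(PluginSource);
        object plugin = asm.CreateInstance("Plugin");
        Type type = plugin.GetType();
        // Pure computation needs no extra permission and succeeds.
        Console.WriteLine(type.GetMethod("Greet").Invoke(plugin, new object[] { "world" }));
        try
        {   // The FileIOPermission demand fails on the plugin's stack frame.
            type.GetMethod("ReadFile").Invoke(plugin, new object[] { @"C:\placeholder.txt" });
            Console.WriteLine("File read was NOT blocked; check security policy.");
        }
        catch (TargetInvocationException ex) // reflection wraps the plugin's exception
        {
            if (!(ex.InnerException is SecurityException)) throw;
            Console.WriteLine("Blocked by CAS: " + ex.InnerException.Message);
        }
    }
}
```

The permission demand is evaluated before the file is opened, so the placeholder path does not need to exist for the refusal to be observed.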
