On 21 April 2008 00:21 Yawar Amin wrote: > I'm running Mono 1.2.4 on Ubuntu 7.10. I've been trying to > use the System.Security.Permissions.FileIOPermission class to
The first thing to note is that CAS is not fully implemented on Mono, and is disabled by default. http://www.mono-project.com/CAS However this is immaterial here, see below. > `demand' write access to my home directory and all its parent > directories (i.e. > /home, /). Here's a sample script based on my understanding > of the security permissions concept: > > // test_security_permissions.cs > using System.IO; > using System.Security.Permissions; > > class Test_Security_Permissions { > /* > Demands write access to all parents of this directory. Framework > is supposed to throw an exception if access is not granted. > */ This is actually /not/ what CAS is for, remember that it is *Code* Access Security. That is, it is orthogonal to *Role* Access Security. As a user I run some .NET code in my web browser, *I* (logged in as Role "user1" say) have full rights to do anything with files in my home directory (chmod etc shows that), however I don't trust the *Code* that I'm downloading and running, so *it* has no rights to do anything with files at all. > static void demand_write_access_to_all_parents(string dir_arg) { > DirectoryInfo curr_dir = new DirectoryInfo(dir_arg); > > (new FileIOPermission(FileIOPermissionAccess.Write, > curr_dir.FullName)).Demand(); So here Demand is checking that all the *calling methods* on the stack have CAS permission for that permission. (So, assuming CAS was fully implemented or running on the MSFT CLR) since we're running a command-line program on the local disk it will be Fully-Trusted, and thus all the code is fully-trusted and all permissions will be granted and thus any demand will always succeed. > System.Console.WriteLine("Successfully demanded write > access to {0}", curr_dir.FullName); > if (curr_dir.FullName != curr_dir.Root.FullName) { > > Test_Security_Permissions.demand_write_access_to_all_parents(c > urr_dir.Parent.FullName); > } > } > > public static void Main() { > Test_Security_Permissions.demand_write_access_to_all_parents("."); > } > } > > What's happening is that it seems to successfully `get' write > access to all these directories: > Yup, as above. When I run this on the MSFT CLR I see the same behaviour -- all successes. However, if I run the code from the network it then gets "Intranet" permissions. In that permission set FileIOPermission is a restricted set (Read/Dir access to the network directory from which it was run). So I get the following failure: [[ C:\temp>"\\pc1\temp\Test_Security_Permissions.exe" Unhandled Exception: System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed. at System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet) at System.Security.CodeAccessPermission.Demand() at System.IO.DirectoryInfo..ctor(String path) at Test_Security_Permissions.demand_write_access_to_all_parents(String dir_arg) at Test_Security_Permissions.Main() The action that failed was: Demand The type of the first permission that failed was: System.Security.Permissions.FileIOPermission The first permission that failed was: <IPermission class="System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" version="1" Read="C:\temp\."/> .... .... ]] > [EMAIL PROTECTED]:~/code$ gmcs test_security_permissions.cs > /t:exe && mono test_security_permissions.exe Successfully > demanded write access to /home/yawar/code Successfully > demanded write access to /home/yawar Successfully demanded > write access to /home Successfully demanded write access to / > [EMAIL PROTECTED]:~/code$ > > But obviously I don't have write access to /home and /: > > [EMAIL PROTECTED]:~/code$ ls -ldh / /home drwxr-xr-x 21 root > root 4.0K 2008-04-13 23:08 / drwxr-xr-x 3 root root 4.0K > 2008-04-14 03:01 /home [EMAIL PROTECTED]:~/code$ > > Could someone be kind enough to run this on their own machine > and/or explain what I'm doing wrong? _______________________________________________ Mono-list maillist - [email protected] http://lists.ximian.com/mailman/listinfo/mono-list
