
Using CASPOL to Fully Trust a Network Share

The .NET 4.0 Framework does not apply CAS policy by default. Any settings modified by CasPol will only affect applications that opt into using CAS policy. Please see http://go.microsoft.com/fwlink/?LinkId=131738 for more information.

Network shares get “LocalIntranet” permission by default. If you use the IP address of the server or the FQDN of the server, that share will get “Internet” permissions instead. I find this common when I use domain-based DFS (\\domain.local\dfs\share). Since I trust these share locations, I find myself constantly updating the code access security policy so that I can run .NET applications from network share locations.

If I wanted to trust everything on the share \\server\share, the command is:

CasPol.exe -m -pp off -ag 1.2 -url file://///server/share/* FullTrust
  • -m - modify the machine level of the policy. This is needed, since the machine level is where all of the default policy lives.
  • -pp off - turns the policy-change confirmation prompt off.
  • -ag 1.2 - add a code group under group 1.2. In the default policy, group 1.2 is the “LocalIntranet” group, so the new code group that we're creating will only be checked if the file comes from the intranet.
  • -url file://///server/share/* - the membership condition for the new code group is a UrlMembershipCondition matching this URL pattern.
  • FullTrust - the permission set to grant assemblies that match the code group.

Sometimes I map that share to a drive letter on the local system, and when you do that you have to slightly modify the above -url pattern to file:///F:/*

If you are running a 64-bit system, make sure to run caspol.exe from both the 32-bit version and the 64-bit version of the framework, since each keeps its own policy.

I also run my development tools inside a VM on my laptop, so I map drives back to the host system. These are the commands that I use so I can treat those drives as if they were local drives:

caspol.exe -m -pp off -ag 1 -url "file:///D:/*" FullTrust
caspol.exe -m -pp off -ag 1 -url "file:///L:/*" FullTrust

The difference here is that I'm adding the code group to the “LocalComputer” instead of the “LocalIntranet”.
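The commands above, wrapped into one PowerShell function as an added example (not from the original page): it builds the -url pattern for either a UNC share or a mapped drive, refuses to trust a path that does not resolve, and runs CasPol from both the 32-bit and 64-bit framework directories. The function name and the v2.0.50727 CasPol.exe locations under %windir%\Microsoft.NET are assumptions.

```powershell
# Added example, not the page's own code. Assumes CasPol.exe lives under
# %windir%\Microsoft.NET\Framework[64]\v2.0.50727 (the .NET 4.0 runtime
# ignores this policy unless the application opts in, as noted above).
function Grant-CasPolFullTrust {
    param(
        [Parameter(Mandatory)] [string] $Path,   # "\\server\share" or "F:\"
        [switch] $WhatIf                         # print the commands instead of running them
    )

    # Build the UrlMembershipCondition pattern used on this page:
    #   \\server\share -> file://///server/share/*   (under group 1.2, LocalIntranet)
    #   F:\            -> file:///F:/*               (under group 1, as in the mapped-drive commands)
    if ($Path -match '^\\\\([^\\]+)\\(.+?)\\?$') {
        $url    = "file://///$($Matches[1])/$($Matches[2] -replace '\\','/')/*"
        $parent = '1.2'
    } elseif ($Path -match '^([A-Za-z]):\\?$') {
        $url    = "file:///$($Matches[1].ToUpper()):/*"
        $parent = '1'
    } else {
        throw "Expected a UNC share (\\server\share) or a drive root (F:\), got '$Path'"
    }

    # Only trust a location that actually resolves: a typo here would hand
    # FullTrust to whatever later answers to that name.
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Path '$Path' is not reachable; refusing to add a FullTrust code group for it"
    }

    # Each framework bitness keeps its own policy, so run CasPol from both.
    $casPolExes = @('Framework', 'Framework64') |
        ForEach-Object { Join-Path $env:windir "Microsoft.NET\$_\v2.0.50727\CasPol.exe" } |
        Where-Object { Test-Path -LiteralPath $_ }   # 32-bit machines have no Framework64

    foreach ($casPol in $casPolExes) {
        $argList = @('-m', '-pp', 'off', '-ag', $parent, '-url', $url, 'FullTrust')
        if ($WhatIf) { Write-Host "$casPol $($argList -join ' ')"; continue }
        & $casPol @argList
        if ($LASTEXITCODE -ne 0) { throw "CasPol exited with $LASTEXITCODE for $casPol" }
    }
}

# Usage (run from an elevated prompt):
#   Grant-CasPolFullTrust -Path '\\server\share' -WhatIf   # preview the commands
#   Grant-CasPolFullTrust -Path 'F:\'
# Then review the machine-level code groups with:  CasPol.exe -m -lg
```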

programming/caspol_network_share.txt · Last modified: 2010/08/10 11:08 by julian@julianscorner.com
Copyright © 2011 by Julian Easterling. SOME RIGHTS RESERVED.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Share Alike 3.0 Unported License.
