How to check which permission your assembly requires using Permcalc.exe

  • Article

I was working on a case recently where the customer was a hosting service provider and his client's hosted application was showing a server error. Specifically the error was thrown due to a security exception.

Security Exception
Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

The customer was using a custom-medium trust security policy which is common across all applications hosted. Therefore we needed to work out which permissions the client's application required on the system. This was achieved in the following way:

1. Copied over the BIN directory with custom assemblies to a windows 2008 R2 server.

2. Downloaded the .NET framework 2.0 SDK from here: https://www.microsoft.com/en-us/download/details.aspx?id=19988

3. Ran the SDK command prompt and ran permcalc.exe with the following command: permcalc – show <assembly> <assembly> etc (you can add more assemblies with a space)

4. This generates an xml file with the required permissions the assemblies require.

The following is sample output from this command.

<?xml version="1.0" ?>

<Assembly>

<Namespace Name="ClassLibrary1">

<Type Name="Class1">

<Method Sig="instance void test()" />

<Method Sig="instance void .ctor()">

<Demand>

<PermissionSet version="1"

class="System.Security.PermissionSet">

<IPermission version="1"

class="System.Security.Permissions.RegistryPermission,
mscorlib,

Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089"

Read="true" />

<IPermission version="1" class="System.Security.Permissions.FileIOPermission,
mscorlib,

Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089"

Unrestricted="true" />

</PermissionSet>

</Demand>

<Sandbox>

<PermissionSet version="1"
class="System.Security.PermissionSet">

<IPermission version="1"
class="System.Security.Permissions.RegistryPermission, mscorlib,

Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089"

Read="true" />

<IPermission version="1"
class="System.Security.Permissions.FileIOPermission, mscorlib,

Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089"

Unrestricted="true" />

</PermissionSet>

</Sandbox>

</Method>

</Type>

</Namespace>

</Assembly>

Examine the permissions listed in the <Demand> element. These represent the permissions that the assembly needs. In this case, the assembly needs RegistryPermission and FileIOPermission.

<IPermission version="1"
class="System.Security.Permissions.RegistryPermission, mscorlib,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" Read="true"
/>

<IPermission version="1"

class="System.Security.Permissions.FileIOPermission,
mscorlib,

Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089"

Unrestricted="true" />

 5. Add the missing permissions into the policy file and the exception should go away :)

 

Hope that helps.

 

Rez