ClickOnce and Security

  • Article

From reading some of my other posts, you can see that most of the information available
on ClickOnce is about the deployment features -- generally skimming right over the
security features.  I'd like to point out one of the security features of ClickOnce
-- permission elevation.

Permission elevation allows a ClickOnce application to specify that it would like
to run with a specified set of permissions, and it can be granted these permissions
without the need to have the user modify their policy.  For instance, if I wrote
an RSS aggregator, it would need to have permission to contact multiple websites. 
Under .Net version 1.1, if this application was run off of my website, it would not
have enough permission to do this, and would be a relatively useless application. 
The only options I would have would be to provide explicit instructions for the user
to modify their security policy (not very user-friendly), provide a .msi file with
a modified security policy allowing my app to run (bad user experience, and could
be wiped-out by other policy .msi installs), or write an installer to copy my program
to their local drive (making updates difficult).

Enter ClickOnce.  Once I finish my project in Visual Studio, I can right click
on it in the Solution Explorer, and choose the Publish menu option, which starts a
wizard to publish my newsreader as a ClickOnce application.  I can choose to
publish it directly to my website, and Visual Studio will go ahead and copy the necessary
files there, as well as create two manifest files, one ending with .deploy the other
with .manifest.  Inside .manifest file (which is just an XML file), there is
a TrustInfo section, which contains the permission set that my application would like
to run under.  This permission set is an XML permission set, the same that is
used throughout the .Net framework.  By modifying this permission set, I can
change which permissions my application needs to run, so in this instance, I might
create a permission set with UI permissions, NetPermission, and maybe some File IO
permissions.  On my website itself, I provide a link to the .deploy file, which
the user can click to install my application.

Once the user clicks on this .deploy file, the security system sees that my application
is requesting more permissions than a normal application from the InternetZone would
receive. It then invokes a trust manager to determine if this application should be
allowed to have this extra level of trust.

The trust manager is a pluggable piece of this system. It implements the ITrustManager
interface, which is responsible for determining if ClickOnce applications
should be allowed to receive these elevated permissions. The trust manager for
the system is chosen in the %WINDIR%\Micrsoft.Net\Framework\<version>\config\applicationtrust.config
file. The trust manager is what users will perceive as the UI portion of the ClickOnce
install -- We will be shipping a default implementation in Whidbey (System.Security.Policy.TrustManager
in System.Windows.Forms.dll), which most users will never have changed on them.

Once a trust decision is made by the trust manager, it is stored in a trust decision
cache.  Each user sees two of these caches, there is one for the entire machine,
and one for each user.  This allows a computer administrator to install an application
for everyone to use (placing the trust decision in the per-machine cache), while each
individual user can make trust decisions about applications independently.

When the user tries to run the RSS aggregator, the security system still has to provide
the extra permissions that the application requested.  This is implemented
through the use of a new code group that has been added to the default security
policy, the ApplicationSecurityManagerCodeGroup.  Basically this code group checks
to see if an assembly is part of an application, looks in the trust cache for a decision
about that application, and applies whatever permissions the app requested. 
Since this permission set will be intersected with the other code groups in the policy,
the net effect is that the application gets extra permissions.