Last week I mentioned that although currently assemblies in the GAC receive FullTrust as a side effect of the GAC being on the local machine, from Whidbey beta 2 and beyond, being in the GAC will imply FullTrust on its own. A lot of the feedback wondered why we were doing this. Here's some of the reasoning:
- Assemblies in the GAC build up the managed platform that all managed applications can run on. In order to build up a platform where any application, trusted or not, can run safely, it makes sense that you need to trust the assemblies making up that platform. If you don't trust an assembly enough for any code to be able to call into it, then the best place for it is probably not the GAC
- By side-effect, assemblies in the GAC did already receive FullTrust. The only way that you could change this would be to either not grant MyComputer FullTrust, or create an exclusive code group that matched the strong name of the assembly and granted less trust.
- Since you have to be an administrator in order to add an assembly to the GAC, it is already considered special from a security standpoint. For instance, strong name verification is skipped for assemblies that are loaded from the GAC.
- If an application is hosting the CLR, it has the ability to protect itself from assemblies it doesn't trust to load. For instance, SQL Server 2005 does not allow the Windows Forms library to load. Applications can provide an AppDomainManager and HostSecurityManager in order to disallow some assemblies from loading, or to tweak their grant sets.
- Assembly-level declarative security still works to reduce the grant set, so if you really need it, there is a knob you can turn to reduce the granted permissions of an assembly stored in the GAC.
- Based upon the assumption that GACed assemblies are receiving FullTrust, tools such as NGEN can have simpler code paths around security. And reducing complexity in code paths that involve security helps to reduce the risk of bugs, which is a very good thing.
All that being said, one of the reasons we did this in a public beta is so that we can gather feedback, and asses the impact that the change will have on real world applications. I'd love to get some comments from people who are currently locking down assemblies in the GAC. Specifically I'm interested in what scenarios you're trying to solve with this problem, and some other ways you tried to go about fixing the problem.