Creating Partial Trust Directories

Last night at the Writing Partial Trust Code BoF, someone was wondering if they could create a sort of download sandbox on their machine.  The problem we’re trying to solve is being able to save code from the browser to the local machine instead of just pressing Run.  However, when you do that, the code ends up running with FullTrust instead of the Internet permission set it would have received if it had been run directly from the browser.

To solve this problem, you can set up a special directory, say c:\temp\download, and tell the CLR that any code run from that directory will receive the Internet permission set.  Time to pull out some CasPol kung-fu:

c:\Windows\Microsoft.Net\Framework\v2.0.50215>CasPol -m -ag 1. -url file://c:\temp\download\* Internet -exclusive on

Added union code group with “-url” membership condition to the Machine level.

That command creates a new code group under the root code group of the machine level.  This code group matches any assembly located under the c:\temp\download directory tree and grants that code the Internet permission set.  We need to set the exclusive bit because any code that matches c:\temp\download will also match MyComputer and would therefore end up with FullTrust.  By marking this code group exclusive, we tell the policy system not to match any other code groups at this level, so the MyComputer group gets ignored.

Of course, once you’ve done this, you’ll want to copy your security.config to security.config.default so that caspol -all -reset doesn’t remove your change.
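
The whole procedure with a verification step, as an added example that is not part of the original post: it creates the code group, resolves policy for an assembly in the sandbox directory, and only then copies the policy to security.config.default.  It assumes an elevated PowerShell prompt, that security.config and security.config.default live in the framework's CONFIG directory, and a hypothetical managed assembly named sample.exe already saved to c:\temp\download; the backup file name is also made up for the example.

```powershell
# Added example. Paths other than those quoted from the post are assumptions.
$fx      = 'C:\Windows\Microsoft.NET\Framework\v2.0.50215'  # framework directory from the post
$caspol  = Join-Path $fx 'CasPol.exe'
$config  = Join-Path $fx 'CONFIG\security.config'            # machine-level policy file (assumed location)
$sandbox = 'c:\temp\download'
$sample  = Join-Path $sandbox 'sample.exe'                   # hypothetical managed assembly used for the check

# Keep a copy of the policy as it was before the change (hypothetical backup name).
Copy-Item $config "$config.before-sandbox" -Force

# Same command as in the post; -quiet suppresses the policy-change confirmation prompt.
# '1.' is quoted so PowerShell passes the code group label through as text.
& $caspol -quiet -m -ag '1.' -url "file://$sandbox\*" Internet -exclusive on
if ($LASTEXITCODE -ne 0) { throw "CasPol -ag failed with exit code $LASTEXITCODE" }

# List the machine-level code groups so the new group is visible under the root.
& $caspol -m -lg

# Show which code groups the sample assembly matches, then the permissions it is granted.
& $caspol -all -rsg $sample
$grant = (& $caspol -all -rsp $sample) -join "`n"
$grant

# Heuristic check on CasPol's output: an unrestricted top-level PermissionSet
# means the assembly still resolves to FullTrust.
if ($grant -match '<PermissionSet[^>]*Unrestricted="true"') {
    throw "$sample still resolves to an unrestricted grant; check the -exclusive flag."
}

# Only after the check passes, make the change survive 'caspol -all -reset'.
Copy-Item $config "$config.default" -Force
```

Policy is stored per framework version directory, so the check only says something about assemblies that run on the runtime whose CasPol.exe was used.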

Comments (2)

  1. Sam says:

    How can code from the Internet determine its origin URL? With .Net v2, AppDomain.CurrentDomain.BaseDirectory (worked in v1.1), AppDomain.CurrentDomain.Evidence and Assembly.GetExecutingAssembly().Location require permissions that are not in the Internet set. The origin URL is required so that the code can connect back to the site with WebRequest. Obviously when using a partial trust directory, there would be no URL.

  2. shawnfa says:

    You would need to know what URL you were deployed from in order to connect back to it. Maybe ship that information in a .config file?