Is requirePermission a Hack or a Useful Feature?
Is requirePermission a hack or a useful feature? Don Kiely tells us.
October 30, 2009
Secure ASP.NET
By Don Kiely
Over the last few years in this column I've explored how writing partial trust ASP.NET applications is reasonably straightforward. Microsoft has provided .NET developers plenty of tools for utilizing code access security so that an assembly can have restricted permissions based on its evidence. Even if a user has full administrative rights on the local machine, an assembly may not be able to make full use of resources because, for example, it is running from an untrusted location (such as the Internet).
As you write more sophisticated partial trust ASP.NET applications, you'll start bumping into some of what seem like idiosyncrasies of code access security and trust levels in ASP.NET. One in particular came to my attention recently through Rick Strahl's blog post titled ConfigSection Security. I encourage you to go read it, but the quick summary is that after developing some code used in an ASP.NET application, he tested it under the standard Medium trust level. That broke some things, including the ability to access custom configuration sections.
As Rick discovered, the required System.Configuration.ConfigurationPermission is only included with the Full and High standard trust levels. If you use the recommended Medium trust level for your ASP.NET application, or create a custom trust level based on the Medium trust level, your assembly by default won't have that permission. Any attempt to access a custom configuration section at the Medium or lower trust levels will result in a SecurityException.
The normal solution to this kind of problem is to create a custom trust level and include the permission. But unless you sandbox the code that accesses configuration sections, this means that the entire assembly will have the ConfigurationPermission. This violates the principle of least privilege, which limits what code can do to that which is absolutely necessary. Put another way, it unnecessarily opens security holes in your application and potentially exposes sensitive information you've saved in the custom configuration section.
To get around the necessity of granting an entire assembly this permission, in .NET 2.0 Microsoft added a new attribute to the element of configuration files: requirePermission. This attribute is set to true by default, but by setting it to false you tell the CLR to bypass checking whether the assembly has the ConfigurationPermission. Now, no matter what trust level your application is running with, it can read the section and you haven't granted any extraordinary permission to all your code.
By the way, the default machine.config file sets requirePermission to false in a few of its standard sections: appSettings, connectionStrings, and xmlSerializer. This is why you can access those sections without heightened permission.
The caution here is that you shouldn't set requirePermission to false on sections that hold sensitive information. Doing so could result in exposing secrets to hostile code.
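The following web.config is an added example, not code from the column or from Rick Strahl's post; the section names and handler types are assumptions for illustration. It shows requirePermission on the `<section>` declaration, waived only for the non-sensitive section while the sensitive one keeps the default check, under the Medium trust level the column discusses.

```xml
<?xml version="1.0"?>
<!-- Added example web.config; section names and handler types are assumed. -->
<configuration>
  <configSections>
    <!-- requirePermission is declared on the <section> element. Left at its
         default (true), reading this section demands ConfigurationPermission,
         which Medium trust does not grant, so the read throws SecurityException.
         That is the behaviour we want for a section holding secrets. -->
    <section name="paymentGateway"
             type="Contoso.Config.PaymentGatewaySection, Contoso.Config" />

    <!-- Non-sensitive display settings: waiving the permission check makes the
         section readable at Medium trust and below without widening the
         permissions granted to the whole assembly. -->
    <section name="uiOptions"
             type="Contoso.Config.UiOptionsSection, Contoso.Config"
             requirePermission="false" />
  </configSections>

  <!-- Sensitive values stay behind the ConfigurationPermission check. -->
  <paymentGateway apiKey="PLACEHOLDER-NOT-A-REAL-KEY"
                  endpoint="https://gateway.example/" />

  <!-- Harmless values that partial trust code may read freely. -->
  <uiOptions theme="classic" pageSize="25" />

  <!-- appSettings and connectionStrings need no declaration here: machine.config
       already sets requirePermission="false" for them. -->
  <appSettings>
    <add key="SiteTitle" value="Contoso Intranet" />
  </appSettings>

  <system.web>
    <!-- The recommended trust level; it lacks ConfigurationPermission. -->
    <trust level="Medium" />
  </system.web>
</configuration>
```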
But Is It Secure?
So requirePermission is a useful addition to ASP.NET 2.0, getting around some gnarly problems. But is it secure? By setting requirePermission to false, you're essentially telling the CLR to let any and all code access the data stored in the configuration section. On the surface, this seems to be a Bad Thing, because it potentially opens up the contents of the configuration section to hostile code. On the other hand, your ASP.NET code, no matter its trust level, has to have access to the section in order to run properly. And on the third hand, because ConfigurationPermission is an all-or-nothing permission (full or not at all), you can fine-tune access to configuration sections by using requirePermission.
I have to admit that requirePermission set to false makes me nervous. Typically, I'd much rather create a custom trust level instead of circumventing the CLR this way. That way, you have much more control over access to the section. But if the section doesn't contain important secrets, the attribute can be a great way to fine-tune code access to configuration sections.
By the way, if you do ASP.NET development and haven't added Rick Strahl's blog to your RSS reader, you're missing out on some incredible information!
About the Author
Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:[email protected] and read his blog at http://www.sqljunkies.com/weblog/donkiely/.