Problem with Custom Trust Levels

  • Question

  • User-1842880510 posted

    Our IIS servers just were upgraded to IIS 7.5.  As part of the government mandated security tightening, they (the Data Center people) are now required to implement a Medium Trust Level.  However the Medium Trust Level does not allow our application to do what is needed.  We tried to get them to apply a Custom Trust Level using instructions we got from an MSDN article.  It did not work.  I started a thread in the General Forums category about it at http://forums.iis.net/t/1214527.aspx?Setting+Custom+Trust+level+with+changed+FileI+O+Permission It only got one answer, 12 days ago, which totally failed.

    I am hoping that people more interested in security will access this thread and be able to assist us in this. 

    I have been informed on other forums that once a thread reaches a certain age then it is pointless to expect a reply and you might as well start a new thread. So although this is essentially a duplicate of the other thread I am hoping someone will see this and be able to give us the answer.

    Update 7/24/2014:  I have not received any assistance to this in the last 8 days.  We have not forgotten this.  We were successful in using the MS instructions to implement a custom trust level file that would allow us to use OLEDB connections while in what is otherwise the medium Trust level.  So the MSDN article at http://msdn.microsoft.com/en-us/library/ff648344.aspx is not totally wrong.  However, we still have not been able to implement the section on File I/O permissions.  Since the article is about ASP.Net 2.0 permissions, we intend to create a test 2.0 web app and a test 2.0 app pool, put the customized trust level config under the 2.0 folder and try it there to see if we can modify the File I/O permission there.

    Update 7/30/2014

    Created test 2.0 app to do both oledb connection and read file outside of $AppDir.  Put it in 2.0 app pool.  Created custom trust level based on medium in 2.0 folder.  Changed web config in 2.0 folder to use custom trust level.

    App made Oledb connection but failed to read file outside of $AppDir.  So MSDN article is incorrect.  Reply on other thread referenced a reply on different thread http://forums.iis.net/p/1197427/2048658.aspx?ASP+Trust+level+web+config to create new location elements with an explicit path for the folder I want to read from.  It did not work.  Putting those location elements in caused all the apps on the site to fail with 500 errors.

    Wednesday, July 16, 2014 12:05 PM

Answers

  • User-1842880510 posted

    As a solution.  I called MS support.  They reported that code like File.Open() needs to use certain overloads with additional parameters beyond the default.  We were also using

    System.Configuration.ExeConfigurationFileMap file_map = new ExeConfigurationFileMap();

    We were required to use:

    string sPath = "<actual system path>";
    System.Configuration.ExeConfigurationFileMap file_map = new ExeConfigurationFileMap(sPath);

    We were also instructed to change ALL of the attributes of the FileIOPermission, Like this

    <IPermission
        class="FileIOPermission"
        version="1"
        Read="D:\Inetpub\wwwroot\NewWebConfig;$AppDir$"
        Write="D:\Inetpub\wwwroot\NewWebConfig;$AppDir$"
        Append="D:\Inetpub\wwwroot\NewWebConfig;$AppDir$"
        PathDiscovery="D:\Inetpub\wwwroot\NewWebConfig;$AppDir$"
    />

    However we found that File.Exists() and Server.MapPath() still did not work.  ( In fact Server.MapPath() did not work even within the $AppDir$).

    So what we ended up doing was removing all calls to Server.MapPath() and File.Exists(), and changing the alteration of the FileIOPermission to

    <IPermission
        class="FileIOPermission"
        version="1"
        Read="D:\Inetpub\CadPad\wwwroot\VFSWebConfig;$AppDir$"
        Write="$AppDir$"
        Append="$AppDir$"
        PathDiscovery="D:\Inetpub\CadPad\wwwroot\VFSWebConfig;$AppDir$"
    />

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Friday, September 12, 2014 10:23 AM
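As an added diagnostic (not code from this thread or from the MSDN article), the following C# helper demands each FileIOPermission flag separately for a given absolute path, so a page running in the custom-trust app pool can report which of Read, Write, Append and PathDiscovery the policy file actually grants for that folder; the class and method names are my own.

```csharp
// Added example, not from the thread: probe which FileIOPermission flags the
// current trust level grants for a path. Run it from a page in the app pool that
// uses the custom trust level; under full trust every Demand succeeds.
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Permissions;

public static class FileIoPermissionProbe
{
    // Returns, for each access flag, whether a Demand for that flag on 'path' succeeds.
    // 'path' must be absolute; FileIOPermission rejects relative paths.
    public static IDictionary<FileIOPermissionAccess, bool> Probe(string path)
    {
        var results = new Dictionary<FileIOPermissionAccess, bool>();
        foreach (var access in new[] {
            FileIOPermissionAccess.Read,
            FileIOPermissionAccess.Write,
            FileIOPermissionAccess.Append,
            FileIOPermissionAccess.PathDiscovery })
        {
            try
            {
                // Demand walks the call stack; under partial trust it throws when the
                // policy file's FileIOPermission entry does not cover 'path' for 'access'.
                new FileIOPermission(access, path).Demand();
                results[access] = true;
            }
            catch (SecurityException)
            {
                results[access] = false;
            }
        }
        return results;
    }

    // One line per flag, suitable for writing to a test page or a log.
    public static string Report(string path)
    {
        var lines = new List<string> { "FileIOPermission for " + path };
        foreach (var kv in Probe(path))
            lines.Add("  " + kv.Key + ": " + (kv.Value ? "granted" : "DENIED"));
        return string.Join(Environment.NewLine, lines);
    }
}

// Constructed placeholder path for illustration; use the folder named in your policy file.
// Response.Write(FileIoPermissionProbe.Report(@"D:\Inetpub\wwwroot\NewWebConfig"));
```

A folder that shows Read granted but PathDiscovery denied is the pattern to look for when File.Exists() or Server.MapPath() fails while a direct File.Open() on the same folder works.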