If only everyone would just play nice…

Continuing with my rebuttal of Shawn’s listing of reasons for forcing full trust of assemblies in the GAC…

4. “If an application is hosting the CLR, it has the ability to protect itself from assemblies it doesn’t trust to load. For instance, SQL Server 2005 does not allow the Windows Forms library to load. Applications can provide an AppDomainManager and HostSecurityManager in order to disallow some assemblies from loading, or to tweak their grant sets.”

That’s nice. Unfortunately, it does nothing to protect users against the majority of .NET applications, which are run outside of such custom hosts. I suppose this does mean that one could force stand-alone .NET apps to run in a host of one’s choosing, but I have a really hard time seeing this as a general workaround for reduced CAS policy flexibility. Amongst other things, who could be trusted by most users to build, test, and distribute such a host (keeping in mind that a buggy host might introduce security problems of its own)?

5. “Assembly-level declarative security still works to reduce the grant set, so if you really need it, there is a knob you can turn to reduce the granted permissions of an assembly stored in the GAC.”

This works for the assemblies we create, but not the ones we consume (either via our own code or applications authored by others). It would be naive not to recognize that some developers will be GACing assemblies just to acquire a guaranteed full trust grant. These are not folks likely to be willing to reduce their permission grants in any way. They may also do some pretty silly things like blindly asserting any permission their own callers might need, thereby creating some rather ugly security holes on our machines.
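As an added illustration (not code from this post or from Shawn’s article), here are both knobs side by side in C# against the .NET Framework 2.0-era CAS API: assembly-level declarative requests that cap the grant even for a GAC’d assembly, and the blanket Assert described above next to a narrowly scoped one. The namespace, class and log path are assumptions made up for the example.

```csharp
// Added example; .NET Framework 2.0-era CAS. Names and path are constructed.
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Assembly-level declarative security, the "knob" from point 5: before any
// code runs, the runtime intersects the policy grant (FullTrust in the GAC)
// with RequestMinimum + RequestOptional and subtracts RequestRefuse, so this
// assembly never holds more than execute, assert, and append under C:\Logs.
[assembly: SecurityPermission(SecurityAction.RequestMinimum, Execution = true, Assertion = true)]
[assembly: FileIOPermission(SecurityAction.RequestOptional, Append = @"C:\Logs")]
[assembly: RegistryPermission(SecurityAction.RequestRefuse, Unrestricted = true)]

namespace SampleGacLogger // constructed name
{
    public static class Logger
    {
        private const string LogFile = @"C:\Logs\app.log"; // constructed path

        // The pattern the paragraph above warns against: a blanket Assert lends
        // every caller, partially trusted ones included, this assembly's whole
        // grant for the call, and the caller even chooses the path. In a GAC'd
        // FullTrust copy without the attributes above, any caller becomes a
        // full-trust file writer; with them, the Assert can only cover what the
        // assembly itself holds, so the exposure is capped at appending under C:\Logs.
        public static void AppendAnywhere(string callerChosenPath, string line)
        {
            new PermissionSet(PermissionState.Unrestricted).Assert();
            File.AppendAllText(callerChosenPath, line + Environment.NewLine);
            CodeAccessPermission.RevertAssert();
        }

        // The narrow form: the resource is fixed by the library, only the one
        // permission the operation needs is asserted, and the assert is
        // reverted as soon as the privileged write completes.
        public static void Append(string line)
        {
            new FileIOPermission(FileIOPermissionAccess.Append, LogFile).Assert();
            try
            {
                File.AppendAllText(LogFile, line + Environment.NewLine);
            }
            finally
            {
                CodeAccessPermission.RevertAssert();
            }
        }
    }
}
```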

If the platform allows developers to abuse the system with such ease, it should at least allow users to protect themselves with as little effort.
