I’ve seen quite a few articles over the past few months that make the assumption that one can only connect to the hosting database from SQLCLR code running at the SAFE permission level. I can’t seem to find any official MSDN documentation that would directly reinforce this misconception, so I’m guessing that it stems from the limitation of the SqlClientPermission at the SAFE level to only allow use of the following connection strings (with optional specification of the Type System Version parameter): context connection=true or context connection=yes Unfortunately, the documentation for the SqlClientPermission.Add method is a wee bit ambiguous with respect to … Continue reading Hopping databases from the SAFE SQLCLR permission level
Odd exceptions at odd times If you apply a PrincipalPermission attribute to a class in order to restrict the users and/or roles that are permitted to use the class, you may start seeing security exceptions like the following being thrown at unexpected times (like, say, when your application is quitting):

System.Security.SecurityException was unhandled
Message=”Request for principal permission failed.”
Source=”mscorlib”
StackTrace:
at System.Security.Permissions.PrincipalPermission.ThrowSecurityException()
at System.Security.Permissions.PrincipalPermission.Demand()
at System.Security.PermissionSet.DemandNonCAS()
at YourNamespace.YourClass.Finalize()

What’s up with that? The basic gist of the above exception is that the demand for your specified PrincipalPermission is failing when the finalizer for your class is invoked. If your class also … Continue reading Why is my application coughing up a SecurityException after my code stops running?
Surprise! User instances are a new capability of SQL Server 2005 (Express edition only) that are supposedly intended to allow non-admins to attach database files without requiring additional permissions. This actually works just fine and, at first glance, it probably strikes most folks as a lovely least-privilege accommodation. The unfortunate bit that might not be immediately obvious to the casual user is that this is accomplished by granting the connecting user sysadmin privilege over his user instance. This means that every connection to a user instance is a connection running as sysadmin. So… What’s so bad about connecting as sysadmin? … Continue reading Secure by de…what?
I’d been hoping that the details of the SQL CLR CAS permission sets might make it into the SQL Server Books Online or other relevant documentation by the RTM timeframe. Unfortunately, I can’t seem to find anything that even begins to resemble a listing of the permissions, never mind coverage of some of the pickier details of their assessment and consequences. I’d already started trying to investigate some of this on my own during the beta and, after spending a bit more time with the RTM build (i.e.: pretty much wasting a perfectly good Saturday), here’s what I think I’ve … Continue reading Speculations on the surprisingly under-documented world of SQL CLR CAS permission grants
Finally wrapping up my rebuttal of Shawn’s listing of reasons for forcing full trust of assemblies in the GAC… 6.a) “Based upon the assumption that GACed assemblies are receiving FullTrust, tools such as NGEN can have simpler code paths around security.” Not too many users of the platform are likely to lose sleep worrying about how complex Microsoft’s private implementation of such tools might be. If any given feature is too difficult to implement without eroding the security protections offered by the platform, dropping the feature might be a better solution than dropping the protection. Of course, this only holds … Continue reading Heads, you lose. Tails, you lose.
Continuing with my rebuttal of Shawn’s listing of reasons for forcing full trust of assemblies in the GAC… 4. “If an application is hosting the CLR, it has the ability to protect itself from assemblies it doesn’t trust to load. For instance, SQL Server 2005 does not allow the Windows Forms library to load. Applications can provide an AppDomainManager and HostSecurityManager in order to disallow some assemblies from loading, or to tweak their grant sets.” That’s nice. Unfortunately, it does nothing to protect users against the majority of .NET applications, which are run outside of such custom hosts. I suppose … Continue reading If only everyone would just play nice…
Continuing with my rebuttal of Shawn’s listing of reasons for forcing full trust of assemblies in the GAC… 3.a) “Since you have to be an administrator in order to add an assembly to the GAC, it is already considered special from a security standpoint.” Ouch. Got a few things to say about this one… i. Joe User can’t write to the Program Files directory either. Does this make it special too? (Rhetorical question, I hope. ;)) ii. One absolutely does not need to be an administrator to add assemblies to the GAC. Even under default ACLs (at least on fully … Continue reading I’m so special…
Continuing with my rebuttal of Shawn’s listing of reasons for forcing full trust of assemblies in the GAC… 2.a) “By side-effect, assemblies in the GAC did already receive FullTrust.” Under default policy only. I’d be one of the first to argue that this default policy is probably too permissive, but it’s a little late in the game for that. At least those of us who don’t like the default policy can alter it so that not all locally installed code is fully trusted. Forcing full trust of all assemblies in the GAC would deny us that possibility. 2.b) “The only … Continue reading Secure by default?
After introducing a Microsoft plan to force full trust of all assemblies in the GAC, Shawn Farkas posted a follow-up inviting further feedback. Included in his post are six points explaining some of the reasoning behind the change. In my opinion, none of these reasons even begins to justify the change, and I’d like to present some counter-arguments to each. I’ll address each of Shawn’s points in a separate post here, with the individual points and subpoints labeled for ease of discussion. Starting with point 1… 1.a) “Assemblies in the GAC build up the managed platform that all managed applications can run … Continue reading I’m in the platform? Little old me?
This post is in response to a Microsoft plan to force full trust of all assemblies in the GAC regardless of CAS policy settings. CAS Imagine for a moment that you could find an “intro to CAS” document from Microsoft that gives a simple, clear statement of the purpose of CAS. What would that statement be? Unfortunately, my own search for such a document failed to turn up anything that didn’t jump directly from the “why” into the “how” of CAS, leaving the reader to infer the purpose from the “why”. In the absence of a clear statement from Microsoft … Continue reading Keep it simple, smarty