.Net and the fallacy of security

.Net purports to be a secure platform, but when I created a .Net setup package with a custom action, I found that I could not run the setup package from a network share.

I have a VB.Net installer. The installer program I created (System.Configuration.Install) handles the various events like MyBase.AfterUninstall, etc. This program works fine, but when I run the installer from a network resource (a UNC path) it generates a System.Security.SecurityException before the program even starts. The .MSI installer kicks off just fine, but throws the exception just when the .EXE program starts.

The installer works fine if the UNC drive is mapped, or if it is run from a local drive. Any idea on what may be happening?

The solution may surprise you. It surprised me! The setup package created in VS.Net has to be granted code access permissions (through CasPol) to execute from a UNC path, but not from a mapped drive! My users would never go for having to do that. They want to click a link in the email I send or on a web page and have the installer run. Fortunately, there is an easy workaround, but it shows just how crummy the .Net security is.

Here’s the trick: Create a batch file named setup.bat that grants the .Net permissions the setup package needs to run from the network. Here are the contents of the batch file used to set security on .Net 1.1:

@GOTO :START
/******************************************/
/* $Date: 2006/06/09 17:51:05 $ */
/* $Revision: 1.1 $ */
/* $Author: mike $ */
/******************************************/

:START

IF NOT "%1" == "/?" GOTO :TESTOS
	ECHO.
	ECHO CONFIGNET.BAT - Sets up the .NET configuration
	GOTO :END

:TESTOS
IF "%OS%" == "Windows_NT" GOTO :SETLOC
	ECHO.
	ECHO !!! ERROR: SETUP PACKAGE REQUIRES A WINDOWS NT TYPE OS
	GOTO :ERROR

:SETLOC
SETLOCAL ENABLEEXTENSIONS
	IF ERRORLEVEL 1 GOTO :SETLOCERR
	GOTO :TRIMCMD

:SETLOCERR
	ECHO.
	ECHO !!! ERROR: COMMAND EXTENSIONS NOT AVAILABLE
	GOTO :ERROR

:TRIMCMD
rem Reduce the batch file's own path (%0) to just its drive letter and directory
SET MYROOTDIR=%~dp0
IF "%MYROOTDIR%" == "" GOTO :RUNSU

rem Test the setup dir to see if we are on a UNC path. UNC paths start with "\\"
rem A UNC path requires us to run caspol to give .NET permissions to run the setup
	IF "%MYROOTDIR:~0,2%" == "\\" GOTO :TESTCAS
	GOTO :RUNSU

:TESTCAS
rem At this point we know the batch file is being run from a UNC path
rem This requires that we SET the .NET permissions using CASPOL.EXE
rem Verify that CASPOL.EXE is on the system
	SET CASPOL_EXE=%SystemRoot%\Microsoft.NET\Framework\v1.1.4322\CasPol.exe
	IF EXIST "%CASPOL_EXE%" GOTO :RUNCAS
	ECHO.
	ECHO !!! ERROR: MICROSOFT .NET v1.1.4322 PACKAGE NOT INSTALLED
	GOTO :ERROR

:RUNCAS
rem Run CASPOL and see if the permissions are already SET for this UNC.
rem CASPOL has the nasty habit of creating a new code group each time,
rem regardless of whether one is already present or not.
rem Change the "\" to "/" which is what caspol shows in its listing
ECHO Testing .NET security: "%MYROOTDIR%"
"%CASPOL_EXE%" -lg 2>NUL | findstr /I /C:"%MYROOTDIR:\=/%" >NUL
	IF ERRORLEVEL 1 GOTO :NEEDCAS
	GOTO :CASOK

:NEEDCAS
rem CASPOL is required for this UNC Path. Add it to the .NET configuration
ECHO Setting .NET security
"%CASPOL_EXE%" -q -machine -addgroup 1 -url "file:%MYROOTDIR%*" FullTrust -n "mmGrasp" >NUL
	IF ERRORLEVEL 1 GOTO :CASERR
	GOTO :RUNSU

:CASERR
	ECHO.
	ECHO !!! ERROR: Setting .NET for "%MYROOTDIR%"
	GOTO :ERROR

:CASOK
	ECHO .NET security OK
	GOTO :RUNSU

:RUNSU
rem The .NET permissions are in place (or were not needed); nothing more to do
	GOTO :END

:ERROR
rem Common exit for the error paths above; return a non-zero exit code
	EXIT /B 1

:END

So there it is: one of the ways that .Net security falls short, and an easy way to beat it.
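To go a step beyond the findstr test in the batch file, here is an added example of my own (not part of the original batch file or of CasPol) that parses the output of caspol -lg to decide whether a UNC directory is already covered by a Url code group, to find the duplicate groups CasPol piles up when -addgroup is run repeatedly, and to list every share that has been granted FullTrust. It is written in Python so the logic can be read on its own. The caspol -lg listing embedded in it is constructed for the example: the layout is approximated from the .NET 1.1 tool, and the server and share names are made up. The -remgroup commands it produces are how the group added by the batch file can be taken back out again, which matters because a machine-level Url group with FullTrust trusts every assembly under that path for every user of the machine, not just the setup package.

```python
import re

# Constructed sample of `caspol -lg` output. The layout is approximated from the
# .NET 1.1 tool and the server/share names are made up; groups 1.6 and 1.7 stand
# in for the duplicate entries CasPol creates when -addgroup is run twice.
SAMPLE_CASPOL_LG = """\
Microsoft (R) .NET Framework CasPol 1.1.4322.573

Security is ON

Level = Machine

Code Groups:

1.  All code: Nothing
   1.1.  Zone - MyComputer: FullTrust
   1.2.  Zone - Intranet: LocalIntranet
      1.2.1.  All code: Same directory FileIO - 'Read, PathDiscovery'
   1.3.  Zone - Internet: Internet
   1.4.  Zone - Untrusted: Nothing
   1.5.  Zone - Trusted: Internet
   1.6.  Url - file://fileserver/apps/setup/*: FullTrust
   1.7.  Url - file://fileserver/apps/setup/*: FullTrust

Success
"""

# One code-group line: "<label>.  <membership condition>: <permission set>"
GROUP_RE = re.compile(
    r"^\s*(?P<label>\d+(?:\.\d+)*)\.\s+(?P<cond>.+?):\s+(?P<pset>.+?)\s*$"
)
URL_PREFIX = "Url - "


def parse_code_groups(listing):
    """Code groups in a `caspol -lg` listing as dicts; other lines are skipped."""
    groups = []
    for line in listing.splitlines():
        m = GROUP_RE.match(line)
        if m:
            groups.append({"label": m.group("label"),
                           "condition": m.group("cond").strip(),
                           "permission_set": m.group("pset").strip()})
    return groups


def normalize_url(value):
    """Comparable form of a UNC dir or Url condition: slashes only, no file:
    scheme or leading slashes, lower-cased (Windows paths ignore case)."""
    v = value.replace("\\", "/").lower()
    if v.startswith("file:"):
        v = v[len("file:"):]
    return v.lstrip("/")


def url_groups(groups):
    """(normalized url pattern, group) pairs for every Url-condition group."""
    return [(normalize_url(g["condition"][len(URL_PREFIX):]), g)
            for g in groups if g["condition"].startswith(URL_PREFIX)]


def covering_groups(groups, unc_dir):
    """Groups whose Url pattern already covers unc_dir (the check the batch
    file approximates with findstr). A trailing '*' is a prefix wildcard."""
    target = normalize_url(unc_dir)
    if not target.endswith("/"):
        target += "/"
    hits = []
    for pattern, g in url_groups(groups):
        prefix = pattern[:-1] if pattern.endswith("*") else pattern
        if target.startswith(prefix):
            hits.append(g)
    return hits


def duplicate_url_groups(groups):
    """url pattern -> labels, for patterns that appear more than once."""
    by_pattern = {}
    for pattern, g in url_groups(groups):
        by_pattern.setdefault(pattern, []).append(g["label"])
    return {p: labels for p, labels in by_pattern.items() if len(labels) > 1}


def fulltrust_locations(groups):
    """Distinct Url patterns granted FullTrust: every location listed here runs
    any assembly it holds with full permissions, so it is worth reviewing."""
    return sorted({p for p, g in url_groups(groups)
                   if g["permission_set"] == "FullTrust"})


def caspol_add_command(unc_dir, group_name):
    """The -addgroup invocation the batch file issues, as a command string."""
    root = unc_dir if unc_dir.endswith("\\") else unc_dir + "\\"
    return ('caspol -q -machine -addgroup 1 -url "file:%s*" FullTrust -n "%s"'
            % (root, group_name))


def caspol_remove_commands(labels):
    """-remgroup invocations, highest label first: labels are positional, so
    removing 1.6 before 1.7 would renumber 1.7 out from under the next call."""
    ordered = sorted(labels, key=lambda s: [int(x) for x in s.split(".")],
                     reverse=True)
    return ["caspol -machine -remgroup %s" % lbl for lbl in ordered]


def plan_for_share(listing, unc_dir, group_name="mmGrasp"):
    """None when the share is already covered, else the add command to run."""
    if covering_groups(parse_code_groups(listing), unc_dir):
        return None
    return caspol_add_command(unc_dir, group_name)
```

The findstr test in the batch file is a raw substring match on the converted path; covering_groups instead normalizes slashes and case and honours the trailing *, so a group that was added for a parent directory is also recognized as covering the setup directory, and the duplicate-group and FullTrust listings give an administrator a quick way to see what the batch file has left behind on a machine.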
