Page view counter
Home
ASP.NET Forums » Starter Kits and Source Projects » DotNetNuke » Core Framework » DNN 4.0 Trust level

Shortcuts

DNN 4.0 Trust level

Last post 12-05-2005 12:26 PM by Conwy. 11 replies.

Sort Posts:

  • DNN 4.0 Trust level

    11-08-2005, 1:22 PM
    • Loading...
    • CamberGoose
    • Joined on 03-23-2005, 11:14 AM
    • Phoenix, AZ
    • Posts 16
    • Points 80
    First off, I just wanted say thank you to the core team for 3.2 and 4.0. Though I run accross problems when new releases come out all the time, I still love the product in the end.

    With that said, I must ask a very serious security question:
    What does DNN 4.0 need full trust to run? Most shared hosts use Medium trust levels and impersonation to get around the asp.net security issues in shared hosting environments. By overriding the machine.config to allow a site to run at full trust, the site has the ability to do anything an edmin level user can, am I not correct on this?

    I have been working with the CrystalTech developers and support personel to determine which part needs the Full trust, but so far we are coming to blanks.
    Why does 3.2 need only medium and it runs fine?

    Sorry guys but this seems to be a big problem and I would really love to get some answers on this from the core team. CrystalTech offers their customers an automated install of DNN from their control center web application, but they will not be able to offer any of the ASP.NET 2.0 based versions unless this can be resolved.

    Please help with this, I know a few people that really want to get this resolved and so far no posts I have made on this have even been answered.

    DNN 2.X Installation Guide

  • Re: DNN 4.0 Trust level

    11-08-2005, 1:43 PM
    • Loading...
    • cnurse
    • Joined on 11-05-2003, 3:46 PM
    • Langley, BC, Canada
    • Posts 562
    • Points 2,810
     CamberGoose wrote:
    First off, I just wanted say thank you to the core team for 3.2 and 4.0. Though I run accross problems when new releases come out all the time, I still love the product in the end.

    With that said, I must ask a very serious security question:
    What does DNN 4.0 need full trust to run? Most shared hosts use Medium trust levels and impersonation to get around the asp.net security issues in shared hosting environments. By overriding the machine.config to allow a site to run at full trust, the site has the ability to do anything an edmin level user can, am I not correct on this?

    I have been working with the CrystalTech developers and support personel to determine which part needs the Full trust, but so far we are coming to blanks.
    Why does 3.2 need only medium and it runs fine?

    Sorry guys but this seems to be a big problem and I would really love to get some answers on this from the core team. CrystalTech offers their customers an automated install of DNN from their control center web application, but they will not be able to offer any of the ASP.NET 2.0 based versions unless this can be resolved.

    Please help with this, I know a few people that really want to get this resolved and so far no posts I have made on this have even been answered.



    Not sure is the short answer. 

    There is no serious code differences, so it must be that .NET2 changes some of the CodeAccess Security levels, that we are not aware of.  When porting the code, I must admit we did not check that it still worked in Medium Trust - kind of assumed that the code would run the same on .NET2 as .NET 1.1 - after all that is the assurance that we received from MS - full compatability.


    Charles Nurse
    Keydance Computer Services
    Langley, BC, Canada

  • Re: DNN 4.0 Trust level

    11-08-2005, 1:52 PM
    • Loading...
    • CamberGoose
    • Joined on 03-23-2005, 11:14 AM
    • Phoenix, AZ
    • Posts 16
    • Points 80
    Charles,
         Thank you for the reply. I will wait for more information as you guys test it out in Medium trust. If there is anything I can do to help, please let me know.

    Thanks
    Alec Whittington

    DNN 2.X Installation Guide

  • Re: DNN 4.0 Trust level

    11-08-2005, 2:20 PM
    • Loading...
    • cnurse
    • Joined on 11-05-2003, 3:46 PM
    • Langley, BC, Canada
    • Posts 562
    • Points 2,810
    I think I have tracked down the error.  At least part of it !!

    ASP.NET2 extends the CodeAccess level permisions required to manage/load the various configuration settings of the web.config file. 

    By default in .NET 1.1, an application could load the configuration nodes (providers section) under Medium Trust.  In .NET 2 under Medium Trust it checks a requirePermission attribute on the configuration section declaration - the section at the top of web.config.  For example:

    <section name="data" requirePermission="false" type="DotNetNuke.Framework.Providers.ProviderConfigurationHandler, DotNetNuke"  />
    <section name="logging" requirePermission="true" type="DotNetNuke.Framework.Providers.ProviderConfigurationHandler, DotNetNuke"/>

    If they are declared as above then acces to the "data" provider section is allowed but access to the logging section is not (under Medium Trust).

    By default in .NET 2 the requirePermission is set to true, therefore we will need to add the requirePermission="false" attribute to the element.

    This is not documented in msdn at all - in fact if you add the node intellisense tells you it is not a valid attribute for the element.

    Charles Nurse
    Keydance Computer Services
    Langley, BC, Canada

  • Re: DNN 4.0 Trust level

    11-08-2005, 2:25 PM
    • Loading...
    • CamberGoose
    • Joined on 03-23-2005, 11:14 AM
    • Phoenix, AZ
    • Posts 16
    • Points 80
    Charles,
       thanks for looking into this, I will be in a position to test this in about 3 hours. Once I get home I will test and let you know what happened.

    thanks
    Alec

    DNN 2.X Installation Guide

  • Re: DNN 4.0 Trust level

    11-08-2005, 5:32 PM
    • Loading...
    • cnurse
    • Joined on 11-05-2003, 3:46 PM
    • Langley, BC, Canada
    • Posts 562
    • Points 2,810
    There is still another niggling issue (after doing those two things) IF you run in debug mode (seems ok if you browse to the site in your browser)
    Charles Nurse
    Keydance Computer Services
    Langley, BC, Canada

  • Re: DNN 4.0 Trust level

    11-09-2005, 4:49 PM
    • Loading...
    • CamberGoose
    • Joined on 03-23-2005, 11:14 AM
    • Phoenix, AZ
    • Posts 16
    • Points 80
    Charles,
        here is the error I get when I fix the other parts you mention. I have given the application full user permissions, so I am not sure why it is doing this.
    Error:

    Server Error in '/' Application.

    Security Exception

    Description: The application attempted to perform an operation not allowed by the security policy.  To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

    Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

    Source Error: 

    Line 77:                 'save the current config files
    Line 78:                 If Not Directory.Exists(ApplicationMapPath & backupFolder) Then
    Line 79:                     Directory.CreateDirectory(ApplicationMapPath & backupFolder)
    Line 80:                 End If
    Line 81:

    Source File: D:\inetpub\test\Install\Install.aspx.vb    Line: 79

    Stack Trace: 

    [SecurityException: Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral,
     PublicKeyToken=b77a5c561934e089' failed.]
       System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet) +0
       System.Security.CodeAccessPermission.Demand() +59
       System.IO.Directory.InternalCreateDirectory(String fullPath, String path, DirectorySecurity dirSecurity) +458
       System.IO.Directory.CreateDirectory(String path, DirectorySecurity directorySecurity) +150
       System.IO.Directory.CreateDirectory(String path) +6
       DotNetNuke.Framework.Install.InstallApplication() in D:\inetpub\test\Install\Install.aspx.vb:79
       DotNetNuke.Framework.Install.Page_Load(Object sender, EventArgs e) in D:\inetpub\test\Install\Install.aspx.vb:358
       System.Web.UI.Control.OnLoad(EventArgs e) +99
       System.Web.UI.Control.LoadRecursive() +47
       System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +6953
       System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +154
       System.Web.UI.Page.ProcessRequest() +86
       System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +18
       System.Web.UI.Page.ProcessRequest(HttpContext context) +49
       ASP.install_install_aspx.ProcessRequest(HttpContext context) +29
       System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +154
       System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +64

    Version Information: Microsoft .NET Framework Version:2.0.50727.42; ASP.NET Version:2.0.50727.42

    DNN 2.X Installation Guide

  • Re: DNN 4.0 Trust level

    11-20-2005, 3:21 PM
    • Loading...
    • CybrEnergy
    • Joined on 09-26-2002, 2:11 PM
    • Mount Airy, MD
    • Posts 94
    • Points 381
    I am also a CrystalTech customer and am hoping that this problem with 4.0 can be resolved soon.  I am in the process of switching hosts from WebHost4Life to CrystalTech and seem to be having the problem on CT and not WH4L.  I guess WH4L does not run in medium trust.

    I did notice other errors with WH4L with running 2.0 and 1.1 sites under the same account, but that's a different issue.

  • Tongue Tied [:S] Re: DNN 4.0 Trust level

    11-22-2005, 2:55 PM
    • Loading...
    • Ed Word
    • Joined on 05-19-2005, 4:39 PM
    • Posts 9
    • Points 45
    I am yet another with this security problem on CrystalTech attempting to run DNN 4.0. I have been reading through the posts and reviewing the DNN bug list, where this issue is mentioned as being resolved in 4.0.1. It would appear that 4.0.1 is not yet available, so what have others done to resolve/circumvent this problem?

  • Re: DNN 4.0 Trust level

    11-22-2005, 9:13 PM
    • Loading...
    • CybrEnergy
    • Joined on 09-26-2002, 2:11 PM
    • Mount Airy, MD
    • Posts 94
    • Points 381
    As far as I know there hasn't been a fix yet.

    Here's a thread on CrystalTech's discussion forum.

    http://www.crystaltech.com/forum/topic.asp?TOPIC_ID=12952

  • Re: DNN 4.0 Trust level

    12-04-2005, 12:50 AM
    • Loading...
    • lsanderlin
    • Joined on 12-04-2005, 5:46 AM
    • Posts 1
    • Points 5

    All,

    I am yet another Crystal Tech customer with the same line of questions.  I understand this issue will be resolved (given a circumvention) with the release of 4.0.1.  Who can I contact in order to get this release or at least the date it'll be released?

    Thanks,

    Luke Sanderlin

  • Re: DNN 4.0 Trust level

    12-05-2005, 12:26 PM
    • Loading...
    • Conwy
    • Joined on 11-29-2005, 2:52 PM
    • Posts 21
    • Points 105

    I am WebSecureStores customer and I have the same problem. I am looking for new release.

     
Page 1 of 1 (12 items)
RSS Available

Contact | Advertise | Ads by BanManPro | Running IIS7
All Rights Reserved. | Terms of Use | Trademarks | Privacy Statement
© 2009 Microsoft Corporation.

  • ASP.net
  • Silverlight
  • Channel 8
  • Channel 9
  • TechNet Edge
  • IIS
  • MIX
  • MSDN
  • Channel 10
  • Windows Client