Core Framework

Re: DNN 4.0 Trust level

Conwy — Mon, 05 Dec 2005 17:26:03 GMT

I am WebSecureStores customer and I have the same problem. I am looking for new release.

Re: DNN 4.0 Trust level

lsanderlin — Sun, 04 Dec 2005 05:50:11 GMT

All,

I am yet another Crystal Tech customer with the same line of questions. I understand this issue will be resolved (given a circumvention) with the release of 4.0.1. Who can I contact in order to get this release or at least the date it'll be released?

Thanks,

Luke Sanderlin

Re: DNN 4.0 Trust level

CybrEnergy — Wed, 23 Nov 2005 02:13:49 GMT

As far as I know there hasn't been a fix yet.

Here's a thread on CrystalTech's discussion forum.

http://www.crystaltech.com/forum/topic.asp?TOPIC_ID=12952

Re: DNN 4.0 Trust level

Ed Word — Tue, 22 Nov 2005 19:55:55 GMT

I am yet another with this security problem on CrystalTech attempting to run DNN 4.0. I have been reading through the posts and reviewing the DNN bug list, where this issue is mentioned as being resolved in 4.0.1. It would appear that 4.0.1 is not yet available, so what have others done to resolve/circumvent this problem?

Re: DNN 4.0 Trust level

CybrEnergy — Sun, 20 Nov 2005 20:21:35 GMT

I am also a CrystalTech customer and am hoping that this problem with 4.0 can be resolved soon. I am in the process of switching hosts from WebHost4Life to CrystalTech and seem to be having the problem on CT and not WH4L. I guess WH4L does not run in medium trust.

I did notice other errors with WH4L with running 2.0 and 1.1 sites under the same account, but that's a different issue.

Re: DNN 4.0 Trust level

CamberGoose — Wed, 09 Nov 2005 21:49:43 GMT

Charles,
here is the error I get when I fix the other parts you mention. I have given the application full user permissions, so I am not sure why it is doing this.
Error:

Server Error in '/' Application.

Security Exception

Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

Source Error:

Line 77:                 'save the current config files
Line 78:                 If Not Directory.Exists(ApplicationMapPath & backupFolder) Then
Line 79:                     Directory.CreateDirectory(ApplicationMapPath & backupFolder)
Line 80:                 End If
Line 81:

Source File: D:\inetpub\test\Install\Install.aspx.vb Line: 79

Stack Trace:

[SecurityException: Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral,
 PublicKeyToken=b77a5c561934e089' failed.]
   System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet) +0
   System.Security.CodeAccessPermission.Demand() +59
   System.IO.Directory.InternalCreateDirectory(String fullPath, String path, DirectorySecurity dirSecurity) +458
   System.IO.Directory.CreateDirectory(String path, DirectorySecurity directorySecurity) +150
   System.IO.Directory.CreateDirectory(String path) +6
   DotNetNuke.Framework.Install.InstallApplication() in D:\inetpub\test\Install\Install.aspx.vb:79
   DotNetNuke.Framework.Install.Page_Load(Object sender, EventArgs e) in D:\inetpub\test\Install\Install.aspx.vb:358
   System.Web.UI.Control.OnLoad(EventArgs e) +99
   System.Web.UI.Control.LoadRecursive() +47
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +6953
   System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +154
   System.Web.UI.Page.ProcessRequest() +86
   System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +18
   System.Web.UI.Page.ProcessRequest(HttpContext context) +49
   ASP.install_install_aspx.ProcessRequest(HttpContext context) +29
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +154
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +64

Version Information: Microsoft .NET Framework Version:2.0.50727.42; ASP.NET Version:2.0.50727.42

Re: DNN 4.0 Trust level

cnurse — Tue, 08 Nov 2005 22:32:36 GMT

There is still another niggling issue (after doing those two things) IF you run in debug mode (seems ok if you browse to the site in your browser)

Re: DNN 4.0 Trust level

CamberGoose — Tue, 08 Nov 2005 19:25:37 GMT

Charles,
thanks for looking into this, I will be in a position to test this in about 3 hours. Once I get home I will test and let you know what happened.

thanks
Alec

Re: DNN 4.0 Trust level

cnurse — Tue, 08 Nov 2005 19:20:28 GMT

I think I have tracked down the error. At least part of it !!

ASP.NET2 extends the CodeAccess level permisions required to manage/load the various configuration settings of the web.config file.

By default in .NET 1.1, an application could load the configuration nodes (providers section) under Medium Trust. In .NET 2 under Medium Trust it checks a requirePermission attribute on the configuration section declaration - the section at the top of web.config. For example:

<section name="data" requirePermission="false" type="DotNetNuke.Framework.Providers.ProviderConfigurationHandler, DotNetNuke" />
<section name="logging" requirePermission="true" type="DotNetNuke.Framework.Providers.ProviderConfigurationHandler, DotNetNuke"/>

If they are declared as above then acces to the "data" provider section is allowed but access to the logging section is not (under Medium Trust).

By default in .NET 2 the requirePermission is set to true, therefore we will need to add the requirePermission="false" attribute to the element.

This is not documented in msdn at all - in fact if you add the node intellisense tells you it is not a valid attribute for the element.

Re: DNN 4.0 Trust level

CamberGoose — Tue, 08 Nov 2005 18:52:31 GMT

Charles,
Thank you for the reply. I will wait for more information as you guys test it out in Medium trust. If there is anything I can do to help, please let me know.

Thanks
Alec Whittington

Re: DNN 4.0 Trust level

cnurse — Tue, 08 Nov 2005 18:43:35 GMT

CamberGoose wrote:
First off, I just wanted say thank you to the core team for 3.2 and 4.0. Though I run accross problems when new releases come out all the time, I still love the product in the end.

With that said, I must ask a very serious security question:
What does DNN 4.0 need full trust to run? Most shared hosts use Medium trust levels and impersonation to get around the asp.net security issues in shared hosting environments. By overriding the machine.config to allow a site to run at full trust, the site has the ability to do anything an edmin level user can, am I not correct on this?

I have been working with the CrystalTech developers and support personel to determine which part needs the Full trust, but so far we are coming to blanks.
Why does 3.2 need only medium and it runs fine?

Sorry guys but this seems to be a big problem and I would really love to get some answers on this from the core team. CrystalTech offers their customers an automated install of DNN from their control center web application, but they will not be able to offer any of the ASP.NET 2.0 based versions unless this can be resolved.

Please help with this, I know a few people that really want to get this resolved and so far no posts I have made on this have even been answered.

Not sure is the short answer.

There is no serious code differences, so it must be that .NET2 changes some of the CodeAccess Security levels, that we are not aware of. When porting the code, I must admit we did not check that it still worked in Medium Trust - kind of assumed that the code would run the same on .NET2 as .NET 1.1 - after all that is the assurance that we received from MS - full compatability.

DNN 4.0 Trust level

CamberGoose — Tue, 08 Nov 2005 18:22:45 GMT

First off, I just wanted say thank you to the core team for 3.2 and 4.0. Though I run accross problems when new releases come out all the time, I still love the product in the end.

With that said, I must ask a very serious security question:
What does DNN 4.0 need full trust to run? Most shared hosts use Medium trust levels and impersonation to get around the asp.net security issues in shared hosting environments. By overriding the machine.config to allow a site to run at full trust, the site has the ability to do anything an edmin level user can, am I not correct on this?

I have been working with the CrystalTech developers and support personel to determine which part needs the Full trust, but so far we are coming to blanks.
Why does 3.2 need only medium and it runs fine?

Sorry guys but this seems to be a big problem and I would really love to get some answers on this from the core team. CrystalTech offers their customers an automated install of DNN from their control center web application, but they will not be able to offer any of the ASP.NET 2.0 based versions unless this can be resolved.

Please help with this, I know a few people that really want to get this resolved and so far no posts I have made on this have even been answered.