Running "partially trusted" .NET assemblies from a network share

Question

When I try to run a .NET assembly (boo.exe) from a network share (mapped to a drive), it fails since it's only partially trusted:

Unhandled Exception: System.Security.SecurityException: That assembly does not allow partially trusted callers.
   at System.Security.CodeAccessSecurityEngine.ThrowSecurityException(Assembly asm, PermissionSet granted, PermissionSet refused, RuntimeMethodHandle rmh, SecurityAction action, Object demand, IPermission permThatFailed)
   at BooCommandLine..ctor()
   at Program..ctor()
   at ProgramModule.Main(String[] argv)
The action that failed was:
LinkDemand
The assembly or AppDomain that failed was:
boo, Version=0.0.0.0, Culture=neutral, PublicKeyToken=32c39770e9a21a67
The Zone of the assembly that failed was:
Intranet
The Url of the assembly that failed was:
file:///H:/boo-svn/bin/boo.exe

With instructions from a blog post, I added a policy to the .NET Configuration fully trusting all assemblies with file:///H:/* as their URL. I verified this by entering the URL file:///H:/boo-svn/bin/boo.exe into the Evaluate Assembly... tool in the .NET Configuration and noting that boo.exe had the Unrestricted permission (which it didn't have before the policy).

Even with the permission, boo.exe does not run. I still get the same error message.

What can I do to debug this problem? Is there another way to run "partially trusted" assemblies from network shares without having to change something for every assembly I want to run?

Answer 1

With .NET 3.5 SP1, .NET assemblies running from UNC shares have full permissions.

See Brad Abrams's Allow .exes to be run off a network shares for workaround and discussions, and finally the follow up .NET 3.5 SP1 allows managed code to be launched from a network share.

Answer 2

I think you want to add the AllowPartiallyTrustedCallers attribute to your assembly. The error message implies that something that's calling into your boo.exe assembly is not fully trusted, and boo.exe doesn't have this attribute allowing it.

Answer 3

Take a look at the 'caspol.exe' program (provided with .NET runtimes). You will have to do this on the machine you are trying to run the application from. I wasn't able to 'mark' and assembly (probably just me). However, using caspol and setting up the proper permission for my app, LocalIntranet_Zone, fix my similar issue.

I have heard (but haven't tried it yet), that .NET 3.5 sp1 removed this tighten security requirement (not allowing .NET assemblies to reside on a share by default).

Answer 4

I resolved the problem by using caspol as instructed in Johnny Hughes' blog post Running a .Net application from a network share:

caspol -addgroup 1.2 -url file:///H:/* FullTrust

It seems the .NET Configuration GUI for managing the policies simply doesn't work.