-1

i have a snippet of code:

public void MyMethod()
{
   DirectoryEntry de; 
   ...
   de.AuthenticationType = AuthenticationTypes.Secure;
   ...
}

that FxCop chokes on:

CA2122: Do not indirectly expose methods with link demands

Resolution: MyMethod() calls into DirectoryEntry.AuthenticationType.set(AuthenticationTypes) which has a LinkDemand.
By making this call, DirectoryEntry.AuthenticationType.set(AuthenticationTypes) is indirectly exposed to user code.

Info: Do not wrap a method protected by a LinkDemand with a method that does not perform a security check. A LinkDemand checks the permissions of the immediate caller rather than checking the permissions of all callers in the call stack. In this case, the permissions of the wrapper method will be checked. If the wrapper method does not, itself, check the permissions of callers higher in the call stack, malicious code might be able to execute the wrapped function even though it lacks permission to do so."

i'm all for adding something, somewhere to "fix" this issue. But it can't add it if it will cause code that currently works for customers to spontaneously not work for customers.

Note: i don't know what to add, or where (FxCop doesn't include that information), and i don't want to delve too deep into the secret world of code security if it's a dead end.

If i add "a security check* to MyMethod, is there a possibility that code that currently works will stop working?

i assume that the code, as written now, will not work if someone doesn't have permission. In other words:

directoryEntry.AuthenticationType = AuthenticationTypes.Secure

will already fail if someone doesn't have correct "permissions". Adding a "security check" higher up in the call stack will not change that fact - only trigger the failure sooner. In that case adding the security check is OK.

On the other hand if:

public void MyMethod() {...}

MyMethod();

currently works, but

[SecurityCheck(...)]
public void MyMethod() {...}

AD.MyMethod()

will begin to fail, then i can't really add it.

Especially in library code that everyone uses.

The reason i can't test this for myself is that nobody knows how to replicate the situation where there would be a problem.

It's like when most people check credentials against active directory by trying to connect to AD with a username and password and read a property. You might not be allowed to read properties, even though the username/password is correct. i'd wager that nobody besides myself knows to to configure ActiveDirectory to replicate that failure case.

In my case, i presume nobody knows how to configure stuff so that the code security would fail.

Community
  • 1
  • 1
Ian Boyd
  • 246,734
  • 253
  • 869
  • 1,219
  • This stuff is all useless if running in full trust mode. You need a lesser trust mode to trigger security checks (and subsequent failures). – leppie Nov 28 '11 at 15:31
  • As I understand it, the concept is that there may be user-impersonation going on. Something that uses a service account, or running under an app-pool account are all common times when the 'executing' user might not be the 'current user'. So, if you code passes through a block like that, then it is certain that adding a security check as described by FxCop could break earlier code. This also means that you can NEVER assume that someone *already* has permissions to do something, because at different levels of the stack, they might be a different someone! – DevinB Nov 28 '11 at 15:41
  • @DevinB Strictly speaking, since **Link Demand** happens when the code is JITed, and JITed code is cached, could the Link Demand be checked by one user of the application (me) runs it. If someone else logs onto my machine, and use the same cached jitted code, the check is incorrect. That's a **Link Demand** that i have no control over. – Ian Boyd Nov 28 '11 at 15:47
  • @Ian, that's why it was a comment, because I didn't actually have anything useful to say :(. Sorry. It would appear, based on the documentation that I just read, that unless your entire stack is secure and known to be secure, you shouldn't be using anything that has a "linkdemand", which is why FxCop is complaining. – DevinB Nov 28 '11 at 15:55

1 Answers1

0

i assume that the code, as written now, will not work if someone doesn't have permission

That's not true for a LinkDemand, which only requires the immediate caller to possess the target permission(s). This is the reason that FxCop is warning you of a potential problem: a malicious caller could potentially use your method to indirectly invoke a DirectoryEntry method despite not having sufficient CAS permissions to do so itself.

The best fix for this depends on several things, including which .NET Framework version you are using. For early .NET versions, add a LinkDemand or full demand for unrestricted DirectoryServicesPermission to your method. If FxCop is happy, you're pretty much done wrt this particular problem. However, it will be possible that some callers will no longer be able to invoke your method. If this is a problem, they you need to evaluate your use of DirectoryEntry and determine whether it could be abused by a malicious caller before you remove the protection.

For more recent .NET versions, things get more complicated. If you need help with this, please specify which version(s) of .NET you are targeting and whether you consider it necessary to support partially trusted callers.

Nicole Calinoiu
  • 20,843
  • 2
  • 44
  • 49
  • .NET Framework 2.0-4.0. i don't know if it's necessary to support trusted callers as i don't know when callers might be partially trusted. If i'm a standard user, running an executable from a network location, i assume i am still fully trusted - because i'm me. i guess the easier way to put it is: nobody would never *choose* to not be fully trusted - so as long as nobody ever experiences an error that they didn't *mean* to experience due to some way .NET decides "caller trust". – Ian Boyd Nov 28 '11 at 21:10
  • Code Access Security (CAS) evaluates the permissions of the code, not of the user. When running an executable directly from a network location, the code would not be fully trusted by default prior to .NET 3.5 SP1. However, it may be fully trusted if the client machine's CAS policy has been altered to increase the CAS permissions of code run from the intranet. It sounds like you actually do want all the consuming applications to run with full trust. However, this is usually an IT decision, not a developer decision, so you should probably consult with them before making a final decision. – Nicole Calinoiu Nov 29 '11 at 12:52
  • If my application doesn't run, i will have to tell IT what they have to change on every computer in the enterprise to make it work. Or i could change my app to not cause the security error. – Ian Boyd Dec 07 '11 at 15:01