Thursday, July 27, 2006

Getting CLR Security Right - Seeing Double

This one bit me the other day. Fortunately Dominick was able to straighten me out rather quickly.


What I was trying to do was to update a build script to run off of a shared drive (don't ask). Of course, when running .NET code like NAnt and the other 90 tools we use in the build, you need to elevate privileges or your tools are unlikely to work with the decreased permissions they get by default when running from a network drive. That much I knew. Where I got burned was that some of our tools are compiled for .NET 1.1, and some for 2.0. Well, policy for 1.1 is completely separate from policy for 2.0. So I had to change it in both places.


Luckily, I didn't waste too much time on this. It helps to be willing to bother your friends. :)


  1. It's pretty simple to change the policy to trust a network drive once you've dug through the documentation (which isn't necessarily as simple). All our dev workstations map R: to the release depot where we store our build output and third-party assemblies. I have everyone designate it as a full trust zone:

    caspol -q -machine -addgroup 1 -url file://R:/* FullTrust -name "Release Depot"

  2. Yep, that's exactly what I did...except you have to do it twice - once for 1.1 and once for 2.0, using the caspol tool from the appropriate framework directory.
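
The point above, that each CLR version keeps its own policy, can be scripted so neither framework is missed. This is an added example, not code from the post or its comments: it runs the caspol command quoted above once per framework directory and then lists the machine code groups to confirm the rule landed. The directory names `v1.1.4322` and `v2.0.50727` are the default install locations and are assumed here, as is matching on the URL text in caspol's group listing.

```powershell
# Added example: apply the same code group to every installed CLR version.
# Machine-level policy changes need an administrator prompt.
# Assumption: .NET 1.1 and 2.0 live in their default directories.
$frameworkRoot = Join-Path $env:windir 'Microsoft.NET\Framework'
$versions      = 'v1.1.4322', 'v2.0.50727'
$url           = 'file://R:/*'       # mapped release depot from the comment above
$groupName     = 'Release Depot'
$urlPattern    = [regex]::Escape($url)

foreach ($version in $versions) {
    $caspol = Join-Path (Join-Path $frameworkRoot $version) 'caspol.exe'
    if (-not (Test-Path $caspol)) {
        Write-Warning "$version is not installed here; nothing to update."
        continue
    }

    # Each framework's caspol.exe edits only that framework's policy,
    # so the listing and the change are both done per version.
    $before = & $caspol -machine -listgroups
    if ($before -match $urlPattern) {
        # Re-running -addgroup would stack a duplicate group; skip instead.
        Write-Host "$version - a group for $url already exists."
        continue
    }

    & $caspol -q -machine -addgroup 1 -url $url FullTrust -name $groupName

    # Confirm from the policy itself rather than trusting console output.
    $after = & $caspol -machine -listgroups
    if ($after -match $urlPattern) {
        Write-Host "$version - added '$groupName' for $url."
    } else {
        Write-Error "$version - group for $url not found after -addgroup."
    }
}
```

Because the grant is FullTrust for everything under the share, the listing step is also a quick way to audit which machines and CLR versions carry it.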