Why does my .net application require full trust?

Question

I\'ve developed a .net 3.0 application, which is deployed using clickonce.

I\'d like to move from full trust to partial trust to ease deployment.

I\'ve tried

Answer 1

Adding the requirePermission='false' attribute in the app.config's configsections helps a lot :

 <sectionGroup name="system.net" type="System.Net.Configuration.NetSectionGroup, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
      <section requirePermission="false" name="defaultProxy" type="System.Net.Configuration.DefaultProxySection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
    </sectionGroup>

It made the trick for me !

Answer 2

Microsoft has a tool called permcalc which analyse an assembly and produces a detailed xml output file which looks like this :

<Type Name="MyClass">
<Method Sig="instance void .ctor()">
<Demand>
<PermissionSet version="1" class="System.Security.PermissionSet">
  <IPermission version="1" class="System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" Unrestricted="true" /> 
  <IPermission version="1" class="System.Security.Permissions.ReflectionPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" Unrestricted="true" /> 
...

Answer 3

Without seeing the code for your application, it's impossible to tell. There is something that is requiring full trust in your app that you might have overlooked (perhaps a dependency?).

Answer 4

It seems my problem is caused by the fact that my assembly is strongly signed.

Quoted from msdn

In strong-named assemblies, a LinkDemand is applied to all publicly accessible methods, properties, and events therein to restrict their use to fully trusted callers. To disable this feature, you must apply the AllowPartiallyTrustedCallersAttributeattribute.

I'm adding the needed attribute to my assembly, and I'll let you know how things turn out :

[assembly:AllowPartiallyTrustedCallers]

Update : I've added the attribute to my assemblies, but I'm also using some .net assemblies.

Not all .net assemblies can be used by partially trusted assemblies (here's a list), namely, WCF assemblies (ie System.ServiceModel) is not on the list

However, Microsoft states that it's possible to use WCF in a partial trust environment (see here)

I've tried to remove all the unneeded assemblies from my references, I've used the AllowPartiallyTrustedCallers in all my assemblies, and I'm still stucked...

Answer 5

Your stack-trace does not show the type of permission being demanded.

AllowPartiallyTrustedCallers won't help you in this case. It should be specified on the calling target, e.g. when some partially trusted code calls into your trusted assembly. In your situation you should examine whether your app calls into assemblies that do not have this attribute defined. If yes then your app will need to run in full-trust and won't work in partial trust at all (this is how CAS is enforced and is by design.)

Otherwise use permcalc. It will show you the permissions that should then be enabled in the security settings of the project. However I'm not sure if after including all those perms you will still have "partial trust" or rather full trust with a few stripped-down permissions. This is due to the fact that partial trust is very restrictive (open security.config and look at the enabled permissions!), as far as I know WebPermission is not there (which is needed to send http requests), same with FileIOPermission.

Answer 6

Hrm, just a guess, but is it running off of a network share? .NET seems to assign trust based on the location the code is being run from. If it's from anywhere but your local hard drive then you're going to have security issues.