OdeToCode IC Logo

Medium Trust ASP.NET Applications

Saturday, October 29, 2005

If you are an ISP offering shared hosting, or you are a developer deploying your app in a shared hosting environment, then there is no doubt you want to avoid running ASP.NET applications with full trust. Full trust is the default trust level for ASP.NET.

What is full trust? The runtime defines several trust levels we can use to constrain what an application can do. These trust level range from minimal trust, which is a highly restrictive level, to full trust, which has no restrictions at all. The recommended trust level for an ASP.NET application is right in the middle: medium trust (see the ASP.NET 2.0 Hosting Deployment Guide).

What is wrong with full trust? For starters, the AppDomain hosting the application is no longer a security boundary. Full trust allows native code to execute, and native code can poke around a process that is hosting multiple AppDomains to find or corrupt data from other applications. Full trust also leaves resource protection up to the operating system, which is a bad idea when all the applications are running with the same identity, and thus have equal access to files and registry keys.

For instance…

    1 string parentPath = Server.MapPath("~") + @"\..\";

    2 

    3 string[] webDirectories;

    4 webDirectories = Directory.GetDirectories(parentPath);

    5 

    6 foreach (string directory in webDirectories)

    7 {           

    8     string appDataPath = directory + @"\App_Data\";

    9 

   10     string[] appDataFiles;

   11     appDataFiles = Directory.GetFiles(appDataPath);

   12 

   13     foreach (string file in appDataFiles)

   14     {

   15         try

   16         {

   17             // goodbye, data

   18             File.Delete(file);

   19         }

   20         catch(Exception)

   21         {

   22             // eat it and go on

   23         }

   24     }           

   25 }

The above code tries to walk through the web sites on a server and destroy any files in the well known App_Data directories. Perhaps a database file will be in use and the runtime will throw an exception – that’s ok, we can try again later. The real problem here is that the code can even successfully retrieve a listing of files and directories outside of the root where the code executes.

Medium trust will place a number of restrictions on an application, including limiting an application’s file access to within the virtual directory where the application lives. If we run the above code under medium trust (see How To: Use Medium Trust in ASP.NET 2.0), the runtime will throw a System.Security.SecurityException exception on line 4. Line 4 is the where the code tries to get a list of directories one level above the application’s home directory.

In ASP.NET 2.0, Microsoft has made changes to make life easier for ISPs and developers who want to run code with the medium trust level. You can read more in the PAG document: Security Guidelines for ASP.NET 2.0.