I am bringing up my first asp web site and running into security issues, specifically, a SecurityException when I try to create a text file in App_Data from my code.
After going back and forth with my web hosting tech support, it developed that my host will only allow a trust level of "medium", and I am not permitted to change it (the host is godaddy but that does not matter). I am further told that what I want to do is legal under the host configuration (I hope so, I ain't asking for much), but that I need to change the *app* to conform to the *server's* security policy. The question is, how to do that? I have already been here with my web.config:

<system.web><trust level="medium"></trust></system.web>


My host barks at this and tells me I am not allowed to change trust levels in the server, which is what I am doing.

So, how to change the trust level in the app?

Here is some debug spew from the exception:
"The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file. "

[SecurityException: Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.]
System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet) +0
System.Security.CodeAccessPermission.Demand() +58
System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy) +644
System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options) +65
System.IO.StreamWriter.CreateFile(String path, Boolean append) +62
System.IO.StreamWriter..ctor(String path, Boolean append, Encoding encoding, Int32 bufferSize) +58
System.IO.StreamWriter..ctor(String path, Boolean append) +33
System.IO.File.CreateText(String path) +37
_Default.SaveUserInfo() +65
_Default.Page_Load(Object sender, EventArgs e) +13
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +14
System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +35
System.Web.UI.Control.OnLoad(EventArgs e) +99
System.Web.UI.Control.LoadRecursive() +50
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +6785
System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +242
System.Web.UI.Page.ProcessRequest() +80
System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +21
System.Web.UI.Page.ProcessRequest(HttpContext context) +49
ASP.default_aspx.ProcessRequest(HttpContext context) in App_Web_mu23d-ig.0.cs:0
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +181
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75
Updated 15-Apr-11 16:54pm

You need more than "medium" perhaps as your trust level.
See http://msdn.microsoft.com/en-us/library/ms998326.aspx[^] as well.
 
Hi EricFowler,

App_Data is a reserved folder. If there is no valid reason to create a file in this folder at runtime, better to avoid that and use a custom folder, because by increasing the permission level you are creating more vulnerability in your application.

And it looks like you are on shared hosting. Probably they won't allow you to override the trust levels.
More on security practices is here if you are interested.

http://www.prestwoodboards.com/ASPSuite/KB/Document_View.asp?QID=100385[^]

http://msdn.microsoft.com/en-us/library/ff647403.aspx#paght000028_webconfigvsmachineconfig[^]
 
 
Comments
EricFowler 16-Apr-11 2:58am    
Here is some info from my host:

"Trust level refers to permissions set in the Web.config file that dictate what operations can and cannot be performed by Web applications. Our ASP.NET 3.5 and 4.0 shared hosting servers use the default Medium trust level with the addition of OleDbPermission, OdbcPermission[this explains why the user information db works in App_Data], and a less-restrictive WebPermission.

Applications operating under a Medium trust level have no registry access, no access to the Windows event log, and cannot use ReflectionPermission (but can use Reflection). Such applications can communicate only with a defined range of network addresses and file system access is limited to the application's virtual directory hierarchy.

Using a Medium trust level prevents applications from accessing shared system resources and eliminates the potential for application interference. Adding OleDbPermission and OdbcPermission allows applications to use those data providers to access databases. WebPermission is modified to allow outbound http and https traffic."

So what is the 'virtual directory hierarchy'? I have created another directory in their control panel and given it the right perms but no joy in Mudville.
I know they won't allow me to override the trust levels - I have tried.

Do the trust levels also apply to a folder I create?

I find it bizarre that even on shared hosting, I can't open a text file and write to it. Can that possibly be the intention? Is medium trust too low to write a file? Why is App_Data even there? The hosting template created MDB files for me in that directory. I suppose I can't write them either (whine).

Eric
 
 
Comments
Albin Abel 16-Apr-11 4:03am    
You can access the data files and databases inside app_data (read and write), no issues.
EricFowler 16-Apr-11 4:23am    
Yeah - but they specifically granted OleDbPermission and OdbcPermission on the host. I want to do this:
protected void Page_Load(object sender, EventArgs e)
{
    string sName = "~//mydata//myfile.txt";
    StreamWriter w = File.CreateText(sName);
    w.Close();
}
Albin Abel 16-Apr-11 4:41am    
You may try string sName=Server.MapPath(@"mydata\myfile.txt"); sometimes it may be due to a path issue as well. You are trying to write a file on the virtual path. That is not allowed. You have to use the physical path. If that also does not work, you may need to check the write permission on the application folders and get help from the hosting.
EricFowler 16-Apr-11 15:06pm    
This was the correct answer. It works now. Thank you for your assistance.

Eric
Member 12613458 11-Jul-16 6:31am    
Works now
Albin Abel's solution was correct, but I can't push 'Accept' on it ... no button.

Here is the answer posted for benefit of others searching for this. I am amazed at how many people hit this, and how few know how to deal with it. This took me all day.

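// Requires: using System.IO;
protected void Page_Load(object sender, EventArgs e)
{
    // Server.MapPath turns the app-relative virtual path into a physical path,
    // which is what File.CreateText expects.
    string sName = Server.MapPath(@"~//mydata//myfile.txt");
    StreamWriter w = File.CreateText(sName);
    w.Close();
}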
 
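The accepted fix, carried one step further as an added example (not code from the thread or from the host): it maps the virtual folder to a physical path, confirms the result stays inside the application root that medium trust confines file I/O to, and separates a code access security failure from an NTFS permission failure. The class name `AppFileWriter`, the method `WriteText` and the folder `~/mydata` are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Security;
using System.Web;
using System.Web.Hosting;

// Hypothetical helper; the name and layout are assumptions, not from the thread.
public static class AppFileWriter
{
    // Writes text to a file under a virtual folder such as "~/mydata".
    // fileName may come from user input, so it is reduced to a bare name.
    public static string WriteText(string virtualFolder, string fileName, string text)
    {
        // System.IO does not understand "~/" virtual paths; map to a physical path first.
        string folder = HostingEnvironment.MapPath(virtualFolder);
        if (folder == null)
            throw new InvalidOperationException("Not running inside an ASP.NET host.");

        // Drop any directory components ("..\\web.config" becomes "web.config").
        string safeName = Path.GetFileName(fileName);
        if (string.IsNullOrEmpty(safeName))
            throw new ArgumentException("File name is empty.", "fileName");

        string target = Path.GetFullPath(Path.Combine(folder, safeName));

        // Medium trust limits file access to the application's directory tree,
        // so check containment explicitly instead of waiting for the demand to fail.
        string root = HttpRuntime.AppDomainAppPath;
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;
        if (!target.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new SecurityException("Resolved path is outside the application root.");

        try
        {
            Directory.CreateDirectory(folder);   // no-op when the folder already exists
            using (StreamWriter w = File.CreateText(target))
                w.Write(text);
            return target;
        }
        catch (UnauthorizedAccessException ex)
        {
            // The trust policy allowed the call, but NTFS ACLs deny the worker identity.
            throw new IOException("Worker process lacks NTFS write permission.", ex);
        }
    }
}
```

From a page, the call would be `AppFileWriter.WriteText("~/mydata", "myfile.txt", "hello");`. A `SecurityException` still points at the trust policy, while the wrapped `UnauthorizedAccessException` points at folder permissions that the host has to grant.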
 
Download the exe given in this link and use it to change your trust level

http://brandonpotter.wordpress.com/2010/01/23/code-access-security-policy-caspol-exe-gui-utility/[^]
 
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


