Skip to content

12. FullTrust, Security permission attributes, gacutil

February 24, 2011

34. What is FullTrust? Do GAC’ed assemblies have FullTrust?
FullTrust means FullTrust there is no CAS protection. FullTrust assemblies have the right to do everything. GAC has FullTrust permission because it resides on the local HD. This can be modified using CASPOL. The recommended trust level for an ASP.NET Application is medium trust. The runtime defines several trust levels that can constrain what an application is able to do. A highly restrictive level is minimal trust to full trust which has no restrictions at all. Problems arising from full trust are that the AppDomain hosting the application is no longer a security boundary. Full trust allow native code to execute and poke around a process that is hosting multiple AppDomains to find or corrupt data from other applications. In full trust mode resource protection is up to the operating system which is a bad idea when all applications are running with the same identity and have equal access to the file system and registry keys.

35. What benefit does your code receive if you decorate it with attributes demanding specific Security permissions?
Most Security permissions are useful when building reusable libraries that will run in partial trust. This way access can be restricted to certain functions when calling an assembly or AppDomain that does not have the proper rights configured. For an application that runs in full trust, most security permissions are not that useful. An exception to the rule is PrincipalPermissionAttribute. When decorating a class or function with this attribute, .NET will verify on every access whether the current thread’s principle has the proper rights. Stated differently, access can be granted or denied to the code based on the role of the user (role based security). Here is an Examl:
Principa PermissionAttributeRoleBasedSecurity

36. What does this do? gacutil /L | find /i “Corillian” 
gacutil /L lists all the assemblies located in the GAC. find /i “Corillian” lists all Corillian named assemblies and /i ignores the case, not case sensitive.

Happy Programing! =)

Source: manly MSDN and,

From → OOP

Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: