caspol man page
caspol — Command line tool to modify Code Access Security policies.
caspol [options] [policy level] [actions] [parameters] ...
This tools allow to list and modify the different policy levels (user, machine and enterprise).
- Do not ask confirmation to change the policy level.
- Caspol.exe is a managed tool. Changing the security policies could affect it's ability to work properly. This option permit changes that could disallow caspol.exe from working properly.
- -? | /? | -h[elp]
- Display help about the Code Access Security policies tool
- Use the enterprise policy level for the next actions
- Use the machine policy level for the next actions. This is the default level for administrators (i.e. with write access to the machine policy files).
- Use the user policy level for the next actions. This is the default level for users (i.e. without write access to the machine policy files).
- -ca policyfile | -customall policyfile
- Use the specified file as the machine policy level for other arguments Use the policy levels Enterprise, Machine and the custom (specified) user policy level for the next actions
- -cu[stomuser] policyfile
- Use the specified file as the user policy level for next actions
- Use all the policy levels (Enterprise, Machine and User) for the next actions
-l[ist] List all code groups in their hierarchical structure, all named permissions sets and all fully trusted assemblies
- -ld | -listdescription
- List all code groups, in their hierarchical structure, with their descriptions
- -lg | -listgroups
- List all the code groups in their hierarchical structure
- -lp | -listpset
- List all the permission sets including their names and XML representation
- -lf | -listfulltrust
- List all fully trusted assemblies
- -rsg | -resolvegroup assemblyname
- List all code groups that the assembly is part of for the policy level
- -rsp | -resolveperm assemblyname
- List all permissions granted to the specified assembly by the policy level
- -ap | -addpset namedxmlfile | (xmlfile name)
- Add a named permission set to the policy level
- -cp | -chgpset xmlfile psetname
- Change a named permission set in the policy level
- -rp | -rempset psetname
- Remove the specified named permission set from the policy level
- -af | -addfulltrust assemblyname
- Add the specified assembly to the fully trusted assembly list in the policy level. If a policy use some custom security permissions then the assembly containing the custom permissions must be in the fully trusted list. Note that this requirement is recursive (all assemblies required by the specified assembly must also be in the list). The assembly must be strongnamed to be included in the fully trusted list
- -rf | -remfulltrust assemblyname
- Remove the specified assembly from the fully trusted assembly list in the policy level
- -ag | -addgroup label|name membership psetname flag
- Add the specified code group with the supplied membership, permissions and flags informations
- -cg | -chggroup label|name membership|psetname|flag
- Change the specified code group with the supplied informations
- -rg | -remgroup label|name
- Remove the specified code group
- Recover from previous version of the policy level (if available)
- -rs | -reset
- Reset the current policy level to it's default - or to the .default file if available
- -s[ecurity] on | off
- Turn Code Access Security (CAS) on or off. Note: This doesn't affect non-CAS permissions
- -e[xecution] on | off
- Turn execution rights on or off
- Build a cache (serialized version) of the policy level (.CCH files)
- -pp | -polchgprompt on | off
- Turn on or off policy changes prompt for future commands
Groups Sub Options - Membership
- This condition applies to all code.
- This condition applies only for assemblies that URL evidence match the application directory.
- -custom xmlfile
- Use the option to load a custom condition into the policy. The class that will deserialize the XML policy must be in a fully trusted assembly.
- -hash algo [-hex hash | -file assemblyname]
- This condition specify a specific hash that an assembly must generate (from itself) to be satisfied. Any change to the assembly will require the policy to be updated (as the hash value will have changed).
- -pub [-cert certificate | -file signedfile | -hex rawdata]
- This condition specify a X.509 Authenticode(r) certificate that must have signed an assembly in order to be satisfied. The certificate can be referenced as a file (binary DER), a signed file (containing the certificate) or with the hexadecimal value of the certificate. Note that files outside the policy must also be protected against tempering.
- -strong -file filename [name | -noname] [version | -noversion]
- This condition specify a specific StrongName that must have signed an assembly to be satisfied. Use -noname if the assembly name isn't known (or important) and -version if the version isn't known (or important) in the resolution.
- -site hostname
- This condition specify the site from where the assembly must come from to be satisfied.
- -url URL
- This condition specify the URL from where the assembly must come from to be satisfied.
- -zone zonename
- This condition specify the zone from where the assembly must come from to be satisfied. Existing zones are MyComputer, Internet, Intranet, Trusted and Untrusted.
Groups Sub Options - Flags
- -d[escription] description
- Add (-ag) or change (-cg) the description for the specified code group
- -exclusive on | off
- If on (default is off) then only this permission set will be processed for this code group (on this level).
- -levelfinal on | off
- If on (default is off) then no other level will be processed for this code group.
- -n[ame] name
- Add (-ag) or change (-cg) the name of the specified code group. A code group can be found by using it's name or it's label - but the later can change as it is based on it's position in the policy level hierarchy.
- It is possible to chain several commands with the tool, like:
- caspol -m -lg -rg 1.6 -lg -rs -lg
- This will list all machine level code groups, then remove the code group
- labeled 1.6, list again all code groups (missing 1.6), reset the policy and finally showing all code groups (where 1.6 is back).
- Hash Membership Condition
- Mono implementation of the Hash evidence isn't compatible with Fx 1.0/1.1. However it seems compatible with Fx 2.0. You are suggested to use a StrongName evidence if comptaibility is an issue for your policy.
Written by Sebastien Pouliot