Manual Pages

Mono(caspol)

NAME

caspol - Command line tool to modify Code Access Security policies.

SYNOPSIS

caspol [options] [policy level] [actions] [parameters] ...

DESCRIPTION

This tools allow to list and modify the different policy levels (user, machine and enterprise).

OPTIONS

-q[uiet]
Do not ask confirmation to change the policy level.
-f[orce]
Caspol.exe is a managed tool. Changing the security policies could affect it's ability to work properly. This option permit changes that could disallow caspol.exe from working properly.
-? | /? | -h[elp]
Display help about the Code Access Security policies tool

POLICY LEVELS

-en[terprise]
Use the enterprise policy level for the next actions
-m[achine]
Use the machine policy level for the next actions. This is the default level for administrators (i.e. with write access to the machine policy files).
-u[ser]
Use the user policy level for the next actions. This is the default level for users (i.e. without write access to the machine policy files).
-ca policyfile | -customall policyfile
Use the specified file as the machine policy level for other arguments Use the policy levels Enterprise, Machine and the custom (specified) user policy level for the next actions
-cu[stomuser] policyfile
Use the specified file as the user policy level for next actions
-a[ll]
Use all the policy levels (Enterprise, Machine and User) for the next actions

ACTIONS

-l[ist] List all code groups in their hierarchical structure, all named permissions sets and all fully trusted assemblies
-ld | -listdescription
List all code groups, in their hierarchical structure, with their descriptions
-lg | -listgroups
List all the code groups in their hierarchical structure
-lp | -listpset
List all the permission sets including their names and XML representation
-lf | -listfulltrust
List all fully trusted assemblies
-rsg | -resolvegroup assemblyname
List all code groups that the assembly is part of for the policy level
-rsp | -resolveperm assemblyname
List all permissions granted to the specified assembly by the policy level
-ap | -addpset namedxmlfile | (xmlfile name)
Add a named permission set to the policy level
-cp | -chgpset xmlfile psetname
Change a named permission set in the policy level
-rp | -rempset psetname
Remove the specified named permission set from the policy level
-af | -addfulltrust assemblyname
Add the specified assembly to the fully trusted assembly list in the policy level. If a policy use some custom security permissions then the assembly containing the custom permissions must be in the fully trusted list. Note that this requirement is recursive (all assemblies required by the specified assembly must also be in the list). The assembly must be strongnamed to be included in the fully trusted list
-rf | -remfulltrust assemblyname
Remove the specified assembly from the fully trusted assembly list in the policy level
-ag | -addgroup label|name membership psetname flag
Add the specified code group with the supplied membership, permissions and flags informations
-cg | -chggroup label|name membership|psetname|flag
Change the specified code group with the supplied informations
-rg | -remgroup label|name
Remove the specified code group
-r[ecover]
Recover from previous version of the policy level (if available)
-rs | -reset
Reset the current policy level to it's default - or to the .default file if available

CONFIGURATION SETTINGS

-s[ecurity] on | off
Turn Code Access Security (CAS) on or off. Note: This doesn't affect non-CAS permissions
-e[xecution] on | off
Turn execution rights on or off
-b[uildcache]
Build a cache (serialized version) of the policy level (.CCH files)
-pp | -polchgprompt on | off
Turn on or off policy changes prompt for future commands

GROUPS SUB OPTIONS - MEMBERSHIP

-all
This condition applies to all code.
-appdir
This condition applies only for assemblies that URL evidence match the application directory.
-custom xmlfile
Use the option to load a custom condition into the policy. The class that will deserialize the XML policy must be in a fully trusted assembly.
-hash algo [-hex hash | -file assemblyname]
This condition specify a specific hash that an assembly must generate (from itself) to be satisfied. Any change to the assembly will require the policy to be updated (as the hash value will have changed).
-pub [-cert certificate | -file signedfile | -hex rawdata]
This condition specify a X.509 Authenticode(r) certificate that must have signed an assembly in order to be satisfied. The certificate can be referenced as a file (binary DER), a signed file (containing the certificate) or with the hexadecimal value of the certificate. Note that files outside the policy must also be protected against tempering.
-strong -file filename [name | -noname] [version | -noversion]
This condition specify a specific StrongName that must have signed an assembly to be satisfied. Use -noname if the assembly name isn't known (or important) and -version if the version isn't known (or important) in the resolution.
-site hostname
This condition specify the site from where the assembly must come from to be satisfied.
-url URL
This condition specify the URL from where the assembly must come from to be satisfied.
-zone zonename
This condition specify the zone from where the assembly must come from to be satisfied. Existing zones are MyComputer, Internet, Intranet, Trusted and Untrusted.

GROUPS SUB OPTIONS - FLAGS

-d[escription] description
Add (-ag) or change (-cg) the description for the specified code group
-exclusive on | off
If on (default is off) then only this permission set will be processed for this code group (on this level).
-levelfinal on | off
If on (default is off) then no other level will be processed for this code group.
-n[ame] name
Add (-ag) or change (-cg) the name of the specified code group. A code group can be found by using it's name or it's label - but the later can change as it is based on it's position in the policy level hierarchy.

EXAMPLES

It is possible to chain several commands with the tool, like:
caspol -m -lg -rg 1.6 -lg -rs -lg
This will list all machine level code groups, then remove the code group
labeled 1.6, list again all code groups (missing 1.6), reset the policy and finally showing all code groups (where 1.6 is back).

KNOWN ISSUES

Hash Membership Condition
Mono implementation of the Hash evidence isn't compatible with Fx 1.0/1.1. However it seems compatible with Fx 2.0. You are suggested to use a StrongName evidence if comptaibility is an issue for your policy.

AUTHOR

Written by Sebastien Pouliot

COPYRIGHT

Copyright (C) 2004 Novell, Inc (http://www.novell.com)

MAILING LISTS

Visit http://lists.ximian.com/mailman/listinfo/mono-list for details.

WEB SITE

Visit http://www.mono-project.com for details