Hosting provider security issues

Discussion of open issues, suggestions and bugs regarding ADO.NET provider for MySQL
Alexey
Posts: 2756
Joined: Mon 13 Mar 2006 07:43

Post by Alexey » Thu 09 Nov 2006 12:23

I don't have one. You can get it yourself by executing the next command:
mysqlnet.exe /v"/l*v corelab.log"

farshore
Posts: 19
Joined: Tue 07 Nov 2006 12:19

hosting security issues

Post by farshore » Thu 09 Nov 2006 12:48

ok I'll try it
in the meantime can you give the exact same details as below but for the MySQLDirect for .NET 3.5.14 component

"Then, the following permissions are required by OraDirect .NET:
in Direct mode - medium trust plus SocketPermission;
in OCI mode - medium trust plus ReflectionPermission, RegistryPermission, EnvironmentPermission for PATH environment variable, FileIOPermission for Oracle Client.
"
Saying medium trust is ok is not enough, I am trying to resolve an issue with our hosting provider which is preventing us for getting several websites deployed.
They are asking for detailed security information and saying "medium trust should be ok" is not what they want to hear.
please help me to resolve this issue

Thanks

farshore
Posts: 19
Joined: Tue 07 Nov 2006 12:19

error message

Post by farshore » Thu 09 Nov 2006 13:59

Hi this is the error we are getting

Server Error in '/' Application.
--------------------------------------------------------------------------------

Security Exception
Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:


[SecurityException: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.]
System.Security.CodeAccessSecurityEngine.CheckNReturnSO(PermissionToken permToken, CodeAccessPermission demand, StackCrawlMark& stackMark, Int32 unrestrictedOverride, Int32 create) +0
System.Security.CodeAccessSecurityEngine.Assert(CodeAccessPermission cap, StackCrawlMark& stackMark) +62
System.Security.CodeAccessPermission.Assert() +20
CoreLab.Common.aq.a(Type A_0, String& A_1, Assembly& A_2) +127
CoreLab.Common.aq.a(LicenseContext A_0, Type A_1, String& A_2, Boolean& A_3, String& A_4) +41
CoreLab.Common.aq.a(LicenseContext A_0, Type A_1, Object A_2, Boolean A_3) +1261
CoreLab.MySql.MySqlConnection.Open() +98
System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) +121
System.Data.Common.DbDataAdapter.Fill(DataTable[] dataTables, Int32 startRecord, Int32 maxRecords, IDbCommand command, CommandBehavior behavior) +162
System.Data.Common.DbDataAdapter.Fill(DataTable dataTable) +107
DataSet1TableAdapters.testTableAdapter.GetData() +108

Alexey
Posts: 2756
Joined: Mon 13 Mar 2006 07:43

Post by Alexey » Fri 10 Nov 2006 09:15

Seemingly, you have some security settings changed (different from the default ones) in Microsoft .NET Framework Configuration. Try to debug using these strings:

Code: Select all

      FileIOPermission permission1 = new FileIOPermission(PermissionState.Unrestricted);
      permission1.Assert();
      try {
        text2 = AppDomain.CurrentDomain.SetupInformation.ApplicationBase;
      }
      finally {
        CodeAccessPermission.RevertAssert();
      }
They react to that permissions the same way.

Alexey
Posts: 2756
Joined: Mon 13 Mar 2006 07:43

Post by Alexey » Fri 10 Nov 2006 09:19

The detailed security information is:

Code: Select all

    
        
            
                
                    
                        
                        
                        
                        
                        
                        
                        
                        
                        
                        
                        
                        
                        
                        
                        
                        
                        
                        
                    
                    
                        
                        
                        
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                                
                                    
                                
                            
                        
                    
                    
                        
                        
                            
                        
                        
                            
                        
                        
                        	
                            
                                
                            
                            
                                
                            
                        
                    
                
            
        
    

farshore
Posts: 19
Joined: Tue 07 Nov 2006 12:19

Security issues

Post by farshore » Fri 10 Nov 2006 10:58

Hi I understand the hosting party have contacted you directly about this issue and they are now awaiting a response from your sales department.
I hope a positive answer is forthcoming so we can continue to develop our solutions using corelab technology.
Many thanks for your help so far

farshore
Posts: 19
Joined: Tue 07 Nov 2006 12:19

Security issues

Post by farshore » Mon 13 Nov 2006 13:55

HiI have not heard anything about this issue since last week , and it is now beyond a priority for us.
Can you send me contact details for the relevant party regarding licensing
Thanks

Alexey
Posts: 2756
Joined: Mon 13 Mar 2006 07:43

Post by Alexey » Tue 14 Nov 2006 09:49

I've provided your hosting providers with the answer.
Also i would like to know whether you are licensed user or you are just going to buy the license?

farshore
Posts: 19
Joined: Tue 07 Nov 2006 12:19

Security issues

Post by farshore » Tue 14 Nov 2006 11:29

Hi thanks for providing our hostingparty with the information.
Our developer uses licensened corelab components to develop sites for us. I won't post the license number here for obvious reasons

Alexey
Posts: 2756
Joined: Mon 13 Mar 2006 07:43

Post by Alexey » Tue 14 Nov 2006 11:54

I see. Please provide it by e-mail (i've sent you appropriate letter).

farshore
Posts: 19
Joined: Tue 07 Nov 2006 12:19

Security issues

Post by farshore » Fri 17 Nov 2006 11:59

Hi Aleksey
This is the response of the hosting provider
is there a good answer for them?

"We don't supply socketpermissions for .net. So direct mode doesn't seem
to be the option to use.

We assumed that placing the assembly in the GAC would give it enough
rights. Unfortunately this wasn't the case.

If you want to use the non direct mode libmysql.dll is needed. We don't
want to place this dll in the path or register it on the webserver. Can
Core Lab tell us were to place this dll so the MySQLDirect connector can
find it."

farshore
Posts: 19
Joined: Tue 07 Nov 2006 12:19

Security issues

Post by farshore » Fri 17 Nov 2006 16:42

Thanks to Aleksey this topic has been resolved by copying the libmysql.dll file to the "%:\WINDOWS\assembly\GAC_MSIL\CoreLab.MySql\3.50.14.0__09af7300eec23701\" or
so. folder
Many thanks

Alexey
Posts: 2756
Joined: Mon 13 Mar 2006 07:43

Post by Alexey » Fri 17 Nov 2006 17:47

You are welcome.

csnell
Posts: 12
Joined: Wed 06 Dec 2006 20:20

File IO Permission in Medium Trust

Post by csnell » Wed 06 Dec 2006 20:40

I'm getting the following error trying to use MySqlDirect (3.50.12.0) in medium trust (set by hosting provider) with ASP.NET 2.0.

[SecurityException: Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.]
System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet) +0
System.Security.CodeAccessPermission.Demand() +59
System.Reflection.Assembly.VerifyCodeBaseDiscovery(String codeBase) +118
System.Reflection.Assembly.GetName(Boolean copiedName) +59
System.Reflection.Assembly.GetName() +6
CoreLab.Common.am.a(Assembly A_0) +10
CoreLab.Common.ap.a(Type A_0, String& A_1, Assembly& A_2) +1111
CoreLab.Common.ap.a(LicenseContext A_0, Type A_1, String& A_2, Boolean& A_3, String& A_4) +41
CoreLab.Common.ap.a(LicenseContext A_0, Type A_1, Object A_2, Boolean A_3) +1261
CoreLab.MySql.MySqlConnection.Open() +98
MySqlSource..ctor() +93
base_login.Auth_User(String strUser, String strPwd) +33
base_login.btnLogin_Click(Object sender, EventArgs e) +82
System.Web.UI.WebControls.Button.OnClick(EventArgs e) +105
System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +107
System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +7
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +11
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +33
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +6953
System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +154
System.Web.UI.Page.ProcessRequest() +86
System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +18
System.Web.UI.Page.ProcessRequest(HttpContext context) +49
ASP.base_login_aspx.ProcessRequest(HttpContext context) +29
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +154
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +64

The web site was working before the provider changed the trust level on the server to medium (with no advance warning, but that's another issue...). The provider says the ONLY security change they made was setting trust to medium.

I've tried direct=true and direct=false with same result.

I get the same exception on my development box when I set trust=medium in the application's web.config file (again, direct=true or false doesn't fix it), all other security settings are ASP.NET 2.0 defaults.

Alexey
Posts: 2756
Joined: Mon 13 Mar 2006 07:43

Post by Alexey » Thu 07 Dec 2006 07:34

What does your medium level policy file (web_mediumtrust.config) look like?

Post Reply