diff options
author | Sebastien Pouliot <sebastien@ximian.com> | 2004-12-10 23:52:30 +0300 |
---|---|---|
committer | Sebastien Pouliot <sebastien@ximian.com> | 2004-12-10 23:52:30 +0300 |
commit | 8b01b597c4e7f311ee99af6b572908ec127128cf (patch) | |
tree | ebeef273427459fd1bfc8a806ae9b4bcc9af8612 /man/caspol.1 | |
parent | e93227df5451c1da2fdb2ca3f9889b2025b95cb2 (diff) |
2004-12-10 Sebastien Pouliot <sebastien@ximian.com>
* caspol.1: New. Man page for caspol.
* man.xml: Updated to include caspol.1.
svn path=/trunk/mono/; revision=37597
Diffstat (limited to 'man/caspol.1')
-rw-r--r-- | man/caspol.1 | 217 |
1 files changed, 217 insertions, 0 deletions
diff --git a/man/caspol.1 b/man/caspol.1 new file mode 100644 index 00000000000..f0e4ebfa07b --- /dev/null +++ b/man/caspol.1 @@ -0,0 +1,217 @@ +.\" +.\" caspol manual page. +.\" Copyright (C) 2004 Novell, Inc (http://www.novell.com) +.\" Author: +.\" Sebastien Pouliot (sebastien@ximian.com) +.\" +.TH Mono "caspol" +.SH NAME +caspol \- Command line tool to modify Code Access Security policies. +.SH SYNOPSIS +.PP +.B caspol [options] [policy level] [actions] [parameters] ... +.SH DESCRIPTION +This tools allow to list and modify the different policy levels (user, +machine and enterprise). +.SH OPTIONS +.TP +.I -q[uiet] +Do not ask confirmation to change the policy level. +.TP +.I -f[orce] +Caspol.exe is a managed tool. Changing the security policies could affect +it's ability to work properly. This option permit changes that could +disallow caspol.exe from working properly. +.TP +.I -? | /? | -h[elp] +Display help about the Code Access Security policies tool + +.SH POLICY LEVELS +.TP +.I -en[terprise] +Use the enterprise policy level for the next actions +.TP +.I -m[achine] +Use the machine policy level for the next actions. This is the default +level for administrators (i.e. with write access to the machine policy +files). +.TP +.I -u[ser] +Use the user policy level for the next actions. This is the default +level for users (i.e. without write access to the machine policy files). +.TP +.I -ca policyfile | -customall policyfile +Use the specified file as the machine policy level for other arguments +Use the policy levels Enterprise, Machine and the custom (specified) +user policy level for the next actions +.TP +.I -cu[stomuser] policyfile +Use the specified file as the user policy level for next actions +.TP +.I -a[ll] +Use all the policy levels (Enterprise, Machine and User) for the next +actions + +.SH ACTIONS +.I -l[ist] +List all code groups in their hierarchical structure, all named +permissions sets and all fully trusted assemblies +.TP +.I -ld | -listdescription +List all code groups, in their hierarchical structure, with their +descriptions +.TP +.I -lg | -listgroups +List all the code groups in their hierarchical structure +.TP +.I -lp | -listpset +List all the permission sets including their names and XML representation +.TP +.I -lf | -listfulltrust +List all fully trusted assemblies + +.TP +.I -rsg | -resolvegroup assemblyname +List all code groups that the assembly is part of for the policy level +.TP +.I -rsp | -resolveperm assemblyname +List all permissions granted to the specified assembly by the policy level + +.TP +.I -ap | -addpset namedxmlfile | (xmlfile name) +Add a named permission set to the policy level +.TP +.I -cp | -chgpset xmlfile psetname +Change a named permission set in the policy level +.TP +.I -rp | -rempset psetname +Remove the specified named permission set from the policy level + +.TP +.I -af | -addfulltrust assemblyname +Add the specified assembly to the fully trusted assembly list in the +policy level. If a policy use some custom security permissions then the +assembly containing the custom permissions must be in the fully trusted +list. Note that this requirement is recursive (all assemblies required +by the specified assembly must also be in the list). The assembly must be +strongnamed to be included in the fully trusted list +.TP +.I -rf | -remfulltrust assemblyname +Remove the specified assembly from the fully trusted assembly list in the +policy level + +.TP +.I -ag | -addgroup label|name membership psetname flag +Add the specified code group with the supplied membership, permissions and +flags informations +.TP +.I -cg | -chggroup label|name membership|psetname|flag +Change the specified code group with the supplied informations +.TP +.I -rg | -remgroup label|name +Remove the specified code group + +.TP +.I -r[ecover] +Recover from previous version of the policy level (if available) +.TP +.I -rs | -reset +Reset the current policy level to it's default - or to the .default file +if available + +.SH CONFIGURATION SETTINGS +.TP +.I -s[ecurity] on | off +Turn Code Access Security (CAS) on or off. Note: This doesn't affect +non-CAS permissions +.TP +.I -e[xecution] on | off +Turn execution rights on or off +.TP +.I -b[uildcache] +Build a cache (serialized version) of the policy level (.CCH files) +.TP +.I -pp | -polchgprompt on | off +Turn on or off policy changes prompt for future commands + +.SH GROUPS SUB OPTIONS - MEMBERSHIP +.TP +.I -all +This condition applies to all code. +.TP +.I -appdir +This condition applies only for assemblies that URL evidence match the +application directory. +.TP +.I -custom xmlfile +Use the option to load a custom condition into the policy. The class that +will deserialize the XML policy must be in a fully trusted assembly. +.TP +.I -hash algo [-hex hash | -file assemblyname] +This condition specify a specific hash that an assembly must generate +(from itself) to be satisfied. Any change to the assembly will require the +policy to be updated (as the hash value will have changed). +.TP +.I -pub [-cert certificate | -file signedfile | -hex rawdata] +This condition specify a specific X.509 Authenticode(r) certificate that +must signed an assembly to be satisfied. The certificate can be referenced +as a file (binary DER), a signed file (containing the certificate) or with +the hexadecimal value of the certificate. Note that files outside the +policy must also be protected against tempering. +.TP +.I -site hostname +This condition specify the site from where the assembly must come from to +be satisfied. +.TP +.I -url URL +This condition specify the URL from where the assembly must come from to +be satisfied. +.TP +.I -zone zonename +This condition specify the zone from where the assembly must come from to +be satisfied. Existing zones are MyComputer, Internet, Intranet, Trusted +and Untrusted. + +.SH GROUPS SUB OPTIONS - FLAGS +.TP +.I -d[escription] description +Add (-ag) or change (-cg) the description for the specified code group +.TP +.I -exclusive on | off +If on (default is off) then only this permission set will be processed +for this code group (on this level). +.TP +.I -levelfinal on | off +If on (default is off) then no other level will be processed for this +code group. +.TP +.I -n[ame] name +Add (-ag) or change (-cg) the name of the specified code group. A code +group can be found by using it's name or it's label - but the later can +change as it is based on it's position in the policy level hierarchy. + +.SH EXAMPLES +.TP +It is possible to chain several commands with the tool, like: +.TP +.B caspol -m -lg -rg 1.6 -lg -rs -lg +.TP +This will list all machine level code groups, then remove the code group +labeled 1.6, list again all code groups (missing 1.6), reset the policy +and finally showing all code groups (where 1.6 is back). + +.SH KNOWN ISSUES +.TP +.B Hash Membership Condition +Mono implementation of the Hash evidence isn't compatible with Fx 1.0/1.1. +However it seems compatible with Fx 2.0. You are suggested to use a +StrongName evidence if comptaibility is an issue for your policy. + +.SH AUTHOR +Written by Sebastien Pouliot +.SH COPYRIGHT +Copyright (C) 2004 Novell, Inc (http://www.novell.com) +.SH MAILING LISTS +Visit http://mail.ximian.com/mailman/mono-list for details. +.SH WEB SITE +Visit: http://www.mono-project.com for details |