1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
|
.\"
.\" caspol manual page.
.\" Copyright (C) 2004 Novell, Inc (http://www.novell.com)
.\" Author:
.\" Sebastien Pouliot (sebastien@ximian.com)
.\"
.TH Mono "caspol"
.SH NAME
caspol \- Command line tool to modify Code Access Security policies.
.SH SYNOPSIS
.PP
.B caspol [options] [policy level] [actions] [parameters] ...
.SH DESCRIPTION
This tool allows to list and modify the different policy levels (user,
machine and enterprise).
.SH OPTIONS
.TP
.I -q[uiet]
Do not ask confirmation to change the policy level.
.TP
.I -f[orce]
Caspol.exe is a managed tool. Changing the security policies could affect
it's ability to work properly. This option permits changes that could
disallow caspol.exe from working properly.
.TP
.I -? | /? | -h[elp]
Display help about the Code Access Security policies tool
.SH POLICY LEVELS
.TP
.I -en[terprise]
Use the enterprise policy level for the next actions
.TP
.I -m[achine]
Use the machine policy level for the next actions. This is the default
level for administrators (i.e. with write access to the machine policy
files).
.TP
.I -u[ser]
Use the user policy level for the next actions. This is the default
level for users (i.e. without write access to the machine policy files).
.TP
.I -ca policyfile | -customall policyfile
Use the specified file as the machine policy level for other arguments
Use the policy levels Enterprise, Machine and the custom (specified)
user policy level for the next actions
.TP
.I -cu[stomuser] policyfile
Use the specified file as the user policy level for next actions
.TP
.I -a[ll]
Use all the policy levels (Enterprise, Machine and User) for the next
actions
.SH ACTIONS
.I -l[ist]
List all code groups in their hierarchical structure, all named
permissions sets and all fully trusted assemblies
.TP
.I -ld | -listdescription
List all code groups, in their hierarchical structure, with their
descriptions
.TP
.I -lg | -listgroups
List all the code groups in their hierarchical structure
.TP
.I -lp | -listpset
List all the permission sets including their names and XML representation
.TP
.I -lf | -listfulltrust
List all fully trusted assemblies
.TP
.I -rsg | -resolvegroup assemblyname
List all code groups that the assembly is part of for the policy level
.TP
.I -rsp | -resolveperm assemblyname
List all permissions granted to the specified assembly by the policy level
.TP
.I -ap | -addpset namedxmlfile | (xmlfile name)
Add a named permission set to the policy level
.TP
.I -cp | -chgpset xmlfile psetname
Change a named permission set in the policy level
.TP
.I -rp | -rempset psetname
Remove the specified named permission set from the policy level
.TP
.I -af | -addfulltrust assemblyname
Add the specified assembly to the fully trusted assembly list in the
policy level. If a policy uses some custom security permissions then the
assembly containing the custom permissions must be in the fully trusted
list. Note that this requirement is recursive (all assemblies required
by the specified assembly must also be in the list). The assembly must be
strongnamed to be included in the fully trusted list
.TP
.I -rf | -remfulltrust assemblyname
Remove the specified assembly from the fully trusted assembly list in the
policy level
.TP
.I -ag | -addgroup label|name membership psetname flag
Add the specified code group with the supplied membership, permissions and
flags informations
.TP
.I -cg | -chggroup label|name membership|psetname|flag
Change the specified code group with the supplied informations
.TP
.I -rg | -remgroup label|name
Remove the specified code group
.TP
.I -r[ecover]
Recover from previous version of the policy level (if available)
.TP
.I -rs | -reset
Reset the current policy level to it's default - or to the .default file
if available
.SH CONFIGURATION SETTINGS
.TP
.I -s[ecurity] on | off
Turn Code Access Security (CAS) on or off. Note: This doesn't affect
non-CAS permissions
.TP
.I -e[xecution] on | off
Turn execution rights on or off
.TP
.I -b[uildcache]
Build a cache (serialized version) of the policy level (.CCH files)
.TP
.I -pp | -polchgprompt on | off
Turn on or off policy changes prompt for future commands
.SH GROUPS SUB OPTIONS - MEMBERSHIP
.TP
.I -all
This condition applies to all code.
.TP
.I -appdir
This condition applies only for assemblies that URL evidence match the
application directory.
.TP
.I -custom xmlfile
Use the option to load a custom condition into the policy. The class that
will deserialize the XML policy must be in a fully trusted assembly.
.TP
.I -hash algo [-hex hash | -file assemblyname]
This condition specifies a specific hash that an assembly must generate
(from itself) to be satisfied. Any change to the assembly will require the
policy to be updated (as the hash value will have changed).
.TP
.I -pub [-cert certificate | -file signedfile | -hex rawdata]
This condition specifies a X.509 Authenticode(r) certificate that must have
signed an assembly in order to be satisfied. The certificate can be referenced
as a file (binary DER), a signed file (containing the certificate) or with
the hexadecimal value of the certificate. Note that files outside the
policy must also be protected against tempering.
.TP
.I -strong -file filename [name | -noname] [version | -noversion]
This condition specifies a specific StrongName that must have signed an
assembly to be satisfied. Use -noname if the assembly name isn't known
(or important) and -version if the version isn't known (or important) in
the resolution.
.TP
.I -site hostname
This condition specifies the site from where the assembly must come from to
be satisfied.
.TP
.I -url URL
This condition specifies the URL from where the assembly must come from to
be satisfied.
.TP
.I -zone zonename
This condition specifies the zone from where the assembly must come from to
be satisfied. Existing zones are MyComputer, Internet, Intranet, Trusted
and Untrusted.
.SH GROUPS SUB OPTIONS - FLAGS
.TP
.I -d[escription] description
Add (-ag) or change (-cg) the description for the specified code group
.TP
.I -exclusive on | off
If on (default is off) then only this permission set will be processed
for this code group (on this level).
.TP
.I -levelfinal on | off
If on (default is off) then no other level will be processed for this
code group.
.TP
.I -n[ame] name
Add (-ag) or change (-cg) the name of the specified code group. A code
group can be found by using it's name or it's label - but the later can
change as it is based on it's position in the policy level hierarchy.
.SH EXAMPLES
.TP
It is possible to chain several commands with the tool, like:
.TP
.B caspol -m -lg -rg 1.6 -lg -rs -lg
.TP
This will list all machine level code groups, then remove the code group
labeled 1.6, list again all code groups (missing 1.6), reset the policy
and finally show all code groups (where 1.6 is back).
.SH KNOWN ISSUES
.TP
.B Hash Membership Condition
Mono implementation of the Hash evidence isn't compatible with Fx 1.0/1.1.
However it seems compatible with Fx 2.0. You are suggested to use a
StrongName evidence if comptaibility is an issue for your policy.
.SH AUTHOR
Written by Sebastien Pouliot
.SH COPYRIGHT
Copyright (C) 2004 Novell, Inc (http://www.novell.com)
.SH MAILING LISTS
Visit http://lists.ximian.com/mailman/listinfo/mono-list for details.
.SH WEB SITE
Visit http://www.mono-project.com for details
|
