How to fix System.Security.Permissions.FileIOPermission failed

Yesterday I ran into a very interesting problem. In one of my ASP.Net DNN portal web sites, I started getting the following exception when I tried to access a folder outside the web site's virtual folder.

'System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed'

The first obvious reaction to this was that since I am trying to access files that are outside this web site's folder, I need to provide the right set of access privileges to the Windows account that is being used for the web application. The application is hosted on Windows 2008 R2 and is using an application pool running ASP.Net 2.0. I checked the pool's identity and it was set to use the NETWORK SERVICE account. So I gave this account rights to read from that folder. Well, that did not help. Then, to check if it really was some user rights issue, I gave the Everyone group full access to that folder. That did not help either. At that point I narrowed the problem down to the following possibilities.

  • IIS7.5 on Windows 2008 R2 is missing some configuration that is preventing the folder access
  • There is something in the application itself that is altering Code Access Security policy that is causing DEMAND to fail.

I explored all the switches and settings in IIS7.5 and I did not see anything related to File IO restrictions. So the only thing that was left was to check the web application's settings and configuration. There was nothing that was obvious at this point. So I went back to basics and opened up Microsoft's article on Code Access Security (CAS) for ASP.Net. There it was, the thing that I was looking for.

It was the trust level of the application that caused the problem. I looked in the web.config file of the application and the trust level was set to MEDIUM. Here is a summary of the medium trust definition from MS's article.

  • OleDbPermission is not available. This means you cannot use the ADO.NET managed OLE DB data provider to access databases. However, you can use the managed SQL Server provider to access SQL Server databases.
  • EventLogPermission is not available. This means you cannot access the Windows event log.
  • ReflectionPermission is not available. This means you cannot use reflection.
  • RegistryPermission is not available. This means you cannot access the registry.
  • WebPermission is restricted. This means your application can only communicate with an address or range of addresses that you define in the <trust> element.
  • FileIOPermission is restricted. This means you can only access files in your application's virtual directory hierarchy. Your application is granted Read, Write, Append, and PathDiscovery permissions for your application's virtual directory hierarchy.

Notice the last bullet item. It clearly states the problem I am having. After I changed the trust level to Full, the application worked fine.

Medium trust or not

Now the question you are asking is whether you should elevate this trust level, and what the downside of doing so is. The answer is that it depends on your application and hosting environment. Since DNN can be used to host multiple portals on the same server, it is essential to provide proper security to folders or individual portals. For example, if all portals use the same pool identity and you grant this account IO rights outside the web application's folder, other applications may be able to sniff around, eventually get to the folders of other applications and access secure files. So if you are hosting multiple web sites on a server and you do not control all those sites, it is important that you configure each site to run under its own application pool, with each pool having its own identity. That way, if you have to run the application at FULL trust, you can configure the individual folder's security to add the required pool identity user.

Default Trust Level

The default value of the trust level is always Full unless you specify otherwise. Therefore most ASP.Net applications do not run into this kind of problem.

How to set trust level of ASP.Net application

You will need to add the following entry to your web.config file to alter the trust level of the application.

<trust level="Medium" originUrl="" />
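
The triage described in this post, as an added example (not code from the original post, DNN or Microsoft): it reads the trust level from a web.config and applies the Medium trust FileIOPermission rule quoted above to a target path. The function names, sample config and paths are constructed; it inspects only the one file it is given, models only Full and Medium, and does not evaluate NTFS ACLs.

```python
import ntpath
import xml.etree.ElementTree as ET

# Constructed sample: a site's web.config pinned to Medium trust.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <trust level="Medium" originUrl="" />
  </system.web>
</configuration>"""


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an XML namespace if declared


def trust_level(web_config_xml):
    """Return the <trust level> set under <system.web>, or the default."""
    for el in ET.fromstring(web_config_xml).iter():
        if _local(el.tag) == "system.web":
            for child in el:
                if _local(child.tag) == "trust":
                    return child.get("level", "Full")
    return "Full"  # per the post: Full unless specified otherwise


def _inside(app_root, target):
    """Case-insensitive containment check after collapsing '..' segments."""
    root = ntpath.normcase(ntpath.normpath(app_root)).rstrip("\\") + "\\"
    path = ntpath.normcase(ntpath.normpath(target))
    return path + "\\" == root or path.startswith(root)


def predict_fileio(web_config_xml, app_root, target):
    """Return (level, inside_app_root, verdict) for a file access."""
    level = trust_level(web_config_xml)
    inside = _inside(app_root, target)
    if level.lower() == "full":
        verdict = "cas-allows"  # NTFS ACLs for the pool identity still apply
    elif level.lower() == "medium":
        verdict = "cas-allows" if inside else "cas-denies"
    else:
        verdict = "not-modeled"  # other levels are not covered by the post
    return level, inside, verdict


if __name__ == "__main__":
    for t in (r"C:\inetpub\portal\App_Data\a.txt", r"D:\exports\report.csv"):
        print(t, predict_fileio(SAMPLE_CONFIG, r"C:\inetpub\portal", t))
```

A "cas-denies" verdict corresponds to the situation in this post, where changing folder ACLs made no difference because the demand failed at the CAS layer.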

Further Reading

Please read the following article to get more details on Medium trust level usage.
