Tales from the Evil Empire

Bertrand Le Roy's blog


Bertrand Le Roy

BoudinFatal's Gamercard

Tales from the Evil Empire - Blogged

Blogs I read

My other stuff


More on medium trust: what permission are you missing?

Yesterday, I asked some questions about your usage of medium trust. Thank you all for the great answers and comments (but don’t read too much into that, I’m just playing with stuff). If you haven’t answered yet, feel free to do so.

Now I have an additional question:

What missing permission is preventing you from running in medium trust?

Please answer in comments. And thanks again for the great feedback.


joelvarty said:

Binary Serialization / Reflection

System.Diagnostics (Tracing)

Custom Configuration (workarounds are available, tho)

# December 4, 2009 2:24 PM

aroberts said:

Custom Configuration

ASP.NET Charting (although 4.0 fixes this)

Reflection Permission

Web Permission

# December 4, 2009 4:20 PM

Krunal said:

MySql.Data is not working in medium trust...

i think it requires some web permission.

# December 5, 2009 3:26 AM

mjm2 said:


# December 7, 2009 1:49 AM

Tsvetomir Tsonev said:

I agree about ReflectionPermission (with the RestrictedMemberAccess flag) and WebPermission. Those will be very useful.

# December 7, 2009 6:44 AM

Mark Hildreth said:

We require full trust because we use the BinaryFormatter.

# December 7, 2009 9:30 AM

Stephen M. Redd said:

It might be easier to just ask what needs to be tightened in full trust to make it a reasonably secure default.

The answer is --Not much.

Full trust is reasonably secure already. Shops that REALLY care to tighten security will likely use a custom policy anyway.  

The big things full trust can do to make it more secure without breaking too much stuff is:

Take away EventLog

Restict IO to the virtual directory

Take away registry access

There just seems to be little point in pre-defining more than one "default" policy. Make a single default that is as secure as possible without breaking "normal" or "common" things web apps are likely to need.

For anything else, just make it easier for admins and developers to create and manage custom policies and do away with the other pre-defined levels.    

# December 7, 2009 3:38 PM

Steve said:

UnmanagedCode permission. Exports to pdf from every single reporting product requires this ..

# December 7, 2009 3:42 PM

guoqizheng said:

At Kooboo, we have to ask user to add the reflection permission and ability to create and manipulate an appdomain.

And due to a MS bug, we have to add "UnmanagedCode" flag to SecurityPermission.

See trust level section at: www.kooboo.com/.../kooboo12_installation_guide

# December 8, 2009 3:44 AM

Devesh said:

Encryption and Decryption are not allowed

# December 8, 2009 4:51 AM

Tim said:

Steve said:

UnmanagedCode permission. Exports to pdf from every single reporting product requires this ..

I'm using SSRS to generate a PDF and I don't need UnmanagedCode permission.

# December 8, 2009 4:25 PM

plblum said:


My commercial web controls have optional features that use reflection. It impacts about 1% of my customers.

# December 17, 2009 10:23 AM