Sandboxed Applications Can’t Elevate Their Own Permissions

Every once in a while someone will ask how they can do something similar to these caspol commands from within their application. Generally, they want their application to be deployed from the Internet or a file share and don’t want users to have to deal with setting up CAS policy properly to get the application to run.

The answer, of course, is that you can’t do this. If an application were allowed to add code groups to policy without user interaction in order to elevate its own privileges, then every malicious application out there would go ahead and grant itself full access to everybody’s machine, effectively rendering CAS useless as a protection mechanism.

Instead, you’ll need to have the end user make a trust decision for you. In v1.x this was difficult: you generally had to deploy a policy MSI for the user to run or give them a set of caspol commands. With v2.0 of the CLR, we’ve made things a lot easier via ClickOnce applications. You can use ClickOnce to request any permissions that your application needs to run effectively – if these permissions would elevate the application above what it would normally get, then the user is prompted to make a trust decision.

This way your app can elevate to whatever permission level it needs, and you don’t have to worry about pushing out confusing CAS policy changes to everyone who wants to run it.
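
As an added illustration (not part of the original post), this is the shape of the `trustInfo` section in a ClickOnce application manifest where that permission request is declared. The permission set ID `Custom` and the path `C:\Reports` are constructed for the example; the request is kept to the specific permissions the application needs rather than asking for full trust.

```xml
<!-- Fragment of a ClickOnce application manifest (MyApp.exe.manifest).
     Constructed example: the ID "Custom" and the path C:\Reports are
     placeholders, not values from the original post. -->
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
  <security>
    <applicationRequestMinimum>
      <!-- Least-privilege request: list only what the application needs.
           Requesting everything would instead be a single element:
           <PermissionSet class="System.Security.PermissionSet"
                          version="1" Unrestricted="true" ID="Custom" /> -->
      <PermissionSet class="System.Security.PermissionSet"
                     version="1" ID="Custom">
        <!-- Permission to run managed code at all. -->
        <IPermission
          class="System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
          version="1" Flags="Execution" />
        <!-- Permission to show windows and use the clipboard. -->
        <IPermission
          class="System.Security.Permissions.UIPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
          version="1" Unrestricted="true" />
        <!-- Read access to one directory. FileIOPermission is not part of
             the default Internet-zone grant, so this entry is what raises
             the request above what the application would normally get
             and causes the user to be asked for a trust decision. -->
        <IPermission
          class="System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
          version="1" Read="C:\Reports" />
      </PermissionSet>
      <!-- Apply the set above to the application's assemblies. -->
      <defaultAssemblyRequest permissionSetReference="Custom" />
    </applicationRequestMinimum>
  </security>
</trustInfo>
```

The request is only a declaration: the application still cannot grant itself anything, and the elevated permissions take effect only after the user accepts the prompt.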