如何允许DLL只在DLL所在的目录中创建/读取/更新/删除文件 [英] How to allow DLL create/read/update/delete files ONLY in the directory where the DLL is located

问题描述

我有几个文件夹，每个文件夹都包含几个.DLL文件。 DLL可以执行，我必须禁止这个DLL在其自己的文件夹之外的CRUD操作。

I have a few folders and every folder contains a few .DLL files. The DLL can be executed, and I have to ban CRUD operations by this DLL outside of its own folder.

但DLL可以执行任何所需的保存操作作为它在DLL所在的同一个文件夹中。

But the DLL can perform any save operation it needs, as long as its in the same folder where the DLL is situated.

例如：

//这段代码可以执行成功

//this code can be executed succesfully

public static void Create()
{
 string path = Directory.GetCurrentDirectory() + "\\file.txt";
 File.Create(path);
}

//但执行此代码我必须禁止

//but execution of this code I have to ban

public static void Create()
{
File.Create("../file.txt");
}

推荐答案

一个href =http://msdn.microsoft.com/en-us/library/bb763046.aspx =nofollow>安全功能来完成你想做的事情。您需要做的是将安全上下文应用于DLL的AppDomain并限制什么它可以访问。

.NET has built in security features to do exactly what you want to do. What you need to do is apply a security context to the DLL's AppDomain and restrict what it can access.

为了做你想做的，我最感兴趣的可能设置是 FileIOPermission 。它将允许您将DLL的访问权限限制为从DLL加载的文件夹。如果您有多个DLL，您可能需要制作多个AppDomains或允许所有的DLL访问彼此的文件夹（但不能在系统的其他任何地方）。

To do what you want to do the likely setting that would me most interesting to you is FileIOPermission. It will let you restrict the DLL's access to only the folder that the DLL is loaded from. If you have multiple DLL's you will likely need to make multiple AppDomains or allow all of the DLL's to access each other's folders (but not anywhere else on the system).

如果该DLL可以被修改，所以它不再必须写入它自己的文件夹可以使它更容易自己通过要求他们读取和写入隔离存储，那么加载DLL的位置并不重要，以防在同一文件夹中存在其他敏感文件DLL。

If the DLL can be modified so it no longer has to write to it's own folder can make it even easier on yourself by requiring they read and write to Isolated Storage, then it does not matter where the DLL was loaded from, in case there happens to be other sensitive files in the same folder as the DLL.

有一点需要考虑的是，最好给DLL没有权限，只授予它你想做的事情可能会有其他的东西，它被用来绕过你的限制。例如： FileIOPermission 如果他们P \Invoke调用$ code> FileOpen API在Windows中不会停止而不是通过.NET的流对象。

One thing to consider is it is better to give the DLL no permissions at all and only grant it the things you want to do as there could be other things it uses to get arround your restrictions. For example: FileIOPermission won't stop a call if they P\Invoke a call to the FileOpen API's in windows instead of going though .NET's Stream object.

这篇关于如何允许DLL只在DLL所在的目录中创建/读取/更新/删除文件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！