Merge pull request #5714 from alexischr/update_bockbuild

[mono.git] / man / caspol.1

.\" 
.\" caspol manual page.
.\" Copyright (C) 2004 Novell, Inc (http://www.novell.com)
.\" Author:
.\"   Sebastien Pouliot (sebastien@ximian.com)
.\"
.TH Mono "caspol"
.SH NAME
caspol \- Command line tool to modify Code Access Security policies.
.SH SYNOPSIS
.PP
.B caspol [options] [policy level] [actions] [parameters] ... 
.SH DESCRIPTION
This tool allows to list and modify the different policy levels (user, 
machine and enterprise).
.SH OPTIONS
.TP
.I -q[uiet]
Do not ask confirmation to change the policy level.
.TP
.I -f[orce]
Caspol.exe is a managed tool. Changing the security policies could affect
it's ability to work properly. This option permits changes that could 
disallow caspol.exe from working properly.
.TP
.I -? | /? | -h[elp]
Display help about the Code Access Security policies tool

.SH POLICY LEVELS
.TP
.I -en[terprise]
Use the enterprise policy level for the next actions
.TP
.I -m[achine]
Use the machine policy level for the next actions. This is the default
level for administrators (i.e. with write access to the machine policy
files).
.TP
.I -u[ser]
Use the user policy level for the next actions. This is the default 
level for users (i.e. without write access to the machine policy files).
.TP
.I -ca policyfile | -customall policyfile
Use the specified file as the machine policy level for other arguments
Use the policy levels Enterprise, Machine and the custom (specified)
user policy level for the next actions
.TP
.I -cu[stomuser] policyfile
Use the specified file as the user policy level for next actions
.TP
.I -a[ll]
Use all the policy levels (Enterprise, Machine and User) for the next 
actions

.SH ACTIONS
.I -l[ist]
List all code groups in their hierarchical structure, all named 
permissions sets and all fully trusted assemblies
.TP
.I -ld | -listdescription
List all code groups, in their hierarchical structure, with their 
descriptions
.TP
.I -lg | -listgroups
List all the code groups in their hierarchical structure
.TP
.I -lp | -listpset
List all the permission sets including their names and XML representation
.TP
.I -lf | -listfulltrust
List all fully trusted assemblies

.TP
.I -rsg | -resolvegroup assemblyname
List all code groups that the assembly is part of for the policy level
.TP
.I -rsp | -resolveperm assemblyname
List all permissions granted to the specified assembly by the policy level

.TP
.I -ap | -addpset namedxmlfile | (xmlfile name)
Add a named permission set to the policy level
.TP
.I -cp | -chgpset xmlfile psetname
Change a named permission set in the policy level
.TP
.I -rp | -rempset psetname
Remove the specified named permission set from the policy level

.TP
.I -af | -addfulltrust assemblyname
Add the specified assembly to the fully trusted assembly list in the 
policy level. If a policy uses some custom security permissions then the
assembly containing the custom permissions must be in the fully trusted
list. Note that this requirement is recursive (all assemblies required 
by the specified assembly must also be in the list). The assembly must be
strongnamed to be included in the fully trusted list
.TP
.I -rf | -remfulltrust assemblyname
Remove the specified assembly from the fully trusted assembly list in the 
policy level

.TP
.I -ag | -addgroup label|name membership psetname flag
Add the specified code group with the supplied membership, permissions and
flags informations
.TP
.I -cg | -chggroup label|name membership|psetname|flag
Change the specified code group with the supplied informations
.TP
.I -rg | -remgroup label|name
Remove the specified code group

.TP
.I -r[ecover]
Recover from previous version of the policy level (if available)
.TP
.I -rs | -reset
Reset the current policy level to it's default - or to the .default file 
if available

.SH CONFIGURATION SETTINGS
.TP
.I -s[ecurity] on | off
Turn Code Access Security (CAS) on or off. Note: This doesn't affect 
non-CAS permissions
.TP
.I -e[xecution] on | off
Turn execution rights on or off
.TP
.I -b[uildcache]
Build a cache (serialized version) of the policy level (.CCH files)
.TP
.I -pp | -polchgprompt on | off
Turn on or off policy changes prompt for future commands

.SH GROUPS SUB OPTIONS - MEMBERSHIP
.TP
.I -all
This condition applies to all code.
.TP
.I -appdir
This condition applies only for assemblies that URL evidence match the
application directory.
.TP
.I -custom xmlfile
Use the option to load a custom condition into the policy. The class that
will deserialize the XML policy must be in a fully trusted assembly.
.TP
.I -hash algo [-hex hash | -file assemblyname]
This condition specifies a specific hash that an assembly must generate
(from itself) to be satisfied. Any change to the assembly will require the
policy to be updated (as the hash value will have changed).
.TP
.I -pub [-cert certificate | -file signedfile | -hex rawdata]
This condition specifies a X.509 Authenticode(r) certificate that must have 
signed an assembly in order to be satisfied. The certificate can be referenced
as a file (binary DER), a signed file (containing the certificate) or with
the hexadecimal value of the certificate. Note that files outside the 
policy must also be protected against tempering.
.TP
.I -strong -file filename [name | -noname] [version | -noversion]
This condition specifies a specific StrongName that must have signed an
assembly to be satisfied. Use -noname if the assembly name isn't known
(or important) and -version if the version isn't known (or important) in
the resolution.
.TP
.I -site hostname
This condition specifies the site from where the assembly must come from to 
be satisfied.
.TP
.I -url URL
This condition specifies the URL from where the assembly must come from to 
be satisfied.
.TP
.I -zone zonename
This condition specifies the zone from where the assembly must come from to 
be satisfied. Existing zones are MyComputer, Internet, Intranet, Trusted 
and Untrusted.

.SH GROUPS SUB OPTIONS - FLAGS
.TP
.I -d[escription] description
Add (-ag) or change (-cg) the description for the specified code group
.TP
.I -exclusive on | off
If on (default is off) then only this permission set will be processed
for this code group (on this level).
.TP
.I -levelfinal on | off
If on (default is off) then no other level will be processed for this 
code group.
.TP
.I -n[ame] name
Add (-ag) or change (-cg) the name of the specified code group. A code
group can be found by using it's name or it's label - but the later can
change as it is based on it's position in the policy level hierarchy.

.SH EXAMPLES
.TP
It is possible to chain several commands with the tool, like:
.TP
.B caspol -m -lg -rg 1.6 -lg -rs -lg
.TP
This will list all machine level code groups, then remove the code group
labeled 1.6, list again all code groups (missing 1.6), reset the policy
and finally show all code groups (where 1.6 is back).

.SH KNOWN ISSUES
.TP
.B Hash Membership Condition
Mono implementation of the Hash evidence isn't compatible with Fx 1.0/1.1.
However it seems compatible with Fx 2.0. You are suggested to use a 
StrongName evidence if comptaibility is an issue for your policy.

.SH AUTHOR
Written by Sebastien Pouliot
.SH COPYRIGHT
Copyright (C) 2004 Novell, Inc (http://www.novell.com)
.SH MAILING LISTS
Visit http://lists.ximian.com/mailman/listinfo/mono-list for details.
.SH WEB SITE
Visit http://www.mono-project.com for details