Bug #59202 Connector/Net does not run in less than full trust
Submitted: 29 Dec 2010 2:28 Modified: 19 May 2011 20:25
Reporter: James Gurung Email Updates:
Status: Closed Impact on me:
None 
Category:Connector / NET Severity:S3 (Non-critical)
Version:6.3.5.0 OS:Any
Assigned to: Julio Casal CPU Architecture:Any
Tags: connector, full trust, gac, partial trust, trust

[29 Dec 2010 2:28] James Gurung
Description:
The MySql Connector/Net does not run correctly in less than Full trust. This is unacceptable as it prevents operation in shared hosting environments.

How to repeat:
Attempt to connect with the Entity Framework in a partial trust environment. You receive the error:

Description: The application attempted to perform an operation not allowed by the security policy.  To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

Stack Trace:

[SecurityException: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.]
   MySql.Data.MySqlClient.MySqlTrace..cctor() +0

Who called MySqlTrace anyway? I didn't.
[29 Dec 2010 4:50] Valeriy Kravchuk
Thank you for the problem report. Please, check if the same problem happens with a newer version, 6.3.5.
[29 Dec 2010 9:16] James Gurung
Yes, it's the same with the latest version. Incidentally, the problem is resolved by installing the DLLs to the GAC, but in a shared hosting environment this is not always possible/allowed.
[30 Dec 2010 6:35] Bogdan Degtyariov
James,

can you try the debug build attached below (MySql.Data.zip) and send the full stack trace with the line numbers?

I suspect that security issue might come when creating the static TraceSource instance, but we need your feedback to identify and resolve the problem:

MySqlTrace.cs:
-----------------------------------------------------------
public class MySqlTrace
{
   private static string qaHost;
   private static bool qaEnabled = false;

#if !CF
   private static TraceSource source = new TraceSource("mysql"); // <-- bang!
-----------------------------------------------------------
[30 Dec 2010 6:36] Bogdan Degtyariov
debug build (dll and pdb)

Attachment: MySql.Data.zip (application/x-zip-compressed, text), 399.67 KiB.

[30 Dec 2010 13:40] James Gurung
My hosting provider just kindly agreed to install the connector to the GAC (he installed version 6.3.4.0) - which is a workaround.

I tried to test your DLL anyway, by putting it into my bin directory and changing the <add assembly ...> line in my web.config for the new version. But the site just kept working as if nothing had changed.

I don't want to mess about my hosting providor, so ideally someone could test this who can run an app in partial trust without the connector in the GAC?
[2 Jan 2011 6:14] James Gurung
Right, my web host just got a problem so MySql's not in the GAC for now. I've tested your debug dll (with pdb) with the following result:

Server Error in '/' Application.
Security Exception
Description: The application attempted to perform an operation not allowed by the security policy.  To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[SecurityException: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.]
   MySql.Data.MySqlClient.MySqlTrace..cctor() +0

No line numbers or anything, for some reason.

See the sample project I attached. I had to remove the connection string because it contains my own database but I hope it's still some help.
[5 Jan 2011 5:31] Bogdan Degtyariov
James,

I uninstalled all MySql.Data.dll from GAC and tried running your project.
Even though `teachers` table was missing, I reverse-engineered it from edmx file and edited web.config.
After performing these steps the aspx script showed data from the table and no exception was thrown.

Am I missing anything? The Connector/NET files were not in GAC, but I am not sure I set partial trust options anywhere... 

ASP.NET is running under non-admin account on Windows machine, which has limited privileges, so the conditions should be as you described.
Please comment.
[10 Jan 2011 17:38] Ken Frances
I'm wondering if the .dll is not signed properly, thus breaking the security rules.
[10 Jan 2011 19:14] James Gurung
Thanks for working on this. I'm not sure exactly which trust options trigger the error, because this also works on my local machine without the connector installed (with just the DLL in the bin folder).
[24 Jan 2011 0:44] Justin Caldicott
Seeing the same problem here with both 6.3.5 and 6.3.6.

I've requested our host to install the assemblies into the GAC; hopefully they will.

Currently though this is a showstopper for us.

Is there a last known good version?  6.0.4 sounds like a long way back, and we're using the EntityFramework support heavily, which I expect to have improved a lot in recent versions.

Thanks,
[24 Jan 2011 2:24] Bogdan Degtyariov
Justin,

can you help us to repeat the problem with Connector/NET on a local machine?
We cannot fix something, which is not repeatable...

The question is, what exactly should be done to have the SecutiryException described in the report?

As you see (check the replies: [5 Jan 6:31] Bogdan Degtyariov, [10 Jan 20:14] James Gurung), not having MySql.Data.dll in GAC is not enough. There must be some system setting, which triggers Connector/NET exceptions. Do you have any ideas what it might be and where we should look?
[28 Jan 2011 19:06] Igor Knelev
I'm having the same issue. I'm using 6.3.6 connector version and was able to replicate the problem in VS 2010 environment. I uninstalled connector from my PC and added 4 dll files(MySql.Data, MySql.Web, MySql.Data.Entity, MySql.Data.CF) to project's bin directory. In web.config I changed the trust level to Medium. Under medium trust I get this Exception when running using VS development server:

[SecurityException: Request for the permission of type 'System.Net.SocketPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.]
   System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet) +0
   System.Security.CodeAccessPermission.Demand() +61
   System.Net.Sockets.Socket.CheckCacheRemote(EndPoint& remoteEP, Boolean isOverwrite) +155
   System.Net.Sockets.Socket.BeginConnectEx(EndPoint remoteEP, Boolean flowContext, AsyncCallback callback, Object state) +133
   System.Net.Sockets.Socket.BeginConnect(EndPoint remoteEP, AsyncCallback callback, Object state) +125
   MySql.Data.Common.StreamCreator.CreateSocketStream(IPAddress ip, Boolean unix) +187
   MySql.Data.Common.StreamCreator.GetStream(UInt32 timeout) +493
   MySql.Data.MySqlClient.NativeDriver.Open() +265

Under Full trust web site works fine.

About my project:
ASP.NET web site created using VS 2010 targeting .NET 3.5 framework. Data Access using Entity Framework. Entities are built in separate project and added to web.site bin (dll, ssdl, msl, csdl).
[30 Jan 2011 16:21] Igor Knelev
Looks like the problem is in MySqlTrace. I commented out code in constructor block and it worked on godady shared web hosting site. Can't find why this won't work in less than full trust.  
  static MySqlTrace()
        {
            //foreach (TraceListener listener in source.Listeners)
            //{
            //    if (listener.GetType().ToString().Contains("MySql.EMTrace.EMTraceListener"))
            //    {
            //        qaEnabled = true;
            //        break;
            //    }
            //}
        }
[20 Feb 2011 18:16] Nathan Moinvaziri
I had the exact same problem as Igor Knelev and his solution worked for me on GoDaddy as well.

Thanks!
[23 Feb 2011 9:08] Bogdan Degtyariov
Verified with Connector/NET 6.3.6 and 6.4
[24 Feb 2011 11:12] Simon Høgås
I have the same problem, but I can't manage to recompile. After making the changes to MySQLTrace, I get the build error:

Error	1	Cryptographic failure while signing assembly 'C:"..." -- 'Keyword ConnectorNet does not exist'	MySql.Data

Does anyone have a compiled version of the modified dll, or a solution to this. 
Version 6.3.6 btw
[24 Feb 2011 11:51] James Gurung
Is enough now known about this bug to push a fix in the next release?
[19 May 2011 20:25] Julio Casal
Thank you for your bug report. This issue has been committed to our source repository of that product and will be incorporated into the next release.

Fixed in 6.3.7 and 6.4.1+

If necessary, you can access the source repository and build the latest available version, including the bug fix. More information about accessing the source trees is available at

    http://dev.mysql.com/doc/en/installing-source.html
[15 Jan 2012 3:49] David Kuik
I'm seeing this same problem again with version 6.4.4 on Rackspace.com Cloud Sites.  Error is as follows:

[SecurityException: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.]
   MySql.Data.MySqlClient.MySqlTrace..cctor() +0
[26 Jan 2012 22:19] Sam Kimmel
6.4.4 in the bin directory. Same issue with MySqlTrace here.
[26 Jan 2012 22:53] Sam Kimmel
Corrected the MySqlTrace issue by adding the following to the AssemblyInfo.cs in the Properties folder of my MVC 3 application:

[assembly: System.Security.AllowPartiallyTrustedCallers()]
[7 Jun 2012 16:58] Marco Cianciaruso
I have same issue with framework 4.0 and connector 6.5.4 on developement machine (win7 x64)

I continue to receive 

[SecurityException: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.]
   MySql.Data.MySqlClient.MySqlTrace..cctor() +0

I'm using a custom machine web.config with :
...
...
<SecurityClass Name="OleDbPermission" Description="System.Data.OleDb.OleDbPermission, System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
...
...							 <IPermissionclass="OleDbPermission" version="1" Unrestricted="true" />
...
[29 Jan 2014 22:53] Tony McCreath
Things worked fine for me in 6.6.5 but when I switched to 6.8.3 I started getting the same SecurityPermission exception.

I switched back to 6.6.5 and all works fine.

This is on Hostgator shared hosting.
[2 Aug 2015 0:02] Longinos Castillo
Hi.

I am having the same trouble using Godaddy.com, I am using Net/Connector version MySql.Data (6.9.7.0) and MySql.Data.Entity.EF6 (6.9.7.0)

I wrote in my web.config 
    <securityPolicy>
      <trustLevel name="Full" policyFile="internal"/>
    </securityPolicy>

But anyway I have the error:

[SecurityException: System.Security.Permissions.SecurityPermission]
   MySql.Data.MySqlClient.MySqlClientFactory..ctor() +24
   MySql.Data.Entity.MySqlEFConfiguration..ctor() +62

Thanks. 

lcastillo
Mexico