Hi Jesse,

Not to be annoying :-), but any update on internal talks about this?

Thanks!
Cathy

----- Original Message -----
From: "Jesse Noller" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, October 10, 2002 1:14 PM
Subject: RE: 2nd question - Run MX as nobody? - Solution


> Cathy-
>
>    I do recommend trying the noshell option. This was not written off as a
> non-issue, it was not feasible for us to write more C code binaries, and we
> were not left pleasant options.
>
>   I will discuss this matter internally once I am over this flu-bug, and I
> will see what we can do. Our only real option is to either write a new
> C-launcher binary (not good, very bad, severe change in CFMX) or enforce the
> JRun method of installation (Not a good user experience) it is a lose-lose
> situation on our part.
>
>    I will see what I can do, and will explore the options internally.
>
> -Jesse Noller
> Macromedia
>
> -----Original Message-----
> From: Cathy Taylor
> To: CF-Talk
> Sent: 10/10/2002 9:26 AM
> Subject: Re: 2nd question - Run MX as nobody? - Solution
>
> This is not an option. I don't know how many times I have to say that.
> We have been using ColdFusion for years and have systems in place on it.
> We're forward thinking and trying to get rid of our legacy applications,
> not create new ones. It will not be an option for us to move forward
> unless CFMX can be run as nobody.
>
> Part of our security hardening procedure on production servers is to
> allow *no* user accounts other than administrators. None of our
> production software runs as a user other than nobody. We have *never*
> had a problem with that. I cannot just change the rules - they are
> dictated by a federal governing body (and I would lose my job and worse
> if I did).
>
> We took this problem to SUN to cover our bases as well and here was
> their response, backing up my security issue here:
>
> "Following up on this case regarding locking down a solaris system via
> the login shell. My understanding is one of your 3rd party plugins
> (coldfusion) must implement a valid shell for the user nobody, who
> normally does not have any shell assigned for obvious reasons. I don't
> know if I agree with the fact that coldfusion actually requires a shell
> since it is a security hole but that's another ballgame. Does coldfusion
> actually require a user to login? If not, I would highly recommend using
> the noshell program which is much more secure than say /bin/false. This
> shell won't let the user actually login but it is a valid shell. You can
> get this right off of:
>
> "http://www.cert.org/security-improvement/implementations/i049.02.html
>
> "This site gives step by step instructions for using the noshell
> program, which is very straightforward and takes no more than 10
> minutes. If coldfusion actually requires a login then there will be no
> choice but to assign a valid shell (ie. /bin/csh) to the user nobody and
> lock the system down appropriately (ie. specify NP in the /etc/shadow
> file or what not). A valid shell always leaves a system open to hacker
> attacks so I would suggest reviewing the following security faq which
> tells you pretty much everything you need to know on how to secure the
> system:
>
> "http://muse.linuxmafia.org/lost+found/solaris-security-faq.html#Q3.10
>
> "I hope this helps.
>
> "Best Regards,"
>
> I will look into the noshell option to see if it works and is feasible,
> but I am highly disappointed that this was written off as a seemingly
> non-issue when it in fact is a huge issue.
>
> Cathy Taylor
>
> ----- Original Message -----
> From: "Jesse Noller" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Thursday, October 10, 2002 12:00 PM
> Subject: RE: 2nd question - Run MX as nobody? - Solution
>
>
> > Cathy-
> >
> > Do *not* run coldfusion as the nobody user then. CFMX requires the
> > user it runs as have a valid shell on solaris as solaris SU does not
> > allow for on the fly shell definition to run a given command.
> >
> > CF5 bypassed this by having an internal SUID system. CFMX does not.
> >
> > Jesse Noller
> > [EMAIL PROTECTED]
> > Macromedia Server Development
> >
> > > -----Original Message-----
> > > From: Cathy Taylor [mailto:cathy@;4te.com]
> > > Sent: Thursday, October 10, 2002 11:48 AM
> > > To: CF-Talk
> > > Subject: RE: 2nd question - Run MX as nobody? - Solution
> > >
> > > No, that's not a viable solution. I cannot give 'nobody' a shell. That
> > > defeats the purpose of nobody.
> > >
> > > I posted in the forum (hey Troy, that was probably me!) and am not
> > > receiving a response and have also submitted a bug report. I have
> > > narrowed it down to this:
> > >
> > > CFMX will run as nobody if no shell is specified (nothing at the end of
> > > the line in /etc/passwd). It will not run if /dev/null or /bin/false is
> > > specified as the shell. The gov't agency I work for has strict
> > > requirements that one of the above be specified. This worked for CF
> > > 4.5 and 5.0. It suddenly does not work with CFMX. (It also works for all
> > > web servers we have run and currently run, so should not be a major
> > > issue).
> > >
> > > Glad to hear I'm not the only one. I'm kind of bummed I haven't received
> > > any reply from Macromedia though to at least confirm my suspicion and
> > > say, "Hey, we'll get right on that!". We're at a standstill until it's
> > > resolved.
> > >
> > > Thanks for the feedback! I seem to miss some using the digest and will
> > > try to pay more attention!
> > >
> > > Cathy
> > >
> > >
> >
>
> 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Signup for the Fusion Authority news alert and keep up with the latest news in 
ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm
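
An added example, not part of the original thread and not Macromedia or Sun code: a POSIX shell audit of the login-shell field (field 7 of passwd(4)) covering the cases discussed above. It relies on the documented passwd(4) behaviour that an empty shell field falls back to the system default shell, so an entry with nothing at the end of the line still yields a usable shell; the sample entries and the noshell install path are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit the login-shell field of passwd(4)-format entries.
# Sample data is constructed for illustration; the noshell path is an assumption.
SAMPLE='root:x:0:1:Super-User:/:/sbin/sh
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:/bin/false
cfmx:x:1001:100:constructed service account:/opt/cfmx:/dev/null
daemon:x:1:1::/:/usr/local/sbin/noshell
cathy:x:1002:100:constructed admin:/home/cathy:/bin/csh'

# audit_shells: passwd-format lines on stdin -> "user<TAB>verdict<TAB>shell".
#   DEFAULT_SH  : empty field; the system default shell is used, so the
#                 account can still run commands through a shell
#   NO_LOGIN    : noshell, /bin/false or /dev/null; no interactive shell
#   LOGIN_SHELL : any other program, treated as a usable shell
audit_shells() {
    awk -F: '
    NF >= 7 {
        shell = $7
        if (shell == "")
            verdict = "DEFAULT_SH"
        else if (shell ~ /(^|\/)(noshell|false)$/ || shell == "/dev/null")
            verdict = "NO_LOGIN"
        else
            verdict = "LOGIN_SHELL"
        printf "%s\t%s\t%s\n", $1, verdict, (shell == "" ? "(empty)" : shell)
    }'
}

# shell_capable: names of non-root accounts whose entry still yields a shell.
# These are the entries a "no shells for service accounts" policy should review.
shell_capable() {
    audit_shells | awk -F'\t' '$1 != "root" && $2 != "NO_LOGIN" { print $1 }'
}

# verdict_for <user>: verdict for one account in the constructed sample.
verdict_for() {
    printf '%s\n' "$SAMPLE" | audit_shells | awk -F'\t' -v u="$1" '$1 == u { print $2 }'
}

# Stand-alone run: print the audit of the constructed sample.
printf '%s\n' "$SAMPLE" | audit_shells
```

To check a live system, feed it the real file: `audit_shells < /etc/passwd`.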
