Jesse,

I think many people would agree that in a shared environment they should
disable CFREG. I don't think many will disagree with this one, but I think
the second part of this is where everyone is having difficulty. Many people
using CF use its capabilities to easily upload files to the server. Many
people running shared CF hosting servers find themselves in the position
that this is an absolute requirement by their customers. Frankly as a CF
programmer, I agree with their point of view and consider CFFILE a necessity
in most systems.

Let me also say that I don't think this is a CF on Linux issue so much as it
is a CF issue. Basically the engine runs under a single user account. All
access to the file system, regardless of platform, is regulated by that
single user account. This brings us to the question at hand. As hosting
providers we find ourselves in a position that we need to enable CFFILE. I
think we are all asking for a best practices approach to how to enable
CFFILE in a shared hosting environment.

-Peter Amiri
 [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
 www.amiri.net   <http://www.amiri.net>

---------------------------------------------
So powerful is the light of unity that it can
illuminate the whole earth.
     --Baha'i Faith (http://www.us.bahai.org)
---------------------------------------------
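Since the point above is that a single engine account governs every file write, an added illustration (not part of this message or the thread) of how a hosting provider can see the scope of that risk: a small POSIX shell audit listing which directories under a web root a given account could write into. The demonstration tree, the root path and the uid/gid 65534 ("nobody" on most Linux systems, standing in for whatever account the CF engine is started as) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Because the CF engine runs as one
# account, a CFFILE call in any customer's template writes with that
# account's permissions. This audit lists the directories under a hosting
# root that such an account could write into, applying the same owner /
# group / other rules the kernel applies. Paths and ids are assumptions.

# cf_writable_dirs ROOT UID GID
#   Print every directory under ROOT writable by the numeric uid/gid:
#   owned by uid with the owner-write bit, owned by gid with the
#   group-write bit, or world-writable. Numeric ids are used so the
#   account need not exist on the auditing machine (GNU find accepts them).
cf_writable_dirs() {
    root=$1; uid=$2; gid=$3
    find "$root" -type d \( \
        -user "$uid" -perm -0200 -o \
        -group "$gid" -perm -0020 -o \
        -perm -0002 \) 2>/dev/null
}

# Constructed demonstration tree standing in for /var/www with two
# customers: customer_a leaves its upload directory world-writable,
# customer_b does not. Prints the temporary root it created.
make_demo_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/customer_a/uploads" "$tmp/customer_b/uploads"
    chmod 0755 "$tmp/customer_a" "$tmp/customer_b"
    chmod 0777 "$tmp/customer_a/uploads"
    chmod 0755 "$tmp/customer_b/uploads"
    printf '%s\n' "$tmp"
}

# Example run: "sh audit.sh demo" audits the constructed tree for uid/gid
# 65534 and lists only customer_a/uploads, the directory any customer's
# CFFILE code could write into through the shared engine account.
if [ "${1:-}" = "demo" ]; then
    tree=$(make_demo_tree)
    cf_writable_dirs "$tree" 65534 65534
    rm -rf "$tree"
fi
```

Against a real host, replace the demonstration tree with the actual web root and pass the uid and gid the CF process is running as (as shown by `ps`); every directory listed is one that a CFFILE call from any customer's code could write to, which is the list a provider needs to tighten before enabling the tag.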

> -----Original Message-----
> From: Jesse Noller [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 12, 2001 2:14 PM
> To: CF-Linux
> Subject: RE: CFFILE usage on a shared CF server
>
>
> Or just move the CFIDE directory out of the web root.
>
> mv /var/www/html/CFIDE /opt/coldfusion
>
> Viola. Sides, in a shared environment, you can lock CF down to a private
> username, disable the needed tags (CFREG and CFFILE if you
> desire) and you're
> pretty locked down.
>
> The "registry" is nothing more than a flat text file used for
> configuration
> guidelines like the httpd.conf, smb.conf, etc files. Nothing
> 'special' about
> it. Yes, it stores a hashed password on it. That's why in a shared
> environment, it is important to evaluate what tags you would like to 'not
> use'.
>
> Yes, this is not a perfect solution, however, it is currently the only
> option available.
>
>
> -Jesse
>
> -----Original Message-----
> From: Dave Watts [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 12, 2001 4:38 PM
> To: CF-Linux
> Subject: RE: CFFILE usage on a shared CF server
>
>
> > Hrm. I was referring more to the fact that a 'registry' was
> > used in Linux as well. And that there is a script floating
> > around that someone with shared access can upload, and then
> > run, and output the cfserver's admin password to the browser...
> > I didn't mean that cfregistry was bad, or that windows was
> > bad (tho I prob. thought that one <g>), but that since there
> > is no Adv. Sec. for CFLinux, to not allow this tag to be
> > available if you're gonna share CFLinux Hosting...
>
> Well, I don't have a lot of experience with CF on Linux, but if
> it's like it
> is on Solaris, the "registry" is just a text file that CF uses to
> store its
> configuration info. This isn't used by anything other than CF. I
> agree with
> you that you might want to disable CFREGISTRY if you're setting
> up a shared
> host.
>
> Rather than relying on the CF Administrator password for
> security, you might
> be better off simply setting up the CF Administrator to run on a separate,
> protected virtual server using .htaccess and SSL to prevent unauthorized
> users getting into it.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
>
> 
Archives: http://www.mail-archive.com/cf-linux%40houseoffusion.com/