Good Points in all accounts. Lemme explore this a little bit (As soon as my spare cycles equal >0) I'm getting ready for the devcon next week as well as working on the next gen cf, so, I'll try to figure something out.
As a side idea before I wander off, it would be possible to write a CFX tag that would give greater CFFILE control, including authentication. It's not a task I can take on, but it would be possible. Maybe something like CFX_CFFILE_DAEMON ..

========================
Jesse Noller
Linux Fiend
Macromedia Server Development
[EMAIL PROTECTED]

shotgun debugging: shotgun debugging n. The software equivalent of Easter egging; the making of relatively undirected changes to software in the hope that a bug will be perturbed out of existence. This almost never works, and usually introduces more bugs. -From the Jargon File.

> -----Original Message-----
> From: Peter Amiri [mailto:[EMAIL PROTECTED]]
> Sent: Monday, October 15, 2001 1:05 PM
> To: CF-Linux
> Subject: RE: CFFILE usage on a shared CF server
>
> Jesse,
>
> I think many people would agree that in a shared environment they should disable CFREG. I don't think many will disagree with this one, but I think the second part of this is where everyone is having difficulty. Many people using CF use its capabilities to easily upload files to the server. Many people running shared CF hosting servers find themselves in the position that this is an absolute requirement by their customers. Frankly as a CF programmer, I agree with their point of view and consider CFFILE a necessity in most systems.
>
> Let me also say that I don't think this is a CF on Linux issue so much as it is a CF issue. Basically the engine runs under a single user account. All access to the file system, regardless of platform, is regulated by that single user account. This brings us to the question at hand. As hosting providers we find ourselves in a position that we need to enable CFFILE. I think we are all asking for a best practices approach to how to enable CFFILE in a shared hosting environment.
>
> -Peter Amiri
> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> www.amiri.net <http://www.amiri.net>
>
> ---------------------------------------------
> So powerful is the light of unity that it can
> illuminate the whole earth.
> --Baha'i Faith (http://www.us.bahai.org)
> ---------------------------------------------
>
> > -----Original Message-----
> > From: Jesse Noller [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, October 12, 2001 2:14 PM
> > To: CF-Linux
> > Subject: RE: CFFILE usage on a shared CF server
> >
> > Or just move the CFIDE directory out of the web root.
> >
> > mv /var/www/html/CFIDE /opt/coldfusion
> >
> > Voila. Sides, in a shared environment, you can lock CF down to a private username, disable the needed tags (CFREG and CFFILE if you desire) and you're pretty locked down.
> >
> > The "registry" is nothing more than a flat text file used for configuration guidelines like the httpd.conf, smb.conf, etc files. Nothing 'special' about it. Yes, it stores a hashed password on it. That's why in a shared environment, it is important to evaluate what tags you would like to 'not use'.
> >
> > Yes, this is not a perfect solution, however, it is currently the only option available.
> >
> > -Jesse
> >
> > -----Original Message-----
> > From: Dave Watts [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, October 12, 2001 4:38 PM
> > To: CF-Linux
> > Subject: RE: CFFILE usage on a shared CF server
> >
> > > Hrm. I was referring more to the fact that a 'registry' was used in Linux as well. And that there is a script floating around that someone with shared access can upload, and then run, and output the cfserver's admin password to the browser... I didn't mean that cfregistry was bad, or that windows was bad (tho I prob. thought that one <g>), but that since there is no Adv. Sec. for CFLinux, to not allow this tag to be available if you're gonna share CFLinux Hosting...
> >
> > Well, I don't have a lot of experience with CF on Linux, but if it's like it is on Solaris, the "registry" is just a text file that CF uses to store its configuration info. This isn't used by anything other than CF. I agree with you that you might want to disable CFREGISTRY if you're setting up a shared host.
> >
> > Rather than relying on the CF Administrator password for security, you might be better off simply setting up the CF Administrator to run on a separate, protected virtual server using .htaccess and SSL to prevent unauthorized users getting into it.
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > voice: (202) 797-5496
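
Added example, not part of the original thread: one way to lay out the separate, protected virtual server for the CF Administrator that Dave Watts describes, together with the relocated CFIDE directory from Jesse's message, written in Apache 2.4 syntax with the access rules in the server config rather than a .htaccess file. Host names, certificate and password-file paths, the empty document root and the admin network range are assumptions.

```apache
# Shared customer-facing host: CFIDE has been moved out of the document
# root (mv /var/www/html/CFIDE /opt/coldfusion), so nothing under
# /var/www/html serves the Administrator.
<VirtualHost *:80>
    ServerName www.example.com            # assumed public host name
    DocumentRoot /var/www/html

    # Belt and braces: refuse the URL path even if a later Alias or
    # symlink makes the directory reachable from this host again.
    <LocationMatch "^/CFIDE/administrator">
        Require all denied
    </LocationMatch>
</VirtualHost>

# Admin-only host: SSL plus HTTP authentication in front of the
# ColdFusion Administrator's own password.
<VirtualHost *:443>
    ServerName cfadmin.example.com        # assumed admin host name
    DocumentRoot /var/www/cfadmin-empty   # assumed empty directory

    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/cfadmin.crt   # assumed path
    SSLCertificateKeyFile /etc/httpd/ssl/cfadmin.key   # assumed path

    # Map the relocated directory into this host only.
    Alias /CFIDE /opt/coldfusion/CFIDE

    <Directory /opt/coldfusion/CFIDE>
        AllowOverride None
        AuthType Basic
        AuthName "CF Administrator"
        AuthUserFile /etc/httpd/conf/cfadmin.htpasswd  # assumed path, outside any docroot
        # Both conditions must hold: a valid login AND a request from
        # the administrators' network (constructed example range).
        <RequireAll>
            Require valid-user
            Require ip 192.0.2.0/24
        </RequireAll>
    </Directory>
</VirtualHost>
```

This only restricts who can reach the Administrator over HTTP; it does not change the point raised in the thread that CFFILE and CFREGISTRY run with the file-system rights of the single account the CF engine runs under.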
