> If I'm assuming correctly the implementation of this:
>
> - Run CF under a user account.
>
> - Allow developer A to access via CFFILE (maybe read & write access)
> only specific directories. Give the CF user account necessary NTFS
> access rights to allow this.
>
> - Allow developer B to access via CFFILE (maybe read & write access)
> only specific directories. Give the CF user account necessary NTFS
> access rights to allow this.
>
> Now, say the two developers are running the same off-the-shelf CF
> application, such as a shopping cart that (for whatever reason) uses
> CFFILE. Wouldn't they still have access to each other's directories
> wherever read or right access has been granted to the CF user account?
Yes, they would. The purpose of my suggestion was to limit what files the CF
service can read, and then CFFILE would only work with those files.
Application script files don't generally need to be read, they just need to
be executed. If you had a subset of application files that did need to be
read, you'd set the ACLs appropriately. Most of those files wouldn't be
scripts, I suspect.
Again, if you had Advanced Security working, you could conceivably use
CFIMPERSONATE to act as the appropriate user (the one with rights to read
and write files via CFFILE) and deny the CF service any read/write rights to
the files. Of course, if you have Advanced Security working, you could just
use rules and policies within it to prevent CFFILE from being used
inappropriately, but file-level ACLs are always a good idea, from a security
standpoint.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
------------------------------------------------------------------------------
To unsubscribe, send a message to [EMAIL PROTECTED] with
'unsubscribe' in the body or visit the list page at www.houseoffusion.com
