So where do you find a decent explanation of security contexts and how to
set them up?

Dave, maybe a CFUG on this would be nice :)

Neil

----- Original Message -----
From: "Dave Watts" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, September 12, 2000 12:20 PM
Subject: RE: ISP's Headache: CFFILE


> > If I'm assuming correctly the implementation of this:
> >
> > - Run CF under a user account.
> >
> > - Allow developer A to access via CFFILE (maybe read & write access)
> > only specific directories.  Give the CF user account necessary NTFS
> > access rights to allow this.
> >
> > - Allow developer B to access via CFFILE (maybe read & write access)
> > only specific directories.  Give the CF user account necessary NTFS
> > access rights to allow this.
> >
> > Now, say the two developers are running the same off-the-shelf CF
> > application, such as a shopping cart that (for whatever reason) uses
> > CFFILE.  Wouldn't they still have access to each other's directories
> > wherever read or write access has been granted to the CF user account?
>
> Yes, they would. The purpose of my suggestion was to limit what files the CF
> service can read, and then CFFILE would only work with those files.
> Application script files don't generally need to be read, they just need to
> be executed. If you had a subset of application files that did need to be
> read, you'd set the ACLs appropriately. Most of those files wouldn't be
> scripts, I suspect.
>
> Again, if you had Advanced Security working, you could conceivably use
> CFIMPERSONATE to act as the appropriate user (the one with rights to read
> and write files via CFFILE) and deny the CF service any read/write rights to
> the files. Of course, if you have Advanced Security working, you could just
> use rules and policies within it to prevent CFFILE from being used
> inappropriately, but file-level ACLs are always a good idea, from a security
> standpoint.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
> ------------------------------------------------------------------------------
> To unsubscribe, send a message to [EMAIL PROTECTED] with
> 'unsubscribe' in the body or visit the list page at www.houseoffusion.com
>

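An added example, not part of the original thread and not from either poster: a PowerShell audit for the setup discussed above, listing which per-developer directories grant the CF service account read or write access to file data. The account name and the one-folder-per-developer layout are assumptions; it only sees ACEs that name the account directly, so grants through groups such as Users or Everyone need a separate check.

```powershell
# Added example. The account and path below are hypothetical placeholders,
# not values taken from the thread.
param(
    [string]$ServiceAccount = 'WEBHOST\svc-coldfusion',  # assumed CF service account
    [string]$HostingRoot    = 'D:\customers'             # assumed: one subfolder per developer
)

# Rights that let CFFILE, running as the service, read or change file contents.
$dataRights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete'

$findings = foreach ($dir in Get-ChildItem -LiteralPath $HostingRoot -Directory) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    foreach ($ace in $acl.Access) {
        # Only ACEs that name the service account directly are considered.
        if ($ace.IdentityReference.Value -ne $ServiceAccount) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # Keep the ACE only if it grants at least one of the data rights.
        if (([int]$ace.FileSystemRights -band [int]$dataRights) -eq 0) { continue }

        [pscustomobject]@{
            Directory = $dir.FullName
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Format-Table -AutoSize

# If the one shared account can reach more than one developer's folder, any
# template executed by the CF service can reach all of them through CFFILE,
# which is the cross-developer exposure confirmed in the reply.
$exposed = @($findings | Select-Object -ExpandProperty Directory -Unique)
if ($exposed.Count -gt 1) {
    Write-Warning ("{0} has data access to {1} developer directories under {2}" -f `
        $ServiceAccount, $exposed.Count, $HostingRoot)
}
```

An empty result for a directory means the service account has no direct data-access ACE there, which is the state the reply describes for the impersonation approach.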