I would definitely entertain using sandbox security to limit the database access, I trust that you're already using it to limit cffile access?
On 5/18/05 10:10 PM, "Jamie Price" <[EMAIL PROTECTED]> wrote: >> At this point in the discussion I'd like to invite anyone who knows of a >> shared host WITH A CLUE to give us all their details... > > Dave alerted me to this thread and the problem with CFMX + JSP just today, > so I'm going to be investigating this as well on the HMS end. I can tell you > that the initial reason why JSP can't be locked down is that a number of > clients are using it for a legitimate purpose - we can't just shut it off and > tell those clients that we suddenly became security-conscious and they have to > deal and find a shoddy host that will let them run their app. > > On the other hand, I can't see us allowing this to continue either. Just > because you're on a shared host it doesn't mean that you're on an insecure > server. It will never be as tightly locked down as a dedicated server (or > even a VPS, which is new at HostMySite) however that doesn't mean you're > publishing your code for the world to see. IF that were the case we would > change our name to HostMyBBS. :-) > > Seriously, I will be taking this up with the CEO and COO tomorrow, and we'll > be looking into possible alternatives so everyone gets what they want. I > suspect the solution will be a little different for Windows as opposed to the > Linux-based sites, however I'm not fluent in CFMX/JSP so I can't say for > certain. > > If any of you have any suggestions that would accomplish both the > functionality and the security, I'd be more than happy to entertain them and > bring them before the CEO. I can assure you that your suggestions will not be > brushed aside lightly for ANY reason. > > Along a similar vein, locking down datasources via sandbox security was at > one time considered, however it was discarded I believe because clients can > attain the same level of security by simply adding a user/pass to their code > via the Application.cfm and referencing the datasource that way. We will add > the user/pass to the DSN upon request, however we ALWAYS tell clients before > doing so that they are basically inviting other users on the server to > read/write to their database. > > If you have any questions and the CF mods have no problems with my being > here, please feel free to post them and I'll either answer them to the best of > my ability or find another rep from HostMySite.com who can. > > Jamie Price > Email Administrator, Sr. Tech Support Rep > HostMySite.com > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207127 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
