Dave, what are your best practices for setting up CF? What perms do you assign? Which groups do you assign the user that CF runs under to?
Rey...

Dave Watts wrote:

>> Are you talking about permissions here? Disk permissions or
>> some type of IIS permissions? In any case, if you are running
>> windows, most services run under a system account (although
>> this has changed in windows 2003), and the system account
>> usually has access to execute in any directory. So if you
>> buffer overrun the service, then you can execute the files
>> wherever they are. Even if it's linux, you can probably run
>> a chmod on the files beforehand, and then execute, so
>> permissions are not going to help you much...
>
> This is why it's so important not to run CF or similar services as SYSTEM.
> If I can run unauthorized code on your machine as SYSTEM, it's not your
> machine any more - it's mine. Filesystem access is irrelevant at that point.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
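As a worked illustration of Dave's point (an added example, not code from anyone in this thread): the fix for "if I can run code as SYSTEM it's my machine" is to run the ColdFusion service under a dedicated, unprivileged local account and give that account only the NTFS rights it needs. The script below assumes a modern PowerShell (5.1 or later, for New-LocalUser), an IIS web root at C:\inetpub\wwwroot and a CF install directory of C:\ColdFusion; the service name is looked up rather than hard-coded, and the list of directories CF must write to is an assumption you should check against your own version (the CF Administrator will tell you where logs, temp and mail spool live). On older hosts the same steps can be done with net user, sc.exe and cacls.

```powershell
# Added example: move ColdFusion off LocalSystem onto a least-privilege service account.
# Not from the original thread. Paths and the writable-directory list are assumptions.
$acct    = 'cfservice'              # dedicated local account; never a domain admin or local Administrator
$cfRoot  = 'C:\ColdFusion'          # assumption: CF install directory
$webRoot = 'C:\inetpub\wwwroot'     # assumption: IIS web root
$writableDirs = 'logs', 'tmpCache', 'Mail\Spool', 'Mail\Undelivr'   # assumption: adjust per CF version

# Find the service by display name instead of guessing its short name.
$svc = Get-Service | Where-Object DisplayName -like 'ColdFusion*' | Select-Object -First 1
if (-not $svc) { throw 'No ColdFusion service found' }
$svcName = $svc.Name

# 1. Create the account. Leave it in the default 'Users' group only: no Administrators, no Power Users.
$password = Read-Host -AsSecureString "Password for $acct"
New-LocalUser -Name $acct -Password $password -PasswordNeverExpires `
              -UserMayNotChangePassword -Description 'ColdFusion service account' | Out-Null

# 2. Re-point the service at the account via Win32_Service.Change.
#    Caveat: changing the account in the Services console grants "Log on as a service"
#    automatically; doing it via CIM or sc.exe does not. Grant that right in secpol.msc
#    (Local Policies > User Rights Assignment) first, or the restart below fails with error 1069.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
$cim   = Get-CimInstance Win32_Service -Filter "Name='$svcName'"
$r     = Invoke-CimMethod -InputObject $cim -MethodName Change `
                          -Arguments @{ StartName = ".\$acct"; StartPassword = $plain }
if ($r.ReturnValue -ne 0) { throw "Win32_Service.Change failed with code $($r.ReturnValue)" }

# 3. NTFS: read/execute on the install tree and the web root (so a compromised CF process
#    cannot rewrite its own .cfm files), modify only where CF genuinely needs to write.
icacls $cfRoot  /grant "$($acct):(OI)(CI)RX"
icacls $webRoot /grant "$($acct):(OI)(CI)RX"
foreach ($d in $writableDirs) {
    $p = Join-Path $cfRoot $d
    if (Test-Path $p) { icacls $p /grant "$($acct):(OI)(CI)M" }
}

Restart-Service -Name $svcName

# 4. Verify: the service no longer starts as LocalSystem, and the account has no
#    Modify/Full rights on the web root (expect only (OI)(CI)(RX) for cfservice).
(Get-CimInstance Win32_Service -Filter "Name='$svcName'").StartName
icacls $webRoot | Select-String $acct
```

The "before" state this replaces is StartName = LocalSystem, which is what Dave is warning about: with that account a buffer overrun in the service gives the attacker the whole host, whatever the file ACLs say. With the dedicated account the same overrun lands in a process that can read the web root but cannot write it, cannot install services, and cannot read other users' profiles, so the filesystem permissions Rey asked about actually start to matter.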

