Ah, but that's my point about the Resource/Sandbox security. When I asked if
people had considered it, I definitely meant "enabling other than the
default settings", because, no, out of the box, it's wide open. 

Still, I'm not denying the power and value of OS security to back it up.
Just saying, especially in a shop where perhaps one is challenged to
implement OS security, there's far more value in locking things down in the
Resource/Sandbox security mechanism than many seem to consider. I just think
it should always be brought up in addition to OS security when discussing
locking down CF servers. 

/charlie

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Mason
Sent: Wednesday, August 01, 2007 4:58 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] CF Service Account

The issue, as I remember, is how Jrun implements JAAS. Lib is actually open
by default. Also bear in mind, I'm speaking of default settings here. Once
again, the main point is, don't rely on Adobe/Microsoft to keep your site
secure. You have to take additional precautions to secure your site and
server.

John
[EMAIL PROTECTED]



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Wednesday, August 01, 2007 4:36 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] CF Service Account

If you are using sandbox security, which under the hood probably uses JAAS,
this shouldn't be possible.  Besides... who allows someone to write to the
lib dir anyway?

-dhs


Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"I have always strenuously supported the right of every man to his own
opinion, however different that opinion might be to mine. He who denies
another this right makes a slave of himself to his present opinion, because
he precludes himself the right of changing it."
     -- Thomas Paine, 1783


On Aug 1, 2007, at 4:34 PM, John Mason wrote:

> You're right and it was posted a few years ago so it's not news 
> really.
> This is one of the reasons I wish CF was more open source to begin 
> with, but here you guys go. If you have cfobject (java) enabled, this 
> script simply writes and compiles a java class in the lib directory.
> This then opens up the ability to do other things. This dates back to 
> when CF made the jump into java. I believe this is more an issue with
> Jrun4 really than CF.
>
> http://securitytracker.com/alerts/2004/Oct/1011475.html
>
> John
> [EMAIL PROTECTED]
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H.  
> Saxe
> Sent: Wednesday, August 01, 2007 3:32 PM
> To: discussion@acfug.org
> Subject: Re: [ACFUG Discuss] CF Service Account
>
> Well the point is really you can't secure what you don't know about.
> CF can be a very secure platform if you know how to secure it and 
> write secure code on top of it.  Hiding details on security 
> vulnerabilities does nothing to help the situation, the blackhats know 
> the details and the rest of us are left to defend ourselves.
>
> Honestly, I'm too lazy (er, busy!) right now to go look up the 
> specifics on this vulnerability that is mentioned here...
>
> -dhs
>
>
> Dean H. Saxe, CISSP, CEH
> [EMAIL PROTECTED]
> "What is objectionable, what is dangerous about extremists is not that 
> they are extreme, but that they are intolerant."
>      -- Robert F. Kennedy, 1964
>
>
> On Aug 1, 2007, at 3:28 PM, Kevin wrote:
>
>> "Security by obscurity is not a good mechanism... let everyone see."
>>
>> Yes really...
>> That's what MS does... Hide everything so you can't see the holes?
>>
>> This community may find out you're NOT as secure as you thought?
>>
>>
>>
>> On 8/1/07, Dean H. Saxe <[EMAIL PROTECTED]> wrote:
>>> Security by obscurity is not a good mechanism... let everyone see.
>>>
>>> -dhs
>>>
>>>
>>> Dean H. Saxe, CISSP, CEH
>>> [EMAIL PROTECTED]
>>> "What is objectionable, what is dangerous about extremists is not 
>>> that they are extreme, but that they are intolerant."
>>>     -- Robert F. Kennedy, 1964
>>>
>>>
>>> On Aug 1, 2007, at 3:24 PM, John Mason wrote:
>>>
>>> Dean, I'll need to email you off list after the meeting. I naturally 
>>> don't like sharing that stuff in the open for everyone to see.
>>>
>>> For everyone out there - needless to say, don't just depend on the 
>>> CF level of security. Security should always include multiple 
>>> layers. Otherwise it won't hold up very well.
>>>
>>> John Mason
>>> [EMAIL PROTECTED]
>>> 770.337.8363
>>>
>>> www.FusionLink.com - ColdFusion and Flex hosting
>>> Now offering ColdFusion 8 Enterprise hosting
>>> FREE Subversion hosting
>>>
>>> ________________________________
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H.
>>> Saxe
>>> Sent: Wednesday, August 01, 2007 3:17 PM
>>> To: discussion@acfug.org
>>> Subject: Re: [ACFUG Discuss] CF Service Account
>>>
>>> Sandbox security is fine when it is backed up by OS-level security.
>>>
>>> What hack do you refer to? That's a new one on me.
>>>
>>> -dhs
>>>
>>>
>>> Dean H. Saxe, CISSP, CEH
>>> [EMAIL PROTECTED]
>>> "[U]nconstitutional behavior by the authorities is constrained only 
>>> by the peoples' willingness to contest them"
>>> --John Perry Barlow
>>>
>>>
>>> On Aug 1, 2007, at 3:12 PM, John Mason wrote:
>>>
>>> There's some, but there's a known remote java class hack to get 
>>> around it. I'm testing CF8 for this issue. Bluedragon doesn't have 
>>> this issue by the way. For a lot of things sandboxing is certainly 
>>> good if people would just use it ;) But if you have COM objects on 
>>> and CF is running under the local service account, which a lot of 
>>> people do for some reason, you can pretty much do anything you want 
>>> to a server. Taking CF off the local service account achieves a lot 
>>> of known security issues outright and it's easy to implement. That's 
>>> why I jump on that whenever possible.
>>>
>>> John Mason
>>> [EMAIL PROTECTED]
>>> 770.337.8363
>>> www.FusionLink.com - ColdFusion and Flex hosting
>>> Now offering ColdFusion 8 Enterprise hosting
>>> FREE Subversion hosting
>>>
>>> ________________________________
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie 
>>> Arehart
>>> Sent: Wednesday, August 01, 2007 2:59 PM
>>> To: discussion@acfug.org
>>> Subject: RE: [ACFUG Discuss] CF Service Account
>>>
>>>
>>> No value in the resource/sandbox security? :-) /charlie
>>>
>>> ________________________________
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob 
>>> Saxon
>>> Sent: Wednesday, August 01, 2007 2:05 PM
>>> To: discussion@acfug.org
>>> Subject: RE: [ACFUG Discuss] CF Service Account
>>>
>>>
>>>
>>>
>>> Thank you John and Dean for your feedback. The CF script needs to 
>>> write the contents of a web form to a folder on another server so 
>>> that an application on that server can read in the form results.
>>>
>>>
>>> -------------------------------------------------------------
>>> Annual Sponsor - Figleaf Software
>>>
>>> To unsubscribe from this list, manage your profile @ 
>>> http://www.acfug.org?fa=login.edituserform
>>>
>>> For more info, see http://www.acfug.org/mailinglists Archive @ 
>>> http://www.mail-archive.com/discussion%40acfug.org/
>>> List hosted by FusionLink
>>> -------------------------------------------------------------
>>>
>>
>>
>> --
>> <K />
>>
>> "A government big enough to give you everything you want, is strong 
>> enough to take everything you have."
>> -Thomas Jefferson
>>
>> "If you're a horse, and someone gets on you, and falls off, and then 
>> gets right back on you; I think you should buck him off right away."
>> -Today's deep thoughts
>>
>> "The winner in any meeting is the one with the highest caffeine 
>> resistance and bladder capacity" -Roger Wright
>>
>>
>>
>>
>

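An added example, not code from anyone in this thread or from Adobe: a PowerShell audit that checks the two things the discussion keeps returning to, which account the ColdFusion service logs on as (John's point about getting CF off the local service account) and whether that account or a broad group can write into the server's lib directory (Dean's "who allows someone to write to the lib dir anyway?"). The service-name pattern, the lib path, and the lists of privileged accounts and broad groups are assumptions to adjust for a given install.

```powershell
# Added example (not from this thread): audit which account a ColdFusion
# service runs under, and whether that account or a broad group can write to
# the server's lib directory. Service-name pattern, lib path, and the account
# and group lists are assumptions to adjust for a given install.
function Test-CfServiceExposure {
    param(
        [string]$ServicePattern = 'ColdFusion*',   # assumption: matches the CF service name/display name
        [string]$LibDir = 'C:\ColdFusion8\lib'     # assumption: lib directory of the CF install
    )

    # Built-in accounts that give a compromised CF process far more than it needs.
    $highPrivAccounts = @('LocalSystem', 'NT AUTHORITY\SYSTEM',
                          'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
    # Groups that should never hold write rights on the lib directory.
    $broadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Which account does each matching service log on as?
    $services = @(Get-CimInstance Win32_Service |
        Where-Object { $_.Name -like $ServicePattern -or $_.DisplayName -like $ServicePattern })
    if ($services.Count -eq 0) {
        Write-Warning "No service matching '$ServicePattern' found"
    }
    foreach ($svc in $services) {
        $findings.Add([pscustomobject]@{
            Check   = 'ServiceAccount'
            Subject = $svc.DisplayName
            Detail  = $svc.StartName
            Risk    = if ($highPrivAccounts -contains $svc.StartName) { 'HIGH: built-in privileged account' } else { 'ok' }
        })
    }

    # 2. Who can write into the lib directory? Every write-capable Allow ACE is
    #    reported; the CF service account itself or a broad group holding one is flagged.
    if (Test-Path -LiteralPath $LibDir) {
        $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                     [System.Security.AccessControl.FileSystemRights]::Modify -bor
                     [System.Security.AccessControl.FileSystemRights]::FullControl
        $serviceAccounts = @($services | ForEach-Object { $_.StartName })
        foreach ($ace in (Get-Acl -LiteralPath $LibDir).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }
            $who = $ace.IdentityReference.Value
            $risk = if ($broadGroups -contains $who) { 'HIGH: broad group can write' }
                    elseif ($serviceAccounts -contains $who) { 'HIGH: CF service account can write' }
                    else { 'review: write allowed' }
            $findings.Add([pscustomobject]@{
                Check   = 'LibDirWrite'
                Subject = $LibDir
                Detail  = "$who : $($ace.FileSystemRights)"
                Risk    = $risk
            })
        }
    } else {
        Write-Warning "Lib directory '$LibDir' not found"
    }
    return $findings
}

# Usage: run from an elevated PowerShell prompt on the CF host.
Test-CfServiceExposure | Format-Table -AutoSize
```

Any row marked HIGH is a place where the thread's layered approach breaks down: a service running as LocalSystem or a built-in service account means a code-execution bug in CF inherits those rights, and a service account or broad group that can write to lib means sandbox settings alone can be bypassed by dropping a class there. Both are fixed at the OS layer (a dedicated low-privilege service account and a lib ACL that grants it read and execute only), which is the "in addition to" that Charlie's message argues for.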