Cathy-

   I wrote the CFMX start script. I also wrote the install. I wrote all of the scripts 
located in /bin/coldfusion.

   If you do not want to define a shell for the nobody user, and as Solaris does *NOT* 
allow on the fly shell definition, you must run CFMX as something other than nobody 
with a validly defined shell.

   CFMX is written on top of JRun, therefore, we inherit its methodology to an 
extent. JRun requires you install, and run (therefore it must be a valid user account) 
JRun as the user you wish to run it as.

   As you have pointed out, this differs from CF5. This is because CFMX is not written 
on the CF6 codebase, and has negligible C components. 

   CF5 and previous revisions have a C binary, the launcher, which would read out the 
"run time user" you defined. It would then perform a start function as the root user, 
fork the process and perform an SUID "switching" to that defined user. 

   This was made possible because Tom J (the primary engineer) wrote the C binaries 
for launching implementing his own SUID system. 

   CFMX did not have that luxury, our goal was to utilize as little C code as humanly 
possible. We were also built on top of JRun. As we could not expect CF users to 
install and run as a given user like JRun requires, we did what you see now.

   Inside the script, for Unixes, we perform an su -u $user -c 'command' and on Linux, 
we define an "on the fly shell" which is only utilized for the running of that single 
command.

   Solaris does not *allow* the definition of a shell when you su to a given user. 
This was a severe problem with us, and the only way around it is to ensure the 
defined user has a predefined shell.

   While some will accuse this of being a security risk, the ColdFusion documentation states 
(or should) that you should run CFMX as a user OTHER than nobody; instead, you should 
create a user account specifically for CFMX. It has never been recommended that you 
run CF as the same user as the webserver; we chose nobody during the install as that 
provides the easiest method of installation.

   If Solaris changed su to allow for on the fly shell definition, then we can change 
the script, otherwise on Solaris the runtime user must have a valid shell.

-Jesse Noller
Macromedia
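The behaviour described above (plain `su user -c cmd` needing a usable login shell, Linux's `su -s` supplying one for a single command, and the Solaris case where only a dedicated runtime user with a real shell works) as an added example; this is not the CFMX start script, the passwd entries are constructed sample data, and the start command is an assumed placeholder.

```shell
#!/bin/sh
# Added example, not the CFMX start script. Given a user's passwd(4) line and
# the OS, work out how (or whether) "su" can run a service command as that user.
# Constructed sample entries: a nologin-style "nobody" and a dedicated runtime user.
NOBODY_ENTRY='nobody:x:60001:60001:Nobody:/:/usr/bin/false'
CFMX_ENTRY='cfmx:x:501:501:ColdFusion MX runtime user:/opt/cfmx:/bin/sh'

# Print the login-shell field (7th) of a passwd line.
shell_of_entry() {
    printf '%s\n' "$1" | awk -F: '{ print $7 }'
}

# Succeed (0) only if the shell field is a real interpreter. An empty field or a
# nologin-style program makes "su user -c cmd" fail, because su runs cmd via that shell.
shell_is_usable() {
    case "$1" in
        ""|*/nologin|*/false) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the su invocation that runs CMD as the user from ENTRY on OS ("Linux" or
# "SunOS"). Fails when no invocation works, which is the Solaris + nobody case.
su_invocation() {
    entry=$1; os=$2; cmd=$3
    user=${entry%%:*}
    shell=$(shell_of_entry "$entry")
    if shell_is_usable "$shell"; then
        printf "su %s -c '%s'\n" "$user" "$cmd"
    elif [ "$os" = Linux ]; then
        # Linux su accepts -s to supply a shell for this one command only.
        printf "su -s /bin/sh %s -c '%s'\n" "$user" "$cmd"
    else
        echo "$user has shell '$shell' on $os: no su form works; use a dedicated runtime user with a valid shell" >&2
        return 1
    fi
}

# Demo when run directly ("cfstart" is an assumed placeholder command).
su_invocation "$CFMX_ENTRY" SunOS cfstart
su_invocation "$NOBODY_ENTRY" Linux cfstart
su_invocation "$NOBODY_ENTRY" SunOS cfstart || echo "refusing to start as nobody on Solaris"
```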

-----Original Message-----
From: Cathy Taylor
To: CF-Talk
Sent: 10/10/2002 9:15 AM
Subject: Re: 2nd question - Run MX as nobody?

No, this is not a good enough answer. Nobody is *not supposed* to have a
shell and it worked just fine before CFMX. This is a security issue and I
feel should be investigated more fully before being written off in a pat
manner. I'm quite familiar with the script and how it works. I think this
has more to do with how it is doing the suid function.

Cathy Taylor

----- Original Message -----
From: "Jesse Noller" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, October 10, 2002 11:58 AM
Subject: RE: 2nd question - Run MX as nobody?


> Look in the coldfusion start script.
>
> The start script runs su -$user -c "command"
>
> On Linux, su gives you the option of defining a run-time shell. Solaris
> does not, therefore, the Solaris user you run CFMX as needs a valid
> shell.
>
> Jesse Noller
> [EMAIL PROTECTED]
> Macromedia Server Development
>
> "No concept man forms is valid unless he
> integrates it without contradiction into the
> sum of his knowledge."
> - Ayn Rand
>
> > -----Original Message-----
> > From: Thomas Chiverton [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, October 10, 2002 11:50 AM
> > To: CF-Talk
> > Subject: RE: 2nd question - Run MX as nobody?
> >
> > > You don't need to login as the cfuser, however, the CFuser needs
> > > a valid shell
> >
> > It does ? What for ?
> >
> > > as well as typical privs associated with it.
> >
> > I guess it depends what you mean by typical :-)
> > I wouldn't want my CFMX user to have read access to everything below
> > /home (some UNIXs set permissions by default that allow this) for
> > instance.
> >
> > Tom Chiverton
> > You don't have to be a mad scientist to believe in ColdFusion
> >
> >
> >
> >
> >
> 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm