Cathy- I do recommend trying the noshell option. This was not written off as a non-issue, it was not feasible for us to write more C code binaries, and we were not left pleasant options.
I will discuss this matter internally once I am over this flu-bug, and I will see what we can do. Our only real option is to either write a new C-launcher binary (not good, very bad, severe change in CFMX) or enforce the JRun method of installation (Not a good user experience) it is a loose-loose situation on our part. I will see what I can do, and will explore the options internally. -Jesse Noller Macromedia -----Original Message----- From: Cathy Taylor To: CF-Talk Sent: 10/10/2002 9:26 AM Subject: Re: 2nd question - Run MX as nobody? - Solution This is not an option. I don't know how many times I have to say that. We have been using ColdFusion for years and have systems in place on it. We're forward thinking and trying to get rid of our legacy applications, not create new ones. It will not be an option for us to move forward unless CFMX can be run as nobody. Part of our security hardening procedure on production servers is to allow *no* user accounts other than administrators. None of our production software runs as a user other than nobody. We have *never* had a problem with that. I cannot just change the rules - they are dictated by a federal governing body (and I would lose my job and worse if I did). We took this problem to SUN to cover our bases as well and here was their response, backing up my security issue here: "Following up on this case regarding locking down a solaris system via the login shell. My understanding is one of your 3rd party plugins (coldfusion) must implement a valid shell for the user nobody, who normally does not have any shell assigned for obvious reasons. I dont know if I agree with the fact that coldfusion actually requires a shell since it is a security hole but thats another ballgame. Does coldfusion actually require a user to login? If not, I would highly recommend using the noshell program which is much more secure than say /bin/false. This shell wont let the user actually login but it is a valid shell. You can get this right off of: "http://www.cert.org/security-improvement/implementations/i049.02.html "This site gives step by step instructions for using the noshell program, which is very straight forward and takes no more than 10 minutes. If coldfusion actually requires a login than their will be no choice but to assign a valid shell (ie. /bin/csh) to the user nobody and lock the system down appropriately (ie. specify NP in the /etc/shadow file or what not). A valid shell always leave a system open to hacker attacks so I would suggest reviewing the following security faq which tells you pretty much everything you need to know on how to secure the system: "http://muse.linuxmafia.org/lost+found/solaris-security-faq.html#Q3.10 "I hope this helps. "Best Regards," I will look into the noshell option to see if it works and is feasible, but I am highly disappointed that this was written off as a seemingly non-issue when it in fact is a huge issue. Cathy Taylor ----- Original Message ----- From: "Jesse Noller" <[EMAIL PROTECTED]> To: "CF-Talk" <[EMAIL PROTECTED]> Sent: Thursday, October 10, 2002 12:00 PM Subject: RE: 2nd question - Run MX as nobody? - Solution > Cathy- > > Do *not* run coldfusion as the nobody user then. CFMX requires the user it runs as have a valid shell on solaris as solaris SU does not allow for on the fly shell definition to run a given command. > > CF5 bypassed this by having an internal SUID system. CFMX does not. > > Jesse Noller > [EMAIL PROTECTED] > Macromedia Server Development > > > -----Original Message----- > > From: Cathy Taylor [mailto:[EMAIL PROTECTED]] > > Sent: Thursday, October 10, 2002 11:48 AM > > To: CF-Talk > > Subject: RE: 2nd question - Run MX as nobody? - Solution > > > > No, that's not a viable solution. I cannot give 'nobody' a shell. That > > defeats the purpose of nobody. > > > > I posted in the forum (hey Troy, that was probably me!) and am not > > receiving a response and have also submitted a bug report. I have narrowed > > it down to this: > > > > CFMX will run as nobody if no shell is specified (nothing at the end of > > the line in /etc/passwd). It will not run if /dev/null or /bin/false is > > specified as the shell. The gov't agency I work for has strict > > requirements that one of the above be specified. This worked for for CF > > 4.5 and 5.0. It suddenly does not work with CFMX. (It also works for all > > web servers we have run and currently run, so should not be a major issue). > > > > Glad to hear I'm not the only one. I'm kind of bummed I haven't received > > any reply from Macromedia though to at least confirm my suspicion and say, > > "Hey, we'll get right on that!". We're at a standstill until it's resolved. > > > > Thanks for the feedback! I seem to miss some using the digest and will try > > to pay more attention! > > > > Cathy > > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm
