Re: Determining CF8's UNIX Account
Robert, can you tell us if you had any luck changing the groups around like I suggested?

Thanks!

~Brad

~|
Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326058
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

RE: Determining CF8's UNIX Account
Robert, thanks for the additional info.

I think some flavors of Unix automatically create a group named the same as the user and set it as the user's primary group. I'm not sure why, but that might be why you have a bunch of groups named after users.

Can you try something for me? Change the owning group of that folder to the PRIMARY group for your foo user (use the GID in the /etc/passwd file), OR change the foo user's primary group to "beta".

According to Sun's docs, the group only applies for users who have that group as their primary group. "foo" user has "beta" group as a secondary group, but I think it is being ignored for file permissions since "foo" user's primary group is "foo" which doesn't have any ownership to that folder.

http://docs.sun.com/app/docs/doc/801-6628/6i108op89?l=zh_tw&a=view
"Setting Up Groups" Section
"Some applications, like the file system, look only at the user's primary group. For example, ownership of files accounting data reflect the primary group, not any secondary groups."

~Brad

---- Original Message ----
Subject: Re: Determining CF8's UNIX Account
From: Robert Nurse
Date: Thu, September 03, 2009 8:09 am
To: cf-talk

Ok, we start CF manually with the command: ./jrun -nohup -start -childVM foo

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325992

Re: Determining CF8's UNIX Account
Ok, we start CF manually with the command:

    ./jrun -nohup -start -childVM foo

ps -ef reports (under foo login):

    foo ... ./jrun -nohup -start -childVM foo

(here, foo is the name of the service)

Notice that there is a user account named "foo". Logging in as "foo", the groups command reports that user "foo" is in three groups: foo, alpha and beta. Notice that there is a group named "foo". The group "beta" has "rwx" access on the offending folder and the user "foo" is in the group "beta".

    drwxrwxr-x beta beta Jun 23 14:22 offending_folder

To further confuse things, there's a user account called "beta". Don't ask me why this was set up like this.

I had the application echo the target folder where it would write the uploaded file and it is exactly where it should be pointing: the offending folder. This is a local mount. We can access the file system from our Windows workstations via Samba/Windows Shares. The exact same code works fine on our test server. But, permissions/users/groups are somewhat different.

Just as a test, I changed the permissions on the offending folder from rwxrwxr-x to rwxrwxrwx and the app works just fine. We see the uploaded file in the directory listing. Therefore, whatever account CF is running under, it is not seen as owner or part of the accessible group with write permissions.

>Wait a minute now, Robert Nurse is the OP. I think Rick was just
>chiming in with his config...
>
>Robert said CF has been starting with a user called "foo" however he
>also said they have been starting CF manually as well. Robert, we need
>you to be more specific. Does the file write work when you start it
>manually? When you start CF manually, _how_ are you starting it? Like,
>what specifically do you run from the command line to start it. If
>you are running a bash script that has the "foo" user inside it then it
>is running under "foo". If you are directly invoking Jrun, then it is
>using your current user.
>
>Can you please grep the process list and find out. We can only make
>wild assumptions until then.
>
>And lest we get carried away on grepping and psing, can you back up a
>little and confirm that the directory you are trying to write in is
>actually the location you think you are using? If you are using expand
>path or a relative path, you may be actually pointing somewhere else and
>not be realizing it. Also, is this on a local mount? Writes to Samba
>shares to a file server introduce a new level of permission problems.
>
>Tell us, has this code ever worked, or did it just now stop working? I
>would step through the code and figure out if you are really writing
>where you think you are, and chmod the folder to 777 just to see and
>take small steps. You've got to systematically eliminate your problems.
> I still think there's a chance you might be pointed at the wrong
>directory if there is no exception being thrown.
>
>~Brad
>
> Yup, that's your issue. Either chmod -R 777 on the dir where you want
> to save files (maybe not so good) or change that line to
> RUNTIME_USER="foo" and you should be on your way!
> If you do change the RUNTIME_USER ensure your other dirs have correct
> permissions too or you will have bigger problems!
>
> > I am running Coldfusion 7 Standard under CentOS Linux
> >
> > This line is in /etc/init.d/coldfusionmx7
> >
> > RUNTIME_USER=""nobody""
> >
> > Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325974

RE: Determining CF8's UNIX Account
Wait a minute now, Robert Nurse is the OP. I think Rick was just chiming in with his config...

Robert said CF has been starting with a user called "foo" however he also said they have been starting CF manually as well. Robert, we need you to be more specific. Does the file write work when you start it manually? When you start CF manually, _how_ are you starting it? Like, what specifically do you run from the command line to start it. If you are running a bash script that has the "foo" user inside it then it is running under "foo". If you are directly invoking Jrun, then it is using your current user.

Can you please grep the process list and find out. We can only make wild assumptions until then.

And lest we get carried away on grepping and psing, can you back up a little and confirm that the directory you are trying to write in is actually the location you think you are using? If you are using expand path or a relative path, you may be actually pointing somewhere else and not be realizing it. Also, is this on a local mount? Writes to Samba shares to a file server introduce a new level of permission problems.

Tell us, has this code ever worked, or did it just now stop working? I would step through the code and figure out if you are really writing where you think you are, and chmod the folder to 777 just to see and take small steps. You've got to systematically eliminate your problems. I still think there's a chance you might be pointed at the wrong directory if there is no exception being thrown.

~Brad

---- Original Message ----
Subject: Re: Determining CF8's UNIX Account
From: Maureen Barger
Date: Wed, September 02, 2009 7:17 pm
To: cf-talk

Yup, that's your issue. Either chmod -R 777 on the dir where you want to save files (maybe not so good) or change that line to RUNTIME_USER="foo" and you should be on your way!
If you do change the RUNTIME_USER ensure your other dirs have correct permissions too or you will have bigger problems!

On Wed, Sep 2, 2009 at 19:59, Rick Root wrote:
>
> I am running Coldfusion 7 Standard under CentOS Linux
>
> This line is in /etc/init.d/coldfusionmx7
>
> RUNTIME_USER=""nobody""
>
> Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325970

Re: Determining CF8's UNIX Account
Yup, that's your issue. Either chmod -R 777 on the dir where you want to save files (maybe not so good) or change that line to RUNTIME_USER="foo" and you should be on your way!
If you do change the RUNTIME_USER ensure your other dirs have correct permissions too or you will have bigger problems!

On Wed, Sep 2, 2009 at 19:59, Rick Root wrote:
>
> I am running Coldfusion 7 Standard under CentOS Linux
>
> This line is in /etc/init.d/coldfusionmx7
>
> RUNTIME_USER=""nobody""
>
> Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325967

Re: Determining CF8's UNIX Account
I am running Coldfusion 7 Standard under CentOS Linux

This line is in /etc/init.d/coldfusionmx7

    RUNTIME_USER=""nobody""

Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325965

Re: Determining CF8's UNIX Account
You said you are running CF under jRun - have you implemented sandbox security as well? If so you may have to check permissions for that directory.

If you have been starting it manually, ensure you are starting it under the correct user. Have you grepped for the process yet? (Someone already documented that for you. ps -ef | grep {process} or you could even ps -ef | grep foo)

Also do your logs say anything? I would check stderr.log or what ever you have defined.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325963

Re: Determining CF8's UNIX Account
We're running CF under SunOS. I'd have to check tomorrow to see if there is a start-up script. But, we've been starting it manually. I understand about permissions and umask and all somewhat. That's why I assumed it was some kind of permissions issue.

One question though. The user account that starts CF is called, e.g., "foo". foo was placed in a group named "cfuser". The group "cfuser" has rwx permissions on that troublesome folder. There's also a user account that owns the troublesome folder. Its name is, oddly enough, "cfuser". So, if user "foo" is in the group "cfuser" and the group "cfuser" has rwx access on that folder, why can't files be uploaded there? Could there be some sort of confusion having the group and owner name the same? That's my guess.

    drwxrwxr-x cfuser cfuser folderInQuestion

> > I checked the /etc/init.d folder and didn't see anything for CF8
> > startup.
>
> My server is Open SuSE. Startup scripts can vary from distro to distro.
>
> Just use the PS command and look for the CF process. That will tell you
> how it is running under. Did you install CF on this server? I believe
> the default user for Linux used to be "nobody".
>
> > Is there an XML file under the Jrun4 install that might contain the
> > user account I'm after?
>
> I doubt it. Jrun has nothing to do with the user running the process.
>
> That's like looking in "Program Files" under windows to find out what a
> service is running as.
>
> Do you understand how users and groups work in Linux? What group owns
> the file in question? Also, are you trying to create a new file or just
> modify an existing one? Creation of files uses the permissions at the
> folder level above you.
> Once you find the user CF is running as, look and see what groups that
> user is in. On my distro /etc/passwd has all the users and their
> primary group, and /etc/group has all the groups and what users are in
> them.
>
> If you have root access, you can try chmodding the directory that isn't
> working as a test.
>
> These are the questions you need to be able to answer to solve your
> riddle:
>
> What user owns the file/folder in question?
> What group owns the file/folder in question?
> What are the user/group/others permissions on that file/folder
> What user is CF running as?
> What groups is that user in?
>
> Also, another factor to consider if creating files:
> What is the default UMASK for the user CF is running as?
>
> ~Brad

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325962

Re: Determining CF8's UNIX Account
How are you starting CF on your server? Are you using the supplied startup scripts (multiserver startup script has a bug in it) or are you starting it manually?

If you're starting it using the script, then the user is specified in the script. If you start it manually, e.g. ./jrun -start myinstance, then it'll use whichever user account you are currently logged in as.

Andy

2009/9/2 Robert Nurse :
>
> Hi All,
>
> Does anyone know how to determine the UNIX account under which CF8 is
> running? We're using CFFILE to upload files to the server. The code runs
> fine on the test server (of course). But, not production. I placed a
> right after the command so I could
> check the file system to make sure the file was actually being uploaded.
> But, it's not: cffile.filesaved is NO. This sounds like some kind of
> permissions problem. I have an idea what the account name is. But, I need
> to verify it.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325959

RE: Determining CF8's UNIX Account
> I checked the /etc/init.d folder and didn't see anything for CF8 startup.

My server is Open SuSE. Startup scripts can vary from distro to distro.

Just use the PS command and look for the CF process. That will tell you how it is running under. Did you install CF on this server? I believe the default user for Linux used to be "nobody".

> Is there an XML file under the Jrun4 install that might contain the user
> account I'm after?

I doubt it. Jrun has nothing to do with the user running the process.

That's like looking in "Program Files" under windows to find out what a service is running as.

Do you understand how users and groups work in Linux? What group owns the file in question? Also, are you trying to create a new file or just modify an existing one? Creation of files uses the permissions at the folder level above you.
Once you find the user CF is running as, look and see what groups that user is in. On my distro /etc/passwd has all the users and their primary group, and /etc/group has all the groups and what users are in them.

If you have root access, you can try chmodding the directory that isn't working as a test.

These are the questions you need to be able to answer to solve your riddle:

What user owns the file/folder in question?
What group owns the file/folder in question?
What are the user/group/others permissions on that file/folder
What user is CF running as?
What groups is that user in?

Also, another factor to consider if creating files:
What is the default UMASK for the user CF is running as?

~Brad

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325953

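Added example, not part of the thread: a shell sketch of the checklist in the message above, for Linux. It reads the credentials the running process actually holds from /proc and applies the owner, then group, then other order to the directory's mode. The function names, the numeric IDs in the sample call, and the reliance on /proc and `stat -c` (GNU coreutils or BusyBox) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Linux /proc and `stat -c`.
# Function names and the numeric IDs in the sample call are constructed.

# perm_class UID "GID ..." DIR_UID DIR_GID OCTAL_MODE
# Prints "<class> <yes|no>": which permission triplet applies and whether it
# grants w+x, which creating a file in a directory requires.
# Only the first matching class counts. POSIX ACLs are not considered.
perm_class() (
    uid=$1 gids=$2 d_uid=$3 d_gid=$4 mode=$5
    # uid 0 normally bypasses the mode bits entirely.
    if [ "$uid" = 0 ]; then echo "root yes"; exit 0; fi
    class=other sh_bits=0
    if [ "$uid" = "$d_uid" ]; then
        class=owner sh_bits=6
    else
        for g in $gids; do
            if [ "$g" = "$d_gid" ]; then class=group sh_bits=3; break; fi
        done
    fi
    # Leading 0 makes the shell read the mode as octal.
    bits=$(( (0$mode >> $sh_bits) & 7 ))
    if [ $(( bits & 3 )) -eq 3 ]; then echo "$class yes"; else echo "$class no"; fi
)

# proc_creds PID
# Prints "FSUID FSGID SUPP_GID ..." as held by the live process. These can
# differ from /etc/group if the process was started before the account's
# group membership changed.
proc_creds() {
    [ -r "/proc/$1/status" ] || return 1
    awk '/^Uid:/    { uid = $5 }
         /^Gid:/    { gid = $5 }
         /^Groups:/ { $1 = ""; supp = $0 }
         END        { print uid, gid supp }' "/proc/$1/status"
}

# can_create PID DIR
# Combines the two: can this running process create a file in DIR?
can_create() (
    pid=$1 dir=$2
    creds=$(proc_creds "$pid") || { echo "cannot read /proc/$pid/status" >&2; exit 1; }
    meta=$(stat -c '%u %g %a' "$dir") || exit 1
    set -- $meta
    perm_class "${creds%% *}" "${creds#* }" "$1" "$2" "$3"
)

# Constructed sample: process uid 1001 holding groups 1001, 200 and 300;
# directory owned by uid 1002, group 300, mode 775.
perm_class 1001 "1001 200 300" 1002 300 775
# Live use, with placeholders for the process ID and the upload directory:
#   can_create <pid-of-jrun> /path/to/upload_dir
```

An "other no" result for a 775 directory means the process holds neither the owning uid nor the owning gid, so the fix is to the process account or the directory's group rather than to the mode.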
Re: Determining CF8's UNIX Account
Oh, I checked what CFFILE reported. It said the file was not saved.

>This doesn't answer your question, but don't just abort,
>
> too
>
>Rick
>
>--
>Rick Root
>CFFM - Open Source Coldfusion File Manager
>http://www.opensourcecf.com/cffm

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325949

Re: Determining CF8's UNIX Account
I thought the same thing about an exception being thrown. I tried a little experiment. One of the folders the application can write to has 777 access. The one having the problem has 775 access. When I attempted to upload to the former, there was no problem. That tells me that the account under which CF8 runs is not the owner of that folder. Nor is it in the group that has the necessary access.

I checked the /etc/init.d folder and didn't see anything for CF8 startup. I'm not very UNIX-savvy. So, please bear with me. Is there an XML file under the Jrun4 install that might contain the user account I'm after?

>If permissions were denied, an exception should have been thrown. Run
>the ps command to find the ColdFusion process and see who its owner is:
>ps -A -F | grep cfmx7 (replace "cfmx7" with whatever the process name
>is on your server/version)
>
>Also, the startup script that starts ColdFusion
>(/etc/init.d/coldfusionmx7 on my CF7 server) will have a line in it like
>so at the top:
>RUNTIME_USER=""nobody""
>and it uses that variable below in an SU command to actually start the
>service:
>CFSTART='su -s /bin/sh $RUNTIME_USER -c "export
>PATH=$PATH:$CF_DIR/runtime/bin; etc ...
>
>The value RUNTIME_USER var in the bash script is the user that the CF
>service is "run as".
>
>~Brad
>
> Hi All,
>
> Does anyone know how to determine the UNIX account under which CF8 is
>running? We're using CFFILE to upload files to the server. The code runs
>fine on the test server (of course). But, not production. I placed a
> right after the command so I could
>check the file system to make sure the file was actually being uploaded.
>But, it's not: cffile.filesaved is NO. This sounds like some kind of
>permissions problem. I have an idea what the account name is. But, I
>need to verify it.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325947

Re: Determining CF8's UNIX Account
This doesn't answer your question, but don't just abort, too

Rick

--
Rick Root
CFFM - Open Source Coldfusion File Manager
http://www.opensourcecf.com/cffm

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325946

RE: Determining CF8's UNIX Account
If permissions were denied, an exception should have been thrown. Run the ps command to find the ColdFusion process and see who its owner is:

    ps -A -F | grep cfmx7

(replace "cfmx7" with whatever the process name is on your server/version)

Also, the startup script that starts ColdFusion (/etc/init.d/coldfusionmx7 on my CF7 server) will have a line in it like so at the top:

    RUNTIME_USER=""nobody""

and it uses that variable below in an SU command to actually start the service:

    CFSTART='su -s /bin/sh $RUNTIME_USER -c "export PATH=$PATH:$CF_DIR/runtime/bin; etc ...

The value RUNTIME_USER var in the bash script is the user that the CF service is "run as".

~Brad

---- Original Message ----
Subject: Determining CF8's UNIX Account
From: Robert Nurse
Date: Wed, September 02, 2009 12:52 pm
To: cf-talk

Hi All,

Does anyone know how to determine the UNIX account under which CF8 is running? We're using CFFILE to upload files to the server. The code runs fine on the test server (of course). But, not production. I placed a right after the command so I could check the file system to make sure the file was actually being uploaded. But, it's not: cffile.filesaved is NO. This sounds like some kind of permissions problem. I have an idea what the account name is. But, I need to verify it.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325944

Re: Determining CF8's UNIX Account
> Does anyone know how to determine the UNIX account under
> which CF8 is running?

I have only done it for windows. But you might check the system properties and environment variables.

http://java.sun.com/docs/books/tutorial/essential/environment/env.html
http://cfsearching.blogspot.com/2008/01/determining-coldfusions-class-path-and.html

-Leigh

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325943