Re: 2nd question - Run MX as nobody? - Solution
Hi Jesse,

Not to be annoying :-), but any update on internal talks about this?

Thanks!
Cathy

----- Original Message -----
From: "Jesse Noller" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, October 10, 2002 1:14 PM
Subject: RE: 2nd question - Run MX as nobody? - Solution

> Cathy-
>
> I do recommend trying the noshell option. This was not written off as a non-issue, it was not feasible for us to write more C code binaries, and we were not left pleasant options.
>
> I will discuss this matter internally once I am over this flu-bug, and I will see what we can do. Our only real option is to either write a new C-launcher binary (not good, very bad, severe change in CFMX) or enforce the JRun method of installation (Not a good user experience) it is a lose-lose situation on our part.
>
> I will see what I can do, and will explore the options internally.
>
> -Jesse Noller
> Macromedia
>
> -----Original Message-----
> From: Cathy Taylor
> To: CF-Talk
> Sent: 10/10/2002 9:26 AM
> Subject: Re: 2nd question - Run MX as nobody? - Solution
>
> This is not an option. I don't know how many times I have to say that. We have been using ColdFusion for years and have systems in place on it. We're forward thinking and trying to get rid of our legacy applications, not create new ones. It will not be an option for us to move forward unless CFMX can be run as nobody.
>
> Part of our security hardening procedure on production servers is to allow *no* user accounts other than administrators. None of our production software runs as a user other than nobody. We have *never* had a problem with that. I cannot just change the rules - they are dictated by a federal governing body (and I would lose my job and worse if I did).
>
> We took this problem to SUN to cover our bases as well and here was their response, backing up my security issue here:
>
> "Following up on this case regarding locking down a solaris system via the login shell. My understanding is one of your 3rd party plugins (coldfusion) must implement a valid shell for the user nobody, who normally does not have any shell assigned for obvious reasons. I don't know if I agree with the fact that coldfusion actually requires a shell since it is a security hole but that's another ballgame. Does coldfusion actually require a user to login? If not, I would highly recommend using the noshell program which is much more secure than say /bin/false. This shell won't let the user actually login but it is a valid shell. You can get this right off of:
>
> "http://www.cert.org/security-improvement/implementations/i049.02.html
>
> "This site gives step by step instructions for using the noshell program, which is very straightforward and takes no more than 10 minutes. If coldfusion actually requires a login then there will be no choice but to assign a valid shell (ie. /bin/csh) to the user nobody and lock the system down appropriately (ie. specify NP in the /etc/shadow file or what not). A valid shell always leaves a system open to hacker attacks so I would suggest reviewing the following security faq which tells you pretty much everything you need to know on how to secure the system:
>
> "http://muse.linuxmafia.org/lost+found/solaris-security-faq.html#Q3.10
>
> "I hope this helps.
>
> "Best Regards,"
>
> I will look into the noshell option to see if it works and is feasible, but I am highly disappointed that this was written off as a seemingly non-issue when it in fact is a huge issue.
>
> Cathy Taylor
>
> ----- Original Message -----
> From: "Jesse Noller" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Thursday, October 10, 2002 12:00 PM
> Subject: RE: 2nd question - Run MX as nobody? - Solution
>
> > Cathy-
> >
> > Do *not* run coldfusion as the nobody user then. CFMX requires the user it runs as have a valid shell on solaris as solaris SU does not allow for on the fly shell definition to run a given command.
> >
> > CF5 bypassed this by having an internal SUID system. CFMX does not.
> >
> > Jesse Noller
> > [EMAIL PROTECTED]
> > Macromedia Server Development
> >
> > > -----Original Message-----
> > > From: Cathy Taylor [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, October 10, 2002 11:48 AM
> > > To: CF-Talk
> > > Subject: RE: 2nd question - Run MX as nobody? - Solution
> > >
> > > No, that's not a viable solution. I cannot give 'nobody' a shell. That
> > > defeats the purpose of nobod
RE: 2nd question - Run MX as nobody?
> > Inside the script, for Unixes, we perform an su -u $user -c
>
> Isn't that 'install and run as a given user', which I thought you said you
> didn't want to do ?

No. That's install as root, start as root, and as root when Su'ing to a given user with less than root privs. This means that when you execute the script the command syntax is:

    Root: execute script
    Root: run command su $RUNTIME_USER -s /bin/sh -c "COMMAND"

After that, the process is started as $RUNTIME_USER and root "exits" because we used nohup to fork off as a daemon.

However... Solaris *DOES NOT* support "-s /bin/sh" when running su. Therefore, the command executed looks like:

    su $RUNTIME_USER -c "COMMAND"

Therefore, the user needs a shell. The difference between this, and the JRun scenario is that I would need to login and install JRun as the NOBODY user, and start it manually as NOBODY. I don't get a script that attempts to bypass it.

> Uh huh, and so it must run with the priv's of the Jrun user, which should
> have as little permissions as possible ? Why does Jrun require a shell is
> the next question I guess... ..

See above.

> It is. The correct method is to start as a privileged user, bind to port 80
> (or whatever), then drop priv's and fork 'nobody' children. This is how sshd
> works, for instance.
> If Jrun does not behave like this, and so coldfusion does not behave like
> this, then fine, we should go shout at the Jrun people :-)
>

Yeah, SSHD, Apache, everyone else is also written in C++ and run SUID. Re-read my previous posts on why this was not an option.

> Which sounds like a sane plan. It's just some people have got this very
> tight requirement.
> I suppose they could just create an account that was functionally equivalent
> to not having an account, demonstrate that, and use that account maybe ?

Yes, they have a tight requirement. I am examining the situation.

> (to all) What about using sudo instead ?
> We're only running MX on an IIS test bed, atm, otherwise I'd go and thrash
> it myself :-)

SUDO has the same problem. We can't have the script prompt for a password, and the command STILL needs a valid target shell to run. You *NEED* a shell to run a command.

-Jesse Noller
Macromedia

Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting.
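The launch logic Jesse describes above, modelled as a small POSIX shell check; this is an added example, not Macromedia's start script or code from the thread. The account entries are constructed, `cfmx`, `nobody2` and `devnull` are hypothetical users, and the failure case follows the behaviour reported in the thread (`/bin/false` or `/dev/null` as the shell, su without `-s`).

```shell
#!/bin/sh
# Added example: models the launch decision described in the thread.
# All account data below is constructed; "cfmx", "nobody2" and "devnull"
# are hypothetical accounts used only to cover each shell-field case.

SAMPLE_PASSWD='root:x:0:0:Super-User:/:/sbin/sh
nobody:x:60001:60001:Nobody:/:/bin/false
nobody2:x:60002:60002:Empty shell field:/:
devnull:x:60003:60003:Shell is /dev/null:/:/dev/null
cfmx:x:1001:1001:CFMX runtime user:/opt/coldfusionmx:/bin/sh'

# passwd_data: emit passwd-format lines. Set PASSWD_FILE=/etc/passwd to
# check a real host; otherwise the constructed sample is used.
passwd_data() {
    if [ -n "${PASSWD_FILE:-}" ]; then
        cat "$PASSWD_FILE"
    else
        printf '%s\n' "$SAMPLE_PASSWD"
    fi
}

# shell_field USER: print the login-shell (7th) field; status 1 if no such user.
shell_field() {
    passwd_data | awk -F: -v u="$1" '
        $1 == u { print $7; found = 1; exit }
        END     { exit(found ? 0 : 1) }'
}

# classify_shell FIELD: what a plain "su USER -c CMD" has to work with.
#   default = empty field, the system default shell is used
#   blocked = entries the thread reports as failing (/bin/false, /dev/null)
#   other   = some other program is named; assumed here to be a real shell
classify_shell() {
    case "$1" in
        '')                                  echo default ;;
        /bin/false|/usr/bin/false|/dev/null) echo blocked ;;
        *)                                   echo other ;;
    esac
}

# launch_plan OS USER: print the su prefix a root-owned start script can use,
# or a FAIL line (status 1). OS is the output of `uname -s`.
launch_plan() {
    os=$1
    user=$2
    field=$(shell_field "$user") || { echo "FAIL: no such user: $user"; return 1; }
    if [ "$os" = Linux ]; then
        # Linux su accepts -s, so the account's own shell field is bypassed.
        echo "su $user -s /bin/sh -c"
        return 0
    fi
    if [ "$(classify_shell "$field")" = blocked ]; then
        echo "FAIL: $user has shell $field and su on $os takes no -s"
        return 1
    fi
    echo "su $user -c"
}

# Show both platforms side by side for every sample account.
for u in nobody nobody2 devnull cfmx; do
    printf '%-8s Linux: %-26s SunOS: %s\n' \
        "$u" "$(launch_plan Linux "$u")" "$(launch_plan SunOS "$u")"
done
```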
Re: 2nd question - Run MX as nobody? - Solution
back, the web server wouldn't start until CF was happy. That seems like it just added another level of fault possibility to my web server which supports applications that do not run on CF in addition to the CF ones.

Cathy

----- Original Message -----
From: "Jesse Noller" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, October 10, 2002 1:14 PM
Subject: RE: 2nd question - Run MX as nobody? - Solution

> Cathy-
>
> I do recommend trying the noshell option. This was not written off as a non-issue, it was not feasible for us to write more C code binaries, and we were not left pleasant options.
>
> I will discuss this matter internally once I am over this flu-bug, and I will see what we can do. Our only real option is to either write a new C-launcher binary (not good, very bad, severe change in CFMX) or enforce the JRun method of installation (Not a good user experience) it is a lose-lose situation on our part.
>
> I will see what I can do, and will explore the options internally.
>
> -Jesse Noller
> Macromedia
>
> -----Original Message-----
> From: Cathy Taylor
> To: CF-Talk
> Sent: 10/10/2002 9:26 AM
> Subject: Re: 2nd question - Run MX as nobody? - Solution
>
> This is not an option. I don't know how many times I have to say that. We have been using ColdFusion for years and have systems in place on it. We're forward thinking and trying to get rid of our legacy applications, not create new ones. It will not be an option for us to move forward unless CFMX can be run as nobody.
>
> Part of our security hardening procedure on production servers is to allow *no* user accounts other than administrators. None of our production software runs as a user other than nobody. We have *never* had a problem with that. I cannot just change the rules - they are dictated by a federal governing body (and I would lose my job and worse if I did).
>
> We took this problem to SUN to cover our bases as well and here was their response, backing up my security issue here:
>
> "Following up on this case regarding locking down a solaris system via the login shell. My understanding is one of your 3rd party plugins (coldfusion) must implement a valid shell for the user nobody, who normally does not have any shell assigned for obvious reasons. I don't know if I agree with the fact that coldfusion actually requires a shell since it is a security hole but that's another ballgame. Does coldfusion actually require a user to login? If not, I would highly recommend using the noshell program which is much more secure than say /bin/false. This shell won't let the user actually login but it is a valid shell. You can get this right off of:
>
> "http://www.cert.org/security-improvement/implementations/i049.02.html
>
> "This site gives step by step instructions for using the noshell program, which is very straightforward and takes no more than 10 minutes. If coldfusion actually requires a login then there will be no choice but to assign a valid shell (ie. /bin/csh) to the user nobody and lock the system down appropriately (ie. specify NP in the /etc/shadow file or what not). A valid shell always leaves a system open to hacker attacks so I would suggest reviewing the following security faq which tells you pretty much everything you need to know on how to secure the system:
>
> "http://muse.linuxmafia.org/lost+found/solaris-security-faq.html#Q3.10
>
> "I hope this helps.
>
> "Best Regards,"
>
> I will look into the noshell option to see if it works and is feasible, but I am highly disappointed that this was written off as a seemingly non-issue when it in fact is a huge issue.
>
> Cathy Taylor
>
> ----- Original Message -----
> From: "Jesse Noller" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Thursday, October 10, 2002 12:00 PM
> Subject: RE: 2nd question - Run MX as nobody? - Solution
>
> > Cathy-
> >
> > Do *not* run coldfusion as the nobody user then. CFMX requires the user it runs as have a valid shell on solaris as solaris SU does not allow for on the fly shell definition to run a given command.
> >
> > CF5 bypassed this by having an internal SUID system. CFMX does not.
> >
> > Jesse Noller
> > [EMAIL PROTECTED]
> > Macromedia Server Development
> >
> > > -----Original Message-----
> > > From: Cathy Taylor [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, October 10, 2002 11:48 AM
> > > To: CF-Talk
> > > Subject: RE: 2nd question - Run MX as nobody? - Solution
> > >
> > > No
RE: 2nd question - Run MX as nobody?
See other assorted emails. It's because solaris su does not allow on the fly shell definition for command execution

-----Original Message-----
From: Troy Simpson
To: CF-Talk
Sent: 10/10/2002 9:42 AM
Subject: Re: 2nd question - Run MX as nobody?

Jesse,

Why does the CFMX daemon require a user account with a shell?

Thanks,
Troy

Jesse Noller wrote:

> You don't need to login as the cfuser, however, the CFuser needs a valid shell as well as typical privs associated with it.
>
> Jesse Noller
> [EMAIL PROTECTED]
> Macromedia Server Development
>
> "No concept man forms is valid unless he
> integrates it without contradiction into the
> sum of his knowledge."
> - Ayn Rand
>
> > -----Original Message-----
> > From: Thomas Chiverton [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, October 10, 2002 11:24 AM
> > To: CF-Talk
> > Subject: RE: 2nd question - Run MX as nobody?
> >
> > > Make the cfmx user with privs to access the webserver document
> > > directory, otherwise, it is a normal user account.
> >
> > !
> >
> > Why would you ever need to login as the user CF runs as ?
> > Why does it need to be a member of the groups most users are part of
> > (usually 'users' by default) ?
> >
> > Tom Chiverton
> > You don't have to be a mad scientist to believe in ColdFusion
RE: 2nd question - Run MX as nobody? - Solution
Cathy-

I do recommend trying the noshell option. This was not written off as a non-issue, it was not feasible for us to write more C code binaries, and we were not left pleasant options.

I will discuss this matter internally once I am over this flu-bug, and I will see what we can do. Our only real option is to either write a new C-launcher binary (not good, very bad, severe change in CFMX) or enforce the JRun method of installation (Not a good user experience) it is a lose-lose situation on our part.

I will see what I can do, and will explore the options internally.

-Jesse Noller
Macromedia

-----Original Message-----
From: Cathy Taylor
To: CF-Talk
Sent: 10/10/2002 9:26 AM
Subject: Re: 2nd question - Run MX as nobody? - Solution

This is not an option. I don't know how many times I have to say that. We have been using ColdFusion for years and have systems in place on it. We're forward thinking and trying to get rid of our legacy applications, not create new ones. It will not be an option for us to move forward unless CFMX can be run as nobody.

Part of our security hardening procedure on production servers is to allow *no* user accounts other than administrators. None of our production software runs as a user other than nobody. We have *never* had a problem with that. I cannot just change the rules - they are dictated by a federal governing body (and I would lose my job and worse if I did).

We took this problem to SUN to cover our bases as well and here was their response, backing up my security issue here:

"Following up on this case regarding locking down a solaris system via the login shell. My understanding is one of your 3rd party plugins (coldfusion) must implement a valid shell for the user nobody, who normally does not have any shell assigned for obvious reasons. I don't know if I agree with the fact that coldfusion actually requires a shell since it is a security hole but that's another ballgame. Does coldfusion actually require a user to login? If not, I would highly recommend using the noshell program which is much more secure than say /bin/false. This shell won't let the user actually login but it is a valid shell. You can get this right off of:

"http://www.cert.org/security-improvement/implementations/i049.02.html

"This site gives step by step instructions for using the noshell program, which is very straightforward and takes no more than 10 minutes. If coldfusion actually requires a login then there will be no choice but to assign a valid shell (ie. /bin/csh) to the user nobody and lock the system down appropriately (ie. specify NP in the /etc/shadow file or what not). A valid shell always leaves a system open to hacker attacks so I would suggest reviewing the following security faq which tells you pretty much everything you need to know on how to secure the system:

"http://muse.linuxmafia.org/lost+found/solaris-security-faq.html#Q3.10

"I hope this helps.

"Best Regards,"

I will look into the noshell option to see if it works and is feasible, but I am highly disappointed that this was written off as a seemingly non-issue when it in fact is a huge issue.

Cathy Taylor

----- Original Message -----
From: "Jesse Noller" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, October 10, 2002 12:00 PM
Subject: RE: 2nd question - Run MX as nobody? - Solution

> Cathy-
>
> Do *not* run coldfusion as the nobody user then. CFMX requires the user it runs as have a valid shell on solaris as solaris SU does not allow for on the fly shell definition to run a given command.
>
> CF5 bypassed this by having an internal SUID system. CFMX does not.
>
> Jesse Noller
> [EMAIL PROTECTED]
> Macromedia Server Development
>
> > -----Original Message-----
> > From: Cathy Taylor [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, October 10, 2002 11:48 AM
> > To: CF-Talk
> > Subject: RE: 2nd question - Run MX as nobody? - Solution
> >
> > No, that's not a viable solution. I cannot give 'nobody' a shell. That
> > defeats the purpose of nobody.
> >
> > I posted in the forum (hey Troy, that was probably me!) and am not
> > receiving a response and have also submitted a bug report. I have narrowed
> > it down to this:
> >
> > CFMX will run as nobody if no shell is specified (nothing at the end of
> > the line in /etc/passwd). It will not run if /dev/null or /bin/false is
> > specified as the shell. The gov't agency I work for has strict
> > requirements that one of the above be specified. This worked for CF
> > 4.5 and 5.0. It suddenly does not work with CFMX. (It also works for all
> > web servers we have run and currently run, so should not be a major issue).
> >
> > Glad to hear I'm not the only one. I'm kind
RE: 2nd question - Run MX as nobody?
Cathy-

I wrote the CFMX start script. I also wrote the install. I wrote all of the scripts located in /bin/coldfusion. If you do not want to define a shell for the nobody user, and as solaris does *NOT* allow on the fly shell definition, you must run CFMX as something other than nobody with a validly defined shell.

CFMX is written on top of JRun, therefore, we inherit its methodology to an extent. JRun requires you install, and run (therefore it must be a valid user account) JRun as the user you wish to run it as.

As you have pointed out, this differs from CF5. This is because CFMX is not written on the CF6 codebase, and has negligible C components. CF5 and previous revisions has a C binary, the launcher, which would read out the "run time user" you defined. It would then perform a start function as the root user, fork the process and perform an SUID "switching" to that defined user. This was made possible because Tom J (the primary engineer) wrote the C binaries for launching implementing his own SUID system.

CFMX did not have that luxury, our goal was to utilize as little C code as humanly possible. We were also built on top of JRun. As we could not expect CF users to install and run as a given user like JRun requires, we did what you see now.

Inside the script, for Unixes, we perform an su -u $user -c 'command' and on Linux, we define an "on the fly shell" which is only utilized for the running of that single command. Solaris does not *allow* the definition of a shell when you su to a given user. This was a severe problem with us, and the only way around it is to ensure the defined user has a predefined shell.

While some will accuse this as a security risk, the coldfusion documentation states (or should) that you should run CFMX as a user OTHER than nobody, instead, you should create a user account specifically for CFMX. It has never been recommended that you run CF as the same user as the webserver, we choose nobody during the install as that provides the easiest method of installation.

If solaris changed SU to allow for on the fly shell definition, then we can change the script, otherwise on solaris the runtime user must have a valid shell.

-Jesse Noller
Macromedia

-----Original Message-----
From: Cathy Taylor
To: CF-Talk
Sent: 10/10/2002 9:15 AM
Subject: Re: 2nd question - Run MX as nobody?

No, this is not a good enough answer. Nobody is *not supposed* to have a shell and it worked just fine before CFMX. This is a security issue and I feel should be investigated more fully before being written off in a pat manner.

I'm quite familiar with the script and how it works. I think this has more to do with how it is doing the suid function.

Cathy Taylor

----- Original Message -----
From: "Jesse Noller" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, October 10, 2002 11:58 AM
Subject: RE: 2nd question - Run MX as nobody?

> Look in the coldfusion start script.
>
> The start script run su -$user -c "command"
>
> On linux, su gives you the option of defining a run-time shell. Solaris does not, therefore, the solaris user you run CFMX as needs a valid shell.
>
> Jesse Noller
> [EMAIL PROTECTED]
> Macromedia Server Development
>
> "No concept man forms is valid unless he
> integrates it without contradiction into the
> sum of his knowledge."
> - Ayn Rand
>
> > -----Original Message-----
> > From: Thomas Chiverton [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, October 10, 2002 11:50 AM
> > To: CF-Talk
> > Subject: RE: 2nd question - Run MX as nobody?
> >
> > > You don't need to login as the cfuser, however, the CFuser needs
> > > a valid shell
> >
> > It does ? What for ?
> >
> > > as well as typical privs associated with it.
> >
> > I guess it depends what you mean by typical :-)
> > I wouldn't want my CFMX user to have read access to everything below /home
> > (some UNIXs set permissions by default that allow this) for instance.
> >
> > Tom Chiverton
> > You don't have to be a mad scientist to believe in ColdFusion
Re: 2nd question - Run MX as nobody?
Jesse,

Why does the CFMX daemon require a user account with a shell?

Thanks,
Troy

Jesse Noller wrote:

> You don't need to login as the cfuser, however, the CFuser needs a valid shell as well as typical privs associated with it.
>
> Jesse Noller
> [EMAIL PROTECTED]
> Macromedia Server Development
>
> "No concept man forms is valid unless he
> integrates it without contradiction into the
> sum of his knowledge."
> - Ayn Rand
>
> > -----Original Message-----
> > From: Thomas Chiverton [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, October 10, 2002 11:24 AM
> > To: CF-Talk
> > Subject: RE: 2nd question - Run MX as nobody?
> >
> > > Make the cfmx user with privs to access the webserver document
> > > directory, otherwise, it is a normal user account.
> >
> > !
> >
> > Why would you ever need to login as the user CF runs as ?
> > Why does it need to be a member of the groups most users are part of
> > (usually 'users' by default) ?
> >
> > Tom Chiverton
> > You don't have to be a mad scientist to believe in ColdFusion
Re: 2nd question - Run MX as nobody? - Solution
This is not an option. I don't know how many times I have to say that. We have been using ColdFusion for years and have systems in place on it. We're forward thinking and trying to get rid of our legacy applications, not create new ones. It will not be an option for us to move forward unless CFMX can be run as nobody.

Part of our security hardening procedure on production servers is to allow *no* user accounts other than administrators. None of our production software runs as a user other than nobody. We have *never* had a problem with that. I cannot just change the rules - they are dictated by a federal governing body (and I would lose my job and worse if I did).

We took this problem to SUN to cover our bases as well and here was their response, backing up my security issue here:

"Following up on this case regarding locking down a solaris system via the login shell. My understanding is one of your 3rd party plugins (coldfusion) must implement a valid shell for the user nobody, who normally does not have any shell assigned for obvious reasons. I don't know if I agree with the fact that coldfusion actually requires a shell since it is a security hole but that's another ballgame. Does coldfusion actually require a user to login? If not, I would highly recommend using the noshell program which is much more secure than say /bin/false. This shell won't let the user actually login but it is a valid shell. You can get this right off of:

"http://www.cert.org/security-improvement/implementations/i049.02.html

"This site gives step by step instructions for using the noshell program, which is very straightforward and takes no more than 10 minutes. If coldfusion actually requires a login then there will be no choice but to assign a valid shell (ie. /bin/csh) to the user nobody and lock the system down appropriately (ie. specify NP in the /etc/shadow file or what not). A valid shell always leaves a system open to hacker attacks so I would suggest reviewing the following security faq which tells you pretty much everything you need to know on how to secure the system:

"http://muse.linuxmafia.org/lost+found/solaris-security-faq.html#Q3.10

"I hope this helps.

"Best Regards,"

I will look into the noshell option to see if it works and is feasible, but I am highly disappointed that this was written off as a seemingly non-issue when it in fact is a huge issue.

Cathy Taylor

----- Original Message -----
From: "Jesse Noller" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, October 10, 2002 12:00 PM
Subject: RE: 2nd question - Run MX as nobody? - Solution

> Cathy-
>
> Do *not* run coldfusion as the nobody user then. CFMX requires the user it runs as have a valid shell on solaris as solaris SU does not allow for on the fly shell definition to run a given command.
>
> CF5 bypassed this by having an internal SUID system. CFMX does not.
>
> Jesse Noller
> [EMAIL PROTECTED]
> Macromedia Server Development
>
> > -----Original Message-----
> > From: Cathy Taylor [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, October 10, 2002 11:48 AM
> > To: CF-Talk
> > Subject: RE: 2nd question - Run MX as nobody? - Solution
> >
> > No, that's not a viable solution. I cannot give 'nobody' a shell. That
> > defeats the purpose of nobody.
> >
> > I posted in the forum (hey Troy, that was probably me!) and am not
> > receiving a response and have also submitted a bug report. I have narrowed
> > it down to this:
> >
> > CFMX will run as nobody if no shell is specified (nothing at the end of
> > the line in /etc/passwd). It will not run if /dev/null or /bin/false is
> > specified as the shell. The gov't agency I work for has strict
> > requirements that one of the above be specified. This worked for CF
> > 4.5 and 5.0. It suddenly does not work with CFMX. (It also works for all
> > web servers we have run and currently run, so should not be a major issue).
> >
> > Glad to hear I'm not the only one. I'm kind of bummed I haven't received
> > any reply from Macromedia though to at least confirm my suspicion and say,
> > "Hey, we'll get right on that!". We're at a standstill until it's resolved.
> >
> > Thanks for the feedback! I seem to miss some using the digest and will try
> > to pay more attention!
> >
> > Cathy
Re: 2nd question - Run MX as nobody?
No, this is not a good enough answer. Nobody is *not supposed* to have a shell and it worked just fine before CFMX. This is a security issue and I feel should be investigated more fully before being written off in a pat manner.

I'm quite familiar with the script and how it works. I think this has more to do with how it is doing the suid function.

Cathy Taylor

----- Original Message -----
From: "Jesse Noller" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, October 10, 2002 11:58 AM
Subject: RE: 2nd question - Run MX as nobody?

> Look in the coldfusion start script.
>
> The start script run su -$user -c "command"
>
> On linux, su gives you the option of defining a run-time shell. Solaris does not, therefore, the solaris user you run CFMX as needs a valid shell.
>
> Jesse Noller
> [EMAIL PROTECTED]
> Macromedia Server Development
>
> "No concept man forms is valid unless he
> integrates it without contradiction into the
> sum of his knowledge."
> - Ayn Rand
>
> > -----Original Message-----
> > From: Thomas Chiverton [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, October 10, 2002 11:50 AM
> > To: CF-Talk
> > Subject: RE: 2nd question - Run MX as nobody?
> >
> > > You don't need to login as the cfuser, however, the CFuser needs
> > > a valid shell
> >
> > It does ? What for ?
> >
> > > as well as typical privs associated with it.
> >
> > I guess it depends what you mean by typical :-)
> > I wouldn't want my CFMX user to have read access to everything below /home
> > (some UNIXs set permissions by default that allow this) for instance.
> >
> > Tom Chiverton
> > You don't have to be a mad scientist to believe in ColdFusion
RE: 2nd question - Run MX as nobody?
Look in the coldfusion start script.

The start script run su -$user -c "command"

On linux, su gives you the option of defining a run-time shell. Solaris does not, therefore, the solaris user you run CFMX as needs a valid shell.

Jesse Noller
[EMAIL PROTECTED]
Macromedia Server Development

"No concept man forms is valid unless he
integrates it without contradiction into the
sum of his knowledge."
- Ayn Rand

> -----Original Message-----
> From: Thomas Chiverton [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, October 10, 2002 11:50 AM
> To: CF-Talk
> Subject: RE: 2nd question - Run MX as nobody?
>
> > You don't need to login as the cfuser, however, the CFuser needs
> > a valid shell
>
> It does ? What for ?
>
> > as well as typical privs associated with it.
>
> I guess it depends what you mean by typical :-)
> I wouldn't want my CFMX user to have read access to everything below /home
> (some UNIXs set permissions by default that allow this) for instance.
>
> Tom Chiverton
> You don't have to be a mad scientist to believe in ColdFusion
RE: 2nd question - Run MX as nobody? - Solution
Cathy-

Do *not* run coldfusion as the nobody user then. CFMX requires the user it runs as have a valid shell on solaris as solaris SU does not allow for on the fly shell definition to run a given command.

CF5 bypassed this by having an internal SUID system. CFMX does not.

Jesse Noller
[EMAIL PROTECTED]
Macromedia Server Development

> -----Original Message-----
> From: Cathy Taylor [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, October 10, 2002 11:48 AM
> To: CF-Talk
> Subject: RE: 2nd question - Run MX as nobody? - Solution
>
> No, that's not a viable solution. I cannot give 'nobody' a shell. That
> defeats the purpose of nobody.
>
> I posted in the forum (hey Troy, that was probably me!) and am not
> receiving a response and have also submitted a bug report. I have narrowed
> it down to this:
>
> CFMX will run as nobody if no shell is specified (nothing at the end of
> the line in /etc/passwd). It will not run if /dev/null or /bin/false is
> specified as the shell. The gov't agency I work for has strict
> requirements that one of the above be specified. This worked for CF
> 4.5 and 5.0. It suddenly does not work with CFMX. (It also works for all
> web servers we have run and currently run, so should not be a major issue).
>
> Glad to hear I'm not the only one. I'm kind of bummed I haven't received
> any reply from Macromedia though to at least confirm my suspicion and say,
> "Hey, we'll get right on that!". We're at a standstill until it's resolved.
>
> Thanks for the feedback! I seem to miss some using the digest and will try
> to pay more attention!
>
> Cathy
RE: 2nd question - Run MX as nobody? - Solution
No, that's not a viable solution. I cannot give 'nobody' a shell. That defeats the purpose of nobody.

I posted in the forum (hey Troy, that was probably me!) and am not receiving a response and have also submitted a bug report. I have narrowed it down to this:

CFMX will run as nobody if no shell is specified (nothing at the end of the line in /etc/passwd). It will not run if /dev/null or /bin/false is specified as the shell. The gov't agency I work for has strict requirements that one of the above be specified. This worked for CF 4.5 and 5.0. It suddenly does not work with CFMX. (It also works for all web servers we have run and currently run, so should not be a major issue).

Glad to hear I'm not the only one. I'm kind of bummed I haven't received any reply from Macromedia though to at least confirm my suspicion and say, "Hey, we'll get right on that!". We're at a standstill until it's resolved.

Thanks for the feedback! I seem to miss some using the digest and will try to pay more attention!

Cathy
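The behaviour reported above (CFMX starts when the shell field in /etc/passwd is empty, but not when it is /bin/false or /dev/null) follows from su handing the -c command to whatever program the seventh passwd field names. The audit script below is an added example, not part of the original thread and not ColdFusion's own start script; the function names, the sample passwd entries and the extra nologin paths are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the shell field of passwd(4) entries to predict
# whether a start script that runs `su - USER -c "command"` can launch a
# daemon as that account.

# Programs installed as a login shell only to refuse logins. /bin/false,
# /dev/null and /usr/sbin/noshell are the ones named in the thread; the
# nologin paths are an assumption added for other systems.
DISABLED_SHELLS="/bin/false /usr/bin/false /dev/null /usr/sbin/noshell /sbin/nologin /usr/sbin/nologin"

# classify_shell FIELD -> prints default-sh | disabled | login-shell
classify_shell() {
    if [ -z "$1" ]; then
        # An empty seventh field is not "no shell": passwd(4) says the
        # system default Bourne shell is used, so su -c still works.
        echo "default-sh"
        return 0
    fi
    for disabled in $DISABLED_SHELLS; do
        if [ "$1" = "$disabled" ]; then
            echo "disabled"
            return 0
        fi
    done
    echo "login-shell"
}

# audit_account PASSWD_FILE ACCOUNT -> prints the classification, or
# "missing" (exit status 1) when the account has no entry.
audit_account() {
    shell_field=$(awk -F: -v user="$2" \
        '$1 == user { print $7; found = 1; exit } END { exit !found }' "$1") || {
        echo "missing"
        return 1
    }
    classify_shell "$shell_field"
}

# explain CLASS -> one-line consequence for a su-based start script
explain() {
    case "$1" in
        default-sh)  echo "su -c works; the account silently has a Bourne shell" ;;
        disabled)    echo "su -c fails; the start script cannot launch the daemon" ;;
        login-shell) echo "su -c works; the account has a usable shell" ;;
        *)           echo "no passwd entry" ;;
    esac
}

# write_sample_passwd FILE: constructed entries, not taken from any real host.
# UID 60001 and /usr/sbin/noshell mirror the syslog lines quoted in the thread.
write_sample_passwd() {
    cat > "$1" <<'EOF'
nobody:x:60001:60001:Nobody:/:/usr/sbin/noshell
nobody4:x:65534:65534:constructed, empty shell field:/:
cfmx:x:2001:2001:constructed service account:/opt/coldfusionmx:/bin/ksh
webd:x:2002:2002:constructed:/:/bin/false
EOF
}

# audit_report PASSWD_FILE ACCOUNT... -> one report line per account
audit_report() {
    passwd_file=$1
    shift
    for account in "$@"; do
        class=$(audit_account "$passwd_file" "$account") || true
        printf '%-8s %-12s %s\n' "$account" "$class" "$(explain "$class")"
    done
}

sample=$(mktemp)
write_sample_passwd "$sample"
audit_report "$sample" nobody nobody4 cfmx webd cfuser
rm -f "$sample"
```

An account reported as default-sh is the case to review during hardening: it passes a start-script test while having a working Bourne shell, which is the opposite of what a blank field suggests.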
RE: 2nd question - Run MX as nobody?
> You don't need to login as the cfuser, however, the CFuser needs
> a valid shell

It does? What for?

> as well as typical privs associated with it.

I guess it depends what you mean by typical :-)
I wouldn't want my CFMX user to have read access to everything below /home (some UNIXs set permissions by default that allow this) for instance.

Tom Chiverton
You don't have to be a mad scientist to believe in ColdFusion
RE: 2nd question - Run MX as nobody?
You don't need to login as the cfuser, however, the CFuser needs a valid shell as well as typical privs associated with it.

Jesse Noller
[EMAIL PROTECTED]
Macromedia Server Development

"No concept man forms is valid unless he integrates it without contradiction into the sum of his knowledge."
- Ayn Rand

> -----Original Message-----
> From: Thomas Chiverton [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, October 10, 2002 11:24 AM
> To: CF-Talk
> Subject: RE: 2nd question - Run MX as nobody?
>
> > Make the cfmx user with privs to access the webserver document
> > directory, otherwise, it is a normal user account.
>
> !
>
> Why would you ever need to login as the user CF runs as?
> Why does it need to be a member of the groups most users are part of
> (usually 'users' by default)?
>
> Tom Chiverton
> You don't have to be a mad scientist to believe in ColdFusion
RE: 2nd question - Run MX as nobody?
> Make the cfmx user with privs to access the webserver document
> directory, otherwise, it is a normal user account.

!

Why would you ever need to login as the user CF runs as?
Why does it need to be a member of the groups most users are part of (usually 'users' by default)?

Tom Chiverton
You don't have to be a mad scientist to believe in ColdFusion
RE: 2nd question - Run MX as nobody?
> I run this idea by our Sun Administrator.
> Should we make the "cfmx" user a common user with a home directory, etc.?
> Or is this considered common knowledge for a Sun Administrator?

I would think that the admin should know how to set up a limited permissions user for running a daemon with. That should mean no home dir, no shell etc. etc.
How much this breaks things I don't know, you may have to be more relaxed if you want to use cfexecute for example.

Tom Chiverton
You don't have to be a mad scientist to believe in ColdFusion
RE: 2nd question - Run MX as nobody?
Make the cfmx user with privs to access the webserver document directory, otherwise, it is a normal user account.

At this time there is not a "recommended config" document. I should write one.

Jesse Noller
[EMAIL PROTECTED]
Macromedia Server Development

"No concept man forms is valid unless he integrates it without contradiction into the sum of his knowledge."
- Ayn Rand

> -----Original Message-----
> From: Troy Simpson [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, October 10, 2002 10:58 AM
> To: CF-Talk
> Subject: Re: 2nd question - Run MX as nobody?
>
> Jesse,
>
> Thanks for the response.
> I run this idea by our Sun Administrator.
> Should we make the "cfmx" user a common user with a home directory, etc.?
> Is there a recommended (possibly published) method of how to configure the
> system for ColdFusion MX Enterprise Server?
> Or is this considered common knowledge for a Sun Administrator?
>
> Any other tips would be greatly appreciated.
>
> Thanks,
> Troy
Re: 2nd question - Run MX as nobody?
Jesse,

Thanks for the response.
I run this idea by our Sun Administrator.
Should we make the "cfmx" user a common user with a home directory, etc.?
Is there a recommended (possibly published) method of how to configure the system for ColdFusion MX Enterprise Server?
Or is this considered common knowledge for a Sun Administrator?

Any other tips would be greatly appreciated.

Thanks,
Troy

Jesse Noller wrote:

> Change it from the nobody user to a "cfmx" user you add to the system. Don't use
> nobody if nobody does not have a shell predefined.
>
> Jesse Noller
> [EMAIL PROTECTED]
> Macromedia Server Development
>
> "No concept man forms is valid unless he
> integrates it without contradiction into the
> sum of his knowledge."
> - Ayn Rand
RE: 2nd question - Run MX as nobody?
Change it from the nobody user to a "cfmx" user you add to the system. Don't use nobody if nobody does not have a shell predefined.

Jesse Noller
[EMAIL PROTECTED]
Macromedia Server Development

"No concept man forms is valid unless he integrates it without contradiction into the sum of his knowledge."
- Ayn Rand

> -----Original Message-----
> From: Troy Simpson [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 09, 2002 4:16 PM
> To: CF-Talk
> Subject: Re: 2nd question - Run MX as nobody?
>
> All,
>
> I was able to configure ColdFusion MX to run as the nobody user on Sun
> Solaris 8.
> But in order to run it I had to provide the nobody user with a shell.
> In my case, I used the Korn Shell.
>
> When I set the shell for the nobody user back to: /usr/sbin/noshell
>
> I get the following:
>
> # ./coldfusion start
> Starting ColdFusion MX...
> Oct 9 15:59:09 huey noshell[5813]: Titan warning: user 60001 login from a disabled shell
>
> Message from syslogd@huey at Wed Oct 9 15:59:09 2002 ...
> huey noshell[5813]: Titan warning: user 60001 login from a disabled shell
>
> Message from syslogd@huey at Wed Oct 9 15:59:09 2002 ...
> huey noshell[5813]: Titan warning: user 60001 login from a disabled shell
>
> Message from syslogd@huey at Wed Oct 9 15:59:09 2002 ...
> huey noshell[5813]: Titan warning: user 60001 login from a disabled shell
> There may be a few moments before you can access the Coldfusion MX administrator. This is normal.
> There has been an error starting Coldfusion MX, please check the logs.
>
> I check the logs in the /opt/coldfusionmx/logs directory. The logs are
> empty. Nada!
> Nothin' there.
>
> Apache 2.0.40 has no problem with this.
> It is my understanding that the nobody user should not have a shell
> assigned to it for security reasons.
> This appears to be a bug.
> Am I missing something?
>
> Thanks,
> Troy
Re: 2nd question - Run MX as nobody?
All,

I was able to configure ColdFusion MX to run as the nobody user on Sun Solaris 8.
But in order to run it I had to provide the nobody user with a shell.
In my case, I used the Korn Shell.

When I set the shell for the nobody user back to: /usr/sbin/noshell

I get the following:

# ./coldfusion start
Starting ColdFusion MX...
Oct 9 15:59:09 huey noshell[5813]: Titan warning: user 60001 login from a disabled shell

Message from syslogd@huey at Wed Oct 9 15:59:09 2002 ...
huey noshell[5813]: Titan warning: user 60001 login from a disabled shell

Message from syslogd@huey at Wed Oct 9 15:59:09 2002 ...
huey noshell[5813]: Titan warning: user 60001 login from a disabled shell

Message from syslogd@huey at Wed Oct 9 15:59:09 2002 ...
huey noshell[5813]: Titan warning: user 60001 login from a disabled shell
There may be a few moments before you can access the Coldfusion MX administrator. This is normal.
There has been an error starting Coldfusion MX, please check the logs.

I check the logs in the /opt/coldfusionmx/logs directory. The logs are empty. Nada!
Nothin' there.

Apache 2.0.40 has no problem with this.
It is my understanding that the nobody user should not have a shell assigned to it for security reasons.
This appears to be a bug.
Am I missing something?

Thanks,
Troy

Sean A Corfield wrote:

> Cathy Taylor wrote:
> >> I'm trying to evaluate our CF MX upgrade on Solaris before I turn our
> >> masses loose on it. I can't run it as root and our security
> >> regulations forbid me from creating a new user to run it as (that
> >> wouldn't work anyway since our web server runs as nobody). I've read
> >> the docs and modified the user to "nobody", but it won't start. The
> >> error log just says 'su no shell'. Of course nobody has no shell, but
> >> I'm sure it must be able to run that way. Am I missing something?
>
> I just checked one of our QA servers and we are indeed running it as
> nobody:
>
> nobody 24650 24648 0 Sep 30 ? 306:11 /data/www/appserver/cfusionmx/bin/cfusion -start default
> nobody 24648 1 0 Sep 30 ? 0:00 /data/www/appserver/cfusionmx/bin/cfusion -autorestart -start default
> scorfiel 28370 28362 0 13:38:39 pts/1 0:00 fgrep cf
>
> Then I checked another one:
>
> scorfiel 23763 23758 0 13:40:03 pts/2 0:00 fgrep cf
> nobody 27009 27007 0 Sep 04 ? 1435:01 /data/www/appserver/neo/bin/cfusion -start default
> nobody 27007 1 0 Sep 04 ? 0:00 /data/www/appserver/neo/bin/cfusion -autorestart -start default
>
> Also running as nobody (that one's a production server, BTW).
>
> As far as I know, our guys just followed the installation instructions
> but I'll ask them if there were any issues around the 'nobody' user.
>
> An Architect's View -- http://www.corfield.org/blog/
>
> Macromedia DevCon 2002, October 27-30, Orlando, Florida
> Architecting a New Internet Experience
> Register today at http://www.macromedia.com/go/devcon2002
RE: 2nd question - Run MX as nobody? - Solution
Seems my email is acting wonky all of a sudden. Hopefully this hits.

The problem you guys are running into is that the "nobody" user does not have a defined shell. You need to run CF as a user with a valid shell on Solaris; Solaris does not allow SU to define a shell for temporary command-running use like Linux.

Therefore, simply create a user on the system with a valid shell, and set CF to run as that, and you'll be fine.

Jesse

-----Original Message-----
From: Sean A Corfield
To: CF-Talk
Sent: 10/8/2002 1:47 PM
Subject: Re: 2nd question - Run MX as nobody?

Cathy Taylor wrote:
>> I'm trying to evaluate our CF MX upgrade on Solaris before I turn our
>> masses loose on it. I can't run it as root and our security
>> regulations forbid me from creating a new user to run it as (that
>> wouldn't work anyway since our web server runs as nobody). I've read
>> the docs and modified the user to "nobody", but it won't start. The
>> error log just says 'su no shell'. Of course nobody has no shell, but
>> I'm sure it must be able to run that way. Am I missing something?

I just checked one of our QA servers and we are indeed running it as nobody:

nobody 24650 24648 0 Sep 30 ? 306:11 /data/www/appserver/cfusionmx/bin/cfusion -start default
nobody 24648 1 0 Sep 30 ? 0:00 /data/www/appserver/cfusionmx/bin/cfusion -autorestart -start default
scorfiel 28370 28362 0 13:38:39 pts/1 0:00 fgrep cf

Then I checked another one:

scorfiel 23763 23758 0 13:40:03 pts/2 0:00 fgrep cf
nobody 27009 27007 0 Sep 04 ? 1435:01 /data/www/appserver/neo/bin/cfusion -start default
nobody 27007 1 0 Sep 04 ? 0:00 /data/www/appserver/neo/bin/cfusion -autorestart -start default

Also running as nobody (that one's a production server, BTW).

As far as I know, our guys just followed the installation instructions but I'll ask them if there were any issues around the 'nobody' user.

An Architect's View -- http://www.corfield.org/blog/

Macromedia DevCon 2002, October 27-30, Orlando, Florida
Architecting a New Internet Experience
Register today at http://www.macromedia.com/go/devcon2002
Re: 2nd question - Run MX as nobody?
On Tuesday, Oct 8, 2002, at 13:47 US/Pacific, Sean A Corfield wrote:
> As far as I know, our guys just followed the installation instructions
> but I'll ask them if there were any issues around the 'nobody' user.

I asked the engineers who did the installs: they just followed the instructions. They've all done multiple installations, following the instructions, with no issues at all due to CFMX running as nobody. Sorry if that is unhelpful.

Can you provide more details about the problems you are seeing and any variations from the instructions during install?

An Architect's View -- http://www.corfield.org/blog/

Macromedia DevCon 2002, October 27-30, Orlando, Florida
Architecting a New Internet Experience
Register today at http://www.macromedia.com/go/devcon2002
CFMX in production (was: 2nd question - Run MX as nobody?)
On Tuesday, Oct 8, 2002, at 13:47 US/Pacific, Sean A Corfield wrote:
> scorfiel 23763 23758 0 13:40:03 pts/2 0:00 fgrep cf
> nobody 27009 27007 0 Sep 04 ? 1435:01 /data/www/appserver/neo/bin/cfusion -start default
> nobody 27007 1 0 Sep 04 ? 0:00 /data/www/appserver/neo/bin/cfusion -autorestart -start default
>
> Also running as nobody (that one's a production server, BTW).

Just purely for information - this server is not part of our primary www cluster but it is public-facing...

Since 7/25, this server has processed - on average:
- 31,000 Flash Remoting requests per day
- 7,700 direct .cfm / .cfc requests per day

The web server shows an average of 52,000 requests per day for just *one* of the applications it hosts (yes, the majority of those are images and swf files - it's just to give an idea of traffic).

Sean A Corfield -- Director, Architecture
Web Technology Group -- Macromedia, Inc.
tel: (415) 252-2287 -- cell: (415) 717-8473
fax: (415) 865-3113 -- http://www.macromedia.com

An Architect's View -- http://www.corfield.org/blog/

Macromedia DevCon 2002, October 27-30, Orlando, Florida
Architecting a New Internet Experience
Register today at http://www.macromedia.com/go/devcon2002
Re: 2nd question - Run MX as nobody?
Cathy Taylor wrote:
>> I'm trying to evaluate our CF MX upgrade on Solaris before I turn our
>> masses loose on it. I can't run it as root and our security
>> regulations forbid me from creating a new user to run it as (that
>> wouldn't work anyway since our web server runs as nobody). I've read
>> the docs and modified the user to "nobody", but it won't start. The
>> error log just says 'su no shell'. Of course nobody has no shell, but
>> I'm sure it must be able to run that way. Am I missing something?

I just checked one of our QA servers and we are indeed running it as nobody:

nobody 24650 24648 0 Sep 30 ? 306:11 /data/www/appserver/cfusionmx/bin/cfusion -start default
nobody 24648 1 0 Sep 30 ? 0:00 /data/www/appserver/cfusionmx/bin/cfusion -autorestart -start default
scorfiel 28370 28362 0 13:38:39 pts/1 0:00 fgrep cf

Then I checked another one:

scorfiel 23763 23758 0 13:40:03 pts/2 0:00 fgrep cf
nobody 27009 27007 0 Sep 04 ? 1435:01 /data/www/appserver/neo/bin/cfusion -start default
nobody 27007 1 0 Sep 04 ? 0:00 /data/www/appserver/neo/bin/cfusion -autorestart -start default

Also running as nobody (that one's a production server, BTW).

As far as I know, our guys just followed the installation instructions but I'll ask them if there were any issues around the 'nobody' user.

An Architect's View -- http://www.corfield.org/blog/

Macromedia DevCon 2002, October 27-30, Orlando, Florida
Architecting a New Internet Experience
Register today at http://www.macromedia.com/go/devcon2002
Re: 2nd question - Run MX as nobody?
All,

I'm having the same exact problem.
I've also noticed a very descriptive posting in Macromedia's Forums related to this and there is also no response to that posting either.
We also can not move forward until this has been resolved.

Troy

Cathy Taylor wrote:

> I'm trying to evaluate our CF MX upgrade on Solaris before I turn our masses loose
> on it. I can't run it as root and our security regulations forbid me from creating a
> new user to run it as (that wouldn't work anyway since our web server runs as
> nobody). I've read the docs and modified the user to "nobody", but it won't start.
> The error log just says 'su no shell'. Of course nobody has no shell, but I'm sure it
> must be able to run that way. Am I missing something?
>
> Thanks again!
>
> Cathy
2nd question - Run MX as nobody?
I'm trying to evaluate our CF MX upgrade on Solaris before I turn our masses loose on it. I can't run it as root and our security regulations forbid me from creating a new user to run it as (that wouldn't work anyway since our web server runs as nobody). I've read the docs and modified the user to "nobody", but it won't start. The error log just says 'su no shell'. Of course nobody has no shell, but I'm sure it must be able to run that way. Am I missing something?

Thanks again!

Cathy

FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists