Re: 2nd question - Run MX as nobody? - Solution

2002-10-18 Thread Cathy Taylor
Hi Jesse,

Not to be annoying :-), but any update on internal talks about this?

Thanks!
Cathy

- Original Message -
From: "Jesse Noller" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, October 10, 2002 1:14 PM
Subject: RE: 2nd question - Run MX as nobody? - Solution


> Cathy-
>
> I do recommend trying the noshell option. This was not written off as a
> non-issue; it was not feasible for us to write more C code binaries, and we
> were not left with pleasant options.
>
> I will discuss this matter internally once I am over this flu-bug, and I
> will see what we can do. Our only real option is to either write a new
> C-launcher binary (not good, very bad, severe change in CFMX) or enforce the
> JRun method of installation (not a good user experience); it is a lose-lose
> situation on our part.
>
> I will see what I can do, and will explore the options internally.
>
> -Jesse Noller
> Macromedia
>
> -Original Message-
> From: Cathy Taylor
> To: CF-Talk
> Sent: 10/10/2002 9:26 AM
> Subject: Re: 2nd question - Run MX as nobody? - Solution
>
> This is not an option. I don't know how many times I have to say that.
> We have been using ColdFusion for years and have systems in place on it.
> We're forward thinking and trying to get rid of our legacy applications,
> not create new ones. It will not be an option for us to move forward
> unless CFMX can be run as nobody.
>
> Part of our security hardening procedure on production servers is to
> allow *no* user accounts other than administrators. None of our
> production software runs as a user other than nobody. We have *never*
> had a problem with that. I cannot just change the rules - they are
> dictated by a federal governing body (and I would lose my job and worse
> if I did).
>
> We took this problem to SUN to cover our bases as well and here was
> their response, backing up my security issue here:
>
> "Following up on this case regarding locking down a solaris system via
> the login shell. My understanding is one of your 3rd party plugins
> (coldfusion) must implement a valid shell for the user nobody, who
> normally does not have any shell assigned for obvious reasons. I don't
> know if I agree with the fact that coldfusion actually requires a shell
> since it is a security hole but that's another ballgame. Does coldfusion
> actually require a user to login? If not, I would highly recommend using
> the noshell program which is much more secure than say /bin/false. This
> shell won't let the user actually login but it is a valid shell. You can
> get this right off of:
>
> "http://www.cert.org/security-improvement/implementations/i049.02.html
>
> "This site gives step by step instructions for using the noshell
> program, which is very straightforward and takes no more than 10
> minutes. If coldfusion actually requires a login then there will be no
> choice but to assign a valid shell (i.e. /bin/csh) to the user nobody and
> lock the system down appropriately (i.e. specify NP in the /etc/shadow
> file or what not). A valid shell always leaves a system open to hacker
> attacks so I would suggest reviewing the following security FAQ which
> tells you pretty much everything you need to know on how to secure the
> system:
>
> "http://muse.linuxmafia.org/lost+found/solaris-security-faq.html#Q3.10
>
> "I hope this helps.
>
> "Best Regards,"
>
> I will look into the noshell option to see if it works and is feasible,
> but I am highly disappointed that this was written off as a seemingly
> non-issue when it in fact is a huge issue.
>
> Cathy Taylor
>
> - Original Message -
> From: "Jesse Noller" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Thursday, October 10, 2002 12:00 PM
> Subject: RE: 2nd question - Run MX as nobody? - Solution
>
>
> > Cathy-
> >
> > Do *not* run coldfusion as the nobody user then. CFMX requires the
> > user it runs as to have a valid shell on solaris, as solaris SU does not
> > allow for on the fly shell definition to run a given command.
> >
> > CF5 bypassed this by having an internal SUID system. CFMX does not.
> >
> > Jesse Noller
> > [EMAIL PROTECTED]
> > Macromedia Server Development
> >
> > > -Original Message-
> > > From: Cathy Taylor [mailto:cathy@;4te.com]
> > > Sent: Thursday, October 10, 2002 11:48 AM
> > > To: CF-Talk
> > > Subject: RE: 2nd question - Run MX as nobody? - Solution
> > >
> > > No, that's not a viable solution. I cannot give 'nobody' a shell. That
> > > defeats the purpose of nobod

RE: 2nd question - Run MX as nobody? - Solution

2002-10-08 Thread Jesse Noller

 Seems my email is acting wonky all of a sudden. Hopefully this hits. 

The problem you guys are running into is that the "nobody" user does not have a 
defined shell.

You need to run CF as a user with a valid shell on solaris; solaris does not allow SU 
to define a shell for temporary command-running use like Linux does.

Therefore, simply create a user on the system with a valid shell, and set CF to run as 
that, and you'll be fine.

Jesse 


-Original Message-
From: Sean A Corfield
To: CF-Talk
Sent: 10/8/2002 1:47 PM
Subject: Re: 2nd question - Run MX as nobody?

Cathy Taylor wrote:
>> I'm trying to evaluate our CF MX upgrade on Solaris before I turn our
>> masses loose on it. I can't run it as root and our security 
>> regulations forbid me from creating a new user to run it as (that 
>> wouldn't work anyway since our web server runs as nobody). I've read 
>> the docs and modified the user to "nobody", but it won't start. The 
>> error log just says 'su no shell'. Of course nobody has no shell, but
>> I'm sure it must be able to run that way. Am I missing something?

I just checked one of our QA servers and we are indeed running it as 
nobody:

   nobody 24650 24648  0   Sep 30 ?      306:11 /data/www/appserver/cfusionmx/bin/cfusion -start default
   nobody 24648     1  0   Sep 30 ?        0:00 /data/www/appserver/cfusionmx/bin/cfusion -autorestart -start default
 scorfiel 28370 28362  0 13:38:39 pts/1    0:00 fgrep cf

Then I checked another one:

 scorfiel 23763 23758  0 13:40:03 pts/2    0:00 fgrep cf
   nobody 27009 27007  0   Sep 04 ?     1435:01 /data/www/appserver/neo/bin/cfusion -start default
   nobody 27007     1  0   Sep 04 ?        0:00 /data/www/appserver/neo/bin/cfusion -autorestart -start default

Also running as nobody (that one's a production server, BTW).

As far as I know, our guys just followed the installation instructions 
but I'll ask them if there were any issues around the 'nobody' user.

An Architect's View -- http://www.corfield.org/blog/

Macromedia DevCon 2002, October 27-30, Orlando, Florida
Architecting a New Internet Experience
Register today at http://www.macromedia.com/go/devcon2002


Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm



RE: 2nd question - Run MX as nobody? - Solution

2002-10-10 Thread Cathy Taylor

No, that's not a viable solution. I cannot give 'nobody' a shell. That defeats the 
purpose of nobody. 

I posted in the forum (hey Troy, that was probably me!) and am not receiving a 
response and have also submitted a bug report. I have narrowed it down to this:

CFMX will run as nobody if no shell is specified (nothing at the end of the line in 
/etc/passwd). It will not run if /dev/null or /bin/false is specified as the shell. 
The gov't agency I work for has strict requirements that one of the above be 
specified. This worked for CF 4.5 and 5.0. It suddenly does not work with CFMX. 
(It also works for all web servers we have run and currently run, so should not be a 
major issue).

Glad to hear I'm not the only one. I'm kind of bummed I haven't received any reply 
from Macromedia though to at least confirm my suspicion and say, "Hey, we'll get right 
on that!". We're at a standstill until it's resolved.

Thanks for the feedback! I seem to miss some using the digest and will try to pay more 
attention!

Cathy




RE: 2nd question - Run MX as nobody? - Solution

2002-10-10 Thread Jesse Noller

Cathy-

Do *not* run coldfusion as the nobody user then. CFMX requires the user it 
runs as to have a valid shell on solaris, as solaris SU does not allow for on the fly 
shell definition to run a given command. 

CF5 bypassed this by having an internal SUID system. CFMX does not.

Jesse Noller
[EMAIL PROTECTED]
Macromedia Server Development

> -Original Message-
> From: Cathy Taylor [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, October 10, 2002 11:48 AM
> To: CF-Talk
> Subject: RE: 2nd question - Run MX as nobody? - Solution
> 
> No, that's not a viable solution. I cannot give 'nobody' a shell. That
> defeats the purpose of nobody.
> 
> I posted in the forum (hey Troy, that was probably me!) and am not
> receiving a response and have also submitted a bug report. I have narrowed
> it down to this:
> 
> CFMX will run as nobody if no shell is specified (nothing at the end of
> the line in /etc/passwd). It will not run if /dev/null or /bin/false is
> specified as the shell. The gov't agency I work for has strict
> requirements that one of the above be specified. This worked for CF
> 4.5 and 5.0. It suddenly does not work with CFMX. (It also works for all
> web servers we have run and currently run, so should not be a major issue).
> 
> Glad to hear I'm not the only one. I'm kind of bummed I haven't received
> any reply from Macromedia though to at least confirm my suspicion and say,
> "Hey, we'll get right on that!". We're at a standstill until it's resolved.
> 
> Thanks for the feedback! I seem to miss some using the digest and will try
> to pay more attention!
> 
> Cathy
> 
> 



Re: 2nd question - Run MX as nobody? - Solution

2002-10-10 Thread Cathy Taylor

This is not an option. I don't know how many times I have to say that. We have been 
using ColdFusion for years and have systems in place on it. We're forward thinking and 
trying to get rid of our legacy applications, not create new ones. It will not be an 
option for us to move forward unless CFMX can be run as nobody. 

Part of our security hardening procedure on production servers is to allow *no* user 
accounts other than administrators. None of our production software runs as a user 
other than nobody. We have *never* had a problem with that. I cannot just change the 
rules - they are dictated by a federal governing body (and I would lose my job and 
worse if I did). 

We took this problem to SUN to cover our bases as well and here was their response, 
backing up my security issue here:

"Following up on this case regarding locking down a solaris system via the login 
shell. My understanding is one of your 3rd party plugins (coldfusion) must implement a 
valid shell for the user nobody, who normally does not have any shell assigned for 
obvious reasons. I don't know if I agree with the fact that coldfusion actually 
requires a shell since it is a security hole but that's another ballgame. Does 
coldfusion actually require a user to login? If not, I would highly recommend using the
noshell program which is much more secure than say /bin/false. This shell won't let the 
user actually login but it is a valid shell. You can get this right off of:

"http://www.cert.org/security-improvement/implementations/i049.02.html

"This site gives step by step instructions for using the noshell program, which is 
very straightforward and takes no more than 10 minutes. If coldfusion actually 
requires a login then there will be no choice but to assign a valid shell (i.e. 
/bin/csh) to the user nobody and lock the system down appropriately (i.e. specify NP in 
the /etc/shadow file or what not). A valid shell always leaves a system open to hacker 
attacks so I would suggest reviewing the following security FAQ which tells you pretty 
much everything you need to know on how to secure the system:

"http://muse.linuxmafia.org/lost+found/solaris-security-faq.html#Q3.10

"I hope this helps.

"Best Regards,"

I will look into the noshell option to see if it works and is feasible, but I am 
highly disappointed that this was written off as a seemingly non-issue when it in fact 
is a huge issue.

Cathy Taylor

- Original Message - 
From: "Jesse Noller" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, October 10, 2002 12:00 PM
Subject: RE: 2nd question - Run MX as nobody? - Solution


> Cathy-
> 
> Do *not* run coldfusion as the nobody user then. CFMX requires the user it runs as 
> to have a valid shell on solaris, as solaris SU does not allow for on the fly shell 
> definition to run a given command. 
> 
> CF5 bypassed this by having an internal SUID system. CFMX does not.
> 
> Jesse Noller
> [EMAIL PROTECTED]
> Macromedia Server Development
> 
> > -Original Message-
> > From: Cathy Taylor [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, October 10, 2002 11:48 AM
> > To: CF-Talk
> > Subject: RE: 2nd question - Run MX as nobody? - Solution
> > 
> > No, that's not a viable solution. I cannot give 'nobody' a shell. That
> > defeats the purpose of nobody.
> > 
> > I posted in the forum (hey Troy, that was probably me!) and am not
> > receiving a response and have also submitted a bug report. I have narrowed
> > it down to this:
> > 
> > CFMX will run as nobody if no shell is specified (nothing at the end of
> > the line in /etc/passwd). It will not run if /dev/null or /bin/false is
> > specified as the shell. The gov't agency I work for has strict
> > requirements that one of the above be specified. This worked for CF
> > 4.5 and 5.0. It suddenly does not work with CFMX. (It also works for all
> > web servers we have run and currently run, so should not be a major issue).
> > 
> > Glad to hear I'm not the only one. I'm kind of bummed I haven't received
> > any reply from Macromedia though to at least confirm my suspicion and say,
> > "Hey, we'll get right on that!". We're at a standstill until it's resolved.
> > 
> > Thanks for the feedback! I seem to miss some using the digest and will try
> > to pay more attention!
> > 
> > Cathy
> > 
> > 
> 
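Added example, not code from the thread, Macromedia or Sun: a POSIX sh pre-flight check for a service launcher that reads the login-shell field the way the messages above describe it (Cathy's narrowing to an empty field versus /bin/false, Jesse's point that Solaris su cannot supply a shell on the fly, Sun's noshell advice) and predicts whether "su user -c cmd" can run at all. The passwd lines and the cfmx account are constructed, and noshell is assumed to behave like /bin/false when handed a -c command, which the thread leaves untested.

```shell
#!/bin/sh
# Pre-flight check for a service launcher that will call "su USER -c cmd":
# read the account's login-shell field and predict whether su can run the
# command at all. The passwd lines below are constructed for this example
# (not from any real host) and cover the states the thread describes:
# an empty field, /bin/false, a noshell-style deny program, a real shell.
PASSWD_SAMPLE='root:x:0:1:Super-User:/:/sbin/sh
nobody:x:60001:60001:NFS Anonymous Access User:/:
www:x:80:80:Web Server:/var/www:/bin/false
cfmx:x:1001:1001:ColdFusion MX (hypothetical):/opt/coldfusionmx:/usr/local/bin/noshell
scorfiel:x:1002:100:Sean A Corfield:/home/scorfiel:/bin/csh'

# shell_for_user NAME: print the 7th passwd field of NAME; exit 1 if no such user.
# Reads PASSWD_SAMPLE so the script runs anywhere; feed it /etc/passwd to audit a host.
shell_for_user() {
    printf '%s\n' "$PASSWD_SAMPLE" |
        awk -F: -v u="$1" '$1 == u { print $7; found = 1 } END { if (!found) exit 1 }'
}

# classify_shell SHELL: map a login-shell field to one of three states.
#   default - empty field. passwd(5) treats it as /bin/sh, so "su user -c cmd"
#             runs cmd even though no shell is written down; this is the one
#             configuration Cathy reports CFMX starting under.
#   nologin - /bin/false, /dev/null, noshell or nologin. su exec's the program
#             with "-c cmd"; it exits at once (or cannot be executed, giving
#             su's "No shell" error), so cmd never runs. Assumed here to hold
#             for noshell as for /bin/false; the thread leaves noshell untested.
#   login   - a real shell. su -c works, but the account can log in, which is
#             what the hardening policy in the thread forbids.
classify_shell() {
    case "$1" in
        "") echo default ;;
        /bin/false|/dev/null|*/noshell|*/nologin) echo nologin ;;
        *) echo login ;;
    esac
}

# can_su_run_command NAME: "yes" if "su NAME -c cmd" would execute cmd, "no" if
# the shell field blocks it, "unknown" (with exit status 1) if NAME does not exist.
can_su_run_command() {
    shell=$(shell_for_user "$1") || { echo unknown; return 1; }
    case "$(classify_shell "$shell")" in
        default|login) echo yes ;;
        *) echo no ;;
    esac
}

# audit_login_capable: list accounts whose effective shell permits a login, the
# ones the Sun reply says to lock down (NP in /etc/shadow, etc.).
# Output: "name effective-shell", one per line.
audit_login_capable() {
    printf '%s\n' "$PASSWD_SAMPLE" | while IFS=: read -r name _ _ _ _ _ shell; do
        [ "$(classify_shell "$shell")" = nologin ] ||
            printf '%s %s\n' "$name" "${shell:-/bin/sh}"
    done
}

# Stand-alone run: one verdict per sample account.
for user in root nobody www cfmx scorfiel; do
    printf '%-9s shell=%-24s su -c works: %s\n' \
        "$user" "'$(shell_for_user "$user")'" "$(can_su_run_command "$user")"
done
```

On a real host, replace PASSWD_SAMPLE with the contents of /etc/passwd and run audit_login_capable to see which accounts still have a login-capable shell after hardening.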



RE: 2nd question - Run MX as nobody? - Solution

2002-10-10 Thread Jesse Noller

Cathy-

I do recommend trying the noshell option. This was not written off as a non-issue; 
it was not feasible for us to write more C code binaries, and we were not left with 
pleasant options.

I will discuss this matter internally once I am over this flu-bug, and I will see 
what we can do. Our only real option is to either write a new C-launcher binary (not 
good, very bad, severe change in CFMX) or enforce the JRun method of installation (not 
a good user experience); it is a lose-lose situation on our part.

I will see what I can do, and will explore the options internally.

-Jesse Noller
Macromedia

-Original Message-
From: Cathy Taylor
To: CF-Talk
Sent: 10/10/2002 9:26 AM
Subject: Re: 2nd question - Run MX as nobody? - Solution

This is not an option. I don't know how many times I have to say that.
We have been using ColdFusion for years and have systems in place on it.
We're forward thinking and trying to get rid of our legacy applications,
not create new ones. It will not be an option for us to move forward
unless CFMX can be run as nobody. 

Part of our security hardening procedure on production servers is to
allow *no* user accounts other than administrators. None of our
production software runs as a user other than nobody. We have *never*
had a problem with that. I cannot just change the rules - they are
dictated by a federal governing body (and I would lose my job and worse
if I did). 

We took this problem to SUN to cover our bases as well and here was
their response, backing up my security issue here:

"Following up on this case regarding locking down a solaris system via
the login shell. My understanding is one of your 3rd party plugins
(coldfusion) must implement a valid shell for the user nobody, who
normally does not have any shell assigned for obvious reasons. I don't
know if I agree with the fact that coldfusion actually requires a shell
since it is a security hole but that's another ballgame. Does coldfusion
actually require a user to login? If not, I would highly recommend using
the noshell program which is much more secure than say /bin/false. This
shell won't let the user actually login but it is a valid shell. You can
get this right off of:

"http://www.cert.org/security-improvement/implementations/i049.02.html

"This site gives step by step instructions for using the noshell
program, which is very straightforward and takes no more than 10
minutes. If coldfusion actually requires a login then there will be no
choice but to assign a valid shell (i.e. /bin/csh) to the user nobody and
lock the system down appropriately (i.e. specify NP in the /etc/shadow
file or what not). A valid shell always leaves a system open to hacker
attacks so I would suggest reviewing the following security FAQ which
tells you pretty much everything you need to know on how to secure the
system:

"http://muse.linuxmafia.org/lost+found/solaris-security-faq.html#Q3.10

"I hope this helps.

"Best Regards,"

I will look into the noshell option to see if it works and is feasible,
but I am highly disappointed that this was written off as a seemingly
non-issue when it in fact is a huge issue.

Cathy Taylor

- Original Message - 
From: "Jesse Noller" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, October 10, 2002 12:00 PM
Subject: RE: 2nd question - Run MX as nobody? - Solution


> Cathy-
> 
> Do *not* run coldfusion as the nobody user then. CFMX requires the
> user it runs as to have a valid shell on solaris, as solaris SU does not
> allow for on the fly shell definition to run a given command. 
> 
> CF5 bypassed this by having an internal SUID system. CFMX does not.
> 
> Jesse Noller
> [EMAIL PROTECTED]
> Macromedia Server Development
> 
> > -Original Message-
> > From: Cathy Taylor [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, October 10, 2002 11:48 AM
> > To: CF-Talk
> > Subject: RE: 2nd question - Run MX as nobody? - Solution
> > 
> > No, that's not a viable solution. I cannot give 'nobody' a shell. That
> > defeats the purpose of nobody.
> > 
> > I posted in the forum (hey Troy, that was probably me!) and am not
> > receiving a response and have also submitted a bug report. I have
> > narrowed it down to this:
> > 
> > CFMX will run as nobody if no shell is specified (nothing at the end
> > of the line in /etc/passwd). It will not run if /dev/null or /bin/false
> > is specified as the shell. The gov't agency I work for has strict
> > requirements that one of the above be specified. This worked for CF
> > 4.5 and 5.0. It suddenly does not work with CFMX. (It also works for
> > all web servers we have run and currently run, so should not be a major
> > issue).
> > 
> > Glad to hear I'm not the only one. I'm kind

Re: 2nd question - Run MX as nobody? - Solution

2002-10-10 Thread Cathy Taylor
 back, the
web server wouldn't start until CF was happy. That seems like it just added
another level of fault possibility to my web server which supports
applications that do not run on CF in addition to the CF ones.

Cathy


- Original Message -
From: "Jesse Noller" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, October 10, 2002 1:14 PM
Subject: RE: 2nd question - Run MX as nobody? - Solution


> Cathy-
>
> I do recommend trying the noshell option. This was not written off as a
> non-issue; it was not feasible for us to write more C code binaries, and we
> were not left with pleasant options.
>
> I will discuss this matter internally once I am over this flu-bug, and I
> will see what we can do. Our only real option is to either write a new
> C-launcher binary (not good, very bad, severe change in CFMX) or enforce the
> JRun method of installation (not a good user experience); it is a lose-lose
> situation on our part.
>
> I will see what I can do, and will explore the options internally.
>
> -Jesse Noller
> Macromedia
>
> -Original Message-
> From: Cathy Taylor
> To: CF-Talk
> Sent: 10/10/2002 9:26 AM
> Subject: Re: 2nd question - Run MX as nobody? - Solution
>
> This is not an option. I don't know how many times I have to say that.
> We have been using ColdFusion for years and have systems in place on it.
> We're forward thinking and trying to get rid of our legacy applications,
> not create new ones. It will not be an option for us to move forward
> unless CFMX can be run as nobody.
>
> Part of our security hardening procedure on production servers is to
> allow *no* user accounts other than administrators. None of our
> production software runs as a user other than nobody. We have *never*
> had a problem with that. I cannot just change the rules - they are
> dictated by a federal governing body (and I would lose my job and worse
> if I did).
>
> We took this problem to SUN to cover our bases as well and here was
> their response, backing up my security issue here:
>
> "Following up on this case regarding locking down a solaris system via
> the login shell. My understanding is one of your 3rd party plugins
> (coldfusion) must implement a valid shell for the user nobody, who
> normally does not have any shell assigned for obvious reasons. I don't
> know if I agree with the fact that coldfusion actually requires a shell
> since it is a security hole but that's another ballgame. Does coldfusion
> actually require a user to login? If not, I would highly recommend using
> the noshell program which is much more secure than say /bin/false. This
> shell won't let the user actually login but it is a valid shell. You can
> get this right off of:
>
> "http://www.cert.org/security-improvement/implementations/i049.02.html
>
> "This site gives step by step instructions for using the noshell
> program, which is very straightforward and takes no more than 10
> minutes. If coldfusion actually requires a login then there will be no
> choice but to assign a valid shell (i.e. /bin/csh) to the user nobody and
> lock the system down appropriately (i.e. specify NP in the /etc/shadow
> file or what not). A valid shell always leaves a system open to hacker
> attacks so I would suggest reviewing the following security FAQ which
> tells you pretty much everything you need to know on how to secure the
> system:
>
> "http://muse.linuxmafia.org/lost+found/solaris-security-faq.html#Q3.10
>
> "I hope this helps.
>
> "Best Regards,"
>
> I will look into the noshell option to see if it works and is feasible,
> but I am highly disappointed that this was written off as a seemingly
> non-issue when it in fact is a huge issue.
>
> Cathy Taylor
>
> - Original Message -
> From: "Jesse Noller" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Thursday, October 10, 2002 12:00 PM
> Subject: RE: 2nd question - Run MX as nobody? - Solution
>
>
> > Cathy-
> >
> > Do *not* run coldfusion as the nobody user then. CFMX requires the
> > user it runs as to have a valid shell on solaris, as solaris SU does not
> > allow for on the fly shell definition to run a given command.
> >
> > CF5 bypassed this by having an internal SUID system. CFMX does not.
> >
> > Jesse Noller
> > [EMAIL PROTECTED]
> > Macromedia Server Development
> >
> > > -Original Message-
> > > From: Cathy Taylor [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, October 10, 2002 11:48 AM
> > > To: CF-Talk
> > > Subject: RE: 2nd question - Run MX as nobody? - Solution
> > >
> > > No