Running CF as a specific user
I haven't seen this discussed in years, and the Adobe Knowledge Base article is more than three years old. So I'd like to see if someone has recent experience with setting a specific user account for CF, rather than running it as System. The server in question is Win Server 2008 running CF Standard.

My specific question involves the fact that Adobe says that the CF User must have full control of the OS directories (windows and system32 in the KB article). My concern is that giving that user account full control of those directories is a little scary. Does anyone know if full control is really required? Or does anyone have any specific advice in this regard?

--
Thanks,
Tom

Tom McNeer
MediumCool
http://www.mediumcool.com
1735 Johnson Road NE
Atlanta, GA 30306
404.589.0560

Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:330263
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: Running CF as a specific user
> I haven't seen this discussed in years, and the Adobe Knowledge Base article is more than three years old. So I'd like to see if someone has recent experience with setting a specific user account for CF, rather than running it as System. The server in question is Win Server 2008 running CF Standard.
>
> My specific question involves the fact that Adobe says that the CF User must have full control of the OS directories (windows and system32 in the KB article). My concern is that giving that user account full control of those directories is a little scary. Does anyone know if full control is really required? Or does anyone have any specific advice in this regard?

Full control of those directories is NOT required. In fact, you can run CF as a very limited user. It will need control over its own directories, and at least read/execute over your web content (more if you plan to use CFFILE, etc). Presumably, you'd need additional privileges if you use the CFREGISTRY tag, but otherwise CF is pretty well separated from Windows in general.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.
Re: Running CF as a specific user
Hi Dave,

I was hoping you'd jump in, since you always know more about server configuration than the rest of us combined. So just to make sure I'm clear:

On Fri, Jan 29, 2010 at 11:42 AM, Dave Watts dwa...@figleaf.com wrote:

> Full control of those directories is NOT required. In fact, you can run CF as a very limited user. It will need control over its own directories, and at least read/execute over your web content (more if you plan to use CFFILE, etc).

So as long as I have the correct permissions on the CF install directory and on the directories containing my content (in and out of the actual web root), I'm good, right? No need to set any permissions on the Windows directories at all?

The old KB article also says to give the user full control of the registry key /HKEY_LOCAL_MACHINE/SOFTWARE/. Is that still necessary? Was it ever?

--
Thanks,
Tom

Tom McNeer
MediumCool
http://www.mediumcool.com
1735 Johnson Road NE
Atlanta, GA 30306
404.589.0560
Re: Running CF as a specific user
> So as long as I have the correct permissions on the CF install directory and on the directories containing my content (in and out of the actual web root), I'm good, right? No need to set any permissions on the Windows directories at all?

If you create a new user account as a member of the Local Users group, it will have Read permissions on the Windows directories. I think CF may need that, but honestly I'm not sure it does.

> The old KB article also says to give the user full control of the registry key /HKEY_LOCAL_MACHINE/SOFTWARE/. Is that still necessary? Was it ever?

If you were (or presumably are) storing Client variables in the Registry, CF needs to be able to write to a subkey within there. My answer to that is, don't store Client variables in the Registry - it's just a bad idea.

http://jochem.vandieten.net/2008/04/06/windows-file-permissions-for-the-coldfusion-account/

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.
Re: Running CF as a specific user
Hi Dave,

On Fri, Jan 29, 2010 at 12:17 PM, Dave Watts dwa...@figleaf.com wrote:

> If you were (or presumably are) storing Client variables in the Registry, CF needs to be able to write to a subkey within there. My answer to that is, don't store Client variables in the Registry - it's just a bad idea.

Wouldn't think of it.

Thanks again for your always-generous help. And thanks for the link to Jochem's blog entry.

--
Thanks,
Tom

Tom McNeer
MediumCool
http://www.mediumcool.com
1735 Johnson Road NE
Atlanta, GA 30306
404.589.0560
Running CF as a specific user
Does anyone have the number of the technote that describes the process? I need the one for MX, I remember there being one specific to MX. I've already seen the article that applies to 4 and 5 - http://www.macromedia.com/support/coldfusion/ts/documents/tn17279.htm

Thanks!
Re: Running CF as a specific user
You are on Windows, I assume? What version?

It is pretty much the same as the technote you supplied. The screens are slightly different depending on the OS, but the idea is the same. Just specify a domain login for the ColdFusionMX service.

Sorry, I do not know of a technote that explains it further.

HTH,
Josh
---
Exciteworks -- expert hosting for less!
http://exciteworks.com
specializing in reseller accounts
Re: Running CF as a specific user
Thanks, Josh. Sorry, yes, we are on Win2K/CF MX 6.1.
Re: Running CF as a specific user
stas said:

> Sorry, yes, we are on Win2K/CF MX 6.1.

If you are not using the CF MX ODBC Services, just follow the manual for CF 5 (you can even skip the registry part). I never worked with ODBC and MX, so I can't tell you about them.

Jochem
RE: Running CF as a specific user
just create a local account called cfuser or something. Add to a group, I have mine in the Users group, this may differ based on your security requirements. Now go to the services MMC thingy, double click the CFMX service to get the properties dialog. This may differ depending on if you are running CFMX stand alone or CFMX for J2EE. Click the logon tab, choose 'this account', and choose the cfuser. Put in the password, mash ok and restart the service. bamm.

Doug
Running CF as a specific user
We are on 4.5, and I followed instructions in this KB article: http://www.macromedia.com/v1/Handlers/index.cfm?ID=11859Method=Full

However, I am getting a CF error in my app with CF saying that even though it can see the custom tags in the custom tags directory it cannot read them. If I switch CF back to running under a local system account, all's fine.

Thanks for any tips.

Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm
RE: Running CF as a specific user
Did you check the permissions for one of the tag files in question? Make sure "Allow inheritable permissions from parent to propagate to this object" is checked.

WG
RE: Running CF as a specific user
Does your cf user have admin rights?
Re: Running CF as a specific user
Hmm. I did check it, however the propagation didn't seem to propagate to all the files in \Custom Tags.
RE: Running CF as a specific user
So you sorted ??? I remember seeing a document somewhere? on how to add very fine grained security. Instead of adding the user as admin etc... cf5 ..

WG
RE: Running CF as a specific user
> Does your cf user have admin rights?

The user account used by CF doesn't need administrative rights, and shouldn't have them if at all possible. One of the primary objectives of using a specific user account for CF is to deny it those administrative rights.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
RE: Running CF as a specific user
> We are on 4.5, and I followed instructions in this KB article: http://www.macromedia.com/v1/Handlers/index.cfm?ID=11859Method=Full
>
> However, I am getting a CF error in my app with CF saying that even though it can see the custom tags in the custom tags directory it cannot read them. If I switch CF back to running under a local system account, all's fine.
>
> Thanks for any tips.

You might want to check out this article, which is much more useful, I think:

http://www.defusion.com/articles/index.cfm?ArticleID=89

In general, you want to ensure that the user account has the necessary rights for the files in question. In this specific case, you can find one of the custom tag files, right-click on it, and look at the ACLs. The CF account will need read rights on the file.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
Re: Running CF as a specific user
Dave,

Going through the article to which you posted a link, I was confused by the naming convention the original author was using for kinds of rights. Am I correct in interpreting these as:

(R)read (C)hange (Write) E(X)ecute

What does Add translate to?

Thank you
Re: Running CF as a specific user
[EMAIL PROTECTED] wrote:

> (R)read (C)hange (Write) E(X)ecute
> What does Add translate to?

Write on directories and nothing on files. Don't forget to set the Creator/Owner to at least Change in that case.

Jochem
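The checks these threads keep returning to, collected into one read-only PowerShell audit. This is an added example, not something posted by any list participant: it reports the service's logon account, local Administrators membership, Full Control entries on the OS directories, and custom tag files that do not inherit their folder's permissions. The service name and the directory paths are placeholder assumptions; cfuser is the account name from Doug's post; Windows PowerShell 5.1 or later is assumed.

```powershell
# Added example, not from the thread. Read-only audit: it changes nothing.
# ASSUMPTIONS (placeholders, adjust to the server): service name and paths.
$ServiceName = 'ColdFusion Application Server'   # placeholder service name
$Account     = "$env:COMPUTERNAME\cfuser"        # local account named in the thread
$TagDir      = 'C:\ColdFusion\CustomTags'        # placeholder custom tags directory
$OsDirs      = @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32'))

$findings = [System.Collections.Generic.List[string]]::new()

# 1. The service should log on as the dedicated account, not LocalSystem.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    $findings.Add("Service '$ServiceName' not found; check the placeholder name")
} elseif ($svc.StartName -eq 'LocalSystem') {
    $findings.Add("'$ServiceName' still logs on as LocalSystem")
} else {
    Write-Output "'$ServiceName' logs on as $($svc.StartName)"
}

# 2. The account must not be a local administrator
#    (S-1-5-32-544 is the well-known SID of BUILTIN\Administrators).
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
if ($admins.Name -contains $Account) {
    $findings.Add("$Account is a member of the local Administrators group")
}

# 3. No explicit Allow / Full Control entry for the account on the OS directories.
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
foreach ($dir in $OsDirs) {
    $hit = (Get-Acl -LiteralPath $dir).Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $full) -eq $full
    }
    if ($hit) { $findings.Add("$Account has Full Control on $dir") }
}

# 4. Files that do not inherit the parent folder's ACL, the setting webguy's
#    post says to check when a grant on the folder does not reach a tag file.
if (Test-Path -LiteralPath $TagDir) {
    foreach ($file in Get-ChildItem -LiteralPath $TagDir -Recurse -File) {
        if ((Get-Acl -LiteralPath $file.FullName).AreAccessRulesProtected) {
            $findings.Add("Inheritance is blocked on $($file.FullName)")
        }
    }
}

if ($findings.Count) { $findings } else { Write-Output 'No findings.' }
```

Check 3 only sees entries granted to the account by name; rights it receives through group membership (for example the Users group) are not listed.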