To demonstrate sandbox security, we'll create a directory in the Web root called Blackbox and a corresponding sandbox. First, let's create the directory using Windows Explorer:

1. For Unix systems, open a console. For Windows, open Windows Explorer: click Start, Run, type Explorer, and click OK.

2. Navigate to your Web root directory. For Unix: /opt/coldfusionmx7/wwwroot/ows. For Windows: C:\CFusionMX7\wwwroot\ows (or wherever your Web root exists).

3. Create a new directory/folder called Blackbox. Figure 9.5 shows the new folder in Windows.

Figure 9.5. Create a directory named Blackbox in your Web root.
TIP: ColdFusion must be able to access the Blackbox directory. If you add this directory outside of your default Web root, you may need to add a ColdFusion mapping using the ColdFusion Administrator Mappings page. Because this example uses ColdFusion's stand-alone Web server, you may also need to add a virtual mapping in your cf_root\wwwroot\WEB-INF\jrun-web.xml file. Remember, this is Java, so all settings are case-sensitive!

Enabling Sandbox Security

Now that we have a directory on the Web server to hold the application code that we want to secure, we need to enable sandbox security. Remember, ColdFusion does not enable sandbox (or resource) security after installation. This gives developers full rein over all resources on the server. Follow these steps to enable sandbox security:

1. Open ColdFusion Administrator.

CAUTION: To enable sandbox security in the Multiserver and J2EE configurations, the underlying application server deploying ColdFusion must have a security manager (java.lang.SecurityManager) running with the following JVM arguments specified:

-Djava.security.manager
-Djava.security.policy="cf_root/WEB-INF/cfusion/lib/coldfusion.policy"
-Djava.security.auth.policy="cf_root/WEB-INF/cfusion/lib/neo_jaas.policy"

2. Expand the Security section in the left navigation pane (if it's not already expanded).

3. Click the Sandbox Security link.

4. Check the box next to Enable ColdFusion Security in the window on the right. Click Submit. The page should refresh and display the success message shown in Figure 9.6.

Figure 9.6. You must manually enable sandbox security using the Sandbox Security page.
5. Restart ColdFusion.

TIP: If the link in the Security section of the Administrator navigation pane says "Resource Security," you have the ColdFusion Standard edition and will not be able to configure additional sandboxes.

Notice that after you enable sandbox security, ColdFusion automatically creates the two sandboxes shown in Figure 9.6. You can edit these two internal, system-level sandboxes, but you cannot delete them.

NOTE: If you have the Standard edition, the root security context is your sandbox (see Figure 9.3). This enables you to apply server-level security.

Adding a Sandbox

Follow these steps to add a sandbox:

1. On the Sandbox Security page, enter the name of your sandbox in the Add New Security Sandbox field. Remember, sandboxes are directories, so either browse to or enter the absolute path to the Blackbox directory, as shown in Figure 9.7. In the selection box, choose New Sandbox.

Figure 9.7. Enter the absolute path to your new sandbox.

TIP: If you already have a sandbox set up, you can copy its settings to your new sandbox by selecting the existing one in the selection box.

2. Click Add. Your sandbox is added to the Defined Directory Permissions list, as shown in Figure 9.8.

Figure 9.8. Click Add to include your new sandbox in the list of Defined Directory Permissions.
Configuring Your Sandbox

Remember that you must manually enable sandbox security. You must also manually create resource permissions for your new sandboxes. If you chose to apply an existing sandbox's configuration to your new sandbox, some of those settings will already be set for you. Follow these steps to configure your new sandbox:

1. Access the Sandbox Security page in the ColdFusion Administrator.

2. In the list of Defined Directory Permissions, click the name of your sandbox or click the Edit icon next to it. This opens the Security Permissions screen, shown in Figure 9.9.

Figure 9.9. Use the Security Permissions page to add resource permissions for your sandbox.
3. The Security Permissions page opens to the Data Sources tab. All pages in your sandbox have full access to all configured data sources on your server. To disable a data source, select it in the Enabled Data Sources list on the left, and click the right arrow to move it to the Disabled Data Source window on the right.

NOTE: The <<all datasources>> option means every existing data source, whether enabled or disabled, and all future data sources.

4. Select the CF Tags tab. All pages in your sandbox have full access to all ColdFusion tags. To disable tags, highlight the tags in the Enabled Tags list on the left, and click the right arrow. For our Blackbox sandbox example, we want to disable the <cfdirectory> tag, as shown in Figure 9.10.

Figure 9.10. Disable access to the <cfdirectory> tag.
5. Select the CF Functions tab, as shown in Figure 9.11. All pages in your sandbox have full access to every ColdFusion function. To disable functions, highlight the functions in the Enabled Functions list on the left, and click the right arrow.

Figure 9.11. Disable access to functions on the CF Functions tab.
6. Select the Files/Dirs tab. Use this tab to grant permissions to files and directories, instead of disabling permissions as on the other tabs. Figure 9.12 shows that two directories are secured by default. Verify that these paths are correct.

Figure 9.12. The Files/Dirs tab grants permissions for files and directories within the sandbox.

To secure a new file or directory, enter the absolute path in the File Path box, or click the Browse Server button to navigate to it. To edit an existing file or directory, click the pathname or the Edit button next to it in the Secured Files and Directories list. Figure 9.13 shows the Browse Server screen.

Figure 9.13. Add Read and Execute permissions for the directory.cfm template in our sandbox.

NOTE: Notice the character after the trailing backslash (or slash, for Unix) in the pathname. If there is no character, the access permissions apply to the current pathname only. An asterisk (*) grants access permissions on all files in the current directory and a list of its subdirectories, but not the files in those subdirectories. A dash (-) grants recursive access permissions on all files in the current directory and any subdirectories. The special token <<all files>> added to the pathname matches any file in that path.

In the File Path box, choose the permissions you want to grant for the pathname. For example, Figure 9.13 shows how to configure Read and Execute permissions for the directory.cfm template.

TIP: You must explicitly grant file/directory permissions for any area of the server you want ColdFusion tags and functions to access, including those outside of your sandbox. For example, if you want to enable access to D:\, you must enter D:\ in the File Path box, select the appropriate permissions, and click Add Files/Paths.

Click Add Files/Paths to add the new pathname to the Secured Files and Directories list, as shown in Figure 9.14. If you are modifying permissions for an existing secured pathname, the button will read Edit Files/Paths.

Figure 9.14. Add the pathname to the Secured Files and Directories list.

TIP: Be careful not to press Finish before you apply your permissions for the pathname. If you do, you'll be returned to the Sandbox Security Permissions page and your settings won't be saved.

NOTE: ColdFusion throws the error shown in Figure 9.15 if you try to add a pathname without configuring any permissions.

Figure 9.15. You must enter a valid pathname and select some level of permissions, or you'll get an error.
7. Select the Servers/Port tab. Here you can restrict the IP addresses and ports used by the ColdFusion protocol tags <cfftp>, <cfhttp>, <cfldap>, <cfmail>, and <cfpop>. By default, all server IPs and ports are open to these tags, as shown in Figure 9.16.

Figure 9.16. All IP addresses and ports are open by default.

TIP: Server IP address and port restrictions are useful for shared hosting environments where multiple virtual servers are configured on different ports for a single IP. See Chapter 10, "Security in Shared Hosted Environments," for details.

8. Enter the IP address, server name (www.example.com), or domain (example.com) you wish to restrict. Additionally, choose an optional port or range of ports to block access.

9. Click Add IP Address to add the entry to the Enabled IP/Ports list.

NOTE: IP address and port restrictions do not inhibit a user's ability to browse sites. Rather, they prohibit ColdFusion templates within a sandbox from accessing servers and/or ports that are not listed.

10. Click Finish to apply all the settings you have configured on each tab and return to the Sandbox Security Permissions screen.

NOTE: You should disable JSP integration for your ColdFusion sandboxes. ColdFusion restricts resource access for all CFM, CFML, CFC, and CFR requests it receives for templates in its sandbox. JSP requests can bypass this security and access the resources blocked by the sandbox. Remove any .jsp mappings from your Web server/ColdFusion configuration.

The Blackbox Sandbox Example

Now that you have configured the C:\Inetpub\wwwroot\Blackbox sandbox, let's put it into action. If you remember, we restricted access to the <cfdirectory> tag for all templates in the C:\Inetpub\wwwroot\Blackbox directory and its subdirectories. The code in Listing 9.1 attempts to use <cfdirectory> to list the files in the current directory.

Listing 9.1. DIRECTORY.CFM: List the Files in the Current Directory Path

```cfml
<cfsetting enablecfoutputonly="yes">
<!---####
File name: directory.cfm
Description: Demonstrates ColdFusion sandbox and tag restrictions using <cfdirectory>.
Assumptions: Creation of a Sandbox that restricts <cfdirectory>. Run this file from the sandbox.
Author name and e-mail: Sarge (ssargent@macromedia.com)
Date Created: July 17, 2002
Change Log:
####--->
<cfsetting enablecfoutputonly="no">
<html>
<head>
<title>Blackbox Sandbox Security</title>
</head>
<body>
<!---#### Create a variable to hold the current directory path ####--->
<cfset VARIABLES.CurrentDir = GetDirectoryFromPath(CGI.CF_Template_Path)>
<!---#### Pass the CurrentDir variable to the cfdirectory tag with action="list" ####--->
<cfdirectory action="list" directory="#VARIABLES.CurrentDir#" name="blacklist">
<h2>Listing of <cfoutput>#VARIABLES.CurrentDir#</cfoutput></h2>
<!---#### <cfdirectory> returns a query object. Use <cftable> to display the query result set. ####--->
<cftable query="blacklist" colheaders htmltable border>
<cfcol text="#name#" header="File Name" align="left">
<cfcol text="#size#" header="File Size" align="center">
<cfcol text="#type#" header="File Type" align="center">
<cfcol text="#datelastmodified#" header="Date Last Modified">
</cftable>
</body>
</html>
```

Figure 9.17 shows the error that results when the code in Listing 9.1 runs within the sandbox. Try creating a subdirectory in C:\Inetpub\wwwroot\Blackbox, and run the directory.cfm template from it. You should see the same error, because the default directory mapping in the sandbox (C:\Inetpub\wwwroot\Blackbox\-) is recursive.

Figure 9.17. Sandbox security denies access to <cfdirectory>.

Return to the sandbox definition and enable access to the <cfdirectory> tag. Now the directory listing displays correctly, as shown in Figure 9.18.

Figure 9.18. Sandbox security allows access to <cfdirectory>.
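The pathname suffix rules from the Files/Dirs tab (no suffix, asterisk, dash) are what make the recursive Blackbox\- mapping cover the subdirectory in the experiment above. The following Python model of those rules is an added example, not ColdFusion's own code; the grant table and requested paths are constructed for illustration, and the <<all files>> token is not modelled.

```python
# Added example: a model of how Secured Files and Directories entries are
# matched against a requested path, following the Files/Dirs suffix rules.
# Illustrative code only, not ColdFusion's implementation.
from typing import Dict, Set

# secured pathname -> set of granted actions ("read", "write", "execute", "delete")
Grants = Dict[str, Set[str]]


def _norm(path: str) -> str:
    """Fold separators and case so Windows and Unix pathnames compare alike."""
    return path.replace("\\", "/").rstrip("/").lower()


def entry_matches(entry: str, target: str) -> bool:
    """Does one Secured Files and Directories entry cover the requested target?"""
    entry, target = _norm(entry), _norm(target)
    if entry.endswith("/-"):
        # dash: everything below the directory, recursively
        base = entry[:-2]
        return target.startswith(base + "/")
    if entry.endswith("/*"):
        # asterisk: files directly in the directory plus the names of its
        # subdirectories, but nothing inside those subdirectories
        base = entry[:-2]
        return target.startswith(base + "/") and "/" not in target[len(base) + 1:]
    # no suffix: exactly this file or directory
    return entry == target


def check(grants: Grants, target: str, action: str) -> bool:
    """True if any entry covers target and grants the requested action."""
    return any(action in actions and entry_matches(entry, target)
               for entry, actions in grants.items())


# Constructed grants for the Blackbox sandbox (illustrative values only).
BLACKBOX_GRANTS: Grants = {
    r"C:\Inetpub\wwwroot\Blackbox\-": {"read", "execute"},              # recursive mapping
    r"C:\Inetpub\wwwroot\Blackbox\directory.cfm": {"read", "execute"},  # Figure 9.13
    r"D:\data\*": {"read"},                                             # one level only
}

if __name__ == "__main__":
    for target, action in [
        (r"C:\Inetpub\wwwroot\Blackbox\sub\list.cfm", "read"),  # '-' entry: allowed
        (r"D:\data\report.txt", "read"),                         # '*' entry: allowed
        (r"D:\data\archive\old.txt", "read"),                    # '*' not recursive: denied
        (r"C:\Inetpub\wwwroot\Blackbox\list.cfm", "write"),     # action never granted
    ]:
        verdict = "allowed" if check(BLACKBOX_GRANTS, target, action) else "DENIED"
        print(f"{action:7} {target}: {verdict}")
```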