Railo on Win2008/Tomcat/IIS - Problems with CFEXECUTE when running service as unprivileged user


andreas

Feb 15, 2012, 3:30:15 PM2/15/12
to Railo
Hi to all,

I am new to Railo and also to Tomcat. I've read a lot about
securing Tomcat, and I know that for security it's better to run the
Tomcat service as an unprivileged user. Now I am facing problems
running a VBS script through cfobject with the Wscript.Shell class
that should start or stop a service via WMI, using the following code:

<!--- Create a COM object wrapping the Windows Script Host shell --->
<cfobject action="Create" name="objShell2" type="com" class="Wscript.Shell">
<!--- Launch wscript.exe with the VBS file that stops the service --->
<cfset temp = objShell2.Exec("wscript d:\path\stopservice.vbs")>

When I run Tomcat as "system" everything works perfectly fine, and the
script is executed. But when I run Tomcat as an unprivileged user, the
script simply won't work. It seems that Tomcat needs admin rights for
wscript. I've tried nearly everything to make wscript and the VBS
script run as admin for Tomcat, but that might be a potential risk
as well.

My question is: What is the best practice here for running Tomcat with
Railo? Should I stick with running Tomcat as an unprivileged user
and find a workaround, or should I switch back to running it under the
Local System account, so I can use the sensitive cfexecute, cfobject
and other tags?

I'm starting to think that the best way to run the Railo application
is to run Tomcat as Local System and use the built-in Security
Manager. Otherwise I will run into conflicts when using important CF
tags needed to start the relevant VBS and BAT scripts.

Can someone point out which might be the best way to go on with
enhanced security? What should I do? Run as System, or let Tomcat
run as an unprivileged user and manually change all file permissions
in the Tomcat/Java folders whenever changes are needed?

Thanks a lot in advance for any help!
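The two options weighed in the post above (Tomcat as Local System, or Tomcat unprivileged and the script "run as admin") are not the only ones. Stopping a Windows service requires SERVICE_STOP on that service's own security descriptor, which by default is granted only to Administrators and SYSTEM; that, rather than wscript.exe itself, is what an unprivileged service account is missing. The least-privilege alternative is to grant the Tomcat service account start/stop rights on the one target service and nothing else. The PowerShell below is an added example written for this page, not code from the thread or from Railo or Tomcat. It assumes a local service account named `tomcat_svc` and a target service named `SomeService`; both names are placeholders. It reads the service's SDDL with `sc.exe sdshow`, inserts one access-allowed ACE, and (only with `-Apply`) writes it back with `sc.exe sdset`.

```powershell
# Added example (not from the thread): grant ONE account start/stop rights on
# ONE service, so Tomcat does not have to run as LocalSystem.
# Assumptions (placeholders): Tomcat runs as local account 'tomcat_svc';
# the service that stopservice.vbs controls is named 'SomeService'.

function Get-AccountSid {
    param([Parameter(Mandatory=$true)][string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Add-ServiceControlAce {
    <#
      Returns a new SDDL string with an access-allowed ACE for $Sid inserted
      into the DACL. Standard SDDL service rights used here:
        CC QUERY_CONFIG, LC QUERY_STATUS, SW ENUMERATE_DEPENDENTS,
        RP START, WP STOP, DT PAUSE_CONTINUE, LO INTERROGATE,
        CR USER_DEFINED_CONTROL, RC READ_CONTROL.
      Deliberately NOT granted: DC (CHANGE_CONFIG), SD (DELETE), WD/WO
      (WRITE_DAC/WRITE_OWNER). Those would let the account repoint the
      service binary or rewrite the ACL, i.e. escalate to SYSTEM.
    #>
    param(
        [Parameter(Mandatory=$true)][string]$Sddl,
        [Parameter(Mandatory=$true)][string]$Sid
    )
    $ace = "(A;;CCLCSWRPWPDTLOCRRC;;;$Sid)"
    if ($Sddl -like "*;;;$Sid)*") {
        Write-Verbose "An ACE for $Sid is already present; SDDL left unchanged."
        return $Sddl
    }
    # Insert directly after 'D:' plus any DACL flags (P, AI, AR), so an
    # S: (SACL) section, if present, stays exactly as it was.
    if ($Sddl -notmatch '^(D:[A-Z]*)') { throw "Unexpected SDDL: $Sddl" }
    $prefix = $Matches[1]
    return $prefix + $ace + $Sddl.Substring($prefix.Length)
}

function Grant-ServiceControl {
    param(
        [Parameter(Mandatory=$true)][string]$ServiceName,
        [Parameter(Mandatory=$true)][string]$Account,
        [switch]$Apply   # without -Apply this is a dry run
    )
    $sid = Get-AccountSid -Account $Account
    # 'sc.exe sdshow' prints the service's security descriptor as SDDL
    $current = (& sc.exe sdshow $ServiceName | Where-Object { $_ -match '^\s*D:' } | Select-Object -First 1)
    if (-not $current) { throw "Could not read SDDL for service '$ServiceName'" }
    $current = $current.Trim()
    $new = Add-ServiceControlAce -Sddl $current -Sid $sid
    Write-Host "Current: $current"
    Write-Host "New:     $new"
    if ($Apply) {
        & sc.exe sdset $ServiceName $new
        if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed with exit code $LASTEXITCODE" }
    }
}

# Run once from an elevated prompt. Dry run first, then apply:
Grant-ServiceControl -ServiceName 'SomeService' -Account 'tomcat_svc'
# Grant-ServiceControl -ServiceName 'SomeService' -Account 'tomcat_svc' -Apply
# Verify as the Tomcat account:  sc.exe stop SomeService  /  sc.exe start SomeService
```

Once the ACE is in place, the existing stopservice.vbs can keep using WMI: Win32_Service.StopService is executed under the caller's identity and still passes through the Service Control Manager's access check on the service DACL, so it succeeds for `tomcat_svc` without Tomcat running as SYSTEM (this assumes the default root\cimv2 namespace permissions, which allow authenticated users to execute methods). If wscript.exe still fails under the unprivileged account after this, check that the account has read/execute on the script path and on %SystemRoot%\System32\wscript.exe before reaching for broader rights; granting Tomcat, and therefore every CFML page it serves, full administrative control is a much larger blast radius than one service's stop right.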

Jordan Michaels

Feb 15, 2012, 5:07:10 PM2/15/12
to ra...@googlegroups.com
I am not aware of any security issues relating to running Tomcat under the system user. As with all things, be sure to stay up to date with the latest security releases, make sure your applications are secured, and you should be alright.

Regarding the Tomcat SecurityManager, I've been working with that a little recently in an effort to identify the ideal configuration for shared hosting environments. The goal is to make shared CFML hosting more approachable/supportable by hosting companies.

If you are familiar with SecurityManager and have implemented a policy that works with Railo, I'd be *very* interested in seeing your policy file. Please feel free to contact me offlist if that would help! Thank you!

-Jordan

andreas

Feb 15, 2012, 10:10:53 PM2/15/12
to Railo
Thanks Jordan for the quick reply. I would like to run Tomcat as an
unprivileged user to tighten security, just in case an unknown
vulnerability or some kind of zero-day exploit comes up. In that case
the system would be totally exposed until it gets patched. I would
like to avoid that scenario and minimize risks of any kind.

At the moment I'm just checking things and situations out and doing
some tests. I'm not very familiar with Tomcat at all, nor with the
Security Manager and Java, but I'm doing some reading about it and
have some good literature I am working through. There is also some
information about it on the web. My configuration won't be for a
shared hosting environment, but that is a model I would like to
approach in the future as well. I will get in touch with you as soon
as I have more information about this, okay?

Thanks, Claudio

Jordan Michaels

Feb 16, 2012, 1:25:50 PM2/16/12
to ra...@googlegroups.com
Thanks Claudio, I appreciate the offer to help! I don't mind doing my
own research though, so it's okay. I was just thinking that if you
already had something working, that it might save me some time. ;) If
not, that's fine too!

Warm Regards,
Jordan Michaels
