Using sandbox security

Sandbox security (called Resource security in the Standard Edition) uses the location of your ColdFusion pages to control access to ColdFusion resources. A sandbox is a designated directory of your site to which you apply security restrictions. Sandbox security lets you specify which tags, functions, and resources (for example, files, directories, and data sources) can be used by ColdFusion pages located in and under the designated directory.

To use sandbox security in the multiserver and J2EE editions, the application server must be running a security manager (java.lang.SecurityManager) and you define the following JVM arguments (for JRun, this is the java.args line in the jrun_root/jvm.config file):

-Djava.security.manager "-Djava.security.policy=cf_root/WEB-INF/cfusion/lib/coldfusion.policy" "-Djava.security.auth.policy=cf_root/WEB-INF/cfusion/lib/neo_jaas.policy" 
Note: Sandbox security is not enabled by default. You enable it on the Security > Sandbox Security page before ColdFusion enforces the settings.

Using multiple sandboxes (Enterprise Edition only)

By default, a subdirectory of a sandbox inherits the settings of the directory one level above it. However, if you define a sandbox for a subdirectory, the subdirectory no longer inherits settings from the parent, completely overriding the parent directory’s sandbox settings. For example, consider the following directories:

C:\Inetpub\wwwroot 
C:\Inetpub\wwwroot\sales 
C:\Inetpub\wwwroot\rnd 
C:\Inetpub\wwwroot\rnd\dev 
C:\Inetpub\wwwroot\rnd\'a

If you define a sandbox for the wwwroot directory, the settings also apply to the sales and rnd directories. If you also define a sandbox for the rnd directory, the rnd sandbox settings also apply to the dev and qa directories. The wwwroot and sales directories maintain their original settings, and the rnd settings override the wwwroot directory settings for the rnd directory and subdirectories.

This hierarchical arrangement of security permits the configuration of personalized sandboxes for users with different security levels. For example, if you are a web hosting administrator who hosts several clients on a ColdFusion shared server, you can configure a sandbox for each customer. This prevents one customer from accessing the data sources or files of another customer.

Resources that you can restrict

You can restrict the following resources:

Data Sources
Restrict the use of ColdFusion data sources.

CF Tags
Restrict the use of ColdFusion tags that manipulate resources on the server (or on an external server), such as files, the registry, Lightweight Directory Access Protocol (LDAP), mail, and the log.

CF Functions
Restrict the use of ColdFusion functions that access the file system.

Files/Dirs
Enable tags and functions in the sandbox to access files and directories outside the sandbox.
Note: To use the Administrator API when sandbox security is enabled, allow access to the cf_web_root/CFIDE/adminapi directory.

Server/Ports
Specify the servers, ports, and port ranges that the ColdFusion tags that call third-party resources can use.

For more information, see the Administrator online Help.

Note: When you run ColdFusion in the J2EE configuration on IBM WebSphere, the Files/Dirs and Server/Ports tabs are not enabled.

About directories and permissions

When you enable access to files outside the sandbox, you specify the filename. When you enable access to directories outside the sandbox, you specify directoryname\indicator, where indicator is a dash or asterisk, as follows:

  • A backslash followed by a dash (\-) lets tags and functions access all files in the specified directory, and recursively allows access to all files in subdirectories.

  • A backslash followed by an asterisk (\*) lets tags and functions access all files in the specified directory and also lets tags and functions access a list of subdirectories. However, this option denies access to files in any subdirectories.

You can also specify the actions that ColdFusion tags and functions can perform on files and directories outside the sandbox. The following table shows the relationship between the permissions of a file and a directory:

Permission

Effect on files

Effect on directories

Read

View the file

List all files in the directory

Write

Write to the file

Not applicable

Execute

Execute the file

Not applicable

Delete

Delete the file

Delete the directory

Add a sandbox (Enterprise Edition only)

ColdFusion Enterprise Edition lets you define multiple security sandboxes.

  1. Open the Security > Sandbox Security page in the ColdFusion Administrator.

    The Sandbox Security Permissions page appears.

  2. In the Add Security Sandbox box, enter the name of the new sandbox. This name must be either a ColdFusion mapping (defined in the Administrator) or an absolute path.

  3. Select New Sandbox from the drop-down list to create a sandbox based on the default sandbox, or select an existing sandbox to copy its settings to your new sandbox.

  4. Click Add.

    The new sandbox appears in the list of Defined Directory Permissions.

Configure a sandbox

Before you begin security sandbox configuration, analyze your application and its usage to determine the tags, functions, and resources that it requires. You can then configure the sandbox to enable access to the required resources and disable use of the appropriate tags and functions. For example, if the applications in the sandbox do not use the cfregistry tag, you can safely disable it.

Note: In the Standard Edition, the Root Security Context is the only sandbox without any initial list of defined directory permissions.
  1. Open the Security > Sandbox Security page (Security > Resource Security page in the Standard Edition) in the ColdFusion Administrator.

  2. (Enterprise Edition only) In the list of Defined Directory Permissions, click the name or Edit icon for the directory.

    A page with several tabs appears. This is the initial page in the Standard Edition. The remaining steps describe the use of each tab.

  3. To disable a data source, in the left column of the Datasources tab, highlight the data source, and click the right arrow.

    By default, ColdFusion pages in this sandbox can access all data sources.

    Note: If <<ALL DATASOURCES>> is in the Enabled Datasources column, any data source that you add is enabled. If you move <<ALL DATASOURCES>> to the Disabled Datasources column, any new data source is disabled.
  4. Click the CFTags tab.

  5. To disable tags, in the left column of the CFTags tab, highlight the tags, and click the right arrow.

    By default, ColdFusion pages in this sandbox can access all listed tags.

  6. Click the CFFunctions tab.

  7. To disable functions, in the left column of the CFFunctions tab, highlight the functions, and click the right arrow.

    By default, ColdFusion pages in this sandbox can access all listed functions.

  8. Click the Files/Dirs tab.

  9. To enable files or directories, in the File Path box, enter or browse to the files or directories; for example, C:\pix. A file path that consists of the special token <<ALL FILES>> matches any file. For information on using the backslash-hyphen (\-) and backslash-asterisk (\*) wildcard characters, see About directories and permissions.

  10. Select the permissions.

    For example, select the Read check box to let ColdFusion pages in the mytestapps sandbox read files in the C:\pix directory.

  11. Click Add Files/Paths. When you edit an existing sandbox, this button reads Edit Files/Paths.

    The file path and its permissions appear in the Secured Files and Directories list.

  12. In the Secured Files and Directories list, verify that the file path is correct.

    The character after the backslash is important. For information, see About directories and permissions.

    Note: The Files/Dirs tab works together with the file-based permissions of the operating system. To restrict a user from browsing another user’s directory, use file-based permissions.
  13. Click the Server/Ports tab.

  14. To turn off default behavior (global access to all servers and ports), enter the IP addresses and port numbers that pages in this sandbox can connect to by using tags that access external resources (for example, cfmail, cfpop, cfldap, cfhttp, and so on). You can specify an IP address, a server name (such as www.someservername.com), or a domain name (such as someservername.com). You can optionally specify a port restriction.

    Note: This behavior differs from other tabs, such as CFTags, where you select items to disable. If you set any values in this tab, external-resource tags executed in this sandbox can access only the specified servers and ports.

    For example, to allow this sandbox access to 207.88.220.3 on ports 80 and lower, perform the following steps:

    1. In the IP Address field, enter 207.88.220.3.

    2. In the Port field, enter 80, and click This Port and Lower.

    Note: To deny access by these ColdFusion tags to an entire site, enable access for a local resource, such as your local mail server, FTP server, and so on.
  15. Click Finish to save changes to the sandbox.

Sandbox Considerations

Using OpenOffice within Sandbox

Grant permissions in sandbox for the following filepaths:
  • D:\ColdFusion9\runtime\servers\lib Read

  • D:\ColdFusion9\runtime\servers\lib\- Read

  • D:\ColdFusion9\runtime\lib\- Read

  • D:\ColdFusion9\runtime\lib Read

  • C:\Program Files\OpenOffice.org 3\ Read, Execute

  • C:\Program Files\OpenOffice.org 3\- Read

, Execute

Using Caching within Sandbox

For disk-based caching to work inside a sandbox, the sandbox must provide read/write permission to the disk cache directory. This can be the default directory (java.io.tmpdir) or a user-configured directory as identified by the diskStore property.

The diskStore property in cf_root\lib\ehcache.xml is used to specify the directory for disk cache (<diskStore path="java.io.tmpdir"/>).Use the following code to identify the temp directory:
<cfscript> 
writeoutput("Temp Dir : " & createobject("java","java.lang.System").getProperty("java.io.tmpdir") ); 
</cfscript>
Also, read permission must be granted to cf_root\lib\ehcache.xml for certain functions that read from/write to ehCache.xml to work. For example, cacheGetProperties and cacheSetProperties.

Using Service CFCs within Sandbox

Grant the following permissions:

  • execute permission to cf_root\CustomTags\com\adobe\coldfusion

  • read permission to cf_root\WEB-INF\cftags\META_INF\taglib.tld