Ok, final post for today. This one is also a follow-up to a demonstration by the instructor in my DB Design class, intended to stress the importance of users setting the Read permission for Other on the common Linux server used by the class. Reposting here for the benefit of those not on the internal class forum.


In last night's class Maria demonstrated the importance of having the read bit turned on for Other on your ColdFusion cfm files.

Initially she removed the read bit for Other and then refreshed the browser, expecting to demonstrate the error she wants to protect you from. Instead the page worked as normal. So what happened?

As mentioned in my earlier post, ColdFusion reads a cfm source file, validates the syntax, compiles it directly to Java bytecode, stores the bytecode in memory, and then executes that bytecode. Normally, when the next request for the same cfm file arrives, ColdFusion checks the file's last-modified timestamp to determine whether it has changed; if not, ColdFusion simply executes the bytecode it already holds in memory without re-reading or recompiling the source. There is a setting known as Trusted Cache, intended for production environments where the CFML source will not change; when it is enabled ColdFusion stops checking the timestamp altogether and just serves the bytecode from memory.

So Maria ran chmod o-r file.cfm to remove the read bit for Other, but changing a file's attributes, such as its permissions, does not touch its contents, so the file's modification timestamp (mtime) did not change. Linux records a permission change in a separate timestamp, the inode change time (ctime), not in the modification time that ColdFusion compares. ColdFusion therefore continued to serve the page, since as far as it could tell the content of the cfm file had not changed.

In order for ColdFusion to notice the change in permission, Maria had to open the file for editing, make an insignificant change, and resave it. Once resaved the file had a new timestamp, and on the next request ColdFusion observed the change and attempted to re-read the source file. The operating system (Linux) denied the read, because the ColdFusion process was running neither as the file's owner nor as a member of the file's group. When ColdFusion is denied permission to read a file in this way, it returns an HTTP 404 status code with the associated error message File Not Found.

When installed on Unix or Linux, the ColdFusion server runs as a process (one whose many threads show up in the process list when the ps command is used), and that process runs under a designated user account. Most often this is a non-privileged account such as 'nobody', for increased security. The cfm file in question had a User (owner) of Maria and a Group of Teacher; since the ColdFusion user nobody is not Maria and is not a member of the Teacher group, it falls into the last category, 'Other'. For ColdFusion to read the CFML source file, the nobody user therefore needs the read permission for 'Other' to be set on the file.
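To make the sequence above concrete, here is an added Python model of ColdFusion's timestamp-keyed template cache; it is written for this post and is not ColdFusion's own code. It assumes a hash can stand in for compiled bytecode, and because the script owns the temp file it creates, the denied read (the 'nobody' user hitting a file without o+r) is simulated with a stand-in reader that raises PermissionError.

```python
import hashlib
import os
import stat
import tempfile
from collections import namedtuple
from pathlib import Path

Response = namedtuple("Response", "status body via")  # via: "cache" or "compile"

class TemplateCache:
    """Toy model of ColdFusion's compiled-template cache (not CF's own code)."""

    def __init__(self, trusted_cache=False):
        self.trusted_cache = trusted_cache   # True: never re-check the timestamp
        self._entries = {}                   # path -> (mtime_ns, "bytecode")

    def serve(self, path, reader=None):
        """Re-read and 'compile' the source only when its mtime has changed."""
        mtime = os.stat(path).st_mtime_ns     # stat() needs no read permission
        cached = self._entries.get(path)
        if cached and (self.trusted_cache or cached[0] == mtime):
            return Response(200, cached[1], "cache")
        try:
            source = reader(path) if reader else Path(path).read_text()
        except PermissionError:
            # ColdFusion reports a denied source read as HTTP 404 File Not Found
            return Response(404, "File Not Found", "compile")
        bytecode = hashlib.sha256(source.encode()).hexdigest()[:12]  # stand-in
        self._entries[path] = (mtime, bytecode)
        return Response(200, bytecode, "compile")

def denied_reader(path):  # stands in for the kernel refusing the unprivileged CF user
    raise PermissionError(13, "Permission denied", path)

def demo(trusted_cache=False):
    """Replay the classroom sequence on a constructed temp file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "file.cfm")
        Path(path).write_text("<cfoutput>hello</cfoutput>")  # constructed template
        cache = TemplateCache(trusted_cache)
        first = cache.serve(path)                              # compile and cache
        before = os.stat(path)
        os.chmod(path, stat.S_IMODE(before.st_mode) & ~stat.S_IROTH)  # chmod o-r
        after = os.stat(path)                                  # ctime moves, mtime not
        after_chmod = cache.serve(path, denied_reader)         # still served from memory
        Path(path).write_text("<cfoutput>hello</cfoutput> ")  # the "insignificant change"
        os.utime(path, ns=(after.st_atime_ns, after.st_mtime_ns + 10**9))  # new mtime
        after_edit = cache.serve(path, denied_reader)          # re-read attempted, denied
        return {"mtime_same_after_chmod": before.st_mtime_ns == after.st_mtime_ns,
                "first": first, "after_chmod": after_chmod, "after_edit": after_edit}
```

Running demo() shows the chmod leaving mtime untouched and the page still served from memory, then the 404 once the edit forces a re-read; demo(trusted_cache=True) shows that with Trusted Cache on, even the edit is never noticed.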