Workaround for several known issues regarding Sandbox Security and ColdFusion MX

I've recently encountered a variety of reports on the topic of ColdFusion MX 7.x Sandbox Security (SBS). Here I summarize and explain how to resolve each one:

1. Datasource names are case sensitive in SBS
2. File Uploads require SBS permission on a temp directory
3. CFDOCUMENT requires SBS permission to System Fonts
4. Multiserver Configuration requires manual edit to jvm.config

1) Datasource names are case sensitive in SBS

If the case of datasource names in CFML source code do not match the exact datasource name case in the ColdFusion Administrator, then a security error will be reported when using SBS. This has been logged as a bug, and an example of the error message is.

Security: The requested template has been denied access to oracle_psdb_upper.
The following is the internal exception message: access denied (coldfusion.sql.DataSourcePermission oracle_psdb_upper)

The error occurred in C:\CFusionMX7\wwwroot\sandbox1\sub1\sub2\query_dsncase.cfm: line 2

1 : <!--- dsn registered in CFAdmin as "ORACLE_PSDB_UPPER" --->
2 : <cfquery datasource="oracle_psdb_upper" name="test">
3 :    SELECT SYSDATE
4 :    FROM   DUAL

java.security.AccessControlException: access denied (coldfusion.sql.DataSourcePermission oracle_psdb_upper)
   at java.security.AccessControlContext.checkPermission(Unknown Source)
...

Change the code to use the same case as the datasource definition in the CFAdmin.

2) File Uploads require SBS permission on a temp directory

Forms that submit multipart/form-data file uploads to ColdFusion pages using CFFILE action="upload" will require read and write permission to an intermediate directory where ColdFusion initially stores the uploaded file before moving it to a final destination according to the CFFILE tag. On Server Configuration on Windows, for example, the sandbox must contain a read/write rule for C:\CFusionMX7\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\, and Multiserver Configuration must contain a rule for C:\JRun4\servers\cfusion\SERVER-INF\temp\cfusion-war-tmp\ for the initial server instance of cfusion.

A single rule added to the sandbox files/dir tab ending in an asterisk like one of these should suffice:

C:\JRun4\servers\cfusion\SERVER-INF\temp\cfusion-war-tmp\*
C:\CFusionMX7\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\*

Of course if the file upload is destined for a location outside the sandbox directory tree, then you will also need write or read\write rules for that target location as well.

The error that occurs when the intermediate temp directory is not accessible is:

Security: The requested template has been denied access to C:\JRun4\servers\cfusion\SERVER-INF\temp\cfusion-war-tmp\neotmp10130.tmp.
The following is the internal exception message: access denied (java.io.FilePermission C:\JRun4\servers\cfusion\SERVER-INF\temp\cfusion-war-tmp\neotmp10130.tmp read)

java.security.AccessControlException: access denied (java.io.FilePermission C:\JRun4\servers\cfusion\SERVER-INF\temp\cfusion-war-tmp\neotmp10130.tmp read) at cfupload2ecfm1069950295.runPage(C:\JRun4\servers\cfusion\cfusion-ear\cfusion-war\sandbox1\sub1\sub2\upload.cfm:16)

java.security.AccessControlException: access denied (java.io.FilePermission C:\JRun4\servers\cfusion\SERVER-INF\temp\cfusion-war-tmp\neotmp10130.tmp read)
   at java.security.AccessControlContext.checkPermission(Unknown Source)
...

3) CFDOCUMENT requires SBS permission to System Fonts

Starting in ColdFusion MX 7.0 there is a Fonts Management page in the ColdFusion Administrator for use with dynamically generated forms created with CFDOCUMENT. Those Fonts need to be accessible to code in a sandbox. A read rule for c:\windows\fonts\* should suffice, for example. The error might look like this:

access denied (java.io.FilePermission c:\windows\fonts\tahoma.ttf read)

ExceptionConverter: java.security.AccessControlException: access denied (java.io.FilePermission c:\windows\fonts\tahoma.ttf read)
   at java.security.AccessControlContext.checkPermission(Unknown Source)
...

4) Multiserver Configuration requires manual edit to jvm.config

Simply turning on SBS in CFMX 7.0x Multiserver Configuration and restarting the JRun server instance cfusion will cause ColdFusion server to fail to deploy, producing errors like those at the bottom of this post. Some required arguments for the Java Security Manager are not written to the jvm.config as they should be. The wording of the technote implies that SBS is not even enabled, but in fact the sandbox is enabled and ColdFusion server is denied permission to load its own jar files.

While there is a technote with a workaround, the article is not fully accurate regarding the use of quotes at this time and is being republished. The article shows the following:

For Multiserver configuration:

Stop ColdFusion.
Locate the jvm.config file in jrun_root/bin.
Back up the file.
Open the file in a text editor.
Add the following lines to the java.args section:
-Djava.security.manager
-Djava.security.policy="cf_webapp_root/WEB-INF/cfusion/lib/coldfusion.policy"
-Djava.security.auth.policy="cf_webapp_root/WEB-INF/cfusion/lib/neo_jaas.policy"

The quotes are incorrectly placed in that example and it should read as follows:

For Multiserver configuration:

Stop ColdFusion.
Locate the jvm.config file in jrun_root/bin.
Back up the file.
Open the file in a text editor.
Add the following lines to the java.args section:
-Djava.security.manager
"-Djava.security.policy=cf_webapp_root/WEB-INF/cfusion/lib/coldfusion.policy"
"-Djava.security.auth.policy=cf_webapp_root/WEB-INF/cfusion/lib/neo_jaas.policy"

Note that cf_webapp_root should be changed to the appropriate path for your OS and configuration, such as this final example from a jvm.config for a Multiserver config on Windows (no line wrap):

# Arguments to VM
java.args=-server -Xmx512m -Dsun.io.useCanonCaches=false -XX:MaxPermSize=128m -XX:+UseParallelGC -DJINTEGRA_NATIVE_MODE -DJINTEGRA_PREFETCH_ENUMS -Dcoldfusion.rootDir={application.home}/ -Djava.security.manager "-Djava.security.policy=C:/JRun4/servers/cfusion/cfusion-ear/cfusion-war/WEB-INF/cfusion/lib/coldfusion.policy" "-Djava.security.auth.policy=C:/JRun4/servers/cfusion/cfusion-ear/cfusion-war/WEB-INF/cfusion/lib/neo_jaas.policy"

If the incorrect placement of quotes is used, the JRun server will not even start, let alone deploy ColdFusion, and the error will be:

C:\JRun4\bin>jrun -start cfusion
Exception in thread "main" java.lang.ExceptionInInitializerError
Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission jrun.home read)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
at java.lang.System.getProperty(Unknown Source)
at jrunx.kernel.JRun.<clinit>(JRun.java:52)

If the 3 security manager arguments are missing entirely, the default (bug) in Multiserver, then when ColdFusion server fails to deploy there will be a long series of error messages in the JRun cfusion-err.log, such as these few examples:

07/11 16:09:19 error Could not pre-load servlet: ColdFusionStartUpServlet
[1]java.util.MissingResourceException: Can't find resource for base name coldfusion/server/j2ee/resource.properties
   at coldfusion.util.RB.loadProperties(RB.java:183)
   at coldfusion.util.RB.<init>(RB.java:115)
   at coldfusion.util.RB.getMessage(RB.java:606)
   at coldfusion.util.RB.getString(RB.java:361)
   at coldfusion.server.CFService.start(CFService.java:305)
   at coldfusion.server.j2ee.CFStartUpServlet.startCFService(CFStartUpServlet.java:102)
   at coldfusion.server.j2ee.CFStartUpServlet.init(CFStartUpServlet.java:78)
   at javax.servlet.GenericServlet.init(GenericServlet.java:258)
   at coldfusion.bootstrap.ClassloaderHelper.initServletClass(ClassloaderHelper.java:96)
   at coldfusion.bootstrap.BootstrapServlet.init(BootstrapServlet.java:48)
   at jrun.servlet.WebApplicationService.loadServlet(WebApplicationService.java:1242)
   at jrun.servlet.WebApplicationService.preloadServlets(WebApplicationService.java:789)
   at jrun.servlet.WebApplicationService.postStart(WebApplicationService.java:291)
   at jrun.ea.EnterpriseApplication.start(EnterpriseApplication.java:203)
   at jrun.deployment.DeployerService.initModules(DeployerService.java:710)
   at jrun.deployment.DeployerService.createWatchedDeployment(DeployerService.java:242)
   at jrun.deployment.DeployerService.deploy(DeployerService.java:430)
   at jrun.deployment.DeployerService.checkWatchedDirectories(DeployerService.java:179)
   at jrun.deployment.DeployerService.run(DeployerService.java:891)
   at jrunx.scheduler.SchedulerService.invokeRunnable(SchedulerService.java:223)
   at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:426)
   at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
[0]javax.servlet.ServletException: Can't find resource for base name coldfusion/server/j2ee/resource.properties
   at coldfusion.bootstrap.ClassloaderHelper.initServletClass(ClassloaderHelper.java:104)
   at coldfusion.bootstrap.BootstrapServlet.init(BootstrapServlet.java:48)
   at jrun.servlet.WebApplicationService.loadServlet(WebApplicationService.java:1242)
   at jrun.servlet.WebApplicationService.preloadServlets(WebApplicationService.java:789)
   at jrun.servlet.WebApplicationService.postStart(WebApplicationService.java:291)
   at jrun.ea.EnterpriseApplication.start(EnterpriseApplication.java:203)
   at jrun.deployment.DeployerService.initModules(DeployerService.java:710)
   at jrun.deployment.DeployerService.createWatchedDeployment(DeployerService.java:242)
   at jrun.deployment.DeployerService.deploy(DeployerService.java:430)
   at jrun.deployment.DeployerService.checkWatchedDirectories(DeployerService.java:179)
   at jrun.deployment.DeployerService.run(DeployerService.java:891)
   at jrunx.scheduler.SchedulerService.invokeRunnable(SchedulerService.java:223)
   at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:426)
   at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

java.security.AccessControlException: access denied (java.io.FilePermission C:\JRun4\servers\cfusion\cfusion-ear\cfusion-war read)
   at java.security.AccessControlContext.checkPermission(Unknown Source)
   at java.security.AccessController.checkPermission(Unknown Source)
   at java.lang.SecurityManager.checkPermission(Unknown Source)
   at java.lang.SecurityManager.checkRead(Unknown Source)
   at java.io.File.exists(Unknown Source)
   at flex.util.ServletPathResolver.<init>(ServletPathResolver.java:23)
   at flex.compiler.MxmlBaseServlet.init(MxmlBaseServlet.java:89)
   at flex.server.j2ee.SwfServlet.init(SwfServlet.java:72)
   at javax.servlet.GenericServlet.init(GenericServlet.java:258)
   at coldfusion.bootstrap.ClassloaderHelper.initServletClass(ClassloaderHelper.java:96)
   at coldfusion.bootstrap.BootstrapServlet.init(BootstrapServlet.java:48)
   at jrun.servlet.WebApplicationService.loadServlet(WebApplicationService.java:1242)
   at jrun.servlet.WebApplicationService.preloadServlets(WebApplicationService.java:789)
   at jrun.servlet.WebApplicationService.postStart(WebApplicationService.java:291)
   at jrun.ea.EnterpriseApplication.start(EnterpriseApplication.java:203)
   at jrun.deployment.DeployerService.initModules(DeployerService.java:710)
   at jrun.deployment.DeployerService.createWatchedDeployment(DeployerService.java:242)
   at jrun.deployment.DeployerService.deploy(DeployerService.java:430)
   at jrun.deployment.DeployerService.checkWatchedDirectories(DeployerService.java:179)
   at jrun.deployment.DeployerService.run(DeployerService.java:891)
   at jrunx.scheduler.SchedulerService.invokeRunnable(SchedulerService.java:223)
   at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:426)
   at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

Comments