Can RDS be configured so that the ColdFusion server restricts file system
access to certain directories? Right now with RDS configured, anyone with
access can actually browse all the drives on the server and that is not good.
I would like to restrict all RDS users to just the web root directory. Thanks
Are you on CF 10, or earlier? There is a change in 10 that no longer requires creation of sandboxes to restrict dirs in RDS (see http://blogs.coldfusion.com/post.cfm/new-way-to-add-sandbox-permission s-for-users-with-rds-access).
Prior to that, it does require sandboxes, and then you’d use the multiple user feature of the CF Admin to define different users (for the admin and/or RDS) and allocate them to a sandbox. Things do vary also depending on whether you’re using CF Standard or Enterprise/Trial/Developer edition.
For more (besides the docs, such as the Config and Admin manual), see these articles I’ve done in the Adobe Dev Center:
Enabling multiple user access to the ColdFusion Administrator and RDS
The following are much older (2002) but most still applies:
ColdFusion Security, Part One: Understanding Sandbox/Resource Security
ColdFusion Security, Part Two: Sandbox/Resource Basics
Providing fast, remote, on-demand troubleshooting services for CF (and CFBuilder)
See also http://www.cf911.com for more on CF troubleshooting resources
Thank you so much for replying so fast! I am using ColdFusion 10 and I indeed created a user
under User Manager and even specified just one directory for access under the Sandbox secured
files and directories. The problem is that I don't see it doing anything. I restarted my ColdFusion
Builder 2 and I'm still able to see the C:\ drive and access all the system areas of the server. I
hope I'm missing something here....
So to be clear, you are saying you see the C drive when viewing things in the RDS FileView view (window>show view)?
And are you configuring the server properties (from the server, as listed in the Servers view, right-clicking and choosing “edit server”) to specify the indicated username and password as the server’s Other Settings>RDS Username?
Thank you again for your reply! I missed something pretty "big" I didn't realize. In order for User Manager to perform sandbox controls you must first have SandBox Security enabled. I totally missed that one as I was more focused on RDS than actual application Sandboxing. Now that I have enabled it everything works as described. Thank you again!
Europe, Middle East and Africa