October 1, 2012
Question

ColdFusion 10 Mandatory Update leaves server running as root

When performed on a ColdFusion 10 standalone server instance on Linux, silent installation of CF 10 Mandatory Update appears to leave the instance running as root.

Obviously this kind of privilege escalation is undesirable.

Workaround: Make sure you shut down the updated server instance immediately after applying ColdFusion 10 Mandatory Update.

I filed a bug about this one as well.

2 replies

October 1, 2012

When performed on a ColdFusion 10 standalone server instance on Linux, silent installation of CF 10 Mandatory Update appears to leave the instance running as root.

EEK.

I filed a bug about this one as well.

What's the bug ref / URL, mate?

--

Adam

October 1, 2012

Adam: Adobe's bugbase hides security-related bugs even from the submitter, so even I can't see the ID, URL or status of the issue. Sorry. I'll definitely post here if I get any update on it.

Br,

Jan

October 1, 2012

Nope....

It runs as the user that you have put while installing ColdFusion Server as Runtime user. The default Runtime user shown while installing is 'nobody'.

If I am not mistaken, probably one of the following would be the case with you:

Either you might be assuming that the following process is the ColdFusion process, but actually it is just a CF server invoke script (this is run as root, which runs only for the time the server is started) and not the actual running server process.

root     3156 3135  0 07:03 pts/1    00:00:00 /bin/bash /opt/coldfusion10/cfusion/bin/coldfusion start

The actual server process looks like the following process and runs as the user nobody if you have not changed the default user while installing the server.

nobody   3152     1 80 07:01 ?        00:00:13 /opt/coldfusion10/jre/bin/java -classpath /opt/coldfusion10/cfusion

OR

The value of RUNTIME_USER in the script /opt/coldfusion10/cfusion/bin/coldfusion is opted as root while installing.

Thanks,

Krishna

ColdFusion Team.

October 1, 2012

Update: ColdFusion 10 Update 2 does the same. Apparently this is a bug in the hotfix installer's silent mode.
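
The distinction drawn in the thread between the launcher script and the server JVM can be checked mechanically after applying an update. The script below is an added example, not part of the thread and not Adobe's code; the sample `ps -ef` lines are constructed from the two lines quoted above plus one constructed root-owned JVM line, and the `RUNTIME_USER="..."` assignment format is an assumption.

```shell
#!/usr/bin/env bash
# Added example: classify ColdFusion 10 processes from `ps -ef` output so the
# short-lived launcher script is not mistaken for the server JVM, and a JVM
# owned by root is flagged.

CF_HOME="/opt/coldfusion10"   # install path as shown in the thread

# Constructed sample: lines 1-2 mirror the thread, line 3 is a constructed
# example of the reported condition (server JVM owned by root).
SAMPLE_PS='root     3156 3135  0 07:03 pts/1    00:00:00 /bin/bash /opt/coldfusion10/cfusion/bin/coldfusion start
nobody   3152     1 80 07:01 ?        00:00:13 /opt/coldfusion10/jre/bin/java -classpath /opt/coldfusion10/cfusion
root     4021     1 75 07:09 ?        00:00:11 /opt/coldfusion10/jre/bin/java -classpath /opt/coldfusion10/cfusion'

# classify_ps: read `ps -ef` lines on stdin, print "<verdict> <user> <pid>".
classify_ps() {
    awk -v home="$CF_HOME" '
        # Field 8 is the executable; the bundled JVM is the real server.
        $8 == (home "/jre/bin/java") {
            verdict = ($1 == "root") ? "ROOT_JVM" : "OK_JVM"
            print verdict, $1, $2
            next
        }
        # A shell running the control script is only the launcher.
        index($0, home "/cfusion/bin/coldfusion") {
            print "LAUNCHER", $1, $2
        }
    '
}

# count_root_jvm: number of server JVMs owned by root in the input.
count_root_jvm() {
    classify_ps | awk '$1 == "ROOT_JVM" { n++ } END { print n + 0 }'
}

# runtime_user: print the RUNTIME_USER configured in the control script.
# Assumes a plain assignment such as RUNTIME_USER="nobody".
runtime_user() {
    sed -n 's/^RUNTIME_USER=//p' "$1" | tr -d "\"'" | head -n 1
}

# Demo on the constructed sample; on a live host use: ps -ef | classify_ps
printf '%s\n' "$SAMPLE_PS" | classify_ps
```

A `ROOT_JVM` line while `runtime_user` reports a non-root account is the mismatch described in the original post.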