An issue with accessing files outside of web root

Sorry.. I'm a walking zombie.. I'm an insomniac who has to wake up at 5am to get ready for work.  I can't copy/paste stuff, so I have to manually type error messages - the 9 is in the actual error message.

^_^

Adam Cameron. wrote: Did you google the error message to seeif anyone else has had this? -- Adam

Yes, and I'm not finding anything, yet.

^_^

Well check to see if the a/c CF is using can see the file first.  That might be all it is.

--

Adam

I opened netplwiz AND lusrmgr and there are still only three accounts; mine, guest, administrator.  I'm a member of the administrator group.

Don't know if it makes any difference, but I'm on an Alienware Area51 running Win7 Pro.

If there is another way to get to the User Management that shows ALL users, please let me know.  I'm beginning to hate this machine.

^_^

Most of the internal system accounts don't show in the User administration.  But you should be able to see them when you examine the security on a folder or file.

Again, what account is the ColdFusion service running as?

Right click on the XCFC folder and select Properties.  Click on the Security tab. What group and user names are listed at the top?  If the account that ColdFusion is running as is not listed, add it.  Click the Edit... button.  In the dialog that pops up, click Add...  Another dialog will pop up.  Click the Advanced... button to open yet another dialog.  On this one, click Find Now. The bottom of this dialog should show all of the user and groups that exist on your computer, including all the internal system accounts.  Find the one that the ColdFusion service is using in the list, select it, and click OK.  Click OK to close the previous dialog.  That user will now show up in the Permissions dialog, with Read, Read & execute, and List folder contents checked.  If ColdFusion doesn't need to write to this folder, then click OK to close the permissions dialog, and OK to close the properties dialog.

Thank you for the instructions, Carl.  Unfortunately, this just gives me a long list of groups, and the same three users: Administrator (disabled), Guest (disabled), and myself (Administrator group).

Would the lack of a CF user be because I installed CF 9.0.2 as a stand-alone and using the built-in web server?

^_^

No.  ColdFusion doesn't create its own user account.  It defaults to LocalService (I think).  Try enabling the Administrator account, and logging in under that account.  Sometimes Windows 7 will not give a user that is a member of the Administrator group full Administrator rights to everything.  Logging in as the actual Administrator account should allow you to see all the internal system accounts.

You might actually want to create a ColdFusion user, and not make that user a member of Administrators.  You'll need to grant that user read and modfiy rights to the C:\ColdFusion9 directory, but nowhere else on your computer (unless you want ColdFusion to access files in other places).  Then go into the Administrative Tools --> Services applet and change the Login As settings for the "ColdFusion9 Application Server" service to the ColdFusion user.

Thanks, Carl.  I'll get started on that, but the finish will have to wait until Monday.. it's almost quittin' time. 

UPDATE: I changed the password for the Administrator of my computer, re-enabled the account, and logged on following your earlier instructions for getting all users.  Same thing; a whole lot of groups and the same three accounts.

I'm giving up the ghost until Monday.  Have a great weekend.

^_^

I have the map to C:\ColdFusion9\xcfc in the CF Admin; I have set permissions within CF Admin for that folder; I have gone into the security settings for that folder and added Local Service giving it full permission.  Still getting the permission denied message when loading a page that has CFINCLUDE template="/xcfc/test.txt" in it.

^_^

Humour me: change the file name to be *.cfm instead of *.txt.  It should not make a difference, but let's see.

Also try outputting the expanded path to the include:

#expandPath("/xcfc/test.txt")#

And do a fileExists() on it:

#fileExists(expandPath("/xcfc/test.txt"))#

What do you get from those?

--

Adam

Changing the extension to .cfm didn't make a difference.

Checking the expanded path: ExpandPath("/xcfc/test.cfm") outputs as C:\ColdFusion9\xcfc\test.cfm

Check with FileExists: #FileExists(ExpandPath("/xcfc/test.cfm"))# gives the permission denied message.   ????

^_^

Please upload a screen cap of the following:

1) the screen from your Windows Services panel showing which account CF is logging in as;

2) the screen showing the "Effective Permissions" for that same account for the file in question.

--

Adam

Unfortunately, I cannot get any screencaps from my dev system for uploading, here; my dev system is isolated from the internet and I do not have CD burn permission, and flash drives are proscribed.

How do I determine which account CF is logging in as?

UPDATE: I checked properties of the CF Application Server in Services, and the Local Service account is what is logging on to run CF.

^_^

Unfortunately, I cannot get any screencaps from my dev system for uploading, here; my dev system is isolated from the internet and I do not have CD burn permission, and flash drives are proscribed.

That's a bloody ridiculous way to be expected to have to work (but, yes, I have been in a similar situation in the past).  But Oh well.

Um, like I said before... the account CF uses is specified (and, accordinly, displayed) in the Windows Services app.

--

Adam

The Local Service account is logging on for CF, and I've given it almost full control for that folder.  Still getting the error message.

And this is the first job I've ever had that required a Secret clearance, so I'm not used to not being able to transfer files like I can at home. 

^_^

WolfShade,

Just curious.  Does the IIS website for this application have the "jakarta" virtual directory created?  I ran into "permissions" errors last night on a CF10 site I created after I had run the WSCONFIG tool, so this particular site didn't have the "jakarta" virtual directory.

-Carl V.

Hi, Carl.  Not sure if that applies, as I'm using neither IIS nor Apache; I'm using the built-in webserver in CF.

OK.  Couldn't remember if you had said IIS or built-in, so that was a "red herring".

-Carl V.

Have you restarted CF since you made the perms changes?

Irrespective of what you think you have set for that directory, can you go to the FILE and check the "Effective Permissions" on it for the local service a/c.

Speaking of silly dev environments:

The highest security I had to work with was "Secret" too, writing the system that processed *telegrams* moving between [can't say] and [can't say] (none of the [can't says] were at all interesting, btw).  There needed to be an air gap between the node receiving the traffic and anything on the network, and there needed to be a door blocking that air gap.  It still at least had a floppy drive though (this was 15yrs ago, so FDDs were still around).  But that was the live machine.  I could still write the code on my own PC on the network.  Couldn't test it though... it just had to work... those were the days.

Then there was the joint I worked at at which one was not allowed to have cellphones switched on within any room that had computers in them.  For supposedly national security reasons (it is actually possible to read the display on a CRT just from analysing the interference on a cellphone carrier, apparently).  Heaven forbid Zee Russians (as it was in those days) found out there was a printer out of toner on the fourth floor... which was the sort of thing I was working on @ the time... 😉

Bloody hell I'm glad I'm not in the civil service any more.

[And - hey - what's that black helicopter landing outside...?]

--

Adam

Yes, I restarted the CF Server from the Services panel, and when that didn't change anything, I rebooted the computer.  Still no change.

I can confirm that the file in the /xcfc folder does have the Local Service account listed, with all the permissions I gave it on the folder.

Not only are we not allowed cellphones inside this building, but there are tiny storage lockers near all entrance/exits where they are to be stored before entering the building.  They are supposed to be turned off before being locked inside, but every once in a while you hear one ringing as you pass.  LOL.

^_^

Anyone else have any suggestions regarding this?  I am totally stumped.

^_^

If you LOGIN as that account (you'll have to give it "interact with desktop" permissions, or something like that), can you see the file when you navigate to it in Windows Explorer?

--
Adam