When performed on a ColdFusion 10 standalone server instance on Linux, silent installation of CF 10 Mandatory Update appears to leave the instance running as root.
Obviously this kind of privilege escalation is undesirable.
Workaround: Make sure you shut down the updated server instance immediately after applying ColdFusion 10 Mandatory Update.
I filed a bug about this one as well.
Update: ColdFusion 10 Update 2 does the same. Apparently this is a bug in the hotfix installer's silent mode.
When performed on a ColdFusion 10 standalone server instance on Linux, silent installation of CF 10 Mandatory Update appears to leave the instance running as root.
EEK.
I filed a bug about this one as well.
What's the bug ref / URL, mate?
--
Adam
Adam: Adobe's bugbase hides security-related bugs even from the submitter, so even I can't see the ID, URL or status of the issue. Sorry. I'll definitely post here if I get any update on it.
Br,
Jan
Nope....
It runs as the user that you put in while installing ColdFusion Server as the Runtime user. The default Runtime user shown while installing is 'nobody'.
If I am not mistaken, probably one of the following would be the case with you:
Either you might be assuming that the following process is the ColdFusion process, but actually it is just a CF server invoke script (this is run as root and runs only for the time the Server is started) and not the actual running server process.
root 3156 3135 0 07:03 pts/1 00:00:00 /bin/bash /opt/coldfusion10/cfusion/bin/coldfusion start
The actual server process looks like the following process and runs as the user nobody if you have not changed the default user while installing the server.
nobody 3152 1 80 07:01 ? 00:00:13 /opt/coldfusion10/jre/bin/java -classpath /opt/coldfusion10/cfusion
OR
The value of RUNTIME_USER in the script /opt/coldfusion10/cfusion/bin/coldfusion was set to root while installing.
Thanks,
Krishna
ColdFusion Team.
Thanks for the reply, Krishna.
Here's a session log fresh off my lab box. Please let me know what you think.
Baseline: Clean standalone installation in /opt/coldfusion10, no hotfixes applied yet.
[root@labhost ~]# grep "RUNTIME_USER=" /opt/coldfusion10/cfusion/bin/coldfusion
RUNTIME_USER="coldfusion"
[root@labhost ~]# id -a coldfusion
uid=501(coldfusion) gid=503(coldfusion) groups=503(coldfusion)
[root@labhost ~]# /opt/coldfusion10/cfusion/bin/coldfusion status
Server is running
[root@labhost ~]# ps -aef |grep "coldfusion.home=/opt/coldfusion10/cfusion"
501 19867 1 19 14:36 ? 00:01:00 /opt/coldfusion10/jre/bin/java -classpath /opt/coldfusion10/cfusion/(truncated)...
root 20356 3081 0 14:41 pts/0 00:00:00 grep coldfusion.home=/opt/coldfusion10/cfusion
[root@labhost ~]# cat patch.props
INSTALLER_UI=SILENT
USER_INSTALL_DIR=/opt/coldfusion10
DOC_ROOT=/opt/coldfusion10/cfusion/wwwroot
INSTANCE_LIST=cfusion
[root@labhost ~]# java -jar cf10_mdt_updt.jar -i silent -f patch.props
[root@labhost ~]# sleep 20
[root@labhost ~]# ps -aef |grep "coldfusion.home=/opt/coldfusion10/cfusion"
root 20579 1 61 14:45 pts/0 00:00:35 /opt/coldfusion10/jre/bin/java -classpath /opt/coldfusion10/cfusion/(truncated)...
root 20770 3081 0 14:46 pts/0 00:00:00 grep coldfusion.home=/opt/coldfusion10/cfusion
[root@labhost ~]#
Before installing the mandatory update the server is running as coldfusion (uid 501) like it's supposed to. After installing the update it runs as root. Or am I seeing things here?
Br,
Jan
Additionally, check out this code /opt/coldfusion10/cfusion/bin/coldfusion_hf contains:
Linux)
OS=Linux
PSCMD="ps -ef"
LD_LIBRARY_PATH="$CF_DIR/lib:$CF_DIR/lib/_ilnx21/bin:$JAVA_LIBRARY_PATH"
SUCMDFILE=su
if [ -x /sbin/runuser ]; then
SUCMDFILE=/sbin/runuser
fi
CFSTART='export LD_LIBRARY_PATH=$LD_LIBRARY_PATH; cd $CF_DIR/bin; nohup $JAVA_EXECUTABLE -classpath $CLASSPATH $JVM_ARGS com.adobe.coldfusion.bootstrap.Bootstrap -start &'
CFSTOP='env -i; cd $CF_DIR/bin;$JAVA_EXECUTABLE -classpath $CLASSPATH $JVM_ARGS_NODEBUG com.adobe.coldfusion.bootstrap.Bootstrap -stop'
CFSTATUS='cd $CF_DIR/bin; $JAVA_EXECUTABLE -classpath $CLASSPATH $JVM_ARGS_NODEBUG com.adobe.coldfusion.bootstrap.Bootstrap -status'
;;
Running CFSTART as specified here will just launch $JAVA_EXECUTABLE and put it in the background without calling su, sudo or runuser at all.
If the HF installer is using this script to (re)start CF, that would explain the results I'm seeing. Didn't have time to confirm this yet, though.
Br,
Jan
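A small post-install check, added here as an example and not part of the thread or of Adobe's scripts: it reads RUNTIME_USER from the control script and flags any ColdFusion JVM of an instance that is owned by a different user. It assumes `ps -ef` output format and the /opt/coldfusion10 paths from the session log above; the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or Adobe: after a silent hotfix install,
# confirm that every ColdFusion JVM of an instance runs as RUNTIME_USER, not root.

# Read RUNTIME_USER from a control script such as /opt/coldfusion10/cfusion/bin/coldfusion.
cf_runtime_user() {
    sed -n 's/^RUNTIME_USER="\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | head -n 1
}

# cf_bad_procs EXPECTED_USER EXPECTED_UID CF_HOME PS_OUTPUT
# Prints "<owner> <pid>" for every CF JVM of CF_HOME (ps -ef format) whose owner
# is neither EXPECTED_USER nor EXPECTED_UID; ps shows the numeric uid when the
# user name exceeds 8 characters, so "coldfusion" appears as 501 in the log above.
# The grep process and the /bin/bash start wrapper are skipped ('bin/java' filter).
# Exit status 0 when every JVM runs as the expected user, 1 otherwise.
cf_bad_procs() {
    printf '%s\n' "$4" | grep "coldfusion.home=$3" | grep 'bin/java' | {
        bad=0
        while read -r owner pid rest; do
            if [ "$owner" != "$1" ] && [ "$owner" != "$2" ]; then
                echo "$owner $pid"
                bad=1
            fi
        done
        exit "$bad"   # brace group runs in a subshell; its status becomes the pipeline's
    }
}

# Live check on a real host: cf_check_live /opt/coldfusion10/cfusion
cf_check_live() {
    user=$(cf_runtime_user "$1/bin/coldfusion")
    [ -n "$user" ] || { echo "no RUNTIME_USER in $1/bin/coldfusion" >&2; return 2; }
    uid=$(id -u "$user" 2>/dev/null) || uid=$user
    cf_bad_procs "$user" "$uid" "$1" "$(ps -ef)"
}

# Constructed sample lines modelled on the session log in the thread (not real captures).
SAMPLE_BEFORE='501 19867 1 19 14:36 ? 00:01:00 /opt/coldfusion10/jre/bin/java -classpath /opt/coldfusion10/cfusion/lib -Dcoldfusion.home=/opt/coldfusion10/cfusion com.adobe.coldfusion.bootstrap.Bootstrap -start
root 20356 3081 0 14:41 pts/0 00:00:00 grep coldfusion.home=/opt/coldfusion10/cfusion'
SAMPLE_AFTER='root 20579 1 61 14:45 pts/0 00:00:35 /opt/coldfusion10/jre/bin/java -classpath /opt/coldfusion10/cfusion/lib -Dcoldfusion.home=/opt/coldfusion10/cfusion com.adobe.coldfusion.bootstrap.Bootstrap -start
root 20770 3081 0 14:46 pts/0 00:00:00 grep coldfusion.home=/opt/coldfusion10/cfusion'

if [ "${1:-}" = "--demo" ]; then
    cf_bad_procs coldfusion 501 /opt/coldfusion10/cfusion "$SAMPLE_BEFORE" && echo "before update: OK"
    cf_bad_procs coldfusion 501 /opt/coldfusion10/cfusion "$SAMPLE_AFTER" || echo "after update: JVM running as wrong user"
fi
```

Run it with `--demo` to see the constructed before/after cases, or call cf_check_live from a cron job or configuration-management run right after applying an update.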
One addition from my side for the note which I made above:
Whatever I have communicated above is for Console and UI installation.
For the mandatory Hotfix, you are recommended to use Console or GUI installation (/opt/coldfusion10/jre/bin/java -jar <hotfix-path>, depending on your installation). This uses the script named ./bin/coldfusion.
For silent installation, the server is started with the same user as your console's session. So, in your console session, switch user to the one you want and then invoke the installation. Silent installation uses the script ./bin/coldfusion_hf.
Sorry for the inconvenience. We will update the technote.
Thanks,
Krishna
For the mandatory Hotfix, you are recommended to use Console or GUI installation (/opt/coldfusion10/jre/bin/java -jar <hotfix-path>, depending on your installation). This uses the script named ./bin/coldfusion.
What about any other updates/hotfixes to CF10? As I said above, this problem is not limited to the Mandatory Update. Does this mean that silent mode hotfix installation should be avoided entirely?
Console or GUI installation is not really an option in enterprise environments where automated configuration management is applied.
For silent installation, the server is started with the same user as your console's session. So, in your console session, switch user to the one you want and then invoke the installation. Silent installation uses the script ./bin/coldfusion_hf.
I consider this behaviour a bug.
My suggestion for fixing it would be to use the default server control script also in silent mode hotfix installation. That would keep things much more consistent and DRY. Especially when the custom _hf version is mostly redundant and so badly broken.
Br,
Jan
We will look into this for the next available Update.
Thanks,
Krishna
ColdFusion
Good to hear that. Thanks, Krishna!