Using sandbox security

Sandbox security uses the location of your ColdFusion pages to control access to ColdFusion resources. A sandbox is a designated directory of your site to which you apply security restrictions. By default, a subdirectory (or child directory) inherits the sandbox settings of the directory one level above it (the parent directory). If you define sandbox settings for a subdirectory, you override the sandbox settings inherited from the parent directory. For example, consider the following directories:

D:\Leaders
D:\Leaders\Roman
D:\Leaders\Roman\Pompey

By default, the sandbox settings of the Leaders directory are inherited by the Roman and Pompey directories. If you define sandbox settings for the Roman directory, these settings are inherited by the Pompey directory; the Leaders directory maintains its original settings.

This hierarchical arrangement of security permits the rapid configuration of personalized sandboxes for users with different security levels. For example, if you are a web hosting administrator who hosts several clients on a ColdFusion shared server, you can configure a sandbox for each customer. This prevents one customer from accessing the data sources or files of another customer.

These are the resources that you can restrict:

About directories and permissions

ColdFusion file permissions are based on the Java security model. The character after the final backslash of a path determines its scope: a dash (-) indicates all files in the present directory and everything in its child directories, at any depth; an asterisk (*) indicates all files in the present directory and the directory's immediate child directories, but not the files inside those child directories.

Consider the following file structure:

C:\foo\bar.txt
C:\pat\riots\c.txt
C:\pat\riots2\d.txt
C:\pat\a.txt

The following table shows the relationship between file path and the affected files or directories:

File path           Affected files or directories
C:\foo\bar.txt      C:\foo\bar.txt
C:\pat\-            C:\pat\riots\c.txt
                    C:\pat\riots2\d.txt
                    C:\pat\a.txt
C:\pat\*            C:\pat\riots\
                    C:\pat\riots2\
                    C:\pat\a.txt
C:\pat\             C:\pat\

The following table shows the relationship between permissions of a file and of a directory:

Permission    Effect on files       Effect on directories
Read          View the file         List all files in the directory
Write         Write to the file     Not applicable
Execute       Execute the file      Not applicable
Delete        Delete the file       Delete the directory

You combine the file path and permissions settings to secure permissions on files and directories; for example, setting the read permission on C:\pat\* lets you do the following tasks:
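The following is an added example that models the path patterns and the permission table above; it is not ColdFusion's or Java's own implementation. The sample tree is the page's own example structure, the sandbox entries are constructed (the page's C:\pat\* read grant plus a hypothetical recursive grant on C:\pix), and one modelling choice is an assumption: a dash pattern is treated as covering the subdirectory entries themselves as well as the files the page's table lists.

```python
# Added example: a small model of the file-path patterns and permissions that
# this page documents for the ColdFusion sandbox Files/Dirs tab. It is not
# ColdFusion's or Java's own implementation; the sandbox entries are constructed.

SEP = "\\"

# Constructed sample tree taken from the page's example file structure.
SAMPLE_FILES = [
    r"C:\foo\bar.txt",
    r"C:\pat\riots\c.txt",
    r"C:\pat\riots2\d.txt",
    r"C:\pat\a.txt",
]


def _norm(path):
    """Drop a trailing separator so 'C:\\pat\\' and 'C:\\pat' compare equal."""
    return path.rstrip(SEP)


def sample_tree(files=SAMPLE_FILES):
    """Return (files, directories); directories are every ancestor of a file,
    written with a trailing backslash as the page writes them."""
    dirs = set()
    for path in files:
        parts = path.split(SEP)
        for depth in range(1, len(parts)):
            dirs.add(SEP.join(parts[:depth]) + SEP)
    return list(files), sorted(dirs)


def pattern_matches(pattern, target):
    """Apply the three entry forms the page describes.

    dir\\-   : everything below dir, at any depth (files and, as an assumption
               of this model, the subdirectory entries themselves)
    dir\\*   : files directly in dir plus dir's immediate child directories,
               but nothing inside those child directories
    literal  : exactly that file or directory
    """
    target = _norm(target)
    if pattern.endswith(SEP + "-"):
        base = _norm(pattern[:-2])
        return target != base and target.startswith(base + SEP)
    if pattern.endswith(SEP + "*"):
        base = _norm(pattern[:-2])
        if not target.startswith(base + SEP):
            return False
        remainder = target[len(base) + 1:]
        return SEP not in remainder
    return target == _norm(pattern)


def affected(pattern, tree=None):
    """Files and directories of the tree that a pattern covers (the page's first table)."""
    files, dirs = tree or sample_tree()
    return sorted(p for p in files + dirs if pattern_matches(pattern, p))


# Permissions that the page's second table marks "Not applicable" to directories.
NOT_FOR_DIRECTORIES = {"write", "execute"}


def is_allowed(entries, target, perm, is_dir=False):
    """Check one operation against the Secured Files and Directories list.

    entries is a list of (pattern, set of permissions). The tab grants access
    rather than removing it, so a target matched by no entry is denied, and
    write/execute on a directory are never granted. Read on a directory means
    listing it, as the table states.
    """
    if is_dir and perm in NOT_FOR_DIRECTORIES:
        return False
    return any(pattern_matches(pattern, target) and perm in perms
               for pattern, perms in entries)


# Constructed sandbox entries: the page's C:\pat\* read example plus a
# hypothetical recursive read grant on C:\pix, the directory the page uses later.
SANDBOX_ENTRIES = [
    (r"C:\pat\*", {"read"}),
    (r"C:\pix\-", {"read"}),
]

if __name__ == "__main__":
    for pattern in (r"C:\foo\bar.txt", r"C:\pat\-", r"C:\pat\*", "C:\\pat\\"):
        print(pattern, "->", affected(pattern))
    print(is_allowed(SANDBOX_ENTRIES, r"C:\pat\a.txt", "read"))               # True
    print(is_allowed(SANDBOX_ENTRIES, r"C:\pat\riots\c.txt", "read"))         # False: * is not recursive
    print(is_allowed(SANDBOX_ENTRIES, "C:\\pat\\riots\\", "read", is_dir=True))  # True: read on a directory = list
```

Running the script reproduces the first table for C:\pat\*, and shows the practical consequence of the asterisk form: a read grant on C:\pat\* lets a page list C:\pat\riots\ but not read C:\pat\riots\c.txt, which needs a dash pattern or its own entry.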

Adding a sandbox

The Root Security Context is the default sandbox for your ColdFusion MX server. If your security requirements are minimal and you do not need additional sandboxes, configure the default sandbox; child directories inherit its security settings.

To add a sandbox:

  1. Open the Security > Sandbox Security page in the ColdFusion Administrator.

    The Root Security Context appears in the list of Defined Directory Permissions, as the following figure shows:

    The figure shows the Sandbox Security page of the Administrator.

  2. In the Add Security Sandbox box, enter the name of the new sandbox. This name can be a relative URL or a webserver mapping. In this example, mytestapps corresponds to C:\Neo\wwwroot\mytestapps.

    The figure shows the Add Security Sandbox dialog box.

  3. Select New Sandbox from the drop-down list to create a sandbox based on the default sandbox, or select an existing sandbox to copy its settings to your new sandbox.
  4. Click Add.

    The new sandbox appears in the list of Defined Directory Permissions, as in the following figure:

    The figure shows the new sandbox in the sandbox list.

Configuring a sandbox

You use the ColdFusion Administrator to configure a sandbox.

To configure a sandbox:

  1. Open the Security > Sandbox Security page in the ColdFusion Administrator.
  2. In the list of Defined Directory Permissions, click the name or the Edit icon for the directory that you want to edit.

    The figure shows the name of the directory to edit.

    As in the following figure, several tabs appear, which subsequent steps discuss:

    The figure shows several security tabs.

  3. To disable a data source, in the left column of the Data Sources tab, highlight the data source, and click the right arrow.

    By default, ColdFusion pages in this sandbox can access all data sources.

    Note:   If <<ALL DATASOURCES>> is in the Enabled Datasources column, any data source that you add when creating this sandbox is enabled. If you move <<ALL DATASOURCES>> to the Disabled Datasources column, any new data source is disabled.

  4. Click the CFTags tab.

    The figure shows the CF Tags tab.

  5. To disable tags, in the left column of the CFTags tab, highlight the tags, and click the right arrow.

    By default, ColdFusion pages in this sandbox can access all listed tags.

  6. Click the CFFunctions tab.

    The figure shows the CF Functions tab.

  7. To disable functions, in the left column of the CFFunctions tab, highlight the functions, and click the right arrow.

    By default, ColdFusion pages in this sandbox can access all listed functions.

  8. Click the Files/Dirs tab.
  9. In the Secured Files and Directories list, verify that the file path is correct.

    The figure shows the list of secured files and directories.

    The character after the final backslash is important. A dash (-) indicates all files in the present directory and everything in its child directories, at any depth; an asterisk (*) indicates all files in the present directory and the directory's immediate child directories, but not the files inside those child directories.

    Note:   The Files/Dirs tab works together with the file-based permissions of the operating system. To restrict a user from browsing another user's directory, you must use file-based permissions.

  10. To enable files or directories, in the File Path box, enter or browse to the files or directories to enable; for example, C:\pix.


  11. Select the permissions.

    For example, select the Read check box for ColdFusion pages within the mytestapps sandbox to read files in the C:\pix directory.

    Note:   This behavior differs from other tabs, such as CFTags, where you select items to disable.

  12. Click Add Files/Paths.

    The figure shows the new file path in the list of secured paths.

    The file path and its permissions appear in the Secured Files and Directories list.

  13. Click the IP/Port tab.

    The figure shows the IP/Port tab.

    These settings let you prevent ColdFusion pages in this sandbox from accessing IPs and ports with the tags that call third-party resources, such as cfmail, cfpop, cfldap, cfhttp, and so on.

    Note:   These settings have no effect on an end user's ability to browse sites; they affect access to a ColdFusion page with certain tags. If a ColdFusion page does not use, for example, cfhttp, any sandbox restriction on cfhttp has no effect.

  14. To restrict which IP addresses and ports these ColdFusion tags can reach, enter the IP Address and the port or port range that the tags are allowed to access. The list grants access: once it contains an entry, only the addresses and ports it covers remain reachable, and everything else is denied.

    Note:   By default, these ColdFusion tags in this sandbox can access all IPs at all ports.

    For example, to deny this sandbox access to 207.88.220.3 on ports 80 and higher, perform the following steps:

    1. In the IP Address field, enter 207.88.220.3.
    2. In the Port field, enter 79, and click This Port and Lower.

      These ColdFusion tags can now reach 207.88.220.3 only on ports 79 and lower; access to ports 80 and higher on that address, and to all other IPs and ports, is disabled.

Tip:   Because the list only grants access, to deny these ColdFusion tags access to an entire site, enable access for a local resource only, such as your local mail server or FTP server; every other address and port is then denied.
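The following is an added example that models the allow-list behaviour of the IP/Port tab described in step 14 and the tip above; it is not ColdFusion's own code. The page names only the "This Port and Lower" option; the single-port and "and higher" modes in the model are assumed counterparts, and the list of outbound destinations is constructed (documentation and loopback addresses, not real hosts) so that the effect of a proposed entry can be previewed before it is saved.

```python
# Added example: a model of the allow-list semantics the page describes for the
# sandbox IP/Port tab. Not ColdFusion's own code; the entry modes other than
# "This Port and Lower" are assumed, and the destinations are constructed.

THIS_PORT = "this_port"                 # assumed single-port option
AND_LOWER = "this_port_and_lower"       # the option the page's example uses
AND_HIGHER = "this_port_and_higher"     # assumed counterpart option


def tags_may_connect(entries, ip, port):
    """Decide whether cfhttp, cfmail, cfldap and similar tags in this sandbox
    may reach ip:port.

    entries: list of (ip, port, mode). An empty list is the page's default:
    every IP and port is reachable. Once any entry exists, only destinations
    covered by some entry remain reachable; everything else is denied.
    """
    if not entries:
        return True
    for entry_ip, entry_port, mode in entries:
        if entry_ip != ip:
            continue
        if mode == THIS_PORT and port == entry_port:
            return True
        if mode == AND_LOWER and port <= entry_port:
            return True
        if mode == AND_HIGHER and port >= entry_port:
            return True
    return False


def newly_denied(entries, destinations):
    """Destinations (tag, ip, port) that a proposed entry list would block.

    Worth running before saving the tab: the side effect the page notes is
    that a single entry denies every destination it does not cover, including
    ones the application relied on.
    """
    return [d for d in destinations if not tags_may_connect(entries, d[1], d[2])]


# Constructed outbound destinations used by pages in the sandbox. 192.0.2.0/24
# is a documentation range and 127.0.0.1 is loopback; neither is a real host.
DESTINATIONS = [
    ("cfhttp", "207.88.220.3", 80),    # the address in the page's example
    ("cfmail", "207.88.220.3", 25),
    ("cfldap", "192.0.2.10", 389),
    ("cfmail", "127.0.0.1", 25),
]

# The page's example entry: 207.88.220.3, port 79, This Port and Lower.
EXAMPLE_ENTRIES = [("207.88.220.3", 79, AND_LOWER)]

# The page's tip: enable only a local resource to deny everything else.
LOCAL_ONLY_ENTRIES = [("127.0.0.1", 25, THIS_PORT)]

if __name__ == "__main__":
    print("no entries, all reachable:", tags_may_connect([], "192.0.2.10", 389))
    print("blocked by the page's example entry:", newly_denied(EXAMPLE_ENTRIES, DESTINATIONS))
    print("blocked by the local-only tip:", newly_denied(LOCAL_ONLY_ENTRIES, DESTINATIONS))
```

The first preview shows that the page's example entry does more than block port 80 on 207.88.220.3: the cfldap lookup to 192.0.2.10 and the local cfmail delivery are denied as well, because neither is covered by an entry. The second shows the tip's intent, with only the local mail server left reachable.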
