tracker issue : CF-4202957

select a category, or use search below
(searches all categories and all time range)

Lockdown Installer does not use inheritance for file permissions

| View in Tracker

Status/Resolution/Reason: Closed/Fixed/Fixed

Reporter/Name(from Bugbase): Peter Freitag / ()

Created: 06/20/2018

Components: Installation/Config, Lockdown Installer

Versions: 13.0

Failure Type: Usability Issue

Found In Build/Fixed In Build: Public Beta / 311532

Priority/Frequency: Normal / All users will encounter

Locale/System: ALL / Win 2016

Vote Count: 1

Problem Description: When the lockdown installer runs it sets file system permission individually on each file within the web root and ColdFusion directory. Ideally it should just set the file system permissions on the top level directory and then have all the subfolders and files inherit from this parent directory. This becomes a problem for example if you add a new file to the web root after you run the lockdown installer - the file will not have permissions to be served by IIS or executed by ColdFusion, so you will have to set each file permission individually - this will be too cumbersome for users and they will end up setting permissions for Everyone to get things to work (a step backwards).

If I were doing this in the windows explorer I would right click on the folder go to the security tab and then Advanced - I would click Disable Inheritance (to create a new root of inheritance for the parent folder, I want everything under it to actually inherit from this) and then check the checkbox that says "Replace all child object permission entries with inheritable permission entires from this object".

Steps to Reproduce: Create a website and run Lockdown Installer. Now add a new file to the website after running the lockdown installer, you will get an IIS permission error.

Actual Result: File system becomes difficult to work with

Expected Result: Use inheritance whenever possible so new files are given the appropriate permissions.

Any Workarounds: User can monkey with permissions after lockdown installer runs, but that defeats the purpose of having it do it for you.



+1 for sure! The current behavior will be a bear to deal with.
Vote by Aaron N.
29114 | June 20, 2018 11:57:31 PM GMT
Hi Pete, We tried this scenario in Lockdown where we try to set the permissions such as child files if any inherit their permissions from parent folder. Its easy if done by right click, but since we are using icacls, things were not working properly once done. If you have a better way to do it, would be great if you can share. Else, we will try a few other things. If not possible, this issue will have to remain as is   Thanks, Kailash
Comment by Kailash B.
29557 | July 05, 2018 07:48:53 AM GMT
Hi Pete,     It will be great if you can check this and let us know how to proceed?   Thanks, Kailash
Comment by Kailash B.
29788 | October 16, 2018 09:16:13 AM GMT
I just sent you a detailed email Kailash, but I'll repeat the relevant bits here: icacls c:\ColdFusion2018 /inheritance:r /grant:r BUILTIN\Administrators:(OI)(CI)F icacls c:\ColdFusion2018 /grant:r DomainName\cf2018user:(OI)(CI)F
Comment by Peter F.
29791 | October 16, 2018 07:38:32 PM GMT