Lucee Sandbox Security

There is plenty of reasonable advice everywhere to run Lucee as non-root, and it’s easy enough limiting write permissions to non-webroot folders, but for a linux server with multiple users, I have not found any documentation nor advice for how to prevent foo.cfm in /home/user1/public_html from reading the source of files in /home/user2/public_html. Since Lucee needs r-x on all public_html in order to serve pages, is that even possible?

It hasn’t been an issue for me before because I’ve limited ftp/shell access to only one other user besides myself whom I trust completely, but my business is growing so I’m curious now whether this can be done.

Yes I know Docker is a solution, and I’m very interested in that, but there’s the learning curve (and don’t tell me it’s easy because nothing ever is, especially with all the years of custom stuff I’ve done on my server) plus I’m still on a multi-year cPanel VPS contract which makes that even more complicated (and I’m not super keep on abandoning cPanel because it’s freakin’ awesome).

So I’m just wondering if there’s a different solution?

I assume Lucee doesn’t have a PHP-FPM equivalent?

Surely I’m not the only not-yet-using-Docker admin who needs to keep users sandboxed, which leaves me bewildered how I’ve never seen this topic, especially long before Docker existed.

OS: AlmaLinux 8.9 aka Linux (4.18.0) 64bit
Java Version: 11.0.20 (Eclipse Adoptium) 64bit
Tomcat Version: 9.0.78
Lucee Version: 5.3.9.173 Gelert

The two technologies work a little differently in concept.

Lucee / is faster than PHP 8.2, uses less memory and the learning curve is low.

As for User X and User Y running linux, Yes the setup is not overly different

instead of allowing Php-fpmd worker assign /drive/path
you can either spin up a lucee instance per user and assign it to /drive/path

or you could spin up a vhost for each “person” you want to have access to Xyz

Thank you Terry!

Now I’m curious how the learning curves, performance, efficiency, and maintainability of those two options compare to Docker. I’m guessing the latter excels and is the gold standard, since it’s so highly recommended.

Is there documentation anywhere of how to implement each one?

I also may need to fundamentally modify how I’m sharing my custom udf and vendor libraries between my own apps before trying any of the 3 options.

I’ve come to realize that Adobe’s description of Sandbox Security is exactly what I had in mind:

“In ColdFusion Enterprise, sandbox security lets you apply different sets of rules to different directory structures. Use it to partition a shared hosting environment so that a number of applications with different purposes, and possibly different owners, run securely on a single server. When multiple applications share a host, you set up a separate directory structure for each application, and apply rules that let each application access only its own data sources and files.”

And now it becomes clear why this doesn’t exist in Lucee (as far as I know), because it also doesn’t exist in ColdFusion Standard, only Enterprise.

Which leads to yet more questions:

1. Shouldn’t this vulnerability in shared hosting environments have been mentioned in Lucee Security Best Practices and/or Lucee Lockdown Guide a long, long time ago?

2. Are there any extensions or 3rd party implementations of Sandbox Security for Lucee?

3. Assuming the answer to 2 is no, which of the 3 solutions discussed above, or some other solution not yet discussed, is closest to how Adobe implements Enterprise Sandbox Security for shared hosting?

I very much appreciate the time and effort of anyone who replies here!

Kenric, I want to address your thoughts here in different aspects: first clarifying the ACF edition difference you observed, then discussing the technical underpinnings (for your question about Lucee), also sharing some sad prospects to consider. But then I want to address your assertion that the lack of Sandbox Security is inherently a “vulnerability”, and finally offer some more alternatives as you’ve asked.

1: First, while realize that many resources (including from Adobe) indicate that Sandbox Security is Enterprise-only, in fact it was made available in CF Standard starting with CF11, which came out in 2014.

Before anyone may think I’m confusing this with the “Resource Security” feature (which CF Standard had before that–essentially allowing one sandbox configuration for the entire instance), that is NOT what I’m referring to. That, too, was removed with CF11, and now Standard has the same Sandbox Security feature that Enterprise had.

(I do realize of course many people here may have stopped paying attention to CF differences long ago, when they switched to Lucee. I live and breath clarifying these differences about CF editions and versions in my work and presentations, and I even have a talk on differences between CF Ent and Std, where I also shared this news about Sandbox .)

And to be clear this change IS documented, on the CF doc page about security features in the CF Admin, where it notes that “In ColdFusion 11, you can configure multiple security sandboxes irrespective of the edition that you are using.” (Sadly there are 5 other references on that page to the old distinction of Standard. There are other pages on Adobe’s site that also were never updated.)

Finally, FWIW I’ve attached below a screenshot from a cf2021 Standard edition which I have running, showing that this is no mistake that the docs (or I) say this.

2: So now, about those technical underpinnings of the sandbox feature, and your hope of seeing it perhaps added to Lucee, I’ll note that the feature is (and always has been) based on the underlying Java Security Manager feature.

So COULD Lucee provide for it? Sure. It’s not depending on some licensed software, which is perhaps what you thought the Enterprise limitation was implying.

But will the Lucee team take it on? I won’t be surprised if it’s a “hard pass”.

3: And one reason will be that folks who follow Java may have pricked up their ears at what I just said, as they’ve heard that the Java leadership and many in the community have been targeting complete removal of the Security Manager from Java. It’s currently “deprecated”, as they await community feedback.

Their beef (I’m paraphrasing) is that “no one uses it”, and it’s “hard to keep dealing with it”–and the worse is that most assume “it’s only of value for client-side java, which is hardly used any more”. But they won’t care to hear much from CF folks saying, “wait, we use it”. My hope is that some other large java project ALSO uses it for server-side security and will get their ear and plead for a stay of execution.

Indeed, here you are singing its praises–which are deserved…but very few in the CF/Lucee world know of it, and fewer use it–which is indeed sad. (I’ve spoken on it, and I even wrote a two-part series on it for for Adobe…um…22 years ago. FWIW, you can still read it and for better or worse the feature hasn’t changed much since then!)

4: Moving on, you bring this up in the guise of the lack of it existing in Lucee being a “vulnerability in shared hosting environments” that should “have been mentioned” in the Lucee security docs.

I’m not sure I’d cast it quite as a vulnerability. It’s more an inherent limitation of shared hosting–and a reason why it’s gone the way of the dodo mostly. You bring up Docker as an alternative, but there are others. Since you wondered about possibilities you may consider, here are a few others.

5: I’ll note first that most hosting companies in the CF space switched to vps’s (virtual private servers) a long time ago, where each client had what SEEMED to them to be their “own server”. In that case, it was OS software or otherwise that implemented the separation you rightly are concerned to see.

Others solve the separation problem with vm’s.

And some might propose that one CAN run multiple instances of Lucee, each with their own JVM–which can run as a different user. And then you can control via the OS what folders that user can access.

6: Then again, controlling file access is really only one facet of sandbox security. As you may have read, it also affords control over much more, such as what datasources can be used, what tags can be called, what domains/ips and ports can be called, and much more.

It may also be worth clarifying that the sandbox security feature was not really about controlling “who could see what” based on the “user” running the CF instance–instead it was about “what code could see/do what” based on where that code lived. It was set “per folder”–which was “the sandbox” to be configured. Again, anyone curious to understand it more can see my article (or the Adobe docs) for more.

It was a nifty feature–though it had its warts, and some special massaging it sometimes needed as certain aspects of CF configuration and the JVM evolved over time. I never got around to doing something on that, but I know others did, including Snake in 2006, and Adam Cameron in 2013, and a few folks in a Farcry thread in 2020 (which concluded with a seeming fix Adobe was applying in CF2018 then).

I realize this is now getting into the weeds–as it’s how it worked on ACF. I just share it to help both those who may explore it in ACF…and as more fodder for any who might consider it for Lucee.

And here’s that image of it running in CF Standard, FWIW:

cf_std_sandbox760×406 25.3 KB

1. Lucee docs always needs volunteers to dedicate some time writing the docs. Just because the documentation is lacking doesnt meen it cant be done.

2. You could, for example install multiple iterations of Lucee Tomcat, assign each its own user & user group, with its own web path. This is very similar to what php-fpmd does.

You can spin up a per instance of Lucee, virtual machines or containers are cheap. I go with virtual machines as they are more universally portable and secure than the container model

If you are however interested in actual “security” then in theory no shared hosting is ever “secure” and you should look into a dedicated VM or physical box

@carehart thank you for that fantastic summary, update, and history lesson!

@Terry_Whitney I shall consider my options. I actually do already have my own VPS, but my situation is that I host other websites for my business clients, some of the content of which is dynamically generated by my apps while I personally code and have sole control over the static source.

I think what I’ve come to realize is that if a client of mine requires any form of write access, their site will have to be hosted separately on their own VPS, or for lower cost one of the other methods you’ve suggested to keep them on my own VPS, and I’ll have to modify my apps to update the dynamic portions of their sites in a different way.

As for documentation, I meant anywhere online that you know of and/or bookmarked, not necessarily Lucee docs which of course I know only exist thanks to the valiant efforts of volunteers!

Another level of complexity for me, however, is that I seem to be one of the few Lucee devs who also loves all of the powerful features of cPanel. That’s why I was hoping for a solution that keeps all of my hosted sites on the same VPS.