If your ColdFusion scripts connect to a database, they will contain database usernames and passwords. As a best practice, make sure those scripts are NOT readable by anyone except their owner and the ColdFusion server. The server runs as the non-root user 'cfmx', so restricting read access to that account protects the client data, the service and the server itself. Once you have made a script unreadable by others, you must explicitly grant read access to the 'cfmx' user with an ACL.
Managing Passwords (Sensitive Data) with Access Control Lists (ACLs)
setfacl -m u:cfmx:r myscript.cfm
List Current ACLs
Best practices for keeping sensitive information (e.g. passwords) in your scripts secure:
- Centralize all sensitive information such as passwords by placing it in a single file such as application.cfm, so there is only one file to protect.
- Revoke the read, write and execute permissions from the group and others: chmod go-rwx application.cfm. The recommended permissions on files are 600 (-rw- --- ---).
- Keep the x (search) permission for others on directories so that the cfmx user can traverse them to reach your files: 701 (drwx --- --x). Optionally you may use ACLs on directories as well.
- Grant the cfmx user read access with an ACL (the setfacl command above), then list the ACL to confirm the entry is present. Note that once a file carries an ACL, the group column of a normal long listing shows the ACL mask rather than the real group permissions, so listing the ACL itself is the reliable check.
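The whole procedure above as one script, added here as an example and not taken from the original page: the service account name is passed in as a parameter (the page says it is cfmx; the tests use whatever user runs them), and the script assumes Linux with coreutils and the acl package (setfacl/getfacl) installed. It also shows the side effect worth knowing about: after setfacl the group bits of the mode hold the ACL mask, so a file you set to 600 reports 640, which is why the check reads the ACL entry rather than trusting the mode alone.

```shell
#!/bin/sh
# Added example, not from the original page. Lock down a ColdFusion
# script that holds database credentials so that only its owner and the
# ColdFusion service account can read it, then verify the result.
#
# Assumptions (mine): the service account is named cfmx as the page says,
# but it is taken as a parameter so the functions can be exercised with
# any existing user; Linux coreutils and the acl package are installed.

# secure_cf_file FILE USER
#   1. remove all access for group and others (mode 600)
#   2. grant USER read access through a named-user ACL entry
secure_cf_file() {
    f=$1; u=$2
    chmod 600 "$f" || return 1
    setfacl -m "u:$u:r" "$f" || return 1
}

# secure_cf_dir DIR
#   Directories keep x for others (mode 701) so the service account can
#   traverse them to reach the file without being able to list them.
secure_cf_dir() {
    chmod 701 "$1" || return 1
}

# file_mode FILE -> prints the octal permission bits, e.g. 600
file_mode() {
    stat -c %a "$1"
}

# acl_perms FILE USER -> prints the perms of USER's named ACL entry
#   (e.g. r--), or nothing if there is no such entry. getfacl is the
#   right check: after setfacl, ls -l shows the ACL mask in the group
#   column, not the real group access.
acl_perms() {
    getfacl --omit-header "$1" 2>/dev/null | sed -n "s/^user:$2:\(...\)$/\1/p"
}

# check_cf_file FILE USER -> succeeds only if "others" have no access at
#   all and USER has exactly read access through the ACL
check_cf_file() {
    m=$(file_mode "$1")
    [ "${m#??}" = 0 ] || return 1          # last octal digit (others) must be 0
    [ "$(acl_perms "$1" "$2")" = "r--" ] || return 1
}

# Usage (typed by the file owner on the ColdFusion host):
#   secure_cf_dir /var/www/myapp
#   secure_cf_file /var/www/myapp/application.cfm cfmx
#   check_cf_file  /var/www/myapp/application.cfm cfmx && echo locked down
```

If the filesystem does not support POSIX ACLs, setfacl fails and secure_cf_file returns non-zero; in that case the file is left at 600 and the only way to give the service read access is group ownership, which is outside what this page describes.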
Setting Database Passwords
All connections to Access databases involve logging in to the database with a username. Normally this is not obvious, because the default username is Admin, with no password. In other words, when you open an Access database without being prompted for a username and password, you are logged in as Admin and the database is unsecured. This is the default security condition for new databases: anyone who can reach your database file can open it and do whatever they want to your data and database structure. To secure your database with a password:
- Make sure there are no open instances of this database
- Make a backup of the database
- Go to File / Open
- Navigate to your database and highlight
- Click the arrow to the right of the Open button
- Select Open Exclusive
- Click on Database Tools on the menu
- Click Set Database Password
- Type in your password
- Confirm your password by typing the password again
- Click OK
- If you have forgotten your database password, it cannot be recovered. CCS does not keep a copy, so you will not be able to open your database.
- Do not use a database password if you will be replicating the database, because replicas cannot be synchronized once a password has been set.
- You will not be able to set a database password if user-level security has been defined for your database and you do not have administrator privileges.
- If you request a restore through our Backup Service, ACLs are not restored and you will need to set the ACL again. If you have many ACLs, please contact the CCS Help Centre and we can run a script that restores them for you.
- For more information on database passwords for MS Access, please visit Microsoft.