Adobe 38043740 Lockdown Guide - Page 50

You may consider using chmod -R 550 /web instead of 750 if write permission is not needed by ColdFusion on all files or directories.

    # chcon -R --reference=/var/www /web

4.2.3: Specify permissions for ColdFusion Directories

    chown -R cfusion:root /opt/coldfusion10/
    chmod -R 750 /opt/coldfusion10/

You should consider a more restrictive file permission structure which removes any unnecessary write permissions. The permissions specified above allow ColdFusion to have full control over the files in its own directories, as needed by the ColdFusion administrator or the hotfix installer. A more restrictive approach, while more secure, may cause errors in the ColdFusion administrator or elsewhere. If you do not make changes in the ColdFusion administrator and only run the hotfix installer as root, you can set up more restrictive file security.

Now, to allow Apache to serve files in /CFIDE, we need to ensure that Apache has execute permissions on all parent folders so that it can traverse the directory structure:

    chown cfusion:webservices /opt/coldfusion10/
    chown cfusion:webservices /opt/coldfusion10/cfusion/
    chown cfusion:webservices /opt/coldfusion10/cfusion/wwwroot/
    chmod 710 /opt/coldfusion10/
    chmod 710 /opt/coldfusion10/cfusion/
    chmod 710 /opt/coldfusion10/cfusion/wwwroot/
    chown -R cfusion:webservices /opt/coldfusion10/cfusion/wwwroot/CFIDE/
    chmod 750 /opt/coldfusion10/cfusion/wwwroot/CFIDE/
    chcon -R --reference=/var/www /opt/coldfusion10/cfusion/wwwroot/CFIDE
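
The following audit script is an added example, not part of the guide. It checks that the traversal chain set above still holds after later changes such as a hotfix run: each parent of CFIDE is 710, CFIDE itself is 750, and nothing below CFIDE carries permissions for "other". The function names check_dir and audit_cfide_chain are hypothetical, and GNU stat and find (as shipped on RHEL/CentOS) are assumed.

```shell
#!/bin/sh
# Added example (not from the guide). Assumes GNU stat/find, as on RHEL/CentOS.

# check_dir PATH MODE [OWNER:GROUP] -> 0 if PATH matches, 1 with a finding if not.
check_dir() {
    p=$1; want_mode=$2; want_owner=${3:-}
    if [ ! -d "$p" ]; then
        echo "MISSING $p"; return 1
    fi
    have_mode=$(stat -c '%a' "$p")
    have_owner=$(stat -c '%U:%G' "$p")
    rc=0
    if [ "$have_mode" != "$want_mode" ]; then
        echo "MODE  $p is $have_mode, expected $want_mode"; rc=1
    fi
    if [ -n "$want_owner" ] && [ "$have_owner" != "$want_owner" ]; then
        echo "OWNER $p is $have_owner, expected $want_owner"; rc=1
    fi
    return $rc
}

# audit_cfide_chain CF_ROOT [OWNER:GROUP]
# Parents of CFIDE must be 710 (group may traverse, not list); CFIDE itself 750.
audit_cfide_chain() {
    cf_root=${1%/}; cf_owner=${2:-}
    cfide=$cf_root/cfusion/wwwroot/CFIDE
    failures=0
    for d in "$cf_root" "$cf_root/cfusion" "$cf_root/cfusion/wwwroot"; do
        check_dir "$d" 710 "$cf_owner" || failures=$((failures + 1))
    done
    check_dir "$cfide" 750 "$cf_owner" || failures=$((failures + 1))
    # After "chmod -R 750" nothing below CFIDE should carry any "other" bits.
    loose=$(find "$cfide" -perm /007 -print -quit 2>/dev/null || true)
    if [ -n "$loose" ]; then
        echo "WORLD $loose has permissions for 'other'"; failures=$((failures + 1))
    fi
    [ "$failures" -eq 0 ]
}

# Usage on a host built per the guide:
#   audit_cfide_chain /opt/coldfusion10 cfusion:webservices
```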

4.2.4: Install Apache Connector

As root, run the connector installer utility called wsconfig with the following options:

    /opt/coldfusion10/cfusion/runtime/bin/wsconfig -ws Apache \
        -dir /etc/httpd/conf/ \
        -cfide /opt/coldfusion10/cfusion/wwwroot/CFIDE/ \