Custom MB3 Installation Path


ChrisLynch

If I can suggest something then, it's to create the service using "%appdata%" in the path to the application. So we will be able to install the service using an admin user, and then launch the service with a restricted user (by copying files from the first user to the second one).


To what are you responding?  The server already is installed into appdata but it goes into the admin user's appdata.


Yes, but the "binPath" of the service is set to "C:\Users\[Name_Of_The_User_who_Installed_Media_Browser]\AppData\Roaming\MediaBrowser-Server". So when we configure the service to run using another account like described here, if the new user cannot access this folder, the service won't run.

The idea was to configure the path to "%appdata%\MediaBrowser-Server" (so the resolution of the %appdata% is achieved in the context of the guy who runs the service), which allows us to easily switch user, and possibly run under lower privileges.

BUT, since I posted this comment I went further into MediaBrowser discovery and realized that the user must be admin on the computer, so he will always have access to the folder (and realized that it will also introduce lots of other issues). So forget about my comment ;)

Edited by dr1rrb

  • 5 months later...
superkat

This is really a shame, and a really bad design choice. I know a lot of people don't care, but from a security perspective this is really bad. Now I'm not saying that the product is full of security holes, but as every developer knows, you can't cover all bases all of the time.

Now, having this exposed (potentially to the internet too) and having it run with Admin privileges is not a good idea. A hacker potentially has full access to the machine it is running on.

For this very reason this is a non-starter for me. I have evaluated it and prefer it to all the other options out there, but I use my server for lots of other things too, and security is a prime concern, as it should be.

IMHO, as a server admin for 20 years and now a security consultant, updates should be controlled and not installed automagically. I know some people don't care and want an easy life, so why not install properly and securely and provide a tool to automagically update it if they so want to?

Mediabrowser - A really great product let down by a bad install process. - Sorry.


superkat

Now I hate to leave things alone, especially when it is a good product. So after a little tinkering and playing I have this installed as I want it.

Not going to go into great detail but this is how I did it:

  1. Installed Mediaserver.
  2. Terminated the tray icon right after install and before config.
  3. Copied %Appdata%\Roaming\ to D:\MediaBrowser
  4. Created a new non-admin user.
  5. Opened Regedit and modified HKLM\SYSTEM\CurrentControlSet\Services\MediaBrowser\ImagePath value to "D:\MediaBrowser\MediaBrowser-Server\system\MediaBrowser.ServerApplication.exe" -service
  6. Modified the MediaBrowser service to run under the context of my new user.
  7. Gave Modify permission for my new user to the following folders:
     • D:\MediaBrowser\MediaBrowser-Server\cache
     • D:\MediaBrowser\MediaBrowser-Server\config
     • D:\MediaBrowser\MediaBrowser-Server\metadata
     • D:\MediaBrowser\MediaBrowser-Server\logs

Finally I started the service and ran through the config wizard.

I haven't used it in anger yet, but so far no problems.

Disclaimer: This is clearly an unsupported route to follow, so please don't do this if you want to rely on the support provided by the excellent team here.

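A read-only check for the condition debated in this thread (a service running with high privileges from a per-user data folder), added here as an example and not part of any post or of the project. It assumes the service name MediaBrowser from the registry key quoted above and English-language account names.

```powershell
# Added example (read-only): audit where a service binary lives and who can modify it.
# 'MediaBrowser' is the service key name quoted in the post above.
param([string]$ServiceName = 'MediaBrowser')

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }

# PathName mirrors ImagePath: an optionally quoted executable followed by arguments.
if ($svc.PathName -notmatch '^\s*"?(.+?\.exe)') { throw "Cannot parse: $($svc.PathName)" }
$exe    = $Matches[1]
$binDir = Split-Path -Parent $exe

# Assumption: English account names; these principals are expected to have write access.
$trusted  = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'
$writeBit = [int][System.Security.AccessControl.FileSystemRights]::WriteData

# Every other principal with an Allow entry that includes write access to the binary folder.
$writers = (Get-Acl -LiteralPath $binDir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ([int]$_.FileSystemRights -band $writeBit) -and
    $_.IdentityReference.Value -notin $trusted
} | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

$findings = @()
if ($svc.StartName -in 'LocalSystem', 'NT AUTHORITY\SYSTEM') {
    $findings += "Service runs as $($svc.StartName) rather than a dedicated low-privilege account."
}
if ($exe -like "${env:SystemDrive}\Users\*") {
    $findings += "Binary is inside a user profile: $exe"
}
if ($writers) {
    $findings += "Non-administrative principals can write to ${binDir}: $($writers -join ', ')"
}

[pscustomobject]@{
    Service  = $svc.Name
    RunsAs   = $svc.StartName
    Binary   = $exe
    Findings = if ($findings) { $findings } else { 'none' }
} | Format-List
```

With the layout from the post, where Modify was granted only on cache, config, metadata and logs, the new service account should not show up as a writer on the system folder that holds the executable.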

Unfortunately, most people are not Server Admins so managing update cycles isn't something they do a lot.  So, for the average user, automatic updating is the way to go.


superkat

Isn't that exactly the reason the install should be secure?

There are several products that provide auto updates; they don't run as admin in a data folder.

I don't suppose you will, but please reconsider the design decision to install it this way.


Even though this is where we install by default, the installation is really quite portable.  You can move the whole thing almost wherever you want - but you may have issues with updates if it isn't configured properly.
