dr1rrb (Posted August 30, 2014)

If I can suggest something then, it's to create the service using "%appdata%" in the path to the application. So we will be able to install the service using an admin user, and then launch the service with a restricted user (by copying files from the first user to the second one).

ebr (Posted August 31, 2014)

> If I can suggest something then, it's to create the service using "%appdata%" in the path to the application. So we will be able to install the service using an admin user, and then launch the service with a restricted user (by copying files from the first user to the second one).

To what are you responding? The server already is installed into appdata but it goes into the admin user's appdata.

dr1rrb (Posted September 4, 2014, edited)

> To what are you responding? The server already is installed into appdata but it goes into the admin user's appdata.

Yes, but the "binPath" of the service is set to "C:\Users\[Name_Of_The_User_who_Installed_Media_Browser]\AppData\Roaming\MediaBrowser-Server". So when we configure the service to run using another account like described here, if the new user cannot access this folder, the service won't run. The idea was to configure the path to "%appdata%\MediaBrowser-Server" (so the resolution of the %appdata% is achieved in the context of the guy who runs the service), which allows us to easily switch user, and possibly run under lower privileges.

BUT, since I posted this comment I went further into MediaBrowser discovery and realized that the user must be admin on the computer, so he will always have access to the folder (and realized that it will also introduce lots of other issues). So forget about my comment.

Edited September 4, 2014 by dr1rrb

superkat (Posted March 3, 2015)

This is really a shame, and a really bad design choice. I know a lot of people don't care, but from a security perspective this is really bad. Now I'm not saying that the product is full of security holes, but as every developer knows, you can't cover all bases all of the time. Now, having this exposed (potentially to the internet too) and having it run with Admin privileges is not a good idea. A hacker potentially has full access to the machine it is running on.

For this very reason this is a non-starter for me. I have evaluated it and prefer it to all the other options out there, but I use my server for lots of other things too, and security is a prime concern, as it should be.

IMHO, as a server admin for 20 years and now a security consultant, updates should be controlled and not installed automagically. I know some people don't care and want an easy life, so why not install properly and securely and provide a tool to automagically update it if they so want to.

Mediabrowser - A really great product let down by a bad install process. - Sorry.

superkat (Posted March 3, 2015)

Now I hate to leave things alone, especially when it is a good product. So after a little tinkering and playing I have this installed as I want it. Not going to go into great detail but this is how I did it:

Installed Mediaserver.
Terminated the tray icon right after install and before config.
Copied %Appdata%\Roaming\ to D:\MediaBrowser
Created a new non-admin user.
Opened Regedit and modified HKLM\SYSTEM\CurrentControlSet\Services\MediaBrowser\ImagePath value to "D:\MediaBrowser\MediaBrowser-Server\system\MediaBrowser.ServerApplication.exe" -service
Modified the MediaBrowser service to run under the context of my new user.
Gave Modify permission for my new user to the following folders:
  D:\MediaBrowser\MediaBrowser-Server\cache
  D:\MediaBrowser\MediaBrowser-Server\config
  D:\MediaBrowser\MediaBrowser-Server\metadata
  D:\MediaBrowser\MediaBrowser-Server\logs
Finally I started the service and ran through the config wizard.

I haven't used it in anger yet, but so far no problems.

Disclaimer: This is clearly an unsupported route to follow, so please don't do this if you want to rely on the support provided by the excellent team here.

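An added example, not part of superkat's post or of the MediaBrowser project: a PowerShell check of the layout the post above describes, reporting the service account, whether it is an administrator, the registry ImagePath, and which folders the account can write to. The service name, registry key and folder names come from the post; the SID list, the write-access mask and the expectation that the system folder stays read-only are assumptions of this example.

```powershell
# Added example (not from the post). Service name, registry key and folder names
# come from the post; adjust $Root if the install was copied elsewhere.
$ServiceName = 'MediaBrowser'
$Root        = 'D:\MediaBrowser\MediaBrowser-Server'
$DataDirs    = 'cache', 'config', 'metadata', 'logs'   # the post grants Modify on these

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
$imagePath = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName").ImagePath

# Resolve the service account to a SID; LocalSystem has the fixed SID S-1-5-18.
$sidType = [System.Security.Principal.SecurityIdentifier]
$name    = $svc.StartName -replace '^\.\\', ''
if ($name -eq 'LocalSystem') {
    $svcSid = 'S-1-5-18'
} else {
    $svcSid = (New-Object System.Security.Principal.NTAccount($name)).Translate($sidType).Value
}

# Direct members of BUILTIN\Administrators (S-1-5-32-544); nested groups are not expanded.
$adminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.SID.Value })
$isAdmin   = ($svcSid -eq 'S-1-5-18') -or ($adminSids -contains $svcSid)

# Assumption: the account is also covered by Everyone, Authenticated Users and BUILTIN\Users.
$who  = $svcSid, 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
$mask = 0x2 -bor 0x40000000 -bor 0x10000000   # WriteData, GENERIC_WRITE, GENERIC_ALL

function Test-Writable([string]$Path) {
    # Allow ACEs only (explicit and inherited); Deny ACEs are not evaluated here.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Allow' -and
            $who -contains $r.IdentityReference.Value -and
            ([int]$r.FileSystemRights -band $mask)) { return $true }
    }
    return $false
}

# 'system' holds the executable named in ImagePath; the post grants nothing on it.
$report = foreach ($dir in @('system') + $DataDirs) {
    $p = Join-Path $Root $dir
    [pscustomobject]@{ Folder = $p; Writable = Test-Writable $p; Expected = ($dir -ne 'system') }
}

"Service account : $($svc.StartName) (administrator: $isAdmin)"
"ImagePath       : $imagePath"
$report | Format-Table -AutoSize
$report | Where-Object { $_.Writable -ne $_.Expected } |
    ForEach-Object { Write-Warning "Unexpected write access setting on $($_.Folder)" }
```

Run it from an elevated PowerShell 5.1 or later session. Because Deny entries and nested group membership are not evaluated, a clean result is a first pass rather than a full effective-permissions check.
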
ebr (Posted March 3, 2015)

Unfortunately, most people are not Server Admins so managing update cycles isn't something they do a lot. So, for the average user, automatic updating is the way to go.

superkat (Posted March 3, 2015)

> Unfortunately, most people are not Server Admins so managing update cycles isn't something they do a lot. So, for the average user, automatic updating is the way to go.

Isn't that exactly the reason the install should be secure? There are several products that provide auto updates, they don't run as admin in a data folder. I don't suppose you will, but please reconsider the design decision to install it this way.

ebr (Posted March 3, 2015)

Even though this is where we install by default, the installation is really quite portable. You can move the whole thing almost wherever you want - but you may have issues with updates if it isn't configured properly.