OS X Installer Insecure Permissions
Hello:
I just installed the Wowza Streaming Engine 4.1.2 OS X using the installer and installs many files/directories with other write permissions.
Is there a reason why? Or was this overlooked when building the installer? Does others really need write access? What permissions should be used?
For example, pretty much every directory and file installed in "Library/WowzaStreamingEngine-4.1.2"...
% ls -al /Library/WowzaStreamingEngine-4.1.2
total 0
drwxrwxrwx 16 root wheel 544 Jun 10 13:34 .
drwxr-xr-x+ 65 root wheel 2210 Jun 10 13:34 ..
drwxrwxrwx 4 root wheel 136 Jun 10 13:34 applications
drwxrwxrwx 2 root wheel 68 Jun 10 13:34 backup
drwxrwxrwx 16 root wheel 544 Jun 10 13:34 bin
drwxrwxrwx 20 root wheel 680 Jun 10 14:22 conf
drwxrwxrwx 4 root wheel 136 Jun 10 13:34 content
drwxrwxrwx 7 root wheel 238 Jun 10 13:34 documentation
drwxrwxrwx 11 root wheel 374 Jun 10 13:34 examples
drwxrwxrwx 2 root wheel 68 Jun 10 13:34 keys
drwxrwxrwx 5 root wheel 170 Jun 10 13:34 legal
drwxrwxrwx 47 root wheel 1598 Jun 10 13:34 lib
drwxrwxrwx 6 root wheel 204 Jun 10 14:26 logs
drwxrwxrwx 6 root wheel 204 Jun 10 13:34 manager
drwxrwxrwx 2 root wheel 68 Jun 10 13:34 mediacache
drwxrwxrwx 2 root wheel 68 Jun 10 13:34 updates
I just installed the Wowza Streaming Engine 4.1.2 OS X using the installer and installs many files/directories with other write permissions.
Is there a reason why? Or was this overlooked when building the installer? Does others really need write access? What permissions should be used?
For example, pretty much every directory and file installed in "Library/WowzaStreamingEngine-4.1.2"...
% ls -al /Library/WowzaStreamingEngine-4.1.2
total 0
drwxrwxrwx 16 root wheel 544 Jun 10 13:34 .
drwxr-xr-x+ 65 root wheel 2210 Jun 10 13:34 ..
drwxrwxrwx 4 root wheel 136 Jun 10 13:34 applications
drwxrwxrwx 2 root wheel 68 Jun 10 13:34 backup
drwxrwxrwx 16 root wheel 544 Jun 10 13:34 bin
drwxrwxrwx 20 root wheel 680 Jun 10 14:22 conf
drwxrwxrwx 4 root wheel 136 Jun 10 13:34 content
drwxrwxrwx 7 root wheel 238 Jun 10 13:34 documentation
drwxrwxrwx 11 root wheel 374 Jun 10 13:34 examples
drwxrwxrwx 2 root wheel 68 Jun 10 13:34 keys
drwxrwxrwx 5 root wheel 170 Jun 10 13:34 legal
drwxrwxrwx 47 root wheel 1598 Jun 10 13:34 lib
drwxrwxrwx 6 root wheel 204 Jun 10 14:26 logs
drwxrwxrwx 6 root wheel 204 Jun 10 13:34 manager
drwxrwxrwx 2 root wheel 68 Jun 10 13:34 mediacache
drwxrwxrwx 2 root wheel 68 Jun 10 13:34 updates
Hi,
Wowza generally installs with enough permissions in order to work without the user having to worry too much about permissions. So it can be seen as quite generous on some platforms, as in OS X - which is generally similar to a desktop installation. For example, if installed and run as stand-alone mode then Wowza is running as the user logged into OS X at that time, so long as that user also has admin/root privileges.
You can lock this down manually to your specific administrator user, for example user "paul" in group "staff" (stop Wowza first)
That would prevent anyone apart from "paul" (or root of course) from cd'ing into the Wowza installation path.
Paul
Wowza generally installs with enough permissions in order to work without the user having to worry too much about permissions. So it can be seen as quite generous on some platforms, as in OS X - which is generally similar to a desktop installation. For example, if installed and run as stand-alone mode then Wowza is running as the user logged into OS X at that time, so long as that user also has admin/root privileges.
You can lock this down manually to your specific administrator user, for example user "paul" in group "staff" (stop Wowza first)
cd /Library chmod -R 700 WowzaStreamingEngine-X.X.X chown -R paul:admin WowzaStreamingEngine-X.X.X
That would prevent anyone apart from "paul" (or root of course) from cd'ing into the Wowza installation path.
Paul
Apple has guidelines on best practices on software install on OS X, these permissions on either OS X client or server don't follow there guidelines.
https://developer.apple.com/library/mac/documentation/Security/Conceptual/SecureCodingGuide/SecurityDevelopmentChecklists/SecurityDevelopmentChecklists.html
Everyone should not have write access to /Library or sub-directories. I would recommend that the installer is fixed to use proper permissions in future releases.
https://developer.apple.com/library/mac/documentation/Security/Conceptual/SecureCodingGuide/SecurityDevelopmentChecklists/SecurityDevelopmentChecklists.html
Everyone should not have write access to /Library or sub-directories. I would recommend that the installer is fixed to use proper permissions in future releases.
