OS X Installer Insecure Permissions

Hello:

I just installed Wowza Streaming Engine 4.1.2 on OS X using the installer, and it installs many files/directories with other write permissions.

Is there a reason why? Or was this overlooked when building the installer? Do others really need write access? What permissions should be used?

For example, pretty much every directory and file installed in “Library/WowzaStreamingEngine-4.1.2”…

% ls -al /Library/WowzaStreamingEngine-4.1.2
total 0
drwxrwxrwx 16 root wheel 544 Jun 10 13:34 .
drwxr-xr-x+ 65 root wheel 2210 Jun 10 13:34 ..
drwxrwxrwx 4 root wheel 136 Jun 10 13:34 applications
drwxrwxrwx 2 root wheel 68 Jun 10 13:34 backup
drwxrwxrwx 16 root wheel 544 Jun 10 13:34 bin
drwxrwxrwx 20 root wheel 680 Jun 10 14:22 conf
drwxrwxrwx 4 root wheel 136 Jun 10 13:34 content
drwxrwxrwx 7 root wheel 238 Jun 10 13:34 documentation
drwxrwxrwx 11 root wheel 374 Jun 10 13:34 examples
drwxrwxrwx 2 root wheel 68 Jun 10 13:34 keys
drwxrwxrwx 5 root wheel 170 Jun 10 13:34 legal
drwxrwxrwx 47 root wheel 1598 Jun 10 13:34 lib
drwxrwxrwx 6 root wheel 204 Jun 10 14:26 logs
drwxrwxrwx 6 root wheel 204 Jun 10 13:34 manager
drwxrwxrwx 2 root wheel 68 Jun 10 13:34 mediacache
drwxrwxrwx 2 root wheel 68 Jun 10 13:34 updates

Hi,

Wowza generally installs with enough permissions in order to work without the user having to worry too much about permissions. So it can be seen as quite generous on some platforms, as in OS X - which is generally similar to a desktop installation. For example, if installed and run as stand-alone mode then Wowza is running as the user logged into OS X at that time, so long as that user also has admin/root privileges.

You can lock this down manually to your specific administrator user, for example user “paul” in group “staff” (stop Wowza first)

cd /Library
chmod -R 700 WowzaStreamingEngine-X.X.X
chown -R paul:admin WowzaStreamingEngine-X.X.X

That would prevent anyone apart from “paul” (or root of course) from cd’ing into the Wowza installation path.

Paul

Apple has guidelines on best practices for software installation on OS X; these permissions, on either OS X client or server, don’t follow their guidelines.

https://developer.apple.com/library/mac/documentation/Security/Conceptual/SecureCodingGuide/SecurityDevelopmentChecklists/SecurityDevelopmentChecklists.html

Everyone should not have write access to /Library or sub-directories. I would recommend that the installer is fixed to use proper permissions in future releases.
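
The permission check discussed in this thread, as an added example that is not part of the original posts or of Wowza's installer: POSIX shell functions that list every entry under an install root that is writable by "other" and clear only that bit, leaving owner, group and execute bits as they were. The function names and the sample tree built by make_demo_tree (including the file names sample.xml and sample.sh) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an install tree for other-writable entries.

# list_world_writable ROOT
# Print every file or directory under ROOT whose mode has the o+w bit set.
# Symlinks are skipped because their own mode bits are not used for access checks.
list_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# count_world_writable ROOT
# Number of other-writable entries (0 means the tree passes the audit).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# strip_other_write ROOT
# Remove only the o+w bit; nothing else about the mode or ownership changes.
strip_other_write() {
    find "$1" ! -type l -perm -0002 -exec chmod o-w {} +
}

# make_demo_tree
# Build a constructed sample tree that mimics the 777 layout in the listing
# above, and print its path. Directory names come from the listing; the two
# file names are made up.
make_demo_tree() {
    demo=$(mktemp -d) || return 1
    mkdir -p "$demo/conf" "$demo/bin" "$demo/logs"
    : > "$demo/conf/sample.xml"
    : > "$demo/bin/sample.sh"
    chmod 777 "$demo" "$demo/conf" "$demo/bin" "$demo/logs" "$demo/bin/sample.sh"
    chmod 666 "$demo/conf/sample.xml"
    printf '%s\n' "$demo"
}

# When called with a path argument, report only; fixing is a separate step.
if [ "$#" -gt 0 ]; then
    list_world_writable "$1"
fi
```

Run the report first and review it before calling strip_other_write on a real installation, with the server stopped as the reply above advises.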