HD Theatre can view entire WHS

[Mpegger]

I just finished playing around abit with the HD Theatre, and so far its working great, except for one very big problem.

The SageTV server is installed on a Windows Home Server setup, and there are only a few folders shared, which show up as it should within the HD Theatre (Video folder, Photos folder, Music folder, and Public folder).

The problem is that if I choose "Browse Media Files", then "Browse Files on the Server", it allows access to the entire WHS, both C: and D:, even folders that are not supposed to be accessible.

I didn't realize this on SageTV Client because I never needed to use that option before, but this is totally unacceptable that the HD Theatre can access the entire server unhindered.

Is there a way this fix this behavior? It should only have access to those folders which are shared and no others, regardless of whether its running off the server or not.

[Fuzzy]

The reasoning for this, is the HD200 isn't accessing the files. The SageTV Server is. The HD200 runs in the context of the server, so since it's local, it has full access. Standalone mode wouldn't be able to access non-shared files. If you want to disable the 'browse for files' feature, you should be able to with some minor changes in Studio.

[Mpegger]

Quote:

Originally Posted by Fuzzy

The reasoning for this, is the HD200 isn't accessing the files. The SageTV Server is. The HD200 runs in the context of the server, so since it's local, it has full access. Standalone mode wouldn't be able to access non-shared files. If you want to disable the 'browse for files' feature, you should be able to with some minor changes in Studio.

I understand its because the HD200 is running off the server in extender mode, so in essences, its like running a remote screen from the computer. I just don't understand why a big security flaw like this would be left in for the WHS version. Absolutely NO clients, extender or not, should be allowed to view ANY other folders on the server except for those public share(s) and designated recording folder(s).

That being said, yes, I want to disable this behavior and would love to know how to do so.

[Fuzzy]

no idea exactly how to do so, but if you read up on studio, you should be able to find that widget in the code and disable it.

And I also don't see how this is some sort of 'security flaw'. Worst someone could do is watch your videos that aren't in the import for some reason.

[Mpegger]

Quote:

Originally Posted by Fuzzy

no idea exactly how to do so, but if you read up on studio, you should be able to find that widget in the code and disable it.

And I also don't see how this is some sort of 'security flaw'. Worst someone could do is watch your videos that aren't in the import for some reason.

Quote:

Files Types Shown In Browser: All Files
Allow File Deletion - Checked

Those settings alone are the security problem I'm talking about. With it, you can view any file, and delete it, from within SageTV. Sure, you can't view the file if it was a document of some sort, or run it if it was some type of program, or even download it to the client/remote connecting PC, but one (ie kids, inept/curious users) can easily royally hose a system because of it.

I'm looking into Studio right now to remove that file browsing option from SageTV altogether.

[stanger89]

I'd think the problem is you're running the Sage service under the LocalSystem account which has access to everything. If you don't want Sage to have access to everything, you should run it as a different user with more limited access.